github.com/rahart/packer@v0.12.2-0.20161229105310-282bb6ad370f/builder/azure/pkcs12/crypto_test.go

github.com/rahart/packer@v0.12.2-0.20161229105310-282bb6ad370f/builder/azure/pkcs12/crypto_test.go (about)

     1  package pkcs12
     2  
     3  import (
     4  	"bytes"
     5  	"crypto/cipher"
     6  	"crypto/x509/pkix"
     7  	"encoding/asn1"
     8  	"testing"
     9  )
    10  
    11  func pbDecrypterFor(algorithm pkix.AlgorithmIdentifier, password []byte) (cipher.BlockMode, error) {
    12  	algorithmName, supported := algByOID[algorithm.Algorithm.String()]
    13  	if !supported {
    14  		return nil, NotImplementedError("algorithm " + algorithm.Algorithm.String() + " is not supported")
    15  	}
    16  
    17  	var params pbeParams
    18  	if _, err := asn1.Unmarshal(algorithm.Parameters.FullBytes, &params); err != nil {
    19  		return nil, err
    20  	}
    21  
    22  	k := deriveKeyByAlg[algorithmName](params.Salt, password, params.Iterations)
    23  	iv := deriveIVByAlg[algorithmName](params.Salt, password, params.Iterations)
    24  	password = nil
    25  
    26  	code, err := blockcodeByAlg[algorithmName](k)
    27  	if err != nil {
    28  		return nil, err
    29  	}
    30  
    31  	cbc := cipher.NewCBCDecrypter(code, iv)
    32  	return cbc, nil
    33  }
    34  
    35  func pbDecrypt(info decryptable, password []byte) (decrypted []byte, err error) {
    36  	cbc, err := pbDecrypterFor(info.GetAlgorithm(), password)
    37  	password = nil
    38  	if err != nil {
    39  		return nil, err
    40  	}
    41  
    42  	encrypted := info.GetData()
    43  
    44  	decrypted = make([]byte, len(encrypted))
    45  	cbc.CryptBlocks(decrypted, encrypted)
    46  
    47  	if psLen := int(decrypted[len(decrypted)-1]); psLen > 0 && psLen <= cbc.BlockSize() {
    48  		m := decrypted[:len(decrypted)-psLen]
    49  		ps := decrypted[len(decrypted)-psLen:]
    50  		if bytes.Compare(ps, bytes.Repeat([]byte{byte(psLen)}, psLen)) != 0 {
    51  			return nil, ErrDecryption
    52  		}
    53  		decrypted = m
    54  	} else {
    55  		return nil, ErrDecryption
    56  	}
    57  
    58  	return
    59  }
    60  
    61  func TestPbDecrypterFor(t *testing.T) {
    62  	params, _ := asn1.Marshal(pbeParams{
    63  		Salt:       []byte{1, 2, 3, 4, 5, 6, 7, 8},
    64  		Iterations: 2048,
    65  	})
    66  	alg := pkix.AlgorithmIdentifier{
    67  		Algorithm: asn1.ObjectIdentifier([]int{1, 2, 3}),
    68  		Parameters: asn1.RawValue{
    69  			FullBytes: params,
    70  		},
    71  	}
    72  
    73  	pass, _ := bmpString("Sesame open")
    74  
    75  	_, err := pbDecrypterFor(alg, pass)
    76  	if _, ok := err.(NotImplementedError); !ok {
    77  		t.Errorf("expected not implemented error, got: %T %s", err, err)
    78  	}
    79  
    80  	alg.Algorithm = asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 12, 1, 3})
    81  	cbc, err := pbDecrypterFor(alg, pass)
    82  	if err != nil {
    83  		t.Errorf("err: %v", err)
    84  	}
    85  
    86  	M := []byte{1, 2, 3, 4, 5, 6, 7, 8}
    87  	expectedM := []byte{185, 73, 135, 249, 137, 1, 122, 247}
    88  	cbc.CryptBlocks(M, M)
    89  
    90  	if bytes.Compare(M, expectedM) != 0 {
    91  		t.Errorf("expected M to be '%d', but found '%d", expectedM, M)
    92  	}
    93  }
    94  
    95  func TestPbDecrypt(t *testing.T) {
    96  
    97  	tests := [][]byte{
    98  		[]byte("\x33\x73\xf3\x9f\xda\x49\xae\xfc\xa0\x9a\xdf\x5a\x58\xa0\xea\x46"), // 7 padding bytes
    99  		[]byte("\x33\x73\xf3\x9f\xda\x49\xae\xfc\x96\x24\x2f\x71\x7e\x32\x3f\xe7"), // 8 padding bytes
   100  		[]byte("\x35\x0c\xc0\x8d\xab\xa9\x5d\x30\x7f\x9a\xec\x6a\xd8\x9b\x9c\xd9"), // 9 padding bytes, incorrect
   101  		[]byte("\xb2\xf9\x6e\x06\x60\xae\x20\xcf\x08\xa0\x7b\xd9\x6b\x20\xef\x41"), // incorrect padding bytes: [ ... 0x04 0x02 ]
   102  	}
   103  	expected := []interface{}{
   104  		[]byte("A secret!"),
   105  		[]byte("A secret"),
   106  		ErrDecryption,
   107  		ErrDecryption,
   108  	}
   109  
   110  	for i, c := range tests {
   111  		td := testDecryptable{
   112  			data: c,
   113  			algorithm: pkix.AlgorithmIdentifier{
   114  				Algorithm: asn1.ObjectIdentifier([]int{1, 2, 840, 113549, 1, 12, 1, 3}), // SHA1/3TDES
   115  				Parameters: pbeParams{
   116  					Salt:       []byte("\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8"),
   117  					Iterations: 4096,
   118  				}.RawASN1(),
   119  			},
   120  		}
   121  		p, _ := bmpString("sesame")
   122  
   123  		m, err := pbDecrypt(td, p)
   124  
   125  		switch e := expected[i].(type) {
   126  		case []byte:
   127  			if err != nil {
   128  				t.Errorf("error decrypting C=%x: %v", c, err)
   129  			}
   130  			if bytes.Compare(m, e) != 0 {
   131  				t.Errorf("expected C=%x to be decoded to M=%x, but found %x", c, e, m)
   132  			}
   133  		case error:
   134  			if err == nil || err.Error() != e.Error() {
   135  				t.Errorf("expecting error '%v' during decryption of c=%x, but found err='%v'", e, c, err)
   136  			}
   137  		}
   138  	}
   139  }
   140  
   141  type testDecryptable struct {
   142  	data      []byte
   143  	algorithm pkix.AlgorithmIdentifier
   144  }
   145  
   146  func (d testDecryptable) GetAlgorithm() pkix.AlgorithmIdentifier { return d.algorithm }
   147  func (d testDecryptable) GetData() []byte                        { return d.data }
   148  
   149  func (params pbeParams) RawASN1() (raw asn1.RawValue) {
   150  	asn1Bytes, err := asn1.Marshal(params)
   151  	if err != nil {
   152  		panic(err)
   153  	}
   154  	_, err = asn1.Unmarshal(asn1Bytes, &raw)
   155  	if err != nil {
   156  		panic(err)
   157  	}
   158  	return
   159  }