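/*
Copyright SecureKey Technologies Inc. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/

package hkdf

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"testing"

	"github.com/stretchr/testify/require"

	"github.com/trustbloc/kms-go/spi/secretlock"
)

// randBytes returns n bytes drawn from crypto/rand, failing the test on error.
// Both the master key under test and the HKDF salts come from this single
// CSPRNG so the test does not depend on a second random source.
func randBytes(t *testing.T, n int) []byte {
	t.Helper()

	b := make([]byte, n)
	_, err := rand.Read(b)
	require.NoError(t, err)

	return b
}

// TestMasterLock exercises NewMasterLock and the Encrypt/Decrypt round trip of
// the HKDF-derived master lock.
//
// Beyond the happy path it checks the property a secret lock is relied on for:
// a lock built from different key material (other passphrase, other salt, no
// salt) must not be able to open ciphertext produced by the reference lock,
// while a lock rebuilt from the same passphrase, hash and salt must.
func TestMasterLock(t *testing.T) {
	keySize := sha256.New().Size()
	testKey := randBytes(t, keySize)
	salt := randBytes(t, keySize)
	goodPassphrase := "somepassphrase"

	mkLock, err := NewMasterLock(goodPassphrase, sha256.New, salt)
	require.NoError(t, err)

	// sha512 is rejected as an unsupported hash
	mkLockBad, err := NewMasterLock(goodPassphrase, sha512.New, salt)
	require.Error(t, err)
	require.Empty(t, mkLockBad)

	encryptedMk, err := mkLock.Encrypt("", &secretlock.EncryptRequest{Plaintext: string(testKey)})
	require.NoError(t, err)
	require.NotEmpty(t, encryptedMk)
	// the ciphertext must never be the raw key material
	require.NotEqual(t, string(testKey), encryptedMk.Ciphertext)

	decryptedMk, err := mkLock.Decrypt("", &secretlock.DecryptRequest{Ciphertext: encryptedMk.Ciphertext})
	require.NoError(t, err)
	require.Equal(t, testKey, []byte(decryptedMk.Plaintext))

	// decrypting an invalid base64URL string must fail
	decryptedMk, err = mkLock.Decrypt("", &secretlock.DecryptRequest{Ciphertext: "bad{}base64URLstring[]"})
	require.Error(t, err)
	require.Empty(t, decryptedMk)

	// a new lock built from the same passphrase, hash and salt must derive the
	// same key and therefore open the original ciphertext
	mkLock2, err := NewMasterLock(goodPassphrase, sha256.New, salt)
	require.NoError(t, err)

	decryptedMk2, err := mkLock2.Decrypt("", &secretlock.DecryptRequest{Ciphertext: encryptedMk.Ciphertext})
	require.NoError(t, err)
	require.Equal(t, testKey, []byte(decryptedMk2.Plaintext))

	// a lock built without a salt derives a different key and must fail to decrypt
	mkLock2, err = NewMasterLock(goodPassphrase, sha256.New, nil)
	require.NoError(t, err)

	decryptedMk2, err = mkLock2.Decrypt("", &secretlock.DecryptRequest{Ciphertext: encryptedMk.Ciphertext})
	require.Error(t, err)
	require.Empty(t, decryptedMk2)

	// a lock built with a different salt must fail to decrypt
	salt2 := randBytes(t, keySize)

	mkLock2, err = NewMasterLock(goodPassphrase, sha256.New, salt2)
	require.NoError(t, err)

	decryptedMk2, err = mkLock2.Decrypt("", &secretlock.DecryptRequest{Ciphertext: encryptedMk.Ciphertext})
	require.Error(t, err)
	require.Empty(t, decryptedMk2)

	// a lock built with a different passphrase must fail to decrypt
	mkLock2, err = NewMasterLock("badPassphrase", sha256.New, salt)
	require.NoError(t, err)

	decryptedMk2, err = mkLock2.Decrypt("", &secretlock.DecryptRequest{Ciphertext: encryptedMk.Ciphertext})
	require.Error(t, err)
	require.Empty(t, decryptedMk2)

	// a nil hash constructor is rejected
	mkLock2, err = NewMasterLock(goodPassphrase, nil, salt)
	require.Error(t, err)
	require.Empty(t, mkLock2)

	// an empty passphrase is rejected
	mkLock2, err = NewMasterLock("", sha256.New, salt)
	require.Error(t, err)
	require.Empty(t, mkLock2)
}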