github.com/trustbloc/kms-go@v1.1.2/wrapper/localsuite/wrapper_test.go (about) 1 /* 2 Copyright Gen Digital Inc. All Rights Reserved. 3 SPDX-License-Identifier: Apache-2.0 4 */ 5 6 package localsuite 7 8 import ( 9 "crypto/ed25519" 10 "crypto/rand" 11 "errors" 12 "testing" 13 14 "github.com/go-jose/go-jose/v3" 15 "github.com/stretchr/testify/require" 16 "github.com/trustbloc/kms-go/doc/jose/jwk" 17 mockcrypto "github.com/trustbloc/kms-go/mock/crypto" 18 mockkms "github.com/trustbloc/kms-go/mock/kms" 19 kmsapi "github.com/trustbloc/kms-go/spi/kms" 20 ) 21 22 func TestKMSCrypto_Create(t *testing.T) { 23 t.Run("success", func(t *testing.T) { 24 edPub, _, err := ed25519.GenerateKey(rand.Reader) 25 require.NoError(t, err) 26 27 kc := newKMSCrypto(&mockkms.KeyManager{ 28 CrAndExportPubKeyValue: edPub, 29 }, &mockcrypto.Crypto{}) 30 31 pk, err := kc.Create(kmsapi.ED25519) 32 require.NoError(t, err) 33 34 require.Equal(t, "Ed25519", pk.Crv) 35 require.Equal(t, "OKP", pk.Kty) 36 }) 37 38 t.Run("kms err", func(t *testing.T) { 39 errExpected := errors.New("expected error") 40 41 kc := newKMSCrypto(&mockkms.KeyManager{ 42 CrAndExportPubKeyErr: errExpected, 43 }, &mockcrypto.Crypto{}) 44 45 pk, err := kc.Create(kmsapi.ED25519) 46 require.ErrorIs(t, err, errExpected) 47 require.Nil(t, pk) 48 }) 49 50 t.Run("invalid public key bytes value", func(t *testing.T) { 51 kc := newKMSCrypto(&mockkms.KeyManager{ 52 CrAndExportPubKeyValue: []byte("invalid"), 53 }, &mockcrypto.Crypto{}) 54 55 pk, err := kc.Create(kmsapi.ECDSAP256DER) 56 require.Error(t, err) 57 require.Contains(t, err.Error(), "asn1:") 58 require.Nil(t, pk) 59 }) 60 } 61 62 func TestKmsCrypto_Sign(t *testing.T) { 63 errExpected := errors.New("expected error") 64 65 t.Run("success", func(t *testing.T) { 66 expectSig := []byte("signature") 67 68 kc := newKMSCrypto( 69 &mockkms.KeyManager{}, 70 &mockcrypto.Crypto{ 71 SignValue: expectSig, 72 }) 73 74 sig, err := kc.Sign([]byte("test message"), &jwk.JWK{JSONWebKey: jose.JSONWebKey{KeyID: "foo"}}) 75 require.NoError(t, err) 76 require.Equal(t, expectSig, sig) 77 }) 78 79 t.Run("kms error", func(t *testing.T) { 80 kc := newKMSCrypto( 81 &mockkms.KeyManager{ 82 GetKeyErr: errExpected, 83 }, 84 &mockcrypto.Crypto{}) 85 86 sig, err := kc.Sign([]byte("test message"), &jwk.JWK{JSONWebKey: jose.JSONWebKey{KeyID: "foo"}}) 87 require.ErrorIs(t, err, errExpected) 88 require.Nil(t, sig) 89 }) 90 91 t.Run("crypto error", func(t *testing.T) { 92 kc := newKMSCrypto( 93 &mockkms.KeyManager{}, 94 &mockcrypto.Crypto{ 95 SignErr: errExpected, 96 }) 97 98 sig, err := kc.Sign([]byte("test message"), &jwk.JWK{JSONWebKey: jose.JSONWebKey{KeyID: "foo"}}) 99 require.ErrorIs(t, err, errExpected) 100 require.Nil(t, sig) 101 }) 102 } 103 104 func TestKMSCrypto_Verify(t *testing.T) { 105 sig := []byte("signature") 106 msg := []byte("message") 107 108 t.Run("success - own key", func(t *testing.T) { 109 pk := &jwk.JWK{ 110 JSONWebKey: jose.JSONWebKey{KeyID: "foo"}, 111 } 112 113 kc := newKMSCrypto(&mockkms.KeyManager{}, &mockcrypto.Crypto{}) 114 115 err := kc.Verify(sig, msg, pk) 116 require.NoError(t, err) 117 }) 118 119 t.Run("success - other key", func(t *testing.T) { 120 edPub, _, err := ed25519.GenerateKey(rand.Reader) 121 require.NoError(t, err) 122 123 signerKC := newKMSCrypto(&mockkms.KeyManager{ 124 CrAndExportPubKeyValue: edPub, 125 }, &mockcrypto.Crypto{}) 126 127 pk, err := signerKC.Create(kmsapi.ED25519) 128 require.NoError(t, err) 129 130 kc := newKMSCrypto(&mockkms.KeyManager{ 131 ExportPubKeyBytesErr: errors.New("not my key"), 132 }, &mockcrypto.Crypto{}) 133 134 err = kc.Verify(sig, msg, pk) 135 require.NoError(t, err) 136 }) 137 138 t.Run("fail to extract public key bytes", func(t *testing.T) { 139 pk := &jwk.JWK{ 140 JSONWebKey: jose.JSONWebKey{KeyID: "foo"}, 141 } 142 143 kc := newKMSCrypto(&mockkms.KeyManager{ 144 ExportPubKeyBytesErr: errors.New("not my key"), 145 }, &mockcrypto.Crypto{}) 146 147 err := kc.Verify(sig, msg, pk) 148 require.Error(t, err) 149 require.Contains(t, err.Error(), "unsupported public key type") 150 }) 151 152 errExpected := errors.New("expected error") 153 154 t.Run("kms key handle error", func(t *testing.T) { 155 pk := &jwk.JWK{ 156 JSONWebKey: jose.JSONWebKey{KeyID: "foo"}, 157 } 158 159 kc := newKMSCrypto(&mockkms.KeyManager{ 160 PubKeyBytesToHandleErr: errExpected, 161 }, &mockcrypto.Crypto{}) 162 163 err := kc.Verify(sig, msg, pk) 164 require.ErrorIs(t, err, errExpected) 165 }) 166 167 t.Run("verify error", func(t *testing.T) { 168 pk := &jwk.JWK{ 169 JSONWebKey: jose.JSONWebKey{KeyID: "foo"}, 170 } 171 172 kc := newKMSCrypto(&mockkms.KeyManager{}, &mockcrypto.Crypto{ 173 VerifyErr: errExpected, 174 }) 175 176 err := kc.Verify(sig, msg, pk) 177 require.ErrorIs(t, err, errExpected) 178 }) 179 } 180 181 func TestKmsCrypto_FixedKey(t *testing.T) { 182 sig := []byte("signature") 183 msg := []byte("message") 184 pk := &jwk.JWK{ 185 JSONWebKey: jose.JSONWebKey{KeyID: "foo"}, 186 } 187 errExpected := errors.New("expected error") 188 189 t.Run("get fixed key crypto success", func(t *testing.T) { 190 kc := newKMSCrypto(&mockkms.KeyManager{}, &mockcrypto.Crypto{}) 191 192 fkc, err := kc.FixedKeyCrypto(pk) 193 require.NoError(t, err) 194 require.NotNil(t, fkc) 195 196 fks, err := kc.FixedKeySigner(pk) 197 require.NoError(t, err) 198 require.NotNil(t, fks) 199 }) 200 201 t.Run("get fixed key crypto error", func(t *testing.T) { 202 t.Run("kms get", func(t *testing.T) { 203 kc := newKMSCrypto(&mockkms.KeyManager{ 204 GetKeyErr: errExpected, 205 }, &mockcrypto.Crypto{}) 206 207 fkc, err := kc.FixedKeyCrypto(pk) 208 require.ErrorIs(t, err, errExpected) 209 require.Nil(t, fkc) 210 211 fks, err := kc.FixedKeySigner(pk) 212 require.ErrorIs(t, err, errExpected) 213 require.Nil(t, fks) 214 }) 215 216 t.Run("verification key handle", func(t *testing.T) { 217 kc := newKMSCrypto(&mockkms.KeyManager{ 218 ExportPubKeyBytesErr: errors.New("not my key"), 219 }, &mockcrypto.Crypto{}) 220 221 fkc, err := kc.FixedKeyCrypto(pk) 222 require.Error(t, err) 223 require.Contains(t, err.Error(), "unsupported public key type") 224 require.Nil(t, fkc) 225 }) 226 }) 227 228 t.Run("sign success", func(t *testing.T) { 229 kc := newKMSCrypto(&mockkms.KeyManager{}, &mockcrypto.Crypto{ 230 SignValue: sig, 231 }) 232 233 fkc, err := kc.FixedKeyCrypto(pk) 234 require.NoError(t, err) 235 require.NotNil(t, fkc) 236 237 sigOut, err := fkc.Sign(msg) 238 require.NoError(t, err) 239 require.Equal(t, sig, sigOut) 240 241 fks, err := kc.FixedKeySigner(pk) 242 require.NoError(t, err) 243 require.NotNil(t, fks) 244 245 sigOut, err = fks.Sign(msg) 246 require.NoError(t, err) 247 require.Equal(t, sig, sigOut) 248 }) 249 250 t.Run("sign error", func(t *testing.T) { 251 kc := newKMSCrypto(&mockkms.KeyManager{}, &mockcrypto.Crypto{ 252 SignErr: errExpected, 253 }) 254 255 fkc, err := kc.FixedKeyCrypto(pk) 256 require.NoError(t, err) 257 require.NotNil(t, fkc) 258 259 sigOut, err := fkc.Sign(msg) 260 require.ErrorIs(t, err, errExpected) 261 require.Nil(t, sigOut) 262 263 fks, err := kc.FixedKeySigner(pk) 264 require.NoError(t, err) 265 require.NotNil(t, fks) 266 267 sigOut, err = fks.Sign(msg) 268 require.ErrorIs(t, err, errExpected) 269 require.Nil(t, sigOut) 270 }) 271 272 t.Run("verify success", func(t *testing.T) { 273 kc := newKMSCrypto(&mockkms.KeyManager{}, &mockcrypto.Crypto{}) 274 275 fkc, err := kc.FixedKeyCrypto(pk) 276 require.NoError(t, err) 277 require.NotNil(t, fkc) 278 279 err = fkc.Verify(sig, msg) 280 require.NoError(t, err) 281 }) 282 283 t.Run("verify error", func(t *testing.T) { 284 kc := newKMSCrypto(&mockkms.KeyManager{}, &mockcrypto.Crypto{ 285 VerifyErr: errExpected, 286 }) 287 288 fkc, err := kc.FixedKeyCrypto(pk) 289 require.NoError(t, err) 290 require.NotNil(t, fkc) 291 292 err = fkc.Verify(sig, msg) 293 require.ErrorIs(t, err, errExpected) 294 }) 295 } 296 297 func TestKMSCryptoSigner_Sign(t *testing.T) { 298 sig := []byte("signature") 299 msg := []byte("message") 300 errExpected := errors.New("expected error") 301 pk := &jwk.JWK{ 302 JSONWebKey: jose.JSONWebKey{KeyID: "foo"}, 303 } 304 305 t.Run("success", func(t *testing.T) { 306 kcs := newKMSCryptoSigner(&mockkms.KeyManager{}, &mockcrypto.Crypto{ 307 SignValue: sig, 308 }) 309 310 sigOut, err := kcs.Sign(msg, pk) 311 require.NoError(t, err) 312 require.Equal(t, sig, sigOut) 313 }) 314 315 t.Run("kms get error", func(t *testing.T) { 316 kcs := newKMSCryptoSigner(&mockkms.KeyManager{ 317 GetKeyErr: errExpected, 318 }, &mockcrypto.Crypto{}) 319 320 sigOut, err := kcs.Sign(msg, pk) 321 require.ErrorIs(t, err, errExpected) 322 require.Nil(t, sigOut) 323 }) 324 325 t.Run("crypto sign error", func(t *testing.T) { 326 kcs := newKMSCryptoSigner(&mockkms.KeyManager{}, &mockcrypto.Crypto{ 327 SignErr: errExpected, 328 }) 329 330 sigOut, err := kcs.Sign(msg, pk) 331 require.ErrorIs(t, err, errExpected) 332 require.Nil(t, sigOut) 333 }) 334 } 335 336 func TestKmsCryptoSigner_FixedKeySigner(t *testing.T) { 337 sig := []byte("signature") 338 msg := []byte("message") 339 pk := &jwk.JWK{ 340 JSONWebKey: jose.JSONWebKey{KeyID: "foo"}, 341 } 342 errExpected := errors.New("expected error") 343 344 t.Run("get fixed key signer success", func(t *testing.T) { 345 ks := newKMSCryptoSigner(&mockkms.KeyManager{}, &mockcrypto.Crypto{}) 346 347 fks, err := ks.FixedKeySigner(pk) 348 require.NoError(t, err) 349 require.NotNil(t, fks) 350 }) 351 352 t.Run("get fixed key signer error", func(t *testing.T) { 353 ks := newKMSCryptoSigner(&mockkms.KeyManager{ 354 GetKeyErr: errExpected, 355 }, &mockcrypto.Crypto{}) 356 357 fks, err := ks.FixedKeySigner(pk) 358 require.ErrorIs(t, err, errExpected) 359 require.Nil(t, fks) 360 }) 361 362 t.Run("sign success", func(t *testing.T) { 363 kc := newKMSCryptoSigner(&mockkms.KeyManager{}, &mockcrypto.Crypto{ 364 SignValue: sig, 365 }) 366 367 fks, err := kc.FixedKeySigner(pk) 368 require.NoError(t, err) 369 require.NotNil(t, fks) 370 371 sigOut, err := fks.Sign(msg) 372 require.NoError(t, err) 373 require.Equal(t, sig, sigOut) 374 }) 375 376 t.Run("sign error", func(t *testing.T) { 377 kc := newKMSCryptoSigner(&mockkms.KeyManager{}, &mockcrypto.Crypto{ 378 SignErr: errExpected, 379 }) 380 381 fks, err := kc.FixedKeySigner(pk) 382 require.NoError(t, err) 383 require.NotNil(t, fks) 384 385 sigOut, err := fks.Sign(msg) 386 require.ErrorIs(t, err, errExpected) 387 require.Nil(t, sigOut) 388 }) 389 }