github.com/zntrio/harp/v2@v2.0.9/pkg/container/seal/v1/helpers_test.go (about) 1 // Licensed to Elasticsearch B.V. under one or more contributor 2 // license agreements. See the NOTICE file distributed with 3 // this work for additional information regarding copyright 4 // ownership. Elasticsearch B.V. licenses this file to you under 5 // the Apache License, Version 2.0 (the "License"); you may 6 // not use this file except in compliance with the License. 7 // You may obtain a copy of the License at 8 // 9 // http://www.apache.org/licenses/LICENSE-2.0 10 // 11 // Unless required by applicable law or agreed to in writing, 12 // software distributed under the License is distributed on an 13 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 14 // KIND, either express or implied. See the License for the 15 // specific language governing permissions and limitations 16 // under the License. 17 18 package v1 19 20 import ( 21 "bytes" 22 "testing" 23 24 "github.com/awnumar/memguard" 25 "github.com/stretchr/testify/assert" 26 "golang.org/x/crypto/nacl/box" 27 28 containerv1 "github.com/zntrio/harp/v2/api/gen/go/harp/container/v1" 29 ) 30 31 func Test_deriveSharedKeyFromRecipient(t *testing.T) { 32 pk1, sk1, err := box.GenerateKey(bytes.NewReader([]byte("00001-deterministic-buffer-for-tests-26FBE7DED9E992BC36C06C988C1AC8A1E672B4B5959EF60672A983EFA7C8EE0F"))) 33 assert.NoError(t, err) 34 assert.NotNil(t, pk1) 35 assert.NotNil(t, sk1) 36 37 pk2, sk2, err := box.GenerateKey(bytes.NewReader([]byte("00002-deterministic-buffer-for-tests-37ACB0DD3A3CE5A0960CCE0F6A0D7E663DFFD221FBE8EEB03B20D3AD91BCDD55"))) 38 assert.NoError(t, err) 39 assert.NotNil(t, pk2) 40 assert.NotNil(t, sk2) 41 42 // ECDH(pk2, sk1) 43 dk1, err := deriveSharedKeyFromRecipient(pk2, sk1, nil) 44 assert.NoError(t, err) 45 assert.Equal(t, &[32]byte{ 46 0xd1, 0xc0, 0x22, 0x38, 0x31, 0x6d, 0x7d, 0x6b, 47 0x57, 0x88, 0x72, 0x3d, 0xc2, 0x82, 0xd7, 0xe2, 48 0xfa, 0x6, 0x43, 0xb0, 0x98, 0x6f, 0x8, 0xe6, 49 0x28, 0xb0, 0x86, 0x73, 0x15, 0x2e, 0x6e, 0x5, 50 }, dk1) 51 52 // ECDH(pk1, sk2) 53 dk2, err := deriveSharedKeyFromRecipient(pk1, sk2, nil) 54 assert.NoError(t, err) 55 56 // ECDH(pk1, sk2) == ECDH(pk2, sk1) 57 assert.Equal(t, dk1, dk2) 58 } 59 60 func Test_deriveSharedKeyFromRecipient_WithPSK(t *testing.T) { 61 var psk [preSharedKeySize]byte 62 memguard.WipeBytes(psk[:]) // Ensure zeroed psk 63 64 pk1, sk1, err := box.GenerateKey(bytes.NewReader([]byte("00001-deterministic-buffer-for-tests-26FBE7DED9E992BC36C06C988C1AC8A1E672B4B5959EF60672A983EFA7C8EE0F"))) 65 assert.NoError(t, err) 66 assert.NotNil(t, pk1) 67 assert.NotNil(t, sk1) 68 69 pk2, sk2, err := box.GenerateKey(bytes.NewReader([]byte("00002-deterministic-buffer-for-tests-37ACB0DD3A3CE5A0960CCE0F6A0D7E663DFFD221FBE8EEB03B20D3AD91BCDD55"))) 70 assert.NoError(t, err) 71 assert.NotNil(t, pk2) 72 assert.NotNil(t, sk2) 73 74 t.Run("same psk", func(t *testing.T) { 75 // ECDH-PSK(pk2, sk1, psk) 76 dk1, err := deriveSharedKeyFromRecipient(pk2, sk1, &psk) 77 assert.NoError(t, err) 78 assert.Equal(t, &[32]byte{ 79 0xa2, 0x1c, 0xe3, 0xca, 0x42, 0x75, 0x71, 0x95, 80 0x7, 0x9e, 0x96, 0x10, 0xa1, 0x7c, 0x83, 0x2, 81 0x44, 0xda, 0x91, 0xef, 0xc3, 0x56, 0xb5, 0x1e, 82 0x2d, 0x4b, 0x24, 0xde, 0x3f, 0x7c, 0x5b, 0x19, 83 }, dk1) 84 85 // ECDH-PSK(pk1, sk2, psk) 86 dk2, err := deriveSharedKeyFromRecipient(pk1, sk2, &psk) 87 assert.NoError(t, err) 88 89 // ECDH-PSK(pk1, sk2, psk) == ECDH(pk2, sk1, psk) 90 assert.Equal(t, dk1, dk2) 91 }) 92 93 t.Run("only seal psk", func(t *testing.T) { 94 // ECDH-PSK(pk2, sk1, psk) 95 dk1, err := deriveSharedKeyFromRecipient(pk2, sk1, &psk) 96 assert.NoError(t, err) 97 assert.Equal(t, &[32]byte{ 98 0xa2, 0x1c, 0xe3, 0xca, 0x42, 0x75, 0x71, 0x95, 99 0x7, 0x9e, 0x96, 0x10, 0xa1, 0x7c, 0x83, 0x2, 100 0x44, 0xda, 0x91, 0xef, 0xc3, 0x56, 0xb5, 0x1e, 101 0x2d, 0x4b, 0x24, 0xde, 0x3f, 0x7c, 0x5b, 0x19, 102 }, dk1) 103 104 // ECDH(pk1, sk2) 105 dk2, err := deriveSharedKeyFromRecipient(pk1, sk2, nil) 106 assert.NoError(t, err) 107 108 // ECDH(pk1, sk2, psk) != ECDH(pk2, sk1) 109 assert.NotEqual(t, dk1, dk2) 110 }) 111 112 t.Run("only unseal psk", func(t *testing.T) { 113 // ECDH(pk2, sk1) 114 dk1, err := deriveSharedKeyFromRecipient(pk2, sk1, nil) 115 assert.NoError(t, err) 116 117 // ECDH(pk1, sk2) 118 dk2, err := deriveSharedKeyFromRecipient(pk1, sk2, &psk) 119 assert.NoError(t, err) 120 assert.Equal(t, &[32]byte{ 121 0xa2, 0x1c, 0xe3, 0xca, 0x42, 0x75, 0x71, 0x95, 122 0x7, 0x9e, 0x96, 0x10, 0xa1, 0x7c, 0x83, 0x2, 123 0x44, 0xda, 0x91, 0xef, 0xc3, 0x56, 0xb5, 0x1e, 124 0x2d, 0x4b, 0x24, 0xde, 0x3f, 0x7c, 0x5b, 0x19, 125 }, dk2) 126 127 // ECDH(pk1, sk2, psk) != ECDH-PSK(pk2, sk1, psk) 128 assert.NotEqual(t, dk1, dk2) 129 }) 130 } 131 132 func Test_keyIdentifierFromDerivedKey(t *testing.T) { 133 dk := &[32]byte{ 134 0xd1, 0xc0, 0x22, 0x38, 0x31, 0x6d, 0x7d, 0x6b, 135 0x57, 0x88, 0x72, 0x3d, 0xc2, 0x82, 0xd7, 0xe2, 136 0xfa, 0x6, 0x43, 0xb0, 0x98, 0x6f, 0x8, 0xe6, 137 0x28, 0xb0, 0x86, 0x73, 0x15, 0x2e, 0x6e, 0x5, 138 } 139 140 id, err := keyIdentifierFromDerivedKey(dk, nil) 141 assert.NoError(t, err) 142 assert.Equal(t, []byte{ 143 0xdd, 0x3e, 0x93, 0x8a, 0x57, 0x74, 0xbd, 0xf5, 144 0xed, 0xe, 0x9a, 0xae, 0x86, 0xd5, 0xd6, 0xf7, 145 0xfc, 0xbb, 0x3d, 0xe0, 0x54, 0xa8, 0x18, 0x38, 146 0x5e, 0xea, 0xa6, 0x46, 0xa9, 0xb0, 0xc8, 0x57, 147 }, id) 148 } 149 150 func Test_keyIdentifierFromDerivedKey_WithPSK(t *testing.T) { 151 var psk [preSharedKeySize]byte 152 memguard.WipeBytes(psk[:]) // Ensure zeroed psk 153 154 dk := &[32]byte{ 155 0xd1, 0xc0, 0x22, 0x38, 0x31, 0x6d, 0x7d, 0x6b, 156 0x57, 0x88, 0x72, 0x3d, 0xc2, 0x82, 0xd7, 0xe2, 157 0xfa, 0x6, 0x43, 0xb0, 0x98, 0x6f, 0x8, 0xe6, 158 0x28, 0xb0, 0x86, 0x73, 0x15, 0x2e, 0x6e, 0x5, 159 } 160 161 id, err := keyIdentifierFromDerivedKey(dk, &psk) 162 assert.NoError(t, err) 163 assert.Equal(t, []byte{ 164 0xa8, 0xc3, 0x54, 0x67, 0xe0, 0x1e, 0x55, 0x8b, 165 0xfc, 0xd8, 0x34, 0xe0, 0x19, 0x3e, 0x3f, 0xae, 166 0x9a, 0xd0, 0xcf, 0xb6, 0x50, 0xd9, 0x71, 0x36, 167 0x4c, 0x48, 0xb5, 0x9e, 0xeb, 0xe3, 0x46, 0xf7, 168 }, id) 169 } 170 171 func Test_packRecipient(t *testing.T) { 172 payloadKey := &[32]byte{} 173 174 pk1, sk1, err := box.GenerateKey(bytes.NewReader([]byte("00001-deterministic-buffer-for-tests-26FBE7DED9E992BC36C06C988C1AC8A1E672B4B5959EF60672A983EFA7C8EE0F"))) 175 assert.NoError(t, err) 176 assert.NotNil(t, pk1) 177 assert.NotNil(t, sk1) 178 179 pk2, sk2, err := box.GenerateKey(bytes.NewReader([]byte("00002-deterministic-buffer-for-tests-37ACB0DD3A3CE5A0960CCE0F6A0D7E663DFFD221FBE8EEB03B20D3AD91BCDD55"))) 180 assert.NoError(t, err) 181 assert.NotNil(t, pk2) 182 assert.NotNil(t, sk2) 183 184 recipient, err := packRecipient(bytes.NewReader([]byte("00003-deterministic-buffer-for-tests")), payloadKey, sk1, pk2, nil) 185 assert.NoError(t, err) 186 assert.NotNil(t, recipient) 187 assert.Equal(t, []byte{ 188 0xdd, 0x3e, 0x93, 0x8a, 0x57, 0x74, 0xbd, 0xf5, 189 0xed, 0xe, 0x9a, 0xae, 0x86, 0xd5, 0xd6, 0xf7, 190 0xfc, 0xbb, 0x3d, 0xe0, 0x54, 0xa8, 0x18, 0x38, 191 0x5e, 0xea, 0xa6, 0x46, 0xa9, 0xb0, 0xc8, 0x57, 192 }, recipient.Identifier) 193 assert.Equal(t, []byte{ 194 0x30, 0x30, 0x30, 0x30, 0x33, 0x2d, 0x64, 0x65, 195 0x74, 0x65, 0x72, 0x6d, 0x69, 0x6e, 0x69, 0x73, 196 0x74, 0x69, 0x63, 0x2d, 0x62, 0x75, 0x66, 0x66, 197 0xc7, 0xc3, 0x15, 0x7a, 0x5b, 0x1b, 0x47, 0x31, 198 0x5b, 0xb7, 0xb4, 0x4d, 0xe5, 0x92, 0x32, 0xd6, 199 0xbf, 0xe7, 0x52, 0x9a, 0xff, 0x84, 0xb7, 0xaf, 200 0x5f, 0x7, 0x47, 0xca, 0x57, 0x8f, 0x4e, 0x3c, 201 0x28, 0x3a, 0x66, 0xa0, 0x4b, 0xec, 0x12, 0x23, 202 0x7e, 0xa4, 0x37, 0x47, 0xf5, 0x53, 0x2a, 0xbb, 203 }, recipient.Key) 204 } 205 206 func Test_packRecipient_WithPSK(t *testing.T) { 207 var psk [preSharedKeySize]byte 208 memguard.WipeBytes(psk[:]) // Ensure zeroed psk 209 210 payloadKey := &[32]byte{} 211 212 pk1, sk1, err := box.GenerateKey(bytes.NewReader([]byte("00001-deterministic-buffer-for-tests-26FBE7DED9E992BC36C06C988C1AC8A1E672B4B5959EF60672A983EFA7C8EE0F"))) 213 assert.NoError(t, err) 214 assert.NotNil(t, pk1) 215 assert.NotNil(t, sk1) 216 217 pk2, sk2, err := box.GenerateKey(bytes.NewReader([]byte("00002-deterministic-buffer-for-tests-37ACB0DD3A3CE5A0960CCE0F6A0D7E663DFFD221FBE8EEB03B20D3AD91BCDD55"))) 218 assert.NoError(t, err) 219 assert.NotNil(t, pk2) 220 assert.NotNil(t, sk2) 221 222 recipient, err := packRecipient(bytes.NewReader([]byte("00003-deterministic-buffer-for-tests")), payloadKey, sk1, pk2, &psk) 223 assert.NoError(t, err) 224 assert.NotNil(t, recipient) 225 assert.Equal(t, []byte{ 226 0x67, 0xbc, 0xce, 0x91, 0x97, 0xb1, 0xf9, 0xa, 227 0xc1, 0xdc, 0x86, 0x9a, 0xc3, 0xac, 0xf7, 0xe2, 228 0x68, 0xeb, 0x5a, 0xec, 0x2f, 0xe9, 0x69, 0x33, 229 0x28, 0xdf, 0xcd, 0xea, 0x80, 0xc4, 0xad, 0x5e, 230 }, recipient.Identifier) 231 assert.Equal(t, []byte{ 232 0x30, 0x30, 0x30, 0x30, 0x33, 0x2d, 0x64, 0x65, 233 0x74, 0x65, 0x72, 0x6d, 0x69, 0x6e, 0x69, 0x73, 234 0x74, 0x69, 0x63, 0x2d, 0x62, 0x75, 0x66, 0x66, 235 0x63, 0xc1, 0x70, 0x34, 0x3c, 0xde, 0xfd, 0xff, 236 0x27, 0x68, 0x14, 0xbf, 0x1f, 0xa, 0x1d, 0x95, 237 0x75, 0x90, 0xa8, 0xfd, 0x8e, 0x54, 0x51, 0xce, 238 0xbc, 0xe6, 0x12, 0x11, 0xa3, 0x25, 0xba, 0xf2, 239 0xdb, 0x25, 0xd3, 0x4f, 0x69, 0xdc, 0x11, 0xbe, 240 0xb9, 0x47, 0x57, 0xf5, 0x5f, 0x5b, 0x6a, 0x2b, 241 }, recipient.Key) 242 } 243 244 func Test_tryRecipientKeys(t *testing.T) { 245 payloadKey := &[32]byte{} 246 247 pk1, sk1, err := box.GenerateKey(bytes.NewReader([]byte("00001-deterministic-buffer-for-tests-26FBE7DED9E992BC36C06C988C1AC8A1E672B4B5959EF60672A983EFA7C8EE0F"))) 248 assert.NoError(t, err) 249 assert.NotNil(t, pk1) 250 assert.NotNil(t, sk1) 251 252 pk2, sk2, err := box.GenerateKey(bytes.NewReader([]byte("00002-deterministic-buffer-for-tests-37ACB0DD3A3CE5A0960CCE0F6A0D7E663DFFD221FBE8EEB03B20D3AD91BCDD55"))) 253 assert.NoError(t, err) 254 assert.NotNil(t, pk2) 255 assert.NotNil(t, sk2) 256 257 recipient, err := packRecipient(bytes.NewReader([]byte("00003-deterministic-buffer-for-tests")), payloadKey, sk1, pk2, nil) 258 assert.NoError(t, err) 259 assert.NotNil(t, recipient) 260 assert.Equal(t, []byte{ 261 0xdd, 0x3e, 0x93, 0x8a, 0x57, 0x74, 0xbd, 0xf5, 262 0xed, 0xe, 0x9a, 0xae, 0x86, 0xd5, 0xd6, 0xf7, 263 0xfc, 0xbb, 0x3d, 0xe0, 0x54, 0xa8, 0x18, 0x38, 264 0x5e, 0xea, 0xa6, 0x46, 0xa9, 0xb0, 0xc8, 0x57, 265 }, recipient.Identifier) 266 assert.Equal(t, []byte{ 267 0x30, 0x30, 0x30, 0x30, 0x33, 0x2d, 0x64, 0x65, 268 0x74, 0x65, 0x72, 0x6d, 0x69, 0x6e, 0x69, 0x73, 269 0x74, 0x69, 0x63, 0x2d, 0x62, 0x75, 0x66, 0x66, 270 0xc7, 0xc3, 0x15, 0x7a, 0x5b, 0x1b, 0x47, 0x31, 271 0x5b, 0xb7, 0xb4, 0x4d, 0xe5, 0x92, 0x32, 0xd6, 272 0xbf, 0xe7, 0x52, 0x9a, 0xff, 0x84, 0xb7, 0xaf, 273 0x5f, 0x7, 0x47, 0xca, 0x57, 0x8f, 0x4e, 0x3c, 274 0x28, 0x3a, 0x66, 0xa0, 0x4b, 0xec, 0x12, 0x23, 275 0x7e, 0xa4, 0x37, 0x47, 0xf5, 0x53, 0x2a, 0xbb, 276 }, recipient.Key) 277 278 // ------------------------------------------------------------------------- 279 // ECDH(pk2, sk1) 280 dk, err := deriveSharedKeyFromRecipient(pk2, sk1, nil) 281 assert.NoError(t, err) 282 assert.Equal(t, &[32]byte{ 283 0xd1, 0xc0, 0x22, 0x38, 0x31, 0x6d, 0x7d, 0x6b, 284 0x57, 0x88, 0x72, 0x3d, 0xc2, 0x82, 0xd7, 0xe2, 285 0xfa, 0x6, 0x43, 0xb0, 0x98, 0x6f, 0x8, 0xe6, 286 0x28, 0xb0, 0x86, 0x73, 0x15, 0x2e, 0x6e, 0x5, 287 }, dk) 288 289 expectedID := []byte{ 290 0xdd, 0x3e, 0x93, 0x8a, 0x57, 0x74, 0xbd, 0xf5, 291 0xed, 0xe, 0x9a, 0xae, 0x86, 0xd5, 0xd6, 0xf7, 292 0xfc, 0xbb, 0x3d, 0xe0, 0x54, 0xa8, 0x18, 0x38, 293 0x5e, 0xea, 0xa6, 0x46, 0xa9, 0xb0, 0xc8, 0x57, 294 } 295 id, err := keyIdentifierFromDerivedKey(dk, nil) 296 assert.NoError(t, err) 297 assert.Equal(t, expectedID, id) 298 assert.Equal(t, expectedID, recipient.Identifier) 299 300 decodedPayloadKey, err := tryRecipientKeys(dk, []*containerv1.Recipient{ 301 recipient, 302 }, nil) 303 assert.NoError(t, err) 304 assert.Equal(t, payloadKey[:], decodedPayloadKey) 305 } 306 307 func Test_tryRecipientKeys_WithPSK(t *testing.T) { 308 var psk [preSharedKeySize]byte 309 memguard.WipeBytes(psk[:]) // Ensure zeroed psk 310 311 payloadKey := &[32]byte{} 312 313 pk1, sk1, err := box.GenerateKey(bytes.NewReader([]byte("00001-deterministic-buffer-for-tests-26FBE7DED9E992BC36C06C988C1AC8A1E672B4B5959EF60672A983EFA7C8EE0F"))) 314 assert.NoError(t, err) 315 assert.NotNil(t, pk1) 316 assert.NotNil(t, sk1) 317 318 pk2, sk2, err := box.GenerateKey(bytes.NewReader([]byte("00002-deterministic-buffer-for-tests-37ACB0DD3A3CE5A0960CCE0F6A0D7E663DFFD221FBE8EEB03B20D3AD91BCDD55"))) 319 assert.NoError(t, err) 320 assert.NotNil(t, pk2) 321 assert.NotNil(t, sk2) 322 323 recipient, err := packRecipient(bytes.NewReader([]byte("00003-deterministic-buffer-for-tests")), payloadKey, sk1, pk2, &psk) 324 assert.NoError(t, err) 325 assert.NotNil(t, recipient) 326 assert.Equal(t, []byte{ 327 0x67, 0xbc, 0xce, 0x91, 0x97, 0xb1, 0xf9, 0xa, 328 0xc1, 0xdc, 0x86, 0x9a, 0xc3, 0xac, 0xf7, 0xe2, 329 0x68, 0xeb, 0x5a, 0xec, 0x2f, 0xe9, 0x69, 0x33, 330 0x28, 0xdf, 0xcd, 0xea, 0x80, 0xc4, 0xad, 0x5e, 331 }, recipient.Identifier) 332 assert.Equal(t, []byte{ 333 0x30, 0x30, 0x30, 0x30, 0x33, 0x2d, 0x64, 0x65, 334 0x74, 0x65, 0x72, 0x6d, 0x69, 0x6e, 0x69, 0x73, 335 0x74, 0x69, 0x63, 0x2d, 0x62, 0x75, 0x66, 0x66, 336 0x63, 0xc1, 0x70, 0x34, 0x3c, 0xde, 0xfd, 0xff, 337 0x27, 0x68, 0x14, 0xbf, 0x1f, 0xa, 0x1d, 0x95, 338 0x75, 0x90, 0xa8, 0xfd, 0x8e, 0x54, 0x51, 0xce, 339 0xbc, 0xe6, 0x12, 0x11, 0xa3, 0x25, 0xba, 0xf2, 340 0xdb, 0x25, 0xd3, 0x4f, 0x69, 0xdc, 0x11, 0xbe, 341 0xb9, 0x47, 0x57, 0xf5, 0x5f, 0x5b, 0x6a, 0x2b, 342 }, recipient.Key) 343 344 // ------------------------------------------------------------------------- 345 // ECDH-PSK(pk2, sk1, psk) 346 dk, err := deriveSharedKeyFromRecipient(pk2, sk1, &psk) 347 assert.NoError(t, err) 348 assert.Equal(t, &[32]byte{ 349 0xa2, 0x1c, 0xe3, 0xca, 0x42, 0x75, 0x71, 0x95, 350 0x7, 0x9e, 0x96, 0x10, 0xa1, 0x7c, 0x83, 0x2, 351 0x44, 0xda, 0x91, 0xef, 0xc3, 0x56, 0xb5, 0x1e, 352 0x2d, 0x4b, 0x24, 0xde, 0x3f, 0x7c, 0x5b, 0x19, 353 }, dk) 354 355 expectedID := []byte{ 356 0x67, 0xbc, 0xce, 0x91, 0x97, 0xb1, 0xf9, 0xa, 357 0xc1, 0xdc, 0x86, 0x9a, 0xc3, 0xac, 0xf7, 0xe2, 358 0x68, 0xeb, 0x5a, 0xec, 0x2f, 0xe9, 0x69, 0x33, 359 0x28, 0xdf, 0xcd, 0xea, 0x80, 0xc4, 0xad, 0x5e, 360 } 361 id, err := keyIdentifierFromDerivedKey(dk, &psk) 362 assert.NoError(t, err) 363 assert.Equal(t, expectedID, id) 364 assert.Equal(t, expectedID, recipient.Identifier) 365 366 decodedPayloadKey, err := tryRecipientKeys(dk, []*containerv1.Recipient{ 367 recipient, 368 }, &psk) 369 assert.NoError(t, err) 370 assert.Equal(t, payloadKey[:], decodedPayloadKey) 371 }