github.com/zntrio/harp/v2@v2.0.9/pkg/container/seal/v2/helpers_test.go (about) 1 // Licensed to Elasticsearch B.V. under one or more contributor 2 // license agreements. See the NOTICE file distributed with 3 // this work for additional information regarding copyright 4 // ownership. Elasticsearch B.V. licenses this file to you under 5 // the Apache License, Version 2.0 (the "License"); you may 6 // not use this file except in compliance with the License. 7 // You may obtain a copy of the License at 8 // 9 // http://www.apache.org/licenses/LICENSE-2.0 10 // 11 // Unless required by applicable law or agreed to in writing, 12 // software distributed under the License is distributed on an 13 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 14 // KIND, either express or implied. See the License for the 15 // specific language governing permissions and limitations 16 // under the License. 17 18 package v2 19 20 import ( 21 "bytes" 22 "crypto/elliptic" 23 "crypto/rand" 24 "reflect" 25 "testing" 26 27 "github.com/awnumar/memguard" 28 "github.com/stretchr/testify/assert" 29 30 containerv1 "github.com/zntrio/harp/v2/api/gen/go/harp/container/v1" 31 "github.com/zntrio/harp/v2/pkg/sdk/security/crypto/deterministicecdsa" 32 ) 33 34 func Test_deriveSharedKeyFromRecipient(t *testing.T) { 35 key1, err := deterministicecdsa.GenerateKey(elliptic.P384(), bytes.NewReader([]byte("00001-deterministic-buffer-for-tests-26FBE7DED9E992BC36C06C988C1AC8A1E672B4B5959EF60672A983EFA7C8EE0F"))) 36 assert.NoError(t, err) 37 assert.NotNil(t, key1) 38 39 key2, err := deterministicecdsa.GenerateKey(elliptic.P384(), bytes.NewReader([]byte("00002-deterministic-buffer-for-tests-37ACB0DD3A3CE5A0960CCE0F6A0D7E663DFFD221FBE8EEB03B20D3AD91BCDD55"))) 40 assert.NoError(t, err) 41 assert.NotNil(t, key2) 42 43 dk1, err := deriveSharedKeyFromRecipient(&key1.PublicKey, key2, nil) 44 assert.NoError(t, err) 45 assert.Equal(t, &[32]byte{ 46 0xfa, 0x88, 0x52, 0x30, 0x55, 0xe8, 0xd6, 0x8a, 47 0xa8, 0x11, 0xa9, 0xf7, 0x92, 0x79, 0x2a, 0xe6, 48 0x10, 0x12, 0xbd, 0x9d, 0xee, 0x98, 0x54, 0x9e, 49 0x50, 0x25, 0xb3, 0xaa, 0x79, 0x77, 0xce, 0xd3, 50 }, dk1) 51 52 dk2, err := deriveSharedKeyFromRecipient(&key2.PublicKey, key1, nil) 53 assert.NoError(t, err) 54 assert.Equal(t, dk1, dk2) 55 } 56 57 func Test_deriveSharedKeyFromRecipient_WithPSK(t *testing.T) { 58 var psk [preSharedKeySize]byte 59 memguard.WipeBytes(psk[:]) // Ensure zeroed psk 60 61 key1, err := deterministicecdsa.GenerateKey(elliptic.P384(), bytes.NewReader([]byte("00001-deterministic-buffer-for-tests-26FBE7DED9E992BC36C06C988C1AC8A1E672B4B5959EF60672A983EFA7C8EE0F"))) 62 assert.NoError(t, err) 63 assert.NotNil(t, key1) 64 65 key2, err := deterministicecdsa.GenerateKey(elliptic.P384(), bytes.NewReader([]byte("00002-deterministic-buffer-for-tests-37ACB0DD3A3CE5A0960CCE0F6A0D7E663DFFD221FBE8EEB03B20D3AD91BCDD55"))) 66 assert.NoError(t, err) 67 assert.NotNil(t, key2) 68 69 dk1, err := deriveSharedKeyFromRecipient(&key1.PublicKey, key2, &psk) 70 assert.NoError(t, err) 71 assert.Equal(t, &[32]byte{ 72 0x95, 0xd9, 0xca, 0xce, 0x6d, 0x6c, 0x83, 0x93, 73 0xa0, 0x4d, 0x84, 0xe5, 0x36, 0x81, 0x62, 0xc3, 74 0xa5, 0x86, 0x72, 0xba, 0xe1, 0xac, 0x2f, 0x6a, 75 0xa2, 0xae, 0x50, 0x3, 0xe3, 0xd1, 0xb5, 0x1a, 76 }, dk1) 77 78 dk2, err := deriveSharedKeyFromRecipient(&key2.PublicKey, key1, &psk) 79 assert.NoError(t, err) 80 assert.Equal(t, dk1, dk2) 81 } 82 83 func Test_keyIdentifierFromDerivedKey(t *testing.T) { 84 dk := &[32]byte{ 85 0x9f, 0x6c, 0xb8, 0x33, 0xf4, 0x7a, 0x4, 0xb2, 86 0xba, 0x65, 0x30, 0xf2, 0xc, 0x7c, 0xb1, 0x30, 87 0x22, 0xa0, 0x6a, 0x15, 0x57, 0x73, 0xc1, 0xa9, 88 0xc7, 0x21, 0x48, 0xdd, 0x3c, 0xc8, 0x36, 0xc7, 89 } 90 91 id, err := keyIdentifierFromDerivedKey(dk, nil) 92 assert.NoError(t, err) 93 assert.Equal(t, []byte{ 94 0xe0, 0xe9, 0xd5, 0xc5, 0x7a, 0x9e, 0x1c, 0x3, 95 0x9d, 0x4b, 0xc0, 0x21, 0x6e, 0x72, 0x1a, 0xda, 96 0xac, 0xd0, 0x57, 0xb8, 0x21, 0x16, 0x48, 0xac, 97 0x46, 0x7c, 0x64, 0xf9, 0x4d, 0xe5, 0x86, 0x23, 98 }, id) 99 } 100 101 func Test_keyIdentifierFromDerivedKey_WithPSK(t *testing.T) { 102 var psk [preSharedKeySize]byte 103 memguard.WipeBytes(psk[:]) // Ensure zeroed psk 104 105 dk := &[32]byte{ 106 0x9f, 0x6c, 0xb8, 0x33, 0xf4, 0x7a, 0x4, 0xb2, 107 0xba, 0x65, 0x30, 0xf2, 0xc, 0x7c, 0xb1, 0x30, 108 0x22, 0xa0, 0x6a, 0x15, 0x57, 0x73, 0xc1, 0xa9, 109 0xc7, 0x21, 0x48, 0xdd, 0x3c, 0xc8, 0x36, 0xc7, 110 } 111 112 id, err := keyIdentifierFromDerivedKey(dk, &psk) 113 assert.NoError(t, err) 114 assert.Equal(t, []byte{ 115 0x70, 0x5e, 0xe6, 0x3e, 0x5f, 0xf7, 0x78, 0x22, 116 0xda, 0x79, 0x1c, 0xd6, 0x92, 0x53, 0xd8, 0x66, 117 0xbb, 0xb, 0xcf, 0xf1, 0x86, 0x7b, 0x9e, 0x9b, 118 0x7b, 0x1d, 0x9f, 0xaf, 0x65, 0x6d, 0xa5, 0x7f, 119 }, id) 120 } 121 122 func Test_packRecipient(t *testing.T) { 123 payloadKey := &[32]byte{} 124 125 key1, err := deterministicecdsa.GenerateKey(elliptic.P384(), bytes.NewReader([]byte("00001-deterministic-buffer-for-tests-26FBE7DED9E992BC36C06C988C1AC8A1E672B4B5959EF60672A983EFA7C8EE0F"))) 126 assert.NoError(t, err) 127 assert.NotNil(t, key1) 128 129 key2, err := deterministicecdsa.GenerateKey(elliptic.P384(), bytes.NewReader([]byte("00002-deterministic-buffer-for-tests-37ACB0DD3A3CE5A0960CCE0F6A0D7E663DFFD221FBE8EEB03B20D3AD91BCDD55"))) 130 assert.NoError(t, err) 131 assert.NotNil(t, key2) 132 133 recipient, err := packRecipient(rand.Reader, payloadKey, key1, &key2.PublicKey, nil) 134 assert.NoError(t, err) 135 assert.NotNil(t, recipient) 136 assert.Equal(t, []byte{ 137 0xaa, 0xc5, 0x2b, 0x2e, 0xdf, 0x44, 0x9e, 0x87, 138 0xc3, 0xc9, 0x9a, 0x98, 0xb1, 0xad, 0x7a, 0xcd, 139 0x70, 0xe9, 0xa1, 0x56, 0xf6, 0xd5, 0x87, 0xb8, 140 0x25, 0x94, 0x18, 0x3f, 0xf7, 0x8e, 0xdc, 0x46, 141 }, recipient.Identifier) 142 assert.Equal(t, seedSize+encryptionKeySize+macSize, len(recipient.Key)) 143 } 144 145 func Test_packRecipient_WithPSK(t *testing.T) { 146 var psk [preSharedKeySize]byte 147 memguard.WipeBytes(psk[:]) // Ensure zeroed psk 148 149 payloadKey := &[32]byte{} 150 151 key1, err := deterministicecdsa.GenerateKey(elliptic.P384(), bytes.NewReader([]byte("00001-deterministic-buffer-for-tests-26FBE7DED9E992BC36C06C988C1AC8A1E672B4B5959EF60672A983EFA7C8EE0F"))) 152 assert.NoError(t, err) 153 assert.NotNil(t, key1) 154 155 key2, err := deterministicecdsa.GenerateKey(elliptic.P384(), bytes.NewReader([]byte("00002-deterministic-buffer-for-tests-37ACB0DD3A3CE5A0960CCE0F6A0D7E663DFFD221FBE8EEB03B20D3AD91BCDD55"))) 156 assert.NoError(t, err) 157 assert.NotNil(t, key2) 158 159 recipient, err := packRecipient(rand.Reader, payloadKey, key1, &key2.PublicKey, &psk) 160 assert.NoError(t, err) 161 assert.NotNil(t, recipient) 162 assert.Equal(t, []byte{ 163 0xe0, 0x83, 0xf2, 0x13, 0xea, 0x5f, 0x48, 0x2b, 164 0xa1, 0x4e, 0x77, 0x55, 0xa9, 0x5b, 0x58, 0xdc, 165 0x2c, 0xb3, 0x11, 0xcb, 0xbc, 0xf8, 0xfd, 0x2c, 166 0xca, 0xb7, 0x9, 0x41, 0xc9, 0x28, 0xb1, 0x29, 167 }, recipient.Identifier) 168 assert.Equal(t, seedSize+encryptionKeySize+macSize, len(recipient.Key)) 169 } 170 171 func Test_tryRecipientKeys(t *testing.T) { 172 payloadKey := &[32]byte{} 173 174 key1, err := deterministicecdsa.GenerateKey(elliptic.P384(), bytes.NewReader([]byte("00001-deterministic-buffer-for-tests-26FBE7DED9E992BC36C06C988C1AC8A1E672B4B5959EF60672A983EFA7C8EE0F"))) 175 assert.NoError(t, err) 176 assert.NotNil(t, key1) 177 178 key2, err := deterministicecdsa.GenerateKey(elliptic.P384(), bytes.NewReader([]byte("00002-deterministic-buffer-for-tests-37ACB0DD3A3CE5A0960CCE0F6A0D7E663DFFD221FBE8EEB03B20D3AD91BCDD55"))) 179 assert.NoError(t, err) 180 assert.NotNil(t, key2) 181 182 recipient, err := packRecipient(rand.Reader, payloadKey, key1, &key2.PublicKey, nil) 183 assert.NoError(t, err) 184 assert.NotNil(t, recipient) 185 assert.Equal(t, []byte{ 186 0xaa, 0xc5, 0x2b, 0x2e, 0xdf, 0x44, 0x9e, 0x87, 187 0xc3, 0xc9, 0x9a, 0x98, 0xb1, 0xad, 0x7a, 0xcd, 188 0x70, 0xe9, 0xa1, 0x56, 0xf6, 0xd5, 0x87, 0xb8, 189 0x25, 0x94, 0x18, 0x3f, 0xf7, 0x8e, 0xdc, 0x46, 190 }, recipient.Identifier) 191 assert.Equal(t, seedSize+encryptionKeySize+macSize, len(recipient.Key)) 192 193 // ------------------------------------------------------------------------- 194 dk, err := deriveSharedKeyFromRecipient(&key1.PublicKey, key2, nil) 195 assert.NoError(t, err) 196 assert.Equal(t, &[32]byte{ 197 0xfa, 0x88, 0x52, 0x30, 0x55, 0xe8, 0xd6, 0x8a, 198 0xa8, 0x11, 0xa9, 0xf7, 0x92, 0x79, 0x2a, 0xe6, 199 0x10, 0x12, 0xbd, 0x9d, 0xee, 0x98, 0x54, 0x9e, 200 0x50, 0x25, 0xb3, 0xaa, 0x79, 0x77, 0xce, 0xd3, 201 }, dk) 202 203 expectedID := []byte{ 204 0xaa, 0xc5, 0x2b, 0x2e, 0xdf, 0x44, 0x9e, 0x87, 205 0xc3, 0xc9, 0x9a, 0x98, 0xb1, 0xad, 0x7a, 0xcd, 206 0x70, 0xe9, 0xa1, 0x56, 0xf6, 0xd5, 0x87, 0xb8, 207 0x25, 0x94, 0x18, 0x3f, 0xf7, 0x8e, 0xdc, 0x46, 208 } 209 id, err := keyIdentifierFromDerivedKey(dk, nil) 210 assert.NoError(t, err) 211 assert.Equal(t, expectedID, id) 212 assert.Equal(t, expectedID, recipient.Identifier) 213 214 decodedPayloadKey, err := tryRecipientKeys(dk, []*containerv1.Recipient{ 215 recipient, 216 }, nil) 217 assert.NoError(t, err) 218 assert.Equal(t, payloadKey, decodedPayloadKey) 219 } 220 221 func Test_tryRecipientKeys_WithPSK(t *testing.T) { 222 var psk [preSharedKeySize]byte 223 memguard.WipeBytes(psk[:]) // Ensure zeroed psk 224 225 payloadKey := &[32]byte{} 226 227 key1, err := deterministicecdsa.GenerateKey(elliptic.P384(), bytes.NewReader([]byte("00001-deterministic-buffer-for-tests-26FBE7DED9E992BC36C06C988C1AC8A1E672B4B5959EF60672A983EFA7C8EE0F"))) 228 assert.NoError(t, err) 229 assert.NotNil(t, key1) 230 231 key2, err := deterministicecdsa.GenerateKey(elliptic.P384(), bytes.NewReader([]byte("00002-deterministic-buffer-for-tests-37ACB0DD3A3CE5A0960CCE0F6A0D7E663DFFD221FBE8EEB03B20D3AD91BCDD55"))) 232 assert.NoError(t, err) 233 assert.NotNil(t, key2) 234 235 recipient, err := packRecipient(rand.Reader, payloadKey, key1, &key2.PublicKey, &psk) 236 assert.NoError(t, err) 237 assert.NotNil(t, recipient) 238 assert.Equal(t, []byte{ 239 0xe0, 0x83, 0xf2, 0x13, 0xea, 0x5f, 0x48, 0x2b, 240 0xa1, 0x4e, 0x77, 0x55, 0xa9, 0x5b, 0x58, 0xdc, 241 0x2c, 0xb3, 0x11, 0xcb, 0xbc, 0xf8, 0xfd, 0x2c, 242 0xca, 0xb7, 0x9, 0x41, 0xc9, 0x28, 0xb1, 0x29, 243 }, recipient.Identifier) 244 assert.Equal(t, seedSize+encryptionKeySize+macSize, len(recipient.Key)) 245 246 // ------------------------------------------------------------------------- 247 dk, err := deriveSharedKeyFromRecipient(&key1.PublicKey, key2, &psk) 248 assert.NoError(t, err) 249 assert.Equal(t, &[32]byte{ 250 0x95, 0xd9, 0xca, 0xce, 0x6d, 0x6c, 0x83, 0x93, 251 0xa0, 0x4d, 0x84, 0xe5, 0x36, 0x81, 0x62, 0xc3, 252 0xa5, 0x86, 0x72, 0xba, 0xe1, 0xac, 0x2f, 0x6a, 253 0xa2, 0xae, 0x50, 0x3, 0xe3, 0xd1, 0xb5, 0x1a, 254 }, dk) 255 256 expectedID := []byte{ 257 0xe0, 0x83, 0xf2, 0x13, 0xea, 0x5f, 0x48, 0x2b, 258 0xa1, 0x4e, 0x77, 0x55, 0xa9, 0x5b, 0x58, 0xdc, 259 0x2c, 0xb3, 0x11, 0xcb, 0xbc, 0xf8, 0xfd, 0x2c, 260 0xca, 0xb7, 0x9, 0x41, 0xc9, 0x28, 0xb1, 0x29, 261 } 262 id, err := keyIdentifierFromDerivedKey(dk, &psk) 263 assert.NoError(t, err) 264 assert.Equal(t, expectedID, id) 265 assert.Equal(t, expectedID, recipient.Identifier) 266 267 decodedPayloadKey, err := tryRecipientKeys(dk, []*containerv1.Recipient{ 268 recipient, 269 }, &psk) 270 assert.NoError(t, err) 271 assert.Equal(t, payloadKey, decodedPayloadKey) 272 } 273 274 func TestPreAuthenticationEncoding(t *testing.T) { 275 type args struct { 276 pieces [][]byte 277 } 278 tests := []struct { 279 name string 280 args args 281 want []byte 282 wantErr bool 283 }{ 284 { 285 name: "empty", 286 args: args{ 287 pieces: nil, 288 }, 289 wantErr: false, 290 want: []byte{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, 291 }, 292 { 293 name: "one", 294 args: args{ 295 pieces: [][]byte{ 296 []byte("test"), 297 }, 298 }, 299 wantErr: false, 300 want: []byte{ 301 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // Count 302 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // Length 303 't', 'e', 's', 't', 304 }, 305 }, 306 } 307 for _, tt := range tests { 308 t.Run(tt.name, func(t *testing.T) { 309 got, err := pae(tt.args.pieces...) 310 if (err != nil) != tt.wantErr { 311 t.Errorf("pae() error = %v, wantErr %v", err, tt.wantErr) 312 return 313 } 314 if !reflect.DeepEqual(got, tt.want) { 315 t.Errorf("pae() = %v, want %v", got, tt.want) 316 } 317 }) 318 } 319 }