-
Notifications
You must be signed in to change notification settings - Fork 46
/
Copy pathcrypt_test.go
135 lines (106 loc) · 3.53 KB
/
crypt_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
package encryption_test
import (
"bytes"
"crypto/des"
"crypto/rand"
"io"
"code.cloudfoundry.org/bbs/encryption"
"code.cloudfoundry.org/bbs/encryption/encryptionfakes"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
)
var _ = Describe("Crypt", func() {
var cryptor encryption.Cryptor
var keyManager encryption.KeyManager
var prng io.Reader
BeforeEach(func() {
key, err := encryption.NewKey("label", "pass phrase")
Expect(err).NotTo(HaveOccurred())
keyManager, err = encryption.NewKeyManager(key, nil)
Expect(err).NotTo(HaveOccurred())
prng = rand.Reader
})
JustBeforeEach(func() {
cryptor = encryption.NewCryptor(keyManager, prng)
})
It("successfully encrypts and decrypts with a key", func() {
input := []byte("some plaintext data")
encrypted, err := cryptor.Encrypt(input)
Expect(err).NotTo(HaveOccurred())
Expect(encrypted.CipherText).NotTo(HaveLen(0))
Expect(encrypted.CipherText).NotTo(Equal(input))
plaintext, err := cryptor.Decrypt(encrypted)
Expect(err).NotTo(HaveOccurred())
Expect(plaintext).NotTo(HaveLen(0))
Expect(plaintext).To(Equal(input))
})
It("has the expected nonce length", func() {
input := []byte("some plaintext data")
encrypted, err := cryptor.Encrypt(input)
Expect(err).NotTo(HaveOccurred())
Expect(encrypted.Nonce).To(HaveLen(encryption.NonceSize))
})
Context("when the nonce is incorrect", func() {
It("fails to decrypt", func() {
input := []byte("some plaintext data")
encrypted, err := cryptor.Encrypt(input)
Expect(err).NotTo(HaveOccurred())
Expect(encrypted.CipherText).NotTo(HaveLen(0))
Expect(encrypted.CipherText).NotTo(Equal(input))
encrypted.Nonce = []byte("123456789012")
_, err = cryptor.Decrypt(encrypted)
Expect(err).To(HaveOccurred())
Expect(err).To(MatchError("cipher: message authentication failed"))
})
})
Context("when the key is not found", func() {
It("fails to decrypt", func() {
encrypted := encryption.Encrypted{
KeyLabel: "doesnt-exist",
Nonce: []byte("123456789012"),
}
_, err := cryptor.Decrypt(encrypted)
Expect(err).To(HaveOccurred())
Expect(err).To(MatchError(`Key with label "doesnt-exist" was not found`))
})
})
Context("when the ciphertext is modified", func() {
It("fails to decrypt", func() {
input := []byte("some plaintext data")
encrypted, err := cryptor.Encrypt(input)
Expect(err).NotTo(HaveOccurred())
Expect(encrypted.CipherText).NotTo(HaveLen(0))
Expect(encrypted.CipherText).NotTo(Equal(input))
encrypted.CipherText[0] ^= 1
_, err = cryptor.Decrypt(encrypted)
Expect(err).To(HaveOccurred())
Expect(err).To(MatchError("cipher: message authentication failed"))
})
})
Context("when the random number generator fails", func() {
BeforeEach(func() {
prng = bytes.NewBuffer([]byte{})
})
It("fails to encrypt", func() {
input := []byte("some plaintext data")
_, err := cryptor.Encrypt(input)
Expect(err).To(MatchError(`Unable to generate random nonce: "EOF"`))
})
})
Context("when the encryption key is invalid", func() {
var key *encryptionfakes.FakeKey
BeforeEach(func() {
desCipher, err := des.NewCipher([]byte("12345678"))
Expect(err).NotTo(HaveOccurred())
key = &encryptionfakes.FakeKey{}
key.BlockReturns(desCipher)
keyManager, err = encryption.NewKeyManager(key, nil)
Expect(err).NotTo(HaveOccurred())
})
It("returns an error", func() {
input := []byte("some plaintext data")
_, err := cryptor.Encrypt(input)
Expect(err).To(MatchError(HavePrefix("Unable to create GCM-wrapped cipher:")))
})
})
})