diff options
Diffstat (limited to 'encrypted/encrypted_test.go')
-rw-r--r-- | encrypted/encrypted_test.go | 150 |
1 files changed, 150 insertions, 0 deletions
diff --git a/encrypted/encrypted_test.go b/encrypted/encrypted_test.go new file mode 100644 index 0000000..7365fb3 --- /dev/null +++ b/encrypted/encrypted_test.go @@ -0,0 +1,150 @@ +package encrypted + +import ( + "encoding/json" + "testing" + + "github.com/stretchr/testify/assert" +) + +var ( + kdfVectors = map[KDFParameterStrength][]byte{ + Legacy: []byte(`{"kdf":{"name":"scrypt","params":{"N":32768,"r":8,"p":1},"salt":"WO3mVvyTwJ9vwT5/Tk5OW5WPIBUofMjcpEfrLnfY4uA="},"cipher":{"name":"nacl/secretbox","nonce":"tCy7HcTFr4uxv4Nrg/DWmncuZ148U1MX"},"ciphertext":"08n43p5G5yviPEZpO7tPPF4aZQkWiWjkv4taFdhDBA0tamKH4nw="}`), + Standard: []byte(`{"kdf":{"name":"scrypt","params":{"N":65536,"r":8,"p":1},"salt":"FhzPOt9/bJG4PTq6lQ6ecG6GzaOuOy/ynG5+yRiFlNs="},"cipher":{"name":"nacl/secretbox","nonce":"aw1ng1jHaDz/tQ7V2gR9O2+IGQ8xJEuE"},"ciphertext":"HycvuLZL4sYH0BrYTh4E/H20VtAW6u5zL5Pr+IBjYLYnCPzDkq8="}`), + OWASP: []byte(`{"kdf":{"name":"scrypt","params":{"N":131072,"r":8,"p":1},"salt":"m38E3kouJTtiheLQN22NQ8DTito5hrjpUIskqcd375k="},"cipher":{"name":"nacl/secretbox","nonce":"Y6PM13yA+o44pE/W1ZBwczeGnTV/m9Zc"},"ciphertext":"6H8sqj1K6B6yDjtH5AQ6lbFigg/C2yDDJc4rYJ79w9aVPImFIPI="}`), + } +) + +var plaintext = []byte("reallyimportant") + +func TestRoundtrip(t *testing.T) { + passphrase := []byte("supersecret") + + enc, err := Encrypt(plaintext, passphrase) + assert.Nil(t, err) + + // successful decrypt + dec, err := Decrypt(enc, passphrase) + assert.Nil(t, err) + assert.Equal(t, plaintext, dec) + + // wrong passphrase + passphrase[0] = 0 + dec, err = Decrypt(enc, passphrase) + assert.NotNil(t, err) + assert.Nil(t, dec) +} + +func TestTamperedRoundtrip(t *testing.T) { + passphrase := []byte("supersecret") + + enc, err := Encrypt(plaintext, passphrase) + assert.Nil(t, err) + + data := &data{} + err = json.Unmarshal(enc, data) + assert.Nil(t, err) + + data.Ciphertext[0] = ^data.Ciphertext[0] + + enc, _ = json.Marshal(data) + + dec, err := Decrypt(enc, passphrase) + assert.NotNil(t, err) + assert.Nil(t, dec) +} + +func TestDecrypt(t *testing.T) { + enc := []byte(`{"kdf":{"name":"scrypt","params":{"N":32768,"r":8,"p":1},"salt":"N9a7x5JFGbrtB2uBR81jPwp0eiLR4A7FV3mjVAQrg1g="},"cipher":{"name":"nacl/secretbox","nonce":"2h8HxMmgRfuYdpswZBQaU3xJ1nkA/5Ik"},"ciphertext":"SEW6sUh0jf2wfdjJGPNS9+bkk2uB+Cxamf32zR8XkQ=="}`) + passphrase := []byte("supersecret") + + dec, err := Decrypt(enc, passphrase) + assert.Nil(t, err) + assert.Equal(t, plaintext, dec) +} + +func TestMarshalUnmarshal(t *testing.T) { + passphrase := []byte("supersecret") + + wrapped, err := Marshal(plaintext, passphrase) + assert.Nil(t, err) + assert.NotNil(t, wrapped) + + var protected []byte + err = Unmarshal(wrapped, &protected, passphrase) + assert.Nil(t, err) + assert.Equal(t, plaintext, protected) +} + +func TestInvalidKDFSettings(t *testing.T) { + passphrase := []byte("supersecret") + + wrapped, err := MarshalWithCustomKDFParameters(plaintext, passphrase, 0) + assert.Nil(t, err) + assert.NotNil(t, wrapped) + + var protected []byte + err = Unmarshal(wrapped, &protected, passphrase) + assert.Nil(t, err) + assert.Equal(t, plaintext, protected) +} + +func TestLegacyKDFSettings(t *testing.T) { + passphrase := []byte("supersecret") + + wrapped, err := MarshalWithCustomKDFParameters(plaintext, passphrase, Legacy) + assert.Nil(t, err) + assert.NotNil(t, wrapped) + + var protected []byte + err = Unmarshal(wrapped, &protected, passphrase) + assert.Nil(t, err) + assert.Equal(t, plaintext, protected) +} + +func TestStandardKDFSettings(t *testing.T) { + passphrase := []byte("supersecret") + + wrapped, err := MarshalWithCustomKDFParameters(plaintext, passphrase, Standard) + assert.Nil(t, err) + assert.NotNil(t, wrapped) + + var protected []byte + err = Unmarshal(wrapped, &protected, passphrase) + assert.Nil(t, err) + assert.Equal(t, plaintext, protected) +} + +func TestOWASPKDFSettings(t *testing.T) { + passphrase := []byte("supersecret") + + wrapped, err := MarshalWithCustomKDFParameters(plaintext, passphrase, OWASP) + assert.Nil(t, err) + assert.NotNil(t, wrapped) + + var protected []byte + err = Unmarshal(wrapped, &protected, passphrase) + assert.Nil(t, err) + assert.Equal(t, plaintext, protected) +} + +func TestKDFSettingVectors(t *testing.T) { + passphrase := []byte("supersecret") + + for _, v := range kdfVectors { + var protected []byte + err := Unmarshal(v, &protected, passphrase) + assert.Nil(t, err) + assert.Equal(t, plaintext, protected) + } +} + +func TestUnsupportedKDFParameters(t *testing.T) { + enc := []byte(`{"kdf":{"name":"scrypt","params":{"N":99,"r":99,"p":99},"salt":"cZFcQJdwPhPyhU1R4qkl0qVOIjZd4V/7LYYAavq166k="},"cipher":{"name":"nacl/secretbox","nonce":"7vhRS7j0hEPBWV05skAdgLj81AkGeE7U"},"ciphertext":"6WYU/YSXVbYzl/NzaeAzmjLyfFhOOjLc0d8/GFV0aBFdJvyCcXc="}`) + passphrase := []byte("supersecret") + + dec, err := Decrypt(enc, passphrase) + assert.NotNil(t, err) + assert.Nil(t, dec) + assert.ErrorContains(t, err, "unsupported scrypt parameters") +} |