Accueil Explorer Aide
Connexion
AetherVPN
/
slackhq.nebula
miroir de https://github.com/slackhq/nebula.git
3
0
Fork 0
Fichiers Tickets 0 Wiki
Aborescence: d2adebf26d
Branches Tags
slackhq.nebula
/
cert
/
crypto_test.go

crypto_test.go 4.2 KB
Historique Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113 
  1. package cert
    2. 

  2. 

  3. import (
    4. 

  4. 	"testing"
    5. 

  5. 

  6. 	"github.com/stretchr/testify/assert"
    7. 

  7. 	"github.com/stretchr/testify/require"
    8. 

  8. 	"golang.org/x/crypto/argon2"
    9. 

  9. )
    10. 

  10. 

  11. func TestNewArgon2Parameters(t *testing.T) {
    12. 

  12. 	p := NewArgon2Parameters(64*1024, 4, 3)
    13. 

  13. 	assert.Equal(t, &Argon2Parameters{
    14. 

  14. 		version:     argon2.Version,
    15. 

  15. 		Memory:      64 * 1024,
    16. 

  16. 		Parallelism: 4,
    17. 

  17. 		Iterations:  3,
    18. 

  18. 	}, p)
    19. 

  19. 	p = NewArgon2Parameters(2*1024*1024, 2, 1)
    20. 

  20. 	assert.Equal(t, &Argon2Parameters{
    21. 

  21. 		version:     argon2.Version,
    22. 

  22. 		Memory:      2 * 1024 * 1024,
    23. 

  23. 		Parallelism: 2,
    24. 

  24. 		Iterations:  1,
    25. 

  25. 	}, p)
    26. 

  26. }
    27. 

  27. 

  28. func TestDecryptAndUnmarshalSigningPrivateKey(t *testing.T) {
    29. 

  29. 	passphrase := []byte("DO NOT USE THIS KEY")
    30. 

  30. 	privKey := []byte(`# A good key
    31. 

  31. -----BEGIN NEBULA ED25519 ENCRYPTED PRIVATE KEY-----
    32. 

  32. CjwKC0FFUy0yNTYtR0NNEi0IExCAgIABGAEgBCognnjujd67Vsv99p22wfAjQaDT
    33. 

  33. oCMW1mdjkU3gACKNW4MSXOWR9Sts4C81yk1RUku2gvGKs3TB9LYoklLsIizSYOLl
    34. 

  34. +Vs//O1T0I1Xbml2XBAROsb/VSoDln/6LMqR4B6fn6B3GOsLBBqRI8daDl9lRMPB
    35. 

  35. qrlJ69wer3ZUHFXA
    36. 

  36. -----END NEBULA ED25519 ENCRYPTED PRIVATE KEY-----
    37. 

  37. `)
    38. 

  38. 	shortKey := []byte(`# A key which, once decrypted, is too short
    39. 

  39. -----BEGIN NEBULA ED25519 ENCRYPTED PRIVATE KEY-----
    40. 

  40. CjwKC0FFUy0yNTYtR0NNEi0IExCAgIABGAEgBCoga5h8owMEBWRSMMJKzuUvWce7
    41. 

  41. k0qlBkQmCxiuLh80MuASW70YcKt8jeEIS2axo2V6zAKA9TSMcCsJW1kDDXEtL/xe
    42. 

  42. GLF5T7sDl5COp4LU3pGxpV+KoeQ/S3gQCAAcnaOtnJQX+aSDnbO3jCHyP7U9CHbs
    43. 

  43. rQr3bdH3Oy/WiYU=
    44. 

  44. -----END NEBULA ED25519 ENCRYPTED PRIVATE KEY-----
    45. 

  45. `)
    46. 

  46. 	invalidBanner := []byte(`# Invalid banner (not encrypted)
    47. 

  47. -----BEGIN NEBULA ED25519 PRIVATE KEY-----
    48. 

  48. bWRp2CTVFhW9HD/qCd28ltDgK3w8VXSeaEYczDWos8sMUBqDb9jP3+NYwcS4lURG
    49. 

  49. XgLvodMXZJuaFPssp+WwtA==
    50. 

  50. -----END NEBULA ED25519 PRIVATE KEY-----
    51. 

  51. `)
    52. 

  52. 	invalidPem := []byte(`# Not a valid PEM format
    53. 

  53. -BEGIN NEBULA ED25519 ENCRYPTED PRIVATE KEY-----
    54. 

  54. CjwKC0FFUy0yNTYtR0NNEi0IExCAgIABGAEgBCognnjujd67Vsv99p22wfAjQaDT
    55. 

  55. oCMW1mdjkU3gACKNW4MSXOWR9Sts4C81yk1RUku2gvGKs3TB9LYoklLsIizSYOLl
    56. 

  56. +Vs//O1T0I1Xbml2XBAROsb/VSoDln/6LMqR4B6fn6B3GOsLBBqRI8daDl9lRMPB
    57. 

  57. qrlJ69wer3ZUHFXA
    58. 

  58. -END NEBULA ED25519 ENCRYPTED PRIVATE KEY-----
    59. 

  59. `)
    60. 

  60. 

  61. 	keyBundle := appendByteSlices(privKey, shortKey, invalidBanner, invalidPem)
    62. 

  62. 

  63. 	// Success test case
    64. 

  64. 	curve, k, rest, err := DecryptAndUnmarshalSigningPrivateKey(passphrase, keyBundle)
    65. 

  65. 	require.NoError(t, err)
    66. 

  66. 	assert.Equal(t, Curve_CURVE25519, curve)
    67. 

  67. 	assert.Len(t, k, 64)
    68. 

  68. 	assert.Equal(t, rest, appendByteSlices(shortKey, invalidBanner, invalidPem))
    69. 

  69. 

  70. 	// Fail due to short key
    71. 

  71. 	curve, k, rest, err = DecryptAndUnmarshalSigningPrivateKey(passphrase, rest)
    72. 

  72. 	require.EqualError(t, err, "key was not 64 bytes, is invalid ed25519 private key")
    73. 

  73. 	assert.Nil(t, k)
    74. 

  74. 	assert.Equal(t, rest, appendByteSlices(invalidBanner, invalidPem))
    75. 

  75. 

  76. 	// Fail due to invalid banner
    77. 

  77. 	curve, k, rest, err = DecryptAndUnmarshalSigningPrivateKey(passphrase, rest)
    78. 

  78. 	require.EqualError(t, err, "bytes did not contain a proper nebula encrypted Ed25519/ECDSA private key banner")
    79. 

  79. 	assert.Nil(t, k)
    80. 

  80. 	assert.Equal(t, rest, invalidPem)
    81. 

  81. 

  82. 	// Fail due to ivalid PEM format, because
    83. 

  83. 	// it's missing the requisite pre-encapsulation boundary.
    84. 

  84. 	curve, k, rest, err = DecryptAndUnmarshalSigningPrivateKey(passphrase, rest)
    85. 

  85. 	require.EqualError(t, err, "input did not contain a valid PEM encoded block")
    86. 

  86. 	assert.Nil(t, k)
    87. 

  87. 	assert.Equal(t, rest, invalidPem)
    88. 

  88. 

  89. 	// Fail due to invalid passphrase
    90. 

  90. 	curve, k, rest, err = DecryptAndUnmarshalSigningPrivateKey([]byte("invalid passphrase"), privKey)
    91. 

  91. 	require.EqualError(t, err, "invalid passphrase or corrupt private key")
    92. 

  92. 	assert.Nil(t, k)
    93. 

  93. 	assert.Equal(t, []byte{}, rest)
    94. 

  94. }
    95. 

  95. 

  96. func TestEncryptAndMarshalSigningPrivateKey(t *testing.T) {
    97. 

  97. 	// Having proved that decryption works correctly above, we can test the
    98. 

  98. 	// encryption function produces a value which can be decrypted
    99. 

  99. 	passphrase := []byte("passphrase")
    100. 

  100. 	bytes := []byte("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
    101. 

  101. 	kdfParams := NewArgon2Parameters(64*1024, 4, 3)
    102. 

  102. 	key, err := EncryptAndMarshalSigningPrivateKey(Curve_CURVE25519, bytes, passphrase, kdfParams)
    103. 

  103. 	require.NoError(t, err)
    104. 

  104. 

  105. 	// Verify the "key" can be decrypted successfully
    106. 

  106. 	curve, k, rest, err := DecryptAndUnmarshalSigningPrivateKey(passphrase, key)
    107. 

  107. 	assert.Len(t, k, 64)
    108. 

  108. 	assert.Equal(t, Curve_CURVE25519, curve)
    109. 

  109. 	assert.Equal(t, []byte{}, rest)
    110. 

  110. 	require.NoError(t, err)
    111. 

  111. 

  112. 	// EncryptAndMarshalEd25519PrivateKey does not create any errors itself
    113. 

  113. }
    114.