1 package encrypted
2
3 import (
4 "encoding/json"
5 "testing"
6
7 "github.com/stretchr/testify/assert"
8 )
9
// Shared fixtures for the tests in this file. The passphrase and plaintext
// used with them are test-only values.
var (
	// plaintext is the message every test encrypts or expects back after
	// decryption.
	plaintext = []byte("reallyimportant")

	// kdfVectors holds one stored envelope per named KDF strength. Each
	// envelope records scrypt with r=8 and p=1 and a different cost N
	// (Legacy 32768, Standard 65536, OWASP 131072), and names
	// nacl/secretbox as the cipher. TestKDFSettingVectors decrypts them
	// with the passphrase "supersecret" and expects plaintext, so these act
	// as known-answer vectors: a change to how any strength is decoded
	// shows up as a failure here.
	kdfVectors = map[KDFParameterStrength][]byte{
		Legacy:   []byte(`{"kdf":{"name":"scrypt","params":{"N":32768,"r":8,"p":1},"salt":"WO3mVvyTwJ9vwT5/Tk5OW5WPIBUofMjcpEfrLnfY4uA="},"cipher":{"name":"nacl/secretbox","nonce":"tCy7HcTFr4uxv4Nrg/DWmncuZ148U1MX"},"ciphertext":"08n43p5G5yviPEZpO7tPPF4aZQkWiWjkv4taFdhDBA0tamKH4nw="}`),
		Standard: []byte(`{"kdf":{"name":"scrypt","params":{"N":65536,"r":8,"p":1},"salt":"FhzPOt9/bJG4PTq6lQ6ecG6GzaOuOy/ynG5+yRiFlNs="},"cipher":{"name":"nacl/secretbox","nonce":"aw1ng1jHaDz/tQ7V2gR9O2+IGQ8xJEuE"},"ciphertext":"HycvuLZL4sYH0BrYTh4E/H20VtAW6u5zL5Pr+IBjYLYnCPzDkq8="}`),
		OWASP:    []byte(`{"kdf":{"name":"scrypt","params":{"N":131072,"r":8,"p":1},"salt":"m38E3kouJTtiheLQN22NQ8DTito5hrjpUIskqcd375k="},"cipher":{"name":"nacl/secretbox","nonce":"Y6PM13yA+o44pE/W1ZBwczeGnTV/m9Zc"},"ciphertext":"6H8sqj1K6B6yDjtH5AQ6lbFigg/C2yDDJc4rYJ79w9aVPImFIPI="}`),
	}
)
19
// TestRoundtrip checks that Decrypt returns exactly what Encrypt sealed when
// given the same passphrase, and that a passphrase differing in one byte is
// refused with an error and no plaintext.
func TestRoundtrip(t *testing.T) {
	secret := []byte("supersecret")

	sealed, encErr := Encrypt(plaintext, secret)
	assert.Nil(t, encErr)

	// Correct passphrase: the original bytes must come back unchanged.
	opened, decErr := Decrypt(sealed, secret)
	assert.Nil(t, decErr)
	assert.Equal(t, plaintext, opened)

	// Overwrite the first passphrase byte in place. Decrypt has to fail and
	// must not hand back any output alongside the error.
	secret[0] = 0
	opened, decErr = Decrypt(sealed, secret)
	assert.NotNil(t, decErr)
	assert.Nil(t, opened)
}
37
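// TestTamperedRoundtrip checks that Decrypt rejects an envelope whose
// ciphertext was modified after encryption: flipping the bits of the first
// ciphertext byte must yield an error and no plaintext, even with the correct
// passphrase.
//
// NOTE(review): only the "ciphertext" field is altered here. Changes to the
// other envelope fields visible in this file's vectors (nonce, salt, kdf
// params) are not exercised by this test.
func TestTamperedRoundtrip(t *testing.T) {
	passphrase := []byte("supersecret")

	enc, err := Encrypt(plaintext, passphrase)
	assert.Nil(t, err)

	// The local is named envelope so it does not shadow the data type.
	envelope := &data{}
	err = json.Unmarshal(enc, envelope)
	assert.Nil(t, err)

	// Without this guard a failed Encrypt or Unmarshal above would surface
	// as an index-out-of-range panic instead of a readable test failure.
	if len(envelope.Ciphertext) == 0 {
		t.Fatal("encrypted envelope has no ciphertext to tamper with")
	}

	envelope.Ciphertext[0] = ^envelope.Ciphertext[0]

	// Check the re-encoding error: if Marshal failed silently, Decrypt would
	// be rejecting empty input rather than the tampered ciphertext.
	enc, err = json.Marshal(envelope)
	assert.Nil(t, err)

	dec, err := Decrypt(enc, passphrase)
	assert.NotNil(t, err)
	assert.Nil(t, dec)
}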
56
// TestDecrypt is a known-answer test: a fixed, previously produced envelope
// (scrypt N=32768, r=8, p=1 with nacl/secretbox) must still decrypt to
// plaintext under the passphrase "supersecret".
func TestDecrypt(t *testing.T) {
	secret := []byte("supersecret")
	stored := []byte(`{"kdf":{"name":"scrypt","params":{"N":32768,"r":8,"p":1},"salt":"N9a7x5JFGbrtB2uBR81jPwp0eiLR4A7FV3mjVAQrg1g="},"cipher":{"name":"nacl/secretbox","nonce":"2h8HxMmgRfuYdpswZBQaU3xJ1nkA/5Ik"},"ciphertext":"SEW6sUh0jf2wfdjJGPNS9+bkk2uB+Cxamf32zR8XkQ=="}`)

	opened, decErr := Decrypt(stored, secret)
	assert.Nil(t, decErr)
	assert.Equal(t, plaintext, opened)
}
65
// TestMarshalUnmarshal checks the value-level API: a value passed to Marshal
// under a passphrase must be returned unchanged by Unmarshal with the same
// passphrase.
func TestMarshalUnmarshal(t *testing.T) {
	secret := []byte("supersecret")

	sealed, marshalErr := Marshal(plaintext, secret)
	assert.Nil(t, marshalErr)
	assert.NotNil(t, sealed)

	var recovered []byte
	unmarshalErr := Unmarshal(sealed, &recovered, secret)
	assert.Nil(t, unmarshalErr)
	assert.Equal(t, plaintext, recovered)
}
78
// TestInvalidKDFSettings checks that passing 0 as the KDF strength (a value
// that is none of the named strengths used elsewhere in this file) does not
// make MarshalWithCustomKDFParameters fail, and that the result still
// round-trips through Unmarshal.
//
// NOTE(review): this only shows that the call succeeds. It does not pin which
// scrypt parameters are substituted for the unrecognised value; presumably a
// default is used, so confirm against the KDF selection code. Consider
// asserting on the envelope's kdf params so that the fallback cannot become
// weaker without a test failing.
func TestInvalidKDFSettings(t *testing.T) {
	const unrecognisedStrength = 0
	secret := []byte("supersecret")

	sealed, marshalErr := MarshalWithCustomKDFParameters(plaintext, secret, unrecognisedStrength)
	assert.Nil(t, marshalErr)
	assert.NotNil(t, sealed)

	var recovered []byte
	unmarshalErr := Unmarshal(sealed, &recovered, secret)
	assert.Nil(t, unmarshalErr)
	assert.Equal(t, plaintext, recovered)
}
91
// TestLegacyKDFSettings checks that a value sealed with the Legacy KDF
// strength can be recovered by Unmarshal with the same passphrase.
func TestLegacyKDFSettings(t *testing.T) {
	secret := []byte("supersecret")

	sealed, marshalErr := MarshalWithCustomKDFParameters(plaintext, secret, Legacy)
	assert.Nil(t, marshalErr)
	assert.NotNil(t, sealed)

	// Unmarshal is not told which strength was used; it has to work from
	// the sealed bytes alone.
	var recovered []byte
	unmarshalErr := Unmarshal(sealed, &recovered, secret)
	assert.Nil(t, unmarshalErr)
	assert.Equal(t, plaintext, recovered)
}
104
// TestStandardKDFSettings checks that a value sealed with the Standard KDF
// strength can be recovered by Unmarshal with the same passphrase.
func TestStandardKDFSettings(t *testing.T) {
	secret := []byte("supersecret")

	sealed, marshalErr := MarshalWithCustomKDFParameters(plaintext, secret, Standard)
	assert.Nil(t, marshalErr)
	assert.NotNil(t, sealed)

	// Unmarshal is not told which strength was used; it has to work from
	// the sealed bytes alone.
	var recovered []byte
	unmarshalErr := Unmarshal(sealed, &recovered, secret)
	assert.Nil(t, unmarshalErr)
	assert.Equal(t, plaintext, recovered)
}
117
// TestOWASPKDFSettings checks that a value sealed with the OWASP KDF strength
// can be recovered by Unmarshal with the same passphrase.
func TestOWASPKDFSettings(t *testing.T) {
	secret := []byte("supersecret")

	sealed, marshalErr := MarshalWithCustomKDFParameters(plaintext, secret, OWASP)
	assert.Nil(t, marshalErr)
	assert.NotNil(t, sealed)

	// Unmarshal is not told which strength was used; it has to work from
	// the sealed bytes alone.
	var recovered []byte
	unmarshalErr := Unmarshal(sealed, &recovered, secret)
	assert.Nil(t, unmarshalErr)
	assert.Equal(t, plaintext, recovered)
}
130
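// TestKDFSettingVectors decrypts every stored envelope in kdfVectors with the
// test passphrase and expects plaintext back. It guards against a change that
// would make previously written envelopes of any strength unreadable.
func TestKDFSettingVectors(t *testing.T) {
	passphrase := []byte("supersecret")

	// Map iteration order is random, so each assertion names the strength
	// it was checking; otherwise a failure does not say which vector broke.
	for strength, vector := range kdfVectors {
		var protected []byte
		err := Unmarshal(vector, &protected, passphrase)
		assert.Nil(t, err, "vector for KDF strength %v", strength)
		assert.Equal(t, plaintext, protected, "vector for KDF strength %v", strength)
	}
}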
141
// TestUnsupportedKDFParameters feeds Decrypt an envelope whose scrypt
// parameters are N=99, r=99, p=99 and expects it to be refused: an error
// containing "unsupported scrypt parameters" and no plaintext.
//
// The KDF parameters are read from the envelope itself, so they are input
// Decrypt cannot trust. This test pins that values like these are rejected
// with an explicit error even when the passphrase is the expected one.
func TestUnsupportedKDFParameters(t *testing.T) {
	secret := []byte("supersecret")
	stored := []byte(`{"kdf":{"name":"scrypt","params":{"N":99,"r":99,"p":99},"salt":"cZFcQJdwPhPyhU1R4qkl0qVOIjZd4V/7LYYAavq166k="},"cipher":{"name":"nacl/secretbox","nonce":"7vhRS7j0hEPBWV05skAdgLj81AkGeE7U"},"ciphertext":"6WYU/YSXVbYzl/NzaeAzmjLyfFhOOjLc0d8/GFV0aBFdJvyCcXc="}`)

	opened, decErr := Decrypt(stored, secret)
	assert.NotNil(t, decErr)
	assert.Nil(t, opened)
	assert.ErrorContains(t, decErr, "unsupported scrypt parameters")
}
151