/* Copyright (c) Edgeless Systems GmbH SPDX-License-Identifier: AGPL-3.0-only */ package crypto import ( "crypto/x509" "testing" "github.com/edgelesssys/constellation/v2/internal/crypto/testvector" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "go.uber.org/goleak" ) func TestMain(m *testing.M) { goleak.VerifyTestMain(m, goleak.IgnoreAnyFunction("github.com/bazelbuild/rules_go/go/tools/bzltestutil.RegisterTimeoutHandler.func1")) } func TestDeriveKey(t *testing.T) { assert := assert.New(t) require := require.New(t) key, err := DeriveKey([]byte("secret"), []byte("salt"), nil, 32) assert.NoError(err) assert.Len(key, 32) key1, err := DeriveKey([]byte("secret"), []byte("salt"), []byte("first"), 32) require.NoError(err) key2, err := DeriveKey([]byte("secret"), []byte("salt"), []byte("first"), 32) require.NoError(err) assert.Equal(key1, key2) key3, err := DeriveKey([]byte("secret"), []byte("salt"), []byte("second"), 32) require.NoError(err) assert.NotEqual(key1, key3) zeroInput := testvector.HKDFZero out, err := DeriveKey(zeroInput.Secret, zeroInput.Salt, []byte(zeroInput.InfoPrefix+zeroInput.Info), zeroInput.Length) require.NoError(err) assert.Equal(zeroInput.Output, out) fInput := testvector.HKDF0xFF out, err = DeriveKey(fInput.Secret, fInput.Salt, []byte(fInput.InfoPrefix+fInput.Info), fInput.Length) require.NoError(err) assert.Equal(fInput.Output, out) } func TestVectorsHKDF(t *testing.T) { testCases := map[string]struct { secret []byte salt []byte info []byte length uint wantKey []byte }{ "rfc Test Case 1": { secret: testvector.HKDFrfc1.Secret, salt: testvector.HKDFrfc1.Salt, info: []byte(testvector.HKDFrfc1.Info), length: testvector.HKDFrfc1.Length, wantKey: testvector.HKDFrfc1.Output, }, "rfc Test Case 2": { secret: testvector.HKDFrfc2.Secret, salt: testvector.HKDFrfc2.Salt, info: []byte(testvector.HKDFrfc2.Info), length: testvector.HKDFrfc2.Length, wantKey: testvector.HKDFrfc2.Output, }, "rfc Test Case 3": { secret: testvector.HKDFrfc3.Secret, salt: testvector.HKDFrfc3.Salt, info: []byte(testvector.HKDFrfc3.Info), length: testvector.HKDFrfc3.Length, wantKey: testvector.HKDFrfc3.Output, }, } for name, tc := range testCases { t.Run(name, func(t *testing.T) { assert := assert.New(t) require := require.New(t) out, err := DeriveKey(tc.secret, tc.salt, tc.info, tc.length) require.NoError(err) assert.Equal(tc.wantKey, out) }) } } func TestGenerateCertificateSerialNumber(t *testing.T) { assert := assert.New(t) require := require.New(t) s1, err := GenerateCertificateSerialNumber() require.NoError(err) s2, err := GenerateCertificateSerialNumber() require.NoError(err) assert.NotEqual(s1, s2) } func TestGenerateRandomBytes(t *testing.T) { assert := assert.New(t) require := require.New(t) n1, err := GenerateRandomBytes(32) require.NoError(err) assert.Len(n1, 32) n2, err := GenerateRandomBytes(32) require.NoError(err) assert.Equal(len(n1), len(n2)) assert.NotEqual(n1, n2) n3, err := GenerateRandomBytes(16) require.NoError(err) assert.Len(n3, 16) } func TestPemToX509Cert(t *testing.T) { testCases := map[string]struct { pemCert []byte wantErr bool }{ // TODO(msanft): Add more test cases with testdata "invalid cert": { pemCert: []byte("invalid"), wantErr: true, }, "empty cert": { pemCert: []byte{}, wantErr: true, }, } for name, tc := range testCases { t.Run(name, func(t *testing.T) { assert := assert.New(t) _, err := PemToX509Cert(tc.pemCert) if tc.wantErr { assert.Error(err) } else { assert.NoError(err) } }) } } func TestX509ToPemCert(t *testing.T) { testCases := map[string]struct { cert *x509.Certificate wantErr bool }{ "success": { cert: &x509.Certificate{}, }, // TODO(msanft): Add more test cases with testdata } for name, tc := range testCases { t.Run(name, func(t *testing.T) { assert := assert.New(t) _, err := X509CertToPem(tc.cert) if tc.wantErr { assert.Error(err) } else { assert.NoError(err) } }) } }