-
Notifications
You must be signed in to change notification settings - Fork 14
Expand file tree
/
Copy pathkeys_test.go
More file actions
122 lines (100 loc) · 3.3 KB
/
keys_test.go
File metadata and controls
122 lines (100 loc) · 3.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
// keys_test.go -- Test harness for keys
//
// (c) 2016 Sudhi Herle <sudhi@herle.net>
//
// Licensing Terms: GPLv2
//
// If you need a commercial license for this work, please contact
// the author.
//
// This software does not come with any express or implied
// warranty; it is provided "as is". No claim is made to its
// suitability for any purpose.
package sigtool
import (
"errors"
"testing"
"github.com/opencoff/sigtool/internal/pb"
)
var goodPw = []byte("abc")
var badPw = []byte("def")
var nilPw []byte
// return a hardcoded password
func fixedPw() ([]byte, error) {
return goodPw, nil
}
func wrongPw() ([]byte, error) {
return badPw, nil
}
func emptyPw() ([]byte, error) {
return nilPw, nil
}
func TestKeysMarshal(t *testing.T) {
assert := newAsserter(t)
sk, err := NewPrivateKey(t.Name())
assert(err == nil, "NewPrivateKey() fail: %s", err)
skb, err := sk.Marshal(fixedPw)
assert(err == nil, "marshal sk: %s", err)
assert(skb != nil, "marshal sk: nil bytes")
sk2, err := ParsePrivateKey(skb, wrongPw)
assert(err != nil, "unmarshal sk: wrong pw accepted")
assert(sk2 == nil, "unmarshal sk: wrong pw worked")
sk2, err = ParsePrivateKey(skb, fixedPw)
assert(err == nil, "unmarshal sk: %s", err)
assert(sk2 != nil, "unmarshal sk: nil sk2")
assert(sk.Equal(sk2), "unmarshal: unequal keys")
pk := sk.PublicKey()
pkb, err := pk.Marshal()
assert(err == nil, "marshal pk: %s", err)
assert(pkb != nil, "marshal pk: nil bytes")
pk2, err := ParsePublicKey(pkb)
assert(err == nil, "unmarshal pk: %s", err)
assert(pk2 != nil, "unmarshal pk: nil pk2")
assert(pk.Equal(pk2), "unmarshal pk: unequal keys")
}
// TestValidateArgonParams exercises every rejection branch of the KDF
// parameter gate. These parameters come from an attacker-supplied PEM, so
// validation is the first line of defence against DoS via crafted Argon
// params — fuzzing proved that a malformed Time=0 otherwise panics inside
// x/crypto/argon2.
func TestValidateArgonParams(t *testing.T) {
assert := newAsserter(t)
good := func() *pb.Argon {
return &pb.Argon{
Time: _Argon2id_time,
Mem: _Argon2id_mem,
Proc: _Argon2id_proc,
Salt: make([]byte, 32),
}
}
// Baseline: the good params must validate.
assert(validateArgonParams(good()) == nil, "good params should validate")
// nil input
assert(errors.Is(validateArgonParams(nil), ErrBadKDFParams), "nil accepted")
cases := []struct {
name string
mutate func(a *pb.Argon)
}{
{"time=0", func(a *pb.Argon) { a.Time = 0 }},
{"time=too-big", func(a *pb.Argon) { a.Time = _Argon_maxTime + 1 }},
{"mem=0", func(a *pb.Argon) { a.Mem = 0 }},
{"mem=too-big", func(a *pb.Argon) { a.Mem = _Argon_maxMem + 1 }},
{"proc=0", func(a *pb.Argon) { a.Proc = 0 }},
{"proc=too-big", func(a *pb.Argon) { a.Proc = _Argon_maxProc + 1 }},
{"salt=empty", func(a *pb.Argon) { a.Salt = nil }},
{"salt=too-short", func(a *pb.Argon) { a.Salt = make([]byte, _Argon_minSalt-1) }},
{"salt=too-long", func(a *pb.Argon) { a.Salt = make([]byte, _Argon_maxSalt+1) }},
}
for _, c := range cases {
a := good()
c.mutate(a)
err := validateArgonParams(a)
assert(errors.Is(err, ErrBadKDFParams), "%s: expected ErrBadKDFParams, got %v", c.name, err)
}
}
func Benchmark_Keygen(b *testing.B) {
for i := 0; i < b.N; i++ {
_, _ = NewPrivateKey("bench-key")
}
}
// vim: noexpandtab:ts=8:sw=8:tw=92: