File: encryption_test.go

package info (click to toggle)
docker.io 20.10.5%2Bdfsg1-1%2Bdeb11u2
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, bullseye-backports
  • size: 60,044 kB
  • sloc: sh: 5,527; makefile: 616; ansic: 179; python: 162; asm: 7
file content (153 lines) | stat: -rw-r--r-- 4,676 bytes parent folder | download | duplicates (6) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
 
package encryption

import (
	"fmt"
	"testing"

	"github.com/stretchr/testify/require"
)

func TestEncryptDecrypt(t *testing.T) {
	// not providing an encrypter will fail
	msg := []byte("hello again swarmkit")
	_, err := Encrypt(msg, nil)
	require.Error(t, err)
	require.Contains(t, err.Error(), "no encrypter")

	// noop encrypter can encrypt
	encrypted, err := Encrypt(msg, NoopCrypter)
	require.NoError(t, err)

	// not providing a decrypter will fail
	_, err = Decrypt(encrypted, nil)
	require.Error(t, err)
	require.Contains(t, err.Error(), "no decrypter")

	// noop decrypter can decrypt
	decrypted, err := Decrypt(encrypted, NoopCrypter)
	require.NoError(t, err)
	require.Equal(t, msg, decrypted)

	// the default encrypter can produce something the default decrypter can read
	encrypter, decrypter := Defaults([]byte("key"), false)
	encrypted, err = Encrypt(msg, encrypter)
	require.NoError(t, err)
	decrypted, err = Decrypt(encrypted, decrypter)
	require.NoError(t, err)
	require.Equal(t, msg, decrypted)

	// mismatched encrypters and decrypters can't read the content produced by each
	encrypted, err = Encrypt(msg, NoopCrypter)
	require.NoError(t, err)
	_, err = Decrypt(encrypted, decrypter)
	require.Error(t, err)
	require.IsType(t, ErrCannotDecrypt{}, err)

	encrypted, err = Encrypt(msg, encrypter)
	require.NoError(t, err)
	_, err = Decrypt(encrypted, NoopCrypter)
	require.Error(t, err)
	require.IsType(t, ErrCannotDecrypt{}, err)
}

func TestHumanReadable(t *testing.T) {
	// we can produce human readable strings that can then be re-parsed
	key := GenerateSecretKey()
	keyString := HumanReadableKey(key)
	parsedKey, err := ParseHumanReadableKey(keyString)
	require.NoError(t, err)
	require.Equal(t, parsedKey, key)

	// if the prefix is wrong, we can't parse the key
	_, err = ParseHumanReadableKey("A" + keyString)
	require.Error(t, err)

	// With the right prefix, we can't parse if the key isn't base64 encoded
	_, err = ParseHumanReadableKey(humanReadablePrefix + "aaa*aa/")
	require.Error(t, err)

	// Extra padding also fails
	_, err = ParseHumanReadableKey(keyString + "=")
	require.Error(t, err)
}

type bothCrypter interface {
	Decrypter
	Encrypter
}

func TestMultiDecryptor(t *testing.T) {
	crypters := []bothCrypter{
		noopCrypter{},
		NewNACLSecretbox([]byte("key1")),
		NewNACLSecretbox([]byte("key2")),
		NewNACLSecretbox([]byte("key3")),
		NewFernet([]byte("key1")),
		NewFernet([]byte("key2")),
	}
	m := NewMultiDecrypter(
		crypters[0], crypters[1], crypters[2], crypters[4],
		NewMultiDecrypter(crypters[3], crypters[5]),
	)

	for i, c := range crypters {
		plaintext := []byte(fmt.Sprintf("message %d", i))
		ciphertext, err := Encrypt(plaintext, c)
		require.NoError(t, err)
		decrypted, err := Decrypt(ciphertext, m)
		require.NoError(t, err)
		require.Equal(t, plaintext, decrypted)

		// for sanity, make sure the other crypters can't decrypt
		for j, o := range crypters {
			if j == i {
				continue
			}
			_, err := Decrypt(ciphertext, o)
			require.IsType(t, ErrCannotDecrypt{}, err)
		}
	}

	// Test multidecryptor where it does not have a decryptor with the right key
	for _, d := range []MultiDecrypter{m, NewMultiDecrypter()} {
		plaintext := []byte("message")
		ciphertext, err := Encrypt(plaintext, NewNACLSecretbox([]byte("other")))
		require.NoError(t, err)
		_, err = Decrypt(ciphertext, d)
		require.IsType(t, ErrCannotDecrypt{}, err)
	}
}

// The default encrypter/decrypter, if FIPS is not enabled, is NACLSecretBox.
// However, it can decrypt using all other supported algorithms.  If FIPS is
// enabled, the encrypter/decrypter is Fernet only, because FIPS only permits
// (given the algorithms swarmkit supports) AES-128-CBC
func TestDefaults(t *testing.T) {
	plaintext := []byte("my message")

	// encrypt something without FIPS enabled
	c, d := Defaults([]byte("key"), false)
	ciphertext, err := Encrypt(plaintext, c)
	require.NoError(t, err)
	decrypted, err := Decrypt(ciphertext, d)
	require.NoError(t, err)
	require.Equal(t, plaintext, decrypted)

	// with fips enabled, defaults should return a fernet encrypter
	// and a decrypter that can't decrypt nacl
	c, d = Defaults([]byte("key"), true)
	_, err = Decrypt(ciphertext, d)
	require.Error(t, err)
	ciphertext, err = Encrypt(plaintext, c)
	require.NoError(t, err)
	decrypted, err = Decrypt(ciphertext, d)
	require.NoError(t, err)
	require.Equal(t, plaintext, decrypted)

	// without FIPS, and ensure we can decrypt the previous ciphertext
	// (encrypted with fernet) with the decrypter returned by defaults
	_, d = Defaults([]byte("key"), false)
	decrypted, err = Decrypt(ciphertext, d)
	require.NoError(t, err)
	require.Equal(t, plaintext, decrypted)
}