File: nacl_test.go

docker.io 20.10.5%2Bdfsg1-1%2Bdeb11u2
package encryption

import (
	cryptorand "crypto/rand"
	"io"
	"testing"

	"github.com/docker/swarmkit/api"
	"github.com/stretchr/testify/require"
)

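// TestNACLSecretbox checks that encrypting the same message twice under the
// same key yields two different ciphertexts, because a different nonce is used
// for each encryption, and that both records still decrypt to the original
// data with either of two crypters built from identical key material.
func TestNACLSecretbox(t *testing.T) {
	key := make([]byte, 32)
	_, err := io.ReadFull(cryptorand.Reader, key)
	require.NoError(t, err)

	// copy takes (dst, src). The arguments used to be reversed, which
	// overwrote the freshly generated key with zeros, so the whole test ran
	// against an all-zero key instead of random key material.
	keyCopy := make([]byte, len(key))
	copy(keyCopy, key)

	crypter1 := NewNACLSecretbox(key)
	crypter2 := NewNACLSecretbox(keyCopy)
	data := []byte("Hello again world")

	// Both records deliberately come from the same crypter: the property
	// under test is that one key never produces the same output twice.
	er1, err := crypter1.Encrypt(data)
	require.NoError(t, err)

	er2, err := crypter1.Encrypt(data)
	require.NoError(t, err)

	require.NotEqual(t, er1.Data, er2.Data)
	require.NotEmpty(t, er1.Nonce)
	require.NotEmpty(t, er2.Nonce)
	// Nonce reuse under one key is the failure this test guards against, so
	// assert the nonces differ directly rather than only via the ciphertext.
	require.NotEqual(t, er1.Nonce, er2.Nonce)

	// Either crypter must be able to decrypt either record, since both were
	// constructed from the same key bytes.
	for _, decrypter := range []Decrypter{crypter1, crypter2} {
		for _, record := range []*api.MaybeEncryptedRecord{er1, er2} {
			result, err := decrypter.Decrypt(*record)
			require.NoError(t, err)
			require.Equal(t, data, result)
		}
	}
}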

// TestNACLSecretboxInvalidAlgorithm verifies that Decrypt refuses a record
// whose Algorithm field was changed to NotEncrypted after encryption.
func TestNACLSecretboxInvalidAlgorithm(t *testing.T) {
	secret := make([]byte, 32)
	_, readErr := io.ReadFull(cryptorand.Reader, secret)
	require.NoError(t, readErr)

	box := NewNACLSecretbox(secret)
	record, encErr := box.Encrypt([]byte("Hello again world"))
	require.NoError(t, encErr)

	// Relabel the record so it no longer declares itself a secretbox payload;
	// the ciphertext and nonce are left untouched.
	record.Algorithm = api.MaybeEncryptedRecord_NotEncrypted

	_, decErr := box.Decrypt(*record)
	require.Error(t, decErr)
	require.Contains(t, decErr.Error(), "not a NACL secretbox")
}

// TestNACLSecretboxCannotDecryptWithoutRightKey verifies that a record
// encrypted under one key cannot be decrypted by a crypter built from
// different key material.
func TestNACLSecretboxCannotDecryptWithoutRightKey(t *testing.T) {
	secret := make([]byte, 32)
	_, readErr := io.ReadFull(cryptorand.Reader, secret)
	require.NoError(t, readErr)

	owner := NewNACLSecretbox(secret)
	record, encErr := owner.Encrypt([]byte("Hello again world"))
	require.NoError(t, encErr)

	// The "wrong" crypter is built from an empty key slice. How
	// NewNACLSecretbox treats a short key is not visible in this file.
	stranger := NewNACLSecretbox([]byte{})
	_, decErr := stranger.Decrypt(*record)
	require.Error(t, decErr)
}

// TestNACLSecretboxInvalidNonce verifies that Decrypt rejects a record whose
// nonce was truncated after encryption, reporting an invalid nonce size.
func TestNACLSecretboxInvalidNonce(t *testing.T) {
	secret := make([]byte, 32)
	_, readErr := io.ReadFull(cryptorand.Reader, secret)
	require.NoError(t, readErr)

	box := NewNACLSecretbox(secret)
	record, encErr := box.Encrypt([]byte("Hello again world"))
	require.NoError(t, encErr)

	// Keep only the first 20 bytes of the nonce. The assertion below expects
	// Decrypt to check the length before attempting to open the box.
	shortNonce := record.Nonce[:20]
	record.Nonce = shortNonce

	_, decErr := box.Decrypt(*record)
	require.Error(t, decErr)
	require.Contains(t, decErr.Error(), "invalid nonce size")
}