1// Copyright 2020 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14// 15//////////////////////////////////////////////////////////////////////////////// 16 17package fakekms_test 18 19import ( 20 "bytes" 21 "testing" 22 23 "github.com/google/tink/go/testing/fakekms" 24) 25 26const keyURI = "fake-kms://CM2b3_MDElQKSAowdHlwZS5nb29nbGVhcGlzLmNvbS9nb29nbGUuY3J5cHRvLnRpbmsuQWVzR2NtS2V5EhIaEIK75t5L-adlUwVhWvRuWUwYARABGM2b3_MDIAE" 27const anotherKeyURI = "fake-kms://CLHW_5cHElQKSAowdHlwZS5nb29nbGVhcGlzLmNvbS9nb29nbGUuY3J5cHRvLnRpbmsuQWVzR2NtS2V5EhIaEIZ-2h9InfZTbbkJjaJBsVgYARABGLHW_5cHIAE" 28 29func TestValidKeyURIs(t *testing.T) { 30 newKeyURI, err := fakekms.NewKeyURI() 31 if err != nil { 32 t.Fatal(err) 33 } 34 var testCases = []string{ 35 keyURI, 36 anotherKeyURI, 37 newKeyURI, 38 } 39 for _, tc := range testCases { 40 t.Run(tc, func(t *testing.T) { 41 client, err := fakekms.NewClient(tc) 42 if err != nil { 43 t.Fatalf("testutil.NewFakeKMSClient(keyURI) failed: %v", err) 44 } 45 if !client.Supported(tc) { 46 t.Fatalf("client.Supported(keyURI) is false, want true") 47 } 48 primitive, err := client.GetAEAD(tc) 49 if err != nil { 50 t.Fatalf("client.GetAEAD(keyURI) failed: %v", err) 51 } 52 53 plaintext := []byte("some data to encrypt") 54 aad := []byte("extra data to authenticate") 55 ciphertext, err := primitive.Encrypt(plaintext, aad) 56 if err != nil { 57 t.Fatalf("primitive.Encrypt(plaintext, aad) failed: %v", err) 58 } 59 decrypted, err := primitive.Decrypt(ciphertext, aad) 60 if err != nil { 61 t.Fatalf("primitive.Decrypt(ciphertext, aad) failed: %v", err) 62 } 63 if !bytes.Equal(plaintext, decrypted) { 64 t.Fatalf("decrypted data doesn't match plaintext, got: %q, want: %q", decrypted, plaintext) 65 } 66 }) 67 } 68} 69 70func TestBadUriPrefix(t *testing.T) { 71 _, err := fakekms.NewClient("bad-prefix://encodedkeyset") 72 if err == nil { 73 t.Fatalf("fakekms.NewClient('bad-prefix://encodedkeyset') succeeded, want fail") 74 } 75} 76 77func TestValidPrefix(t *testing.T) { 78 uriPrefix := "fake-kms://CM2b" // is a prefix of keyURI 79 client, err := fakekms.NewClient(uriPrefix) 80 if err != nil { 81 t.Fatalf("fakekms.NewClient(uriPrefix) failed: %v", err) 82 } 83 if !client.Supported(keyURI) { 84 t.Fatalf("client with URI prefix %s should support key URI %s", uriPrefix, keyURI) 85 } 86 _, err = client.GetAEAD(keyURI) 87 if err != nil { 88 t.Fatalf("client.GetAEAD(anotherKeyURI) failed: %v", err) 89 } 90} 91 92func TestInvalidPrefix(t *testing.T) { 93 uriPrefix := "fake-kms://CM2x" // is not a prefix of keyURI 94 client, err := fakekms.NewClient(uriPrefix) 95 if err != nil { 96 t.Fatalf("fakekms.NewClient(uriPrefix) failed: %v", err) 97 } 98 if client.Supported(keyURI) { 99 t.Fatalf("client with URI prefix %s should not support key URI %s", uriPrefix, keyURI) 100 } 101 _, err = client.GetAEAD(keyURI) 102 if err == nil { 103 t.Fatalf("client.GetAEAD(keyURI) succeeded, want fail") 104 } 105} 106 107func TestGetAeadFailsWithBadKeysetEncoding(t *testing.T) { 108 client, err := fakekms.NewClient("fake-kms://bad") 109 if err != nil { 110 t.Fatalf("fakekms.NewClient('fake-kms://bad') failed: %v", err) 111 } 112 _, err = client.GetAEAD("fake-kms://badencoding") 113 if err == nil { 114 t.Fatalf("client.GetAEAD('fake-kms://badencoding') succeeded, want fail") 115 } 116} 117