2015-03-05 21:27:35 +00:00
|
|
|
package vault
|
|
|
|
|
|
|
|
import (
|
2015-03-05 22:03:00 +00:00
|
|
|
"bytes"
|
2018-01-19 06:44:44 +00:00
|
|
|
"context"
|
2015-05-27 23:42:42 +00:00
|
|
|
"encoding/json"
|
2015-03-05 21:27:35 +00:00
|
|
|
"testing"
|
|
|
|
|
2018-04-03 00:46:59 +00:00
|
|
|
log "github.com/hashicorp/go-hclog"
|
2019-04-12 21:54:35 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/helper/logging"
|
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
|
|
"github.com/hashicorp/vault/sdk/physical"
|
|
|
|
"github.com/hashicorp/vault/sdk/physical/inmem"
|
2015-03-05 21:27:35 +00:00
|
|
|
)
|
|
|
|
|
2016-04-26 03:10:32 +00:00
|
|
|
var (
|
2018-04-03 00:46:59 +00:00
|
|
|
logger = logging.NewVaultLogger(log.Trace)
|
2016-04-26 03:10:32 +00:00
|
|
|
)
|
|
|
|
|
2015-03-05 22:34:05 +00:00
|
|
|
// mockBarrier returns a physical backend, security barrier, and master key
|
2017-02-16 18:16:06 +00:00
|
|
|
func mockBarrier(t testing.TB) (physical.Backend, SecurityBarrier, []byte) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-03-05 22:34:05 +00:00
|
|
|
b, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Initialize and unseal
|
|
|
|
key, _ := b.GenerateKey()
|
2018-01-19 06:44:44 +00:00
|
|
|
b.Initialize(context.Background(), key)
|
|
|
|
b.Unseal(context.Background(), key)
|
2015-03-05 22:34:05 +00:00
|
|
|
return inm, b, key
|
|
|
|
}
|
|
|
|
|
2015-03-05 21:27:35 +00:00
|
|
|
func TestAESGCMBarrier_Basic(t *testing.T) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-03-05 21:27:35 +00:00
|
|
|
b, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
testBarrier(t, b)
|
|
|
|
}
|
|
|
|
|
2015-05-28 00:10:08 +00:00
|
|
|
func TestAESGCMBarrier_Rotate(t *testing.T) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-05-28 00:10:08 +00:00
|
|
|
b, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
testBarrier_Rotate(t, b)
|
|
|
|
}
|
|
|
|
|
2015-05-28 23:42:32 +00:00
|
|
|
func TestAESGCMBarrier_Upgrade(t *testing.T) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-05-28 23:42:32 +00:00
|
|
|
b1, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
b2, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
testBarrier_Upgrade(t, b1, b2)
|
|
|
|
}
|
|
|
|
|
2015-05-29 21:29:55 +00:00
|
|
|
func TestAESGCMBarrier_Upgrade_Rekey(t *testing.T) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-05-29 21:29:55 +00:00
|
|
|
b1, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
b2, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
testBarrier_Upgrade_Rekey(t, b1, b2)
|
|
|
|
}
|
|
|
|
|
2015-05-28 00:17:03 +00:00
|
|
|
func TestAESGCMBarrier_Rekey(t *testing.T) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-05-28 00:17:03 +00:00
|
|
|
b, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
testBarrier_Rekey(t, b)
|
|
|
|
}
|
|
|
|
|
2015-05-27 23:42:42 +00:00
|
|
|
// Test an upgrade from the old (0.1) barrier/init to the new
|
|
|
|
// core/keyring style
|
|
|
|
func TestAESGCMBarrier_BackwardsCompatible(t *testing.T) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-05-27 23:42:42 +00:00
|
|
|
b, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Generate a barrier/init entry
|
|
|
|
encrypt, _ := b.GenerateKey()
|
|
|
|
init := &barrierInit{
|
|
|
|
Version: 1,
|
|
|
|
Key: encrypt,
|
|
|
|
}
|
|
|
|
buf, _ := json.Marshal(init)
|
|
|
|
|
|
|
|
// Protect with master key
|
|
|
|
master, _ := b.GenerateKey()
|
|
|
|
gcm, _ := b.aeadFromKey(master)
|
2018-09-05 15:49:32 +00:00
|
|
|
value, err := b.encrypt(barrierInitPath, initialKeyTerm, gcm, buf)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
2015-05-27 23:42:42 +00:00
|
|
|
|
|
|
|
// Write to the physical backend
|
|
|
|
pe := &physical.Entry{
|
|
|
|
Key: barrierInitPath,
|
|
|
|
Value: value,
|
|
|
|
}
|
2018-01-19 06:44:44 +00:00
|
|
|
inm.Put(context.Background(), pe)
|
2015-05-27 23:42:42 +00:00
|
|
|
|
2015-07-07 22:01:52 +00:00
|
|
|
// Create a fake key
|
|
|
|
gcm, _ = b.aeadFromKey(encrypt)
|
2018-09-05 15:49:32 +00:00
|
|
|
value, err = b.encrypt("test/foo", initialKeyTerm, gcm, []byte("test"))
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
2015-07-07 22:01:52 +00:00
|
|
|
pe = &physical.Entry{
|
|
|
|
Key: "test/foo",
|
2018-09-05 15:49:32 +00:00
|
|
|
Value: value,
|
2015-07-07 22:01:52 +00:00
|
|
|
}
|
2018-01-19 06:44:44 +00:00
|
|
|
inm.Put(context.Background(), pe)
|
2015-07-07 22:01:52 +00:00
|
|
|
|
2015-05-27 23:42:42 +00:00
|
|
|
// Should still be initialized
|
2018-01-19 06:44:44 +00:00
|
|
|
isInit, err := b.Initialized(context.Background())
|
2015-05-27 23:42:42 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if !isInit {
|
|
|
|
t.Fatalf("should be initialized")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Unseal should work and migrate online
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Unseal(context.Background(), master)
|
2015-05-27 23:42:42 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2018-03-20 18:54:10 +00:00
|
|
|
// Check for migration
|
2018-01-19 06:44:44 +00:00
|
|
|
out, err := inm.Get(context.Background(), barrierInitPath)
|
2015-05-27 23:42:42 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if out != nil {
|
|
|
|
t.Fatalf("should delete old barrier init")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Should have keyring
|
2018-01-19 06:44:44 +00:00
|
|
|
out, err = inm.Get(context.Background(), keyringPath)
|
2015-05-27 23:42:42 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if out == nil {
|
|
|
|
t.Fatalf("should have keyring file")
|
|
|
|
}
|
2015-07-07 22:01:52 +00:00
|
|
|
|
|
|
|
// Attempt to read encrypted key
|
2018-01-19 06:44:44 +00:00
|
|
|
entry, err := b.Get(context.Background(), "test/foo")
|
2015-07-07 22:01:52 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if string(entry.Value) != "test" {
|
|
|
|
t.Fatalf("bad: %#v", entry)
|
|
|
|
}
|
2015-05-27 23:42:42 +00:00
|
|
|
}
|
|
|
|
|
2015-03-05 22:03:00 +00:00
|
|
|
// Verify data sent through is encrypted
|
2015-03-05 21:27:35 +00:00
|
|
|
func TestAESGCMBarrier_Confidential(t *testing.T) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-03-05 22:03:00 +00:00
|
|
|
b, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Initialize and unseal
|
|
|
|
key, _ := b.GenerateKey()
|
2018-01-19 06:44:44 +00:00
|
|
|
b.Initialize(context.Background(), key)
|
|
|
|
b.Unseal(context.Background(), key)
|
2015-03-05 22:03:00 +00:00
|
|
|
|
|
|
|
// Put a logical entry
|
2019-01-31 14:25:18 +00:00
|
|
|
entry := &logical.StorageEntry{Key: "test", Value: []byte("test")}
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Put(context.Background(), entry)
|
2015-03-05 22:03:00 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2018-03-20 18:54:10 +00:00
|
|
|
// Check the physical entry
|
2018-01-19 06:44:44 +00:00
|
|
|
pe, err := inm.Get(context.Background(), "test")
|
2015-03-05 22:03:00 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if pe == nil {
|
|
|
|
t.Fatalf("missing physical entry")
|
|
|
|
}
|
|
|
|
|
|
|
|
if pe.Key != "test" {
|
|
|
|
t.Fatalf("bad: %#v", pe)
|
|
|
|
}
|
|
|
|
if bytes.Equal(pe.Value, entry.Value) {
|
|
|
|
t.Fatalf("bad: %#v", pe)
|
|
|
|
}
|
2015-03-05 21:27:35 +00:00
|
|
|
}
|
|
|
|
|
2015-09-19 19:33:18 +00:00
|
|
|
// Verify data sent through cannot be tampered with
|
2015-03-05 21:27:35 +00:00
|
|
|
func TestAESGCMBarrier_Integrity(t *testing.T) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-03-05 22:03:00 +00:00
|
|
|
b, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Initialize and unseal
|
|
|
|
key, _ := b.GenerateKey()
|
2018-01-19 06:44:44 +00:00
|
|
|
b.Initialize(context.Background(), key)
|
|
|
|
b.Unseal(context.Background(), key)
|
2015-03-05 22:03:00 +00:00
|
|
|
|
|
|
|
// Put a logical entry
|
2019-01-31 14:25:18 +00:00
|
|
|
entry := &logical.StorageEntry{Key: "test", Value: []byte("test")}
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Put(context.Background(), entry)
|
2015-03-05 22:03:00 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Change a byte in the underlying physical entry
|
2018-01-19 06:44:44 +00:00
|
|
|
pe, _ := inm.Get(context.Background(), "test")
|
2015-03-05 22:03:00 +00:00
|
|
|
pe.Value[15]++
|
2018-01-19 06:44:44 +00:00
|
|
|
err = inm.Put(context.Background(), pe)
|
2015-03-05 22:03:00 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Read from the barrier
|
2018-01-19 06:44:44 +00:00
|
|
|
_, err = b.Get(context.Background(), "test")
|
2015-03-05 22:03:00 +00:00
|
|
|
if err == nil {
|
|
|
|
t.Fatalf("should fail!")
|
|
|
|
}
|
2015-03-05 21:27:35 +00:00
|
|
|
}
|
2015-04-30 17:15:41 +00:00
|
|
|
|
2015-09-19 19:33:18 +00:00
|
|
|
// Verify data sent through cannot be moved
|
|
|
|
func TestAESGCMBarrier_MoveIntegrityV1(t *testing.T) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-09-19 19:33:18 +00:00
|
|
|
b, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
b.currentAESGCMVersionByte = AESGCMVersion1
|
|
|
|
|
|
|
|
// Initialize and unseal
|
|
|
|
key, _ := b.GenerateKey()
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Initialize(context.Background(), key)
|
2015-09-19 19:33:18 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Unseal(context.Background(), key)
|
2015-09-19 19:33:18 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Put a logical entry
|
2019-01-31 14:25:18 +00:00
|
|
|
entry := &logical.StorageEntry{Key: "test", Value: []byte("test")}
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Put(context.Background(), entry)
|
2015-09-19 19:33:18 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Change the location of the underlying physical entry
|
2018-01-19 06:44:44 +00:00
|
|
|
pe, _ := inm.Get(context.Background(), "test")
|
2015-09-19 19:33:18 +00:00
|
|
|
pe.Key = "moved"
|
2018-01-19 06:44:44 +00:00
|
|
|
err = inm.Put(context.Background(), pe)
|
2017-07-04 17:58:28 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-09-19 19:33:18 +00:00
|
|
|
|
|
|
|
// Read from the barrier
|
2018-01-19 06:44:44 +00:00
|
|
|
_, err = b.Get(context.Background(), "moved")
|
2015-09-19 19:33:18 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("should succeed with version 1!")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAESGCMBarrier_MoveIntegrityV2(t *testing.T) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-09-19 19:33:18 +00:00
|
|
|
b, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
b.currentAESGCMVersionByte = AESGCMVersion2
|
|
|
|
|
|
|
|
// Initialize and unseal
|
|
|
|
key, _ := b.GenerateKey()
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Initialize(context.Background(), key)
|
2015-09-19 19:33:18 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Unseal(context.Background(), key)
|
2015-09-19 19:33:18 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Put a logical entry
|
2019-01-31 14:25:18 +00:00
|
|
|
entry := &logical.StorageEntry{Key: "test", Value: []byte("test")}
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Put(context.Background(), entry)
|
2015-09-19 19:33:18 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Change the location of the underlying physical entry
|
2018-01-19 06:44:44 +00:00
|
|
|
pe, _ := inm.Get(context.Background(), "test")
|
2015-09-19 19:33:18 +00:00
|
|
|
pe.Key = "moved"
|
2018-01-19 06:44:44 +00:00
|
|
|
err = inm.Put(context.Background(), pe)
|
2017-07-04 17:58:28 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-09-19 19:33:18 +00:00
|
|
|
|
|
|
|
// Read from the barrier
|
2018-01-19 06:44:44 +00:00
|
|
|
_, err = b.Get(context.Background(), "moved")
|
2015-09-19 19:33:18 +00:00
|
|
|
if err == nil {
|
|
|
|
t.Fatalf("should fail with version 2!")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAESGCMBarrier_UpgradeV1toV2(t *testing.T) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-09-19 19:33:18 +00:00
|
|
|
b, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
b.currentAESGCMVersionByte = AESGCMVersion1
|
|
|
|
|
|
|
|
// Initialize and unseal
|
|
|
|
key, _ := b.GenerateKey()
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Initialize(context.Background(), key)
|
2015-09-19 19:33:18 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Unseal(context.Background(), key)
|
2015-09-19 19:33:18 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Put a logical entry
|
2019-01-31 14:25:18 +00:00
|
|
|
entry := &logical.StorageEntry{Key: "test", Value: []byte("test")}
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Put(context.Background(), entry)
|
2015-09-19 19:33:18 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Seal
|
|
|
|
err = b.Seal()
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Open again as version 2
|
|
|
|
b, err = NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
b.currentAESGCMVersionByte = AESGCMVersion2
|
|
|
|
|
|
|
|
// Unseal
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Unseal(context.Background(), key)
|
2015-09-19 19:33:18 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check successful decryption
|
2018-01-19 06:44:44 +00:00
|
|
|
_, err = b.Get(context.Background(), "test")
|
2015-09-19 19:33:18 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("Upgrade unsuccessful")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-04-30 17:15:41 +00:00
|
|
|
func TestEncrypt_Unique(t *testing.T) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-04-30 17:15:41 +00:00
|
|
|
b, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
key, _ := b.GenerateKey()
|
2018-01-19 06:44:44 +00:00
|
|
|
b.Initialize(context.Background(), key)
|
|
|
|
b.Unseal(context.Background(), key)
|
2015-04-30 17:15:41 +00:00
|
|
|
|
2015-05-27 23:01:25 +00:00
|
|
|
if b.keyring == nil {
|
2015-04-30 17:37:47 +00:00
|
|
|
t.Fatalf("barrier is sealed")
|
2015-04-30 17:15:41 +00:00
|
|
|
}
|
|
|
|
|
2019-01-31 14:25:18 +00:00
|
|
|
entry := &logical.StorageEntry{Key: "test", Value: []byte("test")}
|
2015-05-27 23:01:25 +00:00
|
|
|
term := b.keyring.ActiveTerm()
|
|
|
|
primary, _ := b.aeadForTerm(term)
|
|
|
|
|
2018-09-05 15:49:32 +00:00
|
|
|
first, err := b.encrypt("test", term, primary, entry.Value)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
second, err := b.encrypt("test", term, primary, entry.Value)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
2015-04-30 17:15:41 +00:00
|
|
|
|
2015-04-30 17:37:47 +00:00
|
|
|
if bytes.Equal(first, second) == true {
|
|
|
|
t.Fatalf("improper random seeding detected")
|
2015-04-30 17:15:41 +00:00
|
|
|
}
|
|
|
|
}
|
2015-04-30 18:12:47 +00:00
|
|
|
|
|
|
|
func TestInitialize_KeyLength(t *testing.T) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2015-04-30 18:12:47 +00:00
|
|
|
b, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
long := []byte("ThisKeyDoesNotHaveTheRightLength!")
|
|
|
|
middle := []byte("ThisIsASecretKeyAndMore")
|
|
|
|
short := []byte("Key")
|
|
|
|
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Initialize(context.Background(), long)
|
2015-04-30 18:12:47 +00:00
|
|
|
|
|
|
|
if err == nil {
|
2015-04-30 18:27:32 +00:00
|
|
|
t.Fatalf("key length protection failed")
|
2015-04-30 18:12:47 +00:00
|
|
|
}
|
|
|
|
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Initialize(context.Background(), middle)
|
2015-04-30 18:12:47 +00:00
|
|
|
|
|
|
|
if err == nil {
|
2015-04-30 18:27:32 +00:00
|
|
|
t.Fatalf("key length protection failed")
|
2015-04-30 18:12:47 +00:00
|
|
|
}
|
|
|
|
|
2018-01-19 06:44:44 +00:00
|
|
|
err = b.Initialize(context.Background(), short)
|
2015-04-30 18:12:47 +00:00
|
|
|
|
|
|
|
if err == nil {
|
2015-04-30 18:27:32 +00:00
|
|
|
t.Fatalf("key length protection failed")
|
2015-04-30 18:12:47 +00:00
|
|
|
}
|
|
|
|
}
|
2017-02-17 04:09:39 +00:00
|
|
|
|
|
|
|
func TestEncrypt_BarrierEncryptor(t *testing.T) {
|
2017-08-03 17:24:27 +00:00
|
|
|
inm, err := inmem.NewInmem(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2017-02-17 04:09:39 +00:00
|
|
|
b, err := NewAESGCMBarrier(inm)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Initialize and unseal
|
|
|
|
key, _ := b.GenerateKey()
|
2018-01-19 06:44:44 +00:00
|
|
|
b.Initialize(context.Background(), key)
|
|
|
|
b.Unseal(context.Background(), key)
|
2017-02-17 04:09:39 +00:00
|
|
|
|
2018-01-19 10:31:55 +00:00
|
|
|
cipher, err := b.Encrypt(context.Background(), "foo", []byte("quick brown fox"))
|
2017-02-17 04:09:39 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
2018-01-19 10:31:55 +00:00
|
|
|
plain, err := b.Decrypt(context.Background(), "foo", cipher)
|
2017-02-17 04:09:39 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if string(plain) != "quick brown fox" {
|
|
|
|
t.Fatalf("bad: %s", plain)
|
|
|
|
}
|
|
|
|
}
|