95 lines
2.4 KiB
Go
95 lines
2.4 KiB
Go
package service
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/base64"
|
|
"testing"
|
|
)
|
|
|
|
func TestNewAESGCMProtectorFromBase64(t *testing.T) {
|
|
if _, err := NewAESGCMProtectorFromBase64(""); err == nil {
|
|
t.Fatalf("expected error for empty key")
|
|
}
|
|
if _, err := NewAESGCMProtectorFromBase64("not-base64"); err == nil {
|
|
t.Fatalf("expected error for invalid base64")
|
|
}
|
|
shortKey := make([]byte, 16)
|
|
if _, err := NewAESGCMProtectorFromBase64(base64.StdEncoding.EncodeToString(shortKey)); err == nil {
|
|
t.Fatalf("expected error for non-32-byte key")
|
|
}
|
|
}
|
|
|
|
func TestAESGCMProtector_EncryptDecrypt_RoundTrip(t *testing.T) {
|
|
key := make([]byte, 32)
|
|
for i := range key {
|
|
key[i] = byte(i + 1)
|
|
}
|
|
p, err := NewAESGCMProtectorFromBase64(base64.StdEncoding.EncodeToString(key))
|
|
if err != nil {
|
|
t.Fatalf("new protector: %v", err)
|
|
}
|
|
|
|
plain := []byte("hello-secret")
|
|
ciphertext, err := p.Encrypt(plain)
|
|
if err != nil {
|
|
t.Fatalf("encrypt: %v", err)
|
|
}
|
|
if bytes.Equal(ciphertext, plain) {
|
|
t.Fatalf("ciphertext should differ from plain")
|
|
}
|
|
|
|
decrypted, err := p.Decrypt(ciphertext)
|
|
if err != nil {
|
|
t.Fatalf("decrypt: %v", err)
|
|
}
|
|
if !bytes.Equal(decrypted, plain) {
|
|
t.Fatalf("decrypted plaintext mismatch")
|
|
}
|
|
}
|
|
|
|
func TestAESGCMProtector_Decrypt_CiphertextTooShort(t *testing.T) {
|
|
key := make([]byte, 32)
|
|
for i := range key {
|
|
key[i] = byte(i + 1)
|
|
}
|
|
p, err := NewAESGCMProtectorFromBase64(base64.StdEncoding.EncodeToString(key))
|
|
if err != nil {
|
|
t.Fatalf("new protector: %v", err)
|
|
}
|
|
|
|
if _, err := p.Decrypt([]byte("short")); err == nil {
|
|
t.Fatalf("expected ciphertext too short error")
|
|
}
|
|
}
|
|
|
|
func TestAESGCMProtector_Decrypt_TamperedCiphertext(t *testing.T) {
|
|
key := make([]byte, 32)
|
|
for i := range key {
|
|
key[i] = byte(i + 1)
|
|
}
|
|
p, err := NewAESGCMProtectorFromBase64(base64.StdEncoding.EncodeToString(key))
|
|
if err != nil {
|
|
t.Fatalf("new protector: %v", err)
|
|
}
|
|
|
|
ciphertext, err := p.Encrypt([]byte("hello-secret"))
|
|
if err != nil {
|
|
t.Fatalf("encrypt: %v", err)
|
|
}
|
|
ciphertext[len(ciphertext)-1] ^= 0x01
|
|
|
|
if _, err := p.Decrypt(ciphertext); err == nil {
|
|
t.Fatalf("expected auth failure for tampered ciphertext")
|
|
}
|
|
}
|
|
|
|
func TestAESGCMProtector_EncryptDecrypt_InvalidKey(t *testing.T) {
|
|
p := &AESGCMProtector{key: []byte("short")}
|
|
if _, err := p.Encrypt([]byte("hello")); err == nil {
|
|
t.Fatalf("expected encrypt error for invalid key")
|
|
}
|
|
if _, err := p.Decrypt([]byte("cipher")); err == nil {
|
|
t.Fatalf("expected decrypt error for invalid key")
|
|
}
|
|
}
|