lib

Core libraries for Radroots
git clone https://radroots.dev/git/lib.git
Log | Files | Refs | README | LICENSE

coverage.rs (3239B)

      1 use radroots_protected_store::{
      2     RADROOTS_PROTECTED_STORE_KEY_LENGTH, RADROOTS_PROTECTED_STORE_NONCE_LENGTH,
      3     RadrootsProtectedStoreEnvelope,
      4 };
      5 use radroots_secret_vault::RadrootsSecretKeyWrapping;
      6 
      7 #[derive(Default)]
      8 struct TestVault;
      9 
     10 impl RadrootsSecretKeyWrapping for TestVault {
     11     type Error = ();
     12 
     13     fn wrap_data_key(&self, key_slot: &str, plaintext_key: &[u8]) -> Result<Vec<u8>, Self::Error> {
     14         let mut wrapped = key_slot.as_bytes().to_vec();
     15         wrapped.push(0);
     16         wrapped.extend(plaintext_key.iter().map(|byte| byte ^ 0x5a));
     17         Ok(wrapped)
     18     }
     19 
     20     fn unwrap_data_key(&self, key_slot: &str, wrapped_key: &[u8]) -> Result<Vec<u8>, Self::Error> {
     21         let separator = wrapped_key.iter().position(|byte| *byte == 0).ok_or(())?;
     22         if &wrapped_key[..separator] != key_slot.as_bytes() {
     23             return Err(());
     24         }
     25 
     26         Ok(wrapped_key[separator + 1..]
     27             .iter()
     28             .map(|byte| byte ^ 0x5a)
     29             .collect())
     30     }
     31 }
     32 
     33 #[test]
     34 fn public_roundtrip_apis_cover_external_lib_regions() {
     35     let vault = TestVault;
     36     let generated = RadrootsProtectedStoreEnvelope::seal_with_wrapped_key(
     37         &vault,
     38         "drafts/default",
     39         b"generated roundtrip",
     40     )
     41     .expect("seal with runtime entropy succeeds");
     42     let generated_plaintext = generated
     43         .open_with_wrapped_key(&vault)
     44         .expect("generated envelope opens");
     45     assert_eq!(generated_plaintext, b"generated roundtrip");
     46 
     47     let deterministic = RadrootsProtectedStoreEnvelope::seal_with_wrapped_key_and_material(
     48         &vault,
     49         "drafts/default",
     50         b"deterministic roundtrip",
     51         [7_u8; RADROOTS_PROTECTED_STORE_KEY_LENGTH],
     52         [9_u8; RADROOTS_PROTECTED_STORE_NONCE_LENGTH],
     53     )
     54     .expect("deterministic seal succeeds");
     55     let encoded = deterministic.encode_json().expect("encode succeeds");
     56     let decoded = RadrootsProtectedStoreEnvelope::decode_json(&encoded).expect("decode succeeds");
     57     let deterministic_plaintext = decoded
     58         .open_with_wrapped_key(&vault)
     59         .expect("deterministic envelope opens");
     60     assert_eq!(deterministic_plaintext, b"deterministic roundtrip");
     61 
     62     let malformed = RadrootsProtectedStoreEnvelope {
     63         header: decoded.header.clone(),
     64         wrapped_key: vec![1, 2, 3, 4],
     65         ciphertext: decoded.ciphertext.clone(),
     66     };
     67     let err = malformed
     68         .open_with_wrapped_key(&vault)
     69         .expect_err("wrapped key without separator must fail");
     70     assert_eq!(
     71         format!("{err:?}"),
     72         "KeyUnwrapFailed",
     73         "public wrapper should surface the vault unwrap failure",
     74     );
     75 
     76     let mismatched = RadrootsProtectedStoreEnvelope {
     77         header: decoded.header.clone(),
     78         wrapped_key: TestVault
     79             .wrap_data_key("drafts/other", &[7_u8; RADROOTS_PROTECTED_STORE_KEY_LENGTH])
     80             .expect("alternate slot wrap succeeds"),
     81         ciphertext: decoded.ciphertext,
     82     };
     83     let err = mismatched
     84         .open_with_wrapped_key(&vault)
     85         .expect_err("wrapped key slot mismatch must fail");
     86     assert_eq!(
     87         format!("{err:?}"),
     88         "KeyUnwrapFailed",
     89         "public wrapper should surface the slot mismatch unwrap failure",
     90     );
     91 }