194 lines
5.6 KiB
Rust
194 lines
5.6 KiB
Rust
use arbiter_server::{
|
|
actors::{
|
|
GlobalActors,
|
|
keyholder::{Bootstrap, Seal},
|
|
user_agent::{
|
|
UserAgentSession,
|
|
session::connection::{HandleUnsealEncryptedKey, HandleUnsealRequest, UnsealError},
|
|
},
|
|
},
|
|
db,
|
|
safe_cell::{SafeCell, SafeCellHandle as _},
|
|
};
|
|
use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
|
|
use diesel::{ExpressionMethods as _, QueryDsl as _, insert_into};
|
|
use diesel_async::RunQueryDsl;
|
|
use kameo::actor::Spawn as _;
|
|
use x25519_dalek::{EphemeralSecret, PublicKey};
|
|
|
|
async fn setup_sealed_user_agent(
|
|
seal_key: &[u8],
|
|
) -> (db::DatabasePool, kameo::actor::ActorRef<UserAgentSession>) {
|
|
let db = db::create_test_pool().await;
|
|
let actors = GlobalActors::spawn(db.clone()).await.unwrap();
|
|
|
|
actors
|
|
.key_holder
|
|
.ask(Bootstrap {
|
|
seal_key_raw: SafeCell::new(seal_key.to_vec()),
|
|
})
|
|
.await
|
|
.unwrap();
|
|
actors.key_holder.ask(Seal).await.unwrap();
|
|
|
|
let session = UserAgentSession::spawn(UserAgentSession::new_test(db.clone(), actors));
|
|
|
|
(db, session)
|
|
}
|
|
|
|
async fn client_dh_encrypt(
|
|
user_agent: &kameo::actor::ActorRef<UserAgentSession>,
|
|
key_to_send: &[u8],
|
|
) -> HandleUnsealEncryptedKey {
|
|
let client_secret = EphemeralSecret::random();
|
|
let client_public = PublicKey::from(&client_secret);
|
|
|
|
let response = user_agent
|
|
.ask(HandleUnsealRequest {
|
|
client_pubkey: client_public,
|
|
})
|
|
.await
|
|
.unwrap();
|
|
|
|
let server_pubkey = response.server_pubkey;
|
|
|
|
let shared_secret = client_secret.diffie_hellman(&server_pubkey);
|
|
let cipher = XChaCha20Poly1305::new(shared_secret.as_bytes().into());
|
|
let nonce = XNonce::from([0u8; 24]);
|
|
let associated_data = b"unseal";
|
|
let mut ciphertext = key_to_send.to_vec();
|
|
cipher
|
|
.encrypt_in_place(&nonce, associated_data, &mut ciphertext)
|
|
.unwrap();
|
|
|
|
HandleUnsealEncryptedKey {
|
|
nonce: nonce.to_vec(),
|
|
ciphertext,
|
|
associated_data: associated_data.to_vec(),
|
|
}
|
|
}
|
|
|
|
#[tokio::test]
|
|
#[test_log::test]
|
|
pub async fn test_unseal_success() {
|
|
let seal_key = b"test-seal-key";
|
|
let (_db, user_agent) = setup_sealed_user_agent(seal_key).await;
|
|
|
|
let encrypted_key = client_dh_encrypt(&user_agent, seal_key).await;
|
|
|
|
let response = user_agent.ask(encrypted_key).await;
|
|
assert!(matches!(response, Ok(())));
|
|
}
|
|
|
|
#[tokio::test]
|
|
#[test_log::test]
|
|
pub async fn test_unseal_wrong_seal_key() {
|
|
let (_db, user_agent) = setup_sealed_user_agent(b"correct-key").await;
|
|
|
|
let encrypted_key = client_dh_encrypt(&user_agent, b"wrong-key").await;
|
|
|
|
let response = user_agent.ask(encrypted_key).await;
|
|
assert!(matches!(
|
|
response,
|
|
Err(kameo::error::SendError::HandlerError(
|
|
UnsealError::InvalidKey
|
|
))
|
|
));
|
|
}
|
|
|
|
#[tokio::test]
|
|
#[test_log::test]
|
|
pub async fn test_unseal_corrupted_ciphertext() {
|
|
let (_db, user_agent) = setup_sealed_user_agent(b"test-key").await;
|
|
|
|
let client_secret = EphemeralSecret::random();
|
|
let client_public = PublicKey::from(&client_secret);
|
|
|
|
user_agent
|
|
.ask(HandleUnsealRequest {
|
|
client_pubkey: client_public,
|
|
})
|
|
.await
|
|
.unwrap();
|
|
|
|
let response = user_agent
|
|
.ask(HandleUnsealEncryptedKey {
|
|
nonce: vec![0u8; 24],
|
|
ciphertext: vec![0u8; 32],
|
|
associated_data: vec![],
|
|
})
|
|
.await;
|
|
|
|
assert!(matches!(
|
|
response,
|
|
Err(kameo::error::SendError::HandlerError(
|
|
UnsealError::InvalidKey
|
|
))
|
|
));
|
|
}
|
|
|
|
#[tokio::test]
|
|
#[test_log::test]
|
|
pub async fn test_unseal_retry_after_invalid_key() {
|
|
let seal_key = b"real-seal-key";
|
|
let (_db, user_agent) = setup_sealed_user_agent(seal_key).await;
|
|
|
|
{
|
|
let encrypted_key = client_dh_encrypt(&user_agent, b"wrong-key").await;
|
|
|
|
let response = user_agent.ask(encrypted_key).await;
|
|
assert!(matches!(
|
|
response,
|
|
Err(kameo::error::SendError::HandlerError(
|
|
UnsealError::InvalidKey
|
|
))
|
|
));
|
|
}
|
|
|
|
{
|
|
let encrypted_key = client_dh_encrypt(&user_agent, seal_key).await;
|
|
|
|
let response = user_agent.ask(encrypted_key).await;
|
|
assert!(matches!(response, Ok(())));
|
|
}
|
|
}
|
|
|
|
#[tokio::test]
|
|
#[test_log::test]
|
|
pub async fn test_unseal_backfills_missing_pubkey_integrity_tags() {
|
|
let seal_key = b"test-seal-key";
|
|
let (db, user_agent) = setup_sealed_user_agent(seal_key).await;
|
|
|
|
{
|
|
let mut conn = db.get().await.unwrap();
|
|
insert_into(arbiter_server::db::schema::useragent_client::table)
|
|
.values((
|
|
arbiter_server::db::schema::useragent_client::public_key
|
|
.eq(vec![1u8, 2u8, 3u8, 4u8]),
|
|
arbiter_server::db::schema::useragent_client::key_type.eq(1i32),
|
|
arbiter_server::db::schema::useragent_client::pubkey_integrity_tag
|
|
.eq(Option::<Vec<u8>>::None),
|
|
))
|
|
.execute(&mut conn)
|
|
.await
|
|
.unwrap();
|
|
}
|
|
|
|
let encrypted_key = client_dh_encrypt(&user_agent, seal_key).await;
|
|
let response = user_agent.ask(encrypted_key).await;
|
|
assert!(matches!(response, Ok(())));
|
|
|
|
{
|
|
let mut conn = db.get().await.unwrap();
|
|
let tags: Vec<Option<Vec<u8>>> = arbiter_server::db::schema::useragent_client::table
|
|
.select(arbiter_server::db::schema::useragent_client::pubkey_integrity_tag)
|
|
.load(&mut conn)
|
|
.await
|
|
.unwrap();
|
|
assert!(
|
|
tags.iter()
|
|
.all(|tag| matches!(tag, Some(v) if v.len() == 32))
|
|
);
|
|
}
|
|
}
|