Adding additional tests for RawAesKeyring and RawRsaKeyring

Author: WesleyRosenblum

src/test/java/com/amazonaws/encryptionsdk/keyrings/RawAesKeyringTest.java

@@ -13,72 +13,113 @@
 
 package com.amazonaws.encryptionsdk.keyrings;
 
+import com.amazonaws.encryptionsdk.model.DecryptionMaterials;
+import com.amazonaws.encryptionsdk.model.EncryptionMaterials;
 import com.amazonaws.encryptionsdk.model.KeyBlob;
 import org.apache.commons.lang3.ArrayUtils;
 import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.Mock;
-import org.mockito.junit.MockitoJUnitRunner;
 
-import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
 import java.nio.charset.StandardCharsets;
 
+import static com.amazonaws.encryptionsdk.internal.RandomBytesGenerator.generate;
+import static com.amazonaws.encryptionsdk.keyrings.RawKeyringTest.ALGORITHM;
+import static com.amazonaws.encryptionsdk.keyrings.RawKeyringTest.DATA_KEY;
+import static com.amazonaws.encryptionsdk.keyrings.RawKeyringTest.ENCRYPTION_CONTEXT;
 import static com.amazonaws.encryptionsdk.keyrings.RawKeyringTest.KEYNAME;
 import static com.amazonaws.encryptionsdk.keyrings.RawKeyringTest.KEYNAMESPACE;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 
-@RunWith(MockitoJUnitRunner.class)
 public class RawAesKeyringTest {
 
-    @Mock
-    private SecretKey wrappingKey;
+    private final RawAesKeyring keyring = new RawAesKeyring(KEYNAMESPACE, KEYNAME, new SecretKeySpec(generate(32), "AES"));
 
     @Test
     public void testValidToDecrypt() {
-        RawAesKeyring rawAesKeyring = new RawAesKeyring(KEYNAMESPACE, KEYNAME, wrappingKey);
-
-        assertTrue(rawAesKeyring.validToDecrypt(new KeyBlob(
+        assertTrue(keyring.validToDecrypt(new KeyBlob(
                 KEYNAMESPACE, KEYNAME.getBytes(StandardCharsets.UTF_8), new byte[]{})));
-        assertTrue(rawAesKeyring.validToDecrypt(new KeyBlob(
-                KEYNAMESPACE, ArrayUtils.add(KEYNAME.getBytes(StandardCharsets.UTF_8), (byte)5), new byte[]{})));
+        assertTrue(keyring.validToDecrypt(new KeyBlob(
+                KEYNAMESPACE, ArrayUtils.add(KEYNAME.getBytes(StandardCharsets.UTF_8), (byte) 5), new byte[]{})));
         //Bad namespace
-        assertFalse(rawAesKeyring.validToDecrypt(new KeyBlob(
+        assertFalse(keyring.validToDecrypt(new KeyBlob(
                 "WrongNamespace", KEYNAME.getBytes(StandardCharsets.UTF_8), new byte[]{})));
         //Bad provider info
-        assertFalse(rawAesKeyring.validToDecrypt(new KeyBlob(
+        assertFalse(keyring.validToDecrypt(new KeyBlob(
                 KEYNAMESPACE, new byte[]{1,2,3}, new byte[]{})));
     }
 
     @Test
-    public void testTraceOnEncrypt() {
-        RawAesKeyring rawAesKeyring = new RawAesKeyring(KEYNAMESPACE, KEYNAME, wrappingKey);
-
-        KeyringTrace trace = new KeyringTrace();
-
-        rawAesKeyring.traceOnEncrypt(trace);
-        assertEquals(1, trace.getEntries().size());
-        assertEquals(KEYNAME, trace.getEntries().get(0).getKeyName());
-        assertEquals(KEYNAMESPACE, trace.getEntries().get(0).getKeyNamespace());
-        assertEquals(2, trace.getEntries().get(0).getFlags().size());
-        assertTrue(trace.getEntries().get(0).getFlags().contains(KeyringTraceFlag.ENCRYPTED_DATA_KEY));
-        assertTrue(trace.getEntries().get(0).getFlags().contains(KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT));
+    public void testEncryptDecryptExistingDataKey() {
+        EncryptionMaterials encryptionMaterials = EncryptionMaterials.newBuilder()
+                .setAlgorithm(ALGORITHM)
+                .setCleartextDataKey(DATA_KEY)
+                .setKeyringTrace(new KeyringTrace())
+                .setEncryptionContext(ENCRYPTION_CONTEXT)
+                .build();
+
+        keyring.onEncrypt(encryptionMaterials);
+
+        assertEquals(1, encryptionMaterials.getEncryptedDataKeys().size());
+        assertEquals(1, encryptionMaterials.getKeyringTrace().getEntries().size());
+        assertEquals(KEYNAME, encryptionMaterials.getKeyringTrace().getEntries().get(0).getKeyName());
+        assertEquals(KEYNAMESPACE, encryptionMaterials.getKeyringTrace().getEntries().get(0).getKeyNamespace());
+        assertEquals(2, encryptionMaterials.getKeyringTrace().getEntries().get(0).getFlags().size());
+        assertTrue(encryptionMaterials.getKeyringTrace().getEntries().get(0).getFlags().contains(KeyringTraceFlag.ENCRYPTED_DATA_KEY));
+        assertTrue(encryptionMaterials.getKeyringTrace().getEntries().get(0).getFlags().contains(KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT));
+
+        DecryptionMaterials decryptionMaterials = DecryptionMaterials.newBuilder()
+                .setAlgorithm(ALGORITHM)
+                .setEncryptionContext(ENCRYPTION_CONTEXT)
+                .setKeyringTrace(new KeyringTrace())
+                .build();
+
+        keyring.onDecrypt(decryptionMaterials, encryptionMaterials.getEncryptedDataKeys());
+
+        assertEquals(DATA_KEY, decryptionMaterials.getCleartextDataKey());
+        assertEquals(KEYNAME, decryptionMaterials.getKeyringTrace().getEntries().get(0).getKeyName());
+        assertEquals(KEYNAMESPACE, decryptionMaterials.getKeyringTrace().getEntries().get(0).getKeyNamespace());
+        assertEquals(2, decryptionMaterials.getKeyringTrace().getEntries().get(0).getFlags().size());
+        assertTrue(decryptionMaterials.getKeyringTrace().getEntries().get(0).getFlags().contains(KeyringTraceFlag.DECRYPTED_DATA_KEY));
+        assertTrue(decryptionMaterials.getKeyringTrace().getEntries().get(0).getFlags().contains(KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT));
     }
 
     @Test
-    public void testTraceOnDecrypt() {
-        RawAesKeyring rawAesKeyring = new RawAesKeyring(KEYNAMESPACE, KEYNAME, wrappingKey);
-
-        KeyringTrace trace = new KeyringTrace();
-
-        rawAesKeyring.traceOnDecrypt(trace);
-        assertEquals(1, trace.getEntries().size());
-        assertEquals(KEYNAME, trace.getEntries().get(0).getKeyName());
-        assertEquals(KEYNAMESPACE, trace.getEntries().get(0).getKeyNamespace());
-        assertEquals(2, trace.getEntries().get(0).getFlags().size());
-        assertTrue(trace.getEntries().get(0).getFlags().contains(KeyringTraceFlag.DECRYPTED_DATA_KEY));
-        assertTrue(trace.getEntries().get(0).getFlags().contains(KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT));
+    public void testEncryptDecryptGenerateDataKey() {
+        EncryptionMaterials encryptionMaterials = EncryptionMaterials.newBuilder()
+                .setAlgorithm(ALGORITHM)
+                .setKeyringTrace(new KeyringTrace())
+                .setEncryptionContext(ENCRYPTION_CONTEXT)
+                .build();
+
+        keyring.onEncrypt(encryptionMaterials);
+
+        assertNotNull(encryptionMaterials.getCleartextDataKey());
+        assertEquals(encryptionMaterials.getCleartextDataKey().getAlgorithm(), ALGORITHM.getDataKeyAlgo());
+        assertEquals(1, encryptionMaterials.getEncryptedDataKeys().size());
+        assertEquals(2, encryptionMaterials.getKeyringTrace().getEntries().size());
+        assertEquals(1, encryptionMaterials.getKeyringTrace().getEntries().get(0).getFlags().size());
+        assertTrue(encryptionMaterials.getKeyringTrace().getEntries().get(0).getFlags().contains(KeyringTraceFlag.GENERATED_DATA_KEY));
+        assertEquals(2, encryptionMaterials.getKeyringTrace().getEntries().get(1).getFlags().size());
+        assertTrue(encryptionMaterials.getKeyringTrace().getEntries().get(1).getFlags().contains(KeyringTraceFlag.ENCRYPTED_DATA_KEY));
+        assertTrue(encryptionMaterials.getKeyringTrace().getEntries().get(1).getFlags().contains(KeyringTraceFlag.SIGNED_ENCRYPTION_CONTEXT));
+
+        DecryptionMaterials decryptionMaterials = DecryptionMaterials.newBuilder()
+                .setAlgorithm(ALGORITHM)
+                .setEncryptionContext(ENCRYPTION_CONTEXT)
+                .setKeyringTrace(new KeyringTrace())
+                .build();
+
+        keyring.onDecrypt(decryptionMaterials, encryptionMaterials.getEncryptedDataKeys());
+
+        assertEquals(encryptionMaterials.getCleartextDataKey(), decryptionMaterials.getCleartextDataKey());
+        assertEquals(KEYNAME, decryptionMaterials.getKeyringTrace().getEntries().get(0).getKeyName());
+        assertEquals(KEYNAMESPACE, decryptionMaterials.getKeyringTrace().getEntries().get(0).getKeyNamespace());
+        assertEquals(2, decryptionMaterials.getKeyringTrace().getEntries().get(0).getFlags().size());
+        assertTrue(decryptionMaterials.getKeyringTrace().getEntries().get(0).getFlags().contains(KeyringTraceFlag.DECRYPTED_DATA_KEY));
+        assertTrue(decryptionMaterials.getKeyringTrace().getEntries().get(0).getFlags().contains(KeyringTraceFlag.VERIFIED_ENCRYPTION_CONTEXT));
     }
 
 }

src/test/java/com/amazonaws/encryptionsdk/keyrings/RawKeyringTest.java

@@ -19,10 +19,10 @@
 import com.amazonaws.encryptionsdk.model.DecryptionMaterials;
 import com.amazonaws.encryptionsdk.model.EncryptionMaterials;
 import com.amazonaws.encryptionsdk.model.KeyBlob;
+import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.ArgumentCaptor;
-import org.mockito.Captor;
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
 
@@ -33,7 +33,6 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
-import java.util.function.Function;
 
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
@@ -47,30 +46,50 @@ public class RawKeyringTest {
 
     static final String KEYNAME = "testKeyname";
     static final String KEYNAMESPACE = "testKeynamespace";
-    private static final CryptoAlgorithm ALGORITHM = CryptoAlgorithm.ALG_AES_192_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384;
+    static final CryptoAlgorithm ALGORITHM = CryptoAlgorithm.ALG_AES_192_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384;
     static final SecretKey DATA_KEY = new SecretKeySpec(new byte[]{10, 11, 12}, ALGORITHM.getDataKeyAlgo());
+    static final Map<String, String> ENCRYPTION_CONTEXT = Collections.singletonMap("myKey", "myValue");
     private static final EncryptedDataKey ENCRYPTED_DATA_KEY = new KeyBlob("keyProviderId", new byte[]{1, 2, 3}, new byte[]{4, 5, 6});
-    private static final Map<String, String> ENCRYPTION_CONTEXT = Collections.singletonMap("myKey", "myValue");
+    private static final EncryptedDataKey INVALID_DATA_KEY = new KeyBlob("invalidProviderId", new byte[]{1, 2, 3}, new byte[]{4, 5, 6});
     private static final KeyringTraceEntry ENCRYPTED_DATA_KEY_TRACE = new KeyringTraceEntry(KEYNAMESPACE, KEYNAME, Collections.singleton(KeyringTraceFlag.ENCRYPTED_DATA_KEY));
     private static final KeyringTraceEntry DECRYPTED_DATA_KEY_TRACE = new KeyringTraceEntry(KEYNAMESPACE, KEYNAME, Collections.singleton(KeyringTraceFlag.DECRYPTED_DATA_KEY));
     private static final KeyringTraceEntry GENERATED_DATA_KEY_TRACE = new KeyringTraceEntry(KEYNAMESPACE, KEYNAME, Collections.singleton(KeyringTraceFlag.GENERATED_DATA_KEY));
     @Mock
     private JceKeyCipher jceKeyCipher;
-    @Captor
-    private ArgumentCaptor<byte[]> dataKeyCaptor;
+    private Keyring keyring;
 
-    @Test
-    public void testEncryptDecryptExistingDataKey() throws GeneralSecurityException {
-        Keyring keyring = newRawKeyring(jceKeyCipher, (edk) -> true, ENCRYPTED_DATA_KEY_TRACE, DECRYPTED_DATA_KEY_TRACE);
+    @Before
+    public void setup() throws Exception {
+        when(jceKeyCipher.encryptKey(DATA_KEY.getEncoded(), KEYNAME, KEYNAMESPACE, ENCRYPTION_CONTEXT)).thenReturn(ENCRYPTED_DATA_KEY);
+        when(jceKeyCipher.decryptKey(ENCRYPTED_DATA_KEY, KEYNAME, ENCRYPTION_CONTEXT)).thenReturn(DATA_KEY.getEncoded());
+
+        keyring = new RawKeyring(KEYNAMESPACE, KEYNAME, jceKeyCipher) {
+            @Override
+            boolean validToDecrypt(EncryptedDataKey encryptedDataKey) {
+                return !encryptedDataKey.getProviderId().equals(INVALID_DATA_KEY.getProviderId());
+            }
+
+            @Override
+            void traceOnEncrypt(KeyringTrace keyringTrace) {
+                keyringTrace.add(KEYNAMESPACE, KEYNAME, ENCRYPTED_DATA_KEY_TRACE.getFlags().toArray(new KeyringTraceFlag[]{}));
+            }
 
+            @Override
+            void traceOnDecrypt(KeyringTrace keyringTrace) {
+                keyringTrace.add(KEYNAMESPACE, KEYNAME, DECRYPTED_DATA_KEY_TRACE.getFlags().toArray(new KeyringTraceFlag[]{}));
+            }
+        };
+    }
+
+    @Test
+    public void testEncryptDecryptExistingDataKey() {
         EncryptionMaterials encryptionMaterials = EncryptionMaterials.newBuilder()
                 .setAlgorithm(ALGORITHM)
                 .setCleartextDataKey(DATA_KEY)
                 .setKeyringTrace(new KeyringTrace())
                 .setEncryptionContext(ENCRYPTION_CONTEXT)
                 .build();
 
-        when(jceKeyCipher.encryptKey(DATA_KEY.getEncoded(), KEYNAME, KEYNAMESPACE, ENCRYPTION_CONTEXT)).thenReturn(ENCRYPTED_DATA_KEY);
         keyring.onEncrypt(encryptionMaterials);
 
         assertEquals(1, encryptionMaterials.getEncryptedDataKeys().size());
@@ -84,23 +103,21 @@ public void testEncryptDecryptExistingDataKey() throws GeneralSecurityException
                 .setKeyringTrace(new KeyringTrace())
                 .build();
 
-        when(jceKeyCipher.decryptKey(encryptionMaterials.getEncryptedDataKeys().get(0), KEYNAME, ENCRYPTION_CONTEXT)).thenReturn(DATA_KEY.getEncoded());
-        keyring.onDecrypt(decryptionMaterials, encryptionMaterials.getEncryptedDataKeys());
+        keyring.onDecrypt(decryptionMaterials, Collections.singletonList(ENCRYPTED_DATA_KEY));
 
         assertEquals(DATA_KEY, decryptionMaterials.getCleartextDataKey());
         assertEquals(DECRYPTED_DATA_KEY_TRACE, decryptionMaterials.getKeyringTrace().getEntries().get(0));
     }
 
     @Test
     public void testEncryptNullDataKey() {
-        Keyring keyring = newRawKeyring(jceKeyCipher, (edk) -> true, ENCRYPTED_DATA_KEY_TRACE, null);
-
         EncryptionMaterials encryptionMaterials = EncryptionMaterials.newBuilder()
                 .setAlgorithm(ALGORITHM)
                 .setKeyringTrace(new KeyringTrace())
                 .setEncryptionContext(ENCRYPTION_CONTEXT)
                 .build();
 
+        ArgumentCaptor<byte[]> dataKeyCaptor = ArgumentCaptor.forClass(byte[].class);
         when(jceKeyCipher.encryptKey(dataKeyCaptor.capture(), eq(KEYNAME), eq(KEYNAMESPACE), eq(ENCRYPTION_CONTEXT))).thenReturn(ENCRYPTED_DATA_KEY);
         keyring.onEncrypt(encryptionMaterials);
 
@@ -116,8 +133,6 @@ public void testEncryptNullDataKey() {
 
     @Test(expected = IllegalArgumentException.class)
     public void testEncryptBadDataKeyAlgorithm() {
-        Keyring keyring = newRawKeyring(jceKeyCipher, (edk) -> true, null, null);
-
         EncryptionMaterials encryptionMaterials = EncryptionMaterials.newBuilder()
                 .setAlgorithm(ALGORITHM)
                 .setCleartextDataKey(new SecretKeySpec(DATA_KEY.getEncoded(), "OtherAlgorithm"))
@@ -130,8 +145,6 @@ public void testEncryptBadDataKeyAlgorithm() {
 
     @Test
     public void testDecryptAlreadyDecryptedDataKey() {
-        Keyring keyring = newRawKeyring(jceKeyCipher, (edk) -> true, null, null);
-
         DecryptionMaterials decryptionMaterials = DecryptionMaterials.newBuilder()
                 .setAlgorithm(ALGORITHM)
                 .setCleartextDataKey(DATA_KEY)
@@ -147,36 +160,28 @@ public void testDecryptAlreadyDecryptedDataKey() {
 
     @Test
     public void testDecryptNoValidDataKey() {
-        Keyring keyring = newRawKeyring(jceKeyCipher, (edk) -> false, null, null);
-
         DecryptionMaterials decryptionMaterials = DecryptionMaterials.newBuilder()
                 .setAlgorithm(ALGORITHM)
                 .setEncryptionContext(ENCRYPTION_CONTEXT)
                 .setKeyringTrace(new KeyringTrace())
                 .build();
 
-        keyring.onDecrypt(decryptionMaterials, Collections.singletonList(ENCRYPTED_DATA_KEY));
+        keyring.onDecrypt(decryptionMaterials, Collections.singletonList(INVALID_DATA_KEY));
 
         assertNull(decryptionMaterials.getCleartextDataKey());
         assertEquals(0, decryptionMaterials.getKeyringTrace().getEntries().size());
     }
 
     @Test
-    public void testDecryptMultipleKeysOneInvalid() throws GeneralSecurityException {
-        final EncryptedDataKey BAD_DATA_KEY = new KeyBlob("badProviderId", new byte[]{1, 2, 3}, new byte[]{4, 5, 6});
-
-        Keyring keyring = newRawKeyring(jceKeyCipher, (edk) -> !edk.getProviderId().equals(BAD_DATA_KEY.getProviderId()), null, DECRYPTED_DATA_KEY_TRACE);
-
+    public void testDecryptMultipleKeysOneInvalid() {
         DecryptionMaterials decryptionMaterials = DecryptionMaterials.newBuilder()
                 .setAlgorithm(ALGORITHM)
                 .setEncryptionContext(ENCRYPTION_CONTEXT)
                 .setKeyringTrace(new KeyringTrace())
                 .build();
 
-        when(jceKeyCipher.decryptKey(ENCRYPTED_DATA_KEY, KEYNAME, ENCRYPTION_CONTEXT)).thenReturn(DATA_KEY.getEncoded());
-
         final List<EncryptedDataKey> edks = new ArrayList<>();
-        edks.add(BAD_DATA_KEY);
+        edks.add(INVALID_DATA_KEY);
         edks.add(ENCRYPTED_DATA_KEY);
 
         keyring.onDecrypt(decryptionMaterials, edks);
@@ -187,9 +192,7 @@ public void testDecryptMultipleKeysOneInvalid() throws GeneralSecurityException
 
     @Test
     public void testDecryptMultipleKeysOneException() throws GeneralSecurityException {
-        final EncryptedDataKey BAD_DATA_KEY = new KeyBlob("badProviderId", new byte[]{1, 2, 3}, new byte[]{4, 5, 6});
-
-        Keyring keyring = newRawKeyring(jceKeyCipher, (edk) -> true, null, DECRYPTED_DATA_KEY_TRACE);
+        final EncryptedDataKey BAD_DATA_KEY = new KeyBlob("exceptionProvider", new byte[]{1, 2, 3}, new byte[]{4, 5, 6});
 
         DecryptionMaterials decryptionMaterials = DecryptionMaterials.newBuilder()
                 .setAlgorithm(ALGORITHM)
@@ -199,7 +202,6 @@ public void testDecryptMultipleKeysOneException() throws GeneralSecurityExceptio
 
         when(jceKeyCipher.decryptKey(BAD_DATA_KEY, KEYNAME, ENCRYPTION_CONTEXT))
                 .thenThrow(new GeneralSecurityException("could not decrypt key"));
-        when(jceKeyCipher.decryptKey(ENCRYPTED_DATA_KEY, KEYNAME, ENCRYPTION_CONTEXT)).thenReturn(DATA_KEY.getEncoded());
 
         final List<EncryptedDataKey> edks = new ArrayList<>();
         edks.add(BAD_DATA_KEY);
@@ -211,32 +213,6 @@ public void testDecryptMultipleKeysOneException() throws GeneralSecurityExceptio
         assertEquals(DECRYPTED_DATA_KEY_TRACE, decryptionMaterials.getKeyringTrace().getEntries().get(0));
     }
 
-    private Keyring newRawKeyring(JceKeyCipher jceKeyCipher, Function<EncryptedDataKey, Boolean> validToDecrypt,
-                                  KeyringTraceEntry encryptTraceEntry, KeyringTraceEntry decryptTraceEntry) {
-        return new RawKeyring(KEYNAMESPACE, KEYNAME, jceKeyCipher) {
-            @Override
-            boolean validToDecrypt(EncryptedDataKey encryptedDataKey) {
-                return validToDecrypt.apply(encryptedDataKey);
-            }
-
-            @Override
-            void traceOnEncrypt(KeyringTrace keyringTrace) {
-                if (encryptTraceEntry != null) {
-                    keyringTrace.add(encryptTraceEntry.getKeyNamespace(), encryptTraceEntry.getKeyName(),
-                            encryptTraceEntry.getFlags().toArray(new KeyringTraceFlag[]{}));
-                }
-            }
-
-            @Override
-            void traceOnDecrypt(KeyringTrace keyringTrace) {
-                if (decryptTraceEntry != null) {
-                    keyringTrace.add(decryptTraceEntry.getKeyNamespace(), decryptTraceEntry.getKeyName(),
-                            decryptTraceEntry.getFlags().toArray(new KeyringTraceFlag[]{}));
-                }
-            }
-        };
-    }
-
     private void assertEncryptedDataKeyEquals(EncryptedDataKey expected, EncryptedDataKey actual) {
         assertEquals(expected.getProviderId(), actual.getProviderId());
         assertArrayEquals(expected.getProviderInformation(), actual.getProviderInformation());