glm-5.1
eae47c366b
Per ADR-038, DerivedKey.private_key now derives Zeroize with #[zeroize(drop)] ensuring sensitive key material is zeroized before deallocation. DerivedKey is now move-only (no Clone), and JSON/debug output redacts private_key as "[REDACTED]". Deserialization still works for postcard/irpc wire format. Also fixes clippy needless_borrows_for_generic_args in encryption.rs and applies cargo fmt to existing code.
59 lines
1.9 KiB
Rust
59 lines
1.9 KiB
Rust
//! Integration tests for AES-256-GCM encryption and decryption.
|
|
//!
|
|
//! These tests verify round-trip encryption, key version handling,
|
|
//! and wire format compatibility.
|
|
|
|
use alknet_secret::encryption::CURRENT_KEY_VERSION;
|
|
use alknet_secret::service::SecretServiceHandle;
|
|
|
|
#[test]
|
|
fn test_encrypt_decrypt_round_trip_via_service() {
|
|
let service = SecretServiceHandle::new();
|
|
service.unlock_new(24).unwrap();
|
|
|
|
let plaintext = "sk-proj-abc123xyz789";
|
|
|
|
let encrypted = service.encrypt(plaintext, CURRENT_KEY_VERSION).unwrap();
|
|
let decrypted = service.decrypt(&encrypted).unwrap();
|
|
|
|
assert_eq!(decrypted, plaintext);
|
|
}
|
|
|
|
#[test]
|
|
fn test_encrypt_produces_different_ciphertext_each_time() {
|
|
let service = SecretServiceHandle::new();
|
|
service.unlock_new(24).unwrap();
|
|
|
|
let plaintext = "same input different ciphertexts";
|
|
|
|
let encrypted1 = service.encrypt(plaintext, CURRENT_KEY_VERSION).unwrap();
|
|
let encrypted2 = service.encrypt(plaintext, CURRENT_KEY_VERSION).unwrap();
|
|
|
|
// Different IVs mean different ciphertexts
|
|
assert_ne!(encrypted1.iv, encrypted2.iv);
|
|
assert_ne!(encrypted1.data, encrypted2.data);
|
|
// But same key version
|
|
assert_eq!(encrypted1.key_version, encrypted2.key_version);
|
|
}
|
|
|
|
#[test]
|
|
fn test_encrypted_data_serialization() {
|
|
let service = SecretServiceHandle::new();
|
|
service.unlock_new(24).unwrap();
|
|
|
|
let plaintext = "test serialization";
|
|
let encrypted = service.encrypt(plaintext, CURRENT_KEY_VERSION).unwrap();
|
|
|
|
// Verify EncryptedData serializes to JSON
|
|
let json = serde_json::to_string(&encrypted).unwrap();
|
|
assert!(json.contains("key_version"));
|
|
assert!(json.contains("salt"));
|
|
assert!(json.contains("iv"));
|
|
assert!(json.contains("data"));
|
|
|
|
// Verify round-trip through JSON
|
|
let deserialized: alknet_secret::encryption::EncryptedData =
|
|
serde_json::from_str(&json).unwrap();
|
|
assert_eq!(deserialized, encrypted);
|
|
}
|