diff options
Diffstat (limited to 'security-utils/src/test/java/com/yahoo')
-rw-r--r-- | security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java b/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java index 35b52d13b1d..875877aed6a 100644 --- a/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java +++ b/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java @@ -9,7 +9,7 @@ import java.io.IOException; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; import java.util.Arrays; -import java.util.Base64; +import java.util.Optional; import static com.yahoo.security.ArrayUtils.hex; import static org.junit.jupiter.api.Assertions.assertArrayEquals; @@ -232,6 +232,29 @@ public class SharedKeyTest { assertEquals(terrifyingSecret, decrypted); } + @Test + void shared_key_can_be_resealed_via_interactive_resealing_session() { + var originalReceiverKp = KeyUtils.generateX25519KeyPair(); + var shared = SharedKeyGenerator.generateForReceiverPublicKey(originalReceiverKp.getPublic(), KEY_ID_1); + var secret = hex(shared.secretKey().getEncoded()); + + // Resealing requester side; ask for token to be resealed for ephemeral session public key + var session = SharedKeyResealingSession.newEphemeralSession(); + var wrappedResealRequest = session.resealingRequestFor(shared.sealedSharedKey()); + + // Resealing request handler side; reseal using private key for original token + var unwrappedResealRequest = SharedKeyResealingSession.ResealingRequest.fromSerializedString(wrappedResealRequest.toSerializedString()); + var wrappedResponse = SharedKeyResealingSession.reseal(unwrappedResealRequest, + (keyId) -> Optional.ofNullable(keyId.equals(KEY_ID_1) ? originalReceiverKp.getPrivate() : null)); + + // Back to resealing requester side + var unwrappedResponse = SharedKeyResealingSession.ResealingResponse.fromSerializedString(wrappedResponse.toSerializedString()); + var resealed = session.openResealingResponse(unwrappedResponse); + + var resealedSecret = hex(resealed.secretKey().getEncoded()); + assertEquals(secret, resealedSecret); + } + // javax.crypto.CipherOutputStream swallows exceptions caused by MAC failures in cipher // decryption mode (!) and must therefore _not_ be used for this purpose. This is documented, // but still very surprising behavior. |