Ejemplo n.º 1
0
func TestAEAD(t *testing.T) {
	key, err := rand.RandomBytes(32)
	pkg.AssertError(t, false, err)

	a := &AEAD{
		Key: key,
	}

	for i := 0; i < 100; i++ {
		plain := []byte(uuid.New())
		ct, err := a.Encrypt(plain)
		pkg.AssertError(t, false, err)

		res, err := a.Decrypt(ct)
		pkg.AssertError(t, false, err)
		assert.Equal(t, plain, res)
	}
}
Ejemplo n.º 2
0
func TestMain(m *testing.M) {
	var session *r.Session
	var err error

	c, err := dockertest.ConnectToRethinkDB(20, time.Second, func(url string) bool {
		if session, err = r.Connect(r.ConnectOpts{Address: url, Database: "hydra"}); err != nil {
			return false
		} else if _, err = r.DBCreate("hydra").RunWrite(session); err != nil {
			log.Printf("Database exists: %s", err)
			return false
		} else if _, err = r.TableCreate("hydra_keys").RunWrite(session); err != nil {
			log.Printf("Could not create table: %s", err)
			return false
		}

		key, err := rand.RandomBytes(32)
		if err != nil {
			log.Printf("Could not watch: %s", err)
			return false
		}
		rethinkManager = &RethinkManager{
			Keys:    map[string]jose.JsonWebKeySet{},
			Session: session,
			Table:   r.Table("hydra_keys"),
			Cipher: &AEAD{
				Key: key,
			},
		}
		rethinkManager.Watch(context.Background())
		time.Sleep(100 * time.Millisecond)
		return true
	})
	if session != nil {
		defer session.Close()
	}
	if err != nil {
		log.Fatalf("Could not connect to database: %s", err)
	}
	managers["rethink"] = rethinkManager

	retCode := m.Run()
	c.KillRemove()
	os.Exit(retCode)
}
Ejemplo n.º 3
0
// GenerateAuthorizeCode generates a new authorize code or returns an error. set secret
// This method implements rfc6819 Section 5.1.4.2.2: Use High Entropy for Secrets.
func (c *HMACSHAEnigma) GenerateChallenge(secret []byte) (*Challenge, error) {
	if len(secret) < minimumSecretLength/2 || len(c.GlobalSecret) < minimumSecretLength/2 {
		return nil, errors.New("Secret or GlobalSecret are not strong enough")
	}

	if c.AuthCodeEntropy < minimumEntropy {
		c.AuthCodeEntropy = minimumEntropy
	}

	// When creating secrets not intended for usage by human users (e.g.,
	// client secrets or token handles), the authorization server should
	// include a reasonable level of entropy in order to mitigate the risk
	// of guessing attacks.  The token value should be >=128 bits long and
	// constructed from a cryptographically strong random or pseudo-random
	// number sequence (see [RFC4086] for best current practice) generated
	// by the authorization server.
	randomBytes, err := rand.RandomBytes(c.AuthCodeEntropy)
	if err != nil {
		return nil, errors.New(err)
	}

	if len(randomBytes) < c.AuthCodeEntropy {
		return nil, errors.New("Could not read enough random data for key generation")
	}

	useSecret := append([]byte{}, c.GlobalSecret...)
	mac := hmac.New(sha256.New, append(useSecret, secret...))
	_, err = mac.Write(randomBytes)
	if err != nil {
		return nil, errors.New(err)
	}
	signature := mac.Sum([]byte{})

	return &Challenge{
		Key:       b64.EncodeToString(randomBytes),
		Signature: b64.EncodeToString(signature),
	}, nil
}