func TestAEAD(t *testing.T) { key, err := rand.RandomBytes(32) pkg.AssertError(t, false, err) a := &AEAD{ Key: key, } for i := 0; i < 100; i++ { plain := []byte(uuid.New()) ct, err := a.Encrypt(plain) pkg.AssertError(t, false, err) res, err := a.Decrypt(ct) pkg.AssertError(t, false, err) assert.Equal(t, plain, res) } }
func TestMain(m *testing.M) { var session *r.Session var err error c, err := dockertest.ConnectToRethinkDB(20, time.Second, func(url string) bool { if session, err = r.Connect(r.ConnectOpts{Address: url, Database: "hydra"}); err != nil { return false } else if _, err = r.DBCreate("hydra").RunWrite(session); err != nil { log.Printf("Database exists: %s", err) return false } else if _, err = r.TableCreate("hydra_keys").RunWrite(session); err != nil { log.Printf("Could not create table: %s", err) return false } key, err := rand.RandomBytes(32) if err != nil { log.Printf("Could not watch: %s", err) return false } rethinkManager = &RethinkManager{ Keys: map[string]jose.JsonWebKeySet{}, Session: session, Table: r.Table("hydra_keys"), Cipher: &AEAD{ Key: key, }, } rethinkManager.Watch(context.Background()) time.Sleep(100 * time.Millisecond) return true }) if session != nil { defer session.Close() } if err != nil { log.Fatalf("Could not connect to database: %s", err) } managers["rethink"] = rethinkManager retCode := m.Run() c.KillRemove() os.Exit(retCode) }
// GenerateAuthorizeCode generates a new authorize code or returns an error. set secret // This method implements rfc6819 Section 5.1.4.2.2: Use High Entropy for Secrets. func (c *HMACSHAEnigma) GenerateChallenge(secret []byte) (*Challenge, error) { if len(secret) < minimumSecretLength/2 || len(c.GlobalSecret) < minimumSecretLength/2 { return nil, errors.New("Secret or GlobalSecret are not strong enough") } if c.AuthCodeEntropy < minimumEntropy { c.AuthCodeEntropy = minimumEntropy } // When creating secrets not intended for usage by human users (e.g., // client secrets or token handles), the authorization server should // include a reasonable level of entropy in order to mitigate the risk // of guessing attacks. The token value should be >=128 bits long and // constructed from a cryptographically strong random or pseudo-random // number sequence (see [RFC4086] for best current practice) generated // by the authorization server. randomBytes, err := rand.RandomBytes(c.AuthCodeEntropy) if err != nil { return nil, errors.New(err) } if len(randomBytes) < c.AuthCodeEntropy { return nil, errors.New("Could not read enough random data for key generation") } useSecret := append([]byte{}, c.GlobalSecret...) mac := hmac.New(sha256.New, append(useSecret, secret...)) _, err = mac.Write(randomBytes) if err != nil { return nil, errors.New(err) } signature := mac.Sum([]byte{}) return &Challenge{ Key: b64.EncodeToString(randomBytes), Signature: b64.EncodeToString(signature), }, nil }