burrito_secrets/
lib.rs

1/*
2 * Copyright (c) 2024.
3 *
4 * Licensed under the MIT license <http://opensource.org/licenses/MIT>.
5 */
6extern crate core;
7
8
9pub mod database;
10pub mod waiters;
11pub mod signing;
12pub mod encryption;
13
14#[cfg(test)]
15mod tests {
16    use crate::database::Metadata;
17    use crate::encryption::{EncryptionWaiter, EncryptionWaiterSymmetric};
18    use crate::waiters::burrito_box::BurritoBox;
19    use crate::waiters::burrito_box_sym::BurritoBoxSym;
20    use crate::waiters::sensitive_text::SensitiveText;
21    use crate::waiters::Waiter;
22    use crate::signing::Signing;
23    use bson::Bson;
24    use dryoc::dryocbox::protected::SecretKey;
25    use dryoc::types::NewBytes;
26
27    fn blank_key() -> SecretKey {
28        SecretKey::new_bytes()
29    }
30
31
32    #[test]
33    fn sym_sign_test() {
34        let plaintext = SensitiveText::new("Hello World!");
35        let secret_key = blank_key();
36
37        let encrypted = BurritoBox::encrypt(plaintext.into_entry(), secret_key).expect("Failed to encrypt");
38
39        let secret_key = blank_key();
40        let encrypted = encrypted.into_entry().sign_sym(secret_key);
41
42        let secret_key = blank_key();
43        let mut verify = encrypted.verify_sym(secret_key).expect("Failed to verify signature");
44
45        let x = verify.get_mut("ENCRYPTED").expect("Failed to get data");
46        let Bson::Binary(b) = x else { panic!("Failed to get binary") };
47        b.bytes.swap_remove(12); // ...oopsie! Our signature is invalid now!
48
49        let secret_key = blank_key();
50        let _err = verify.verify_sym(secret_key).expect_err("Signature should not be valid!");
51    }
52
53    #[test]
54    fn sign_test() {
55        use dryoc::sign::SigningKeyPair;
56        use dryoc::sign::protected::PublicKey;
57        use dryoc::sign::protected::SecretKey;
58
59        let keypair = SigningKeyPair::<PublicKey, SecretKey>::gen();
60
61        let plaintext = SensitiveText::new("Hello World!");
62
63        let plaintext = plaintext.sign(keypair.secret_key.clone());
64
65        let plaintext = plaintext.verify().expect("Signature must be correct.");
66
67        let plaintext = plaintext.with_security(keypair.secret_key.clone());
68
69        assert!(plaintext.is_secure());
70    }
71
72    #[test]
73    fn password_sym_test() {
74        let plaintext = SensitiveText::new("Hello World!");
75        let encrypted = BurritoBoxSym::of_password(plaintext.into_entry(), "Hello World!".to_string());
76        let decrypted = encrypted.decrypt_password("Hello World!".to_string()).expect("Failed to decrypt");
77        println!("{:#}", bson::to_bson(&decrypted).unwrap());
78    }
79
80    #[test]
81    fn encrypt_decrypt_test() {
82        use dryoc::keypair::KeyPair;
83        use dryoc::dryocbox::protected::SecretKey;
84        use dryoc::dryocbox::protected::PublicKey;
85
86        let keypair: KeyPair<PublicKey, SecretKey> = KeyPair::gen();
87
88        let public_key = &keypair.public_key;
89        let secret_key = &keypair.secret_key;
90
91        let plaintext = SensitiveText::new("Hello World!").into_entry().sign_sym(public_key.clone());
92        let encrypted = BurritoBox::encrypt(plaintext, public_key.clone()).expect("Failed to encrypt");
93
94        println!("{:#}", bson::to_bson(&encrypted).unwrap());
95
96        let decrypted = encrypted.decrypt(secret_key.clone()).expect("Failed to decrypt");
97        println!("{:#}", bson::to_bson(&decrypted).unwrap());
98    }
99
100    #[test]
101    fn security_attestation_test() {
102        use dryoc::sign::SigningKeyPair;
103        use dryoc::sign::protected::PublicKey;
104        use dryoc::sign::protected::SecretKey;
105
106        let plaintext = SensitiveText::new("Hello World!");
107        let keypair = SigningKeyPair::<PublicKey, SecretKey>::gen();
108        let plaintext = plaintext.with_security(keypair.secret_key.clone());
109        let is_secure = plaintext.is_secure();
110
111        assert!(is_secure);
112
113        let plaintext = plaintext.sign(keypair.secret_key.clone());
114
115        let plaintext = plaintext.verify().expect("Signature must be correct.");
116
117        // By adding a signature, we actually modified the document store, so it should not be secure!
118        // This is by design, to prevent accidentally adding unintended extra data to a security-authorized
119        // document.
120        assert!(!plaintext.is_secure());
121    }
122
123    #[test]
124    fn encrypt_decrypt_sym_test() {
125        let plaintext = SensitiveText::new("Hello World!");
126        let secret_box = BurritoBoxSym::encrypt_sym(plaintext.into_entry(), blank_key()).expect("Failed to encrypt");
127
128        println!("{:#}", bson::to_bson(&secret_box).unwrap());
129    }
130
131    #[test]
132    fn serialize_test() {
133        let plaintext = SensitiveText::new("Hello World!").and_defaults::<SensitiveText>().sign_sym(blank_key());
134        println!("{:#}", bson::to_bson(&plaintext).unwrap());
135        let verified = plaintext.verify_sym(blank_key()).expect("Failed to verify signature");
136        println!("{:#}", bson::to_bson(&verified).unwrap());
137
138        let entry = verified.into_entry();
139        println!("{:#}", bson::to_bson(&entry).unwrap());
140        let plaintext = SensitiveText::from_entry(entry).expect("Failed to verify signature");
141        let _plaintext = plaintext.verify_sym(blank_key()).expect("Failed to verify signature");
142    }
143}
burrito_secrets/lib.rs

burrito_secrets/
lib.rs
