v1.14.6/builtin/logical/transit/path_wrapping_key_test.go - hashicorp/vault - Git at Google

 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: MPL-2.0

 package transit

 import (
 	"context"
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"testing"

 	"github.com/hashicorp/vault/sdk/logical"
 )

 const (
 	storagePath = "policy/import/" + WrappingKeyName
 )

 func TestTransit_WrappingKey(t *testing.T) {
 	// Set up shared backend for subtests
 	b, s := createBackendWithStorage(t)

 	// Ensure the key does not exist before requesting it.
 	keyEntry, err := s.Get(context.Background(), storagePath)
 	if err != nil {
 		t.Fatalf("error retrieving wrapping key from storage: %s", err)
 	}
 	if keyEntry != nil {
 		t.Fatal("wrapping key unexpectedly exists")
 	}

 	// Generate the key pair by requesting the public key.
 	req := &logical.Request{
 		Storage:   s,
 		Operation: logical.ReadOperation,
 		Path:      "wrapping_key",
 	}
 	resp, err := b.HandleRequest(context.Background(), req)
 	if err != nil {
 		t.Fatalf("unexpected request error: %s", err)
 	}
 	if resp == nil || resp.Data == nil || resp.Data["public_key"] == nil {
 		t.Fatal("expected non-nil response")
 	}
 	pubKeyPEM := resp.Data["public_key"]

 	// Ensure the returned key is a 4096-bit RSA key.
 	pubKeyBlock, _ := pem.Decode([]byte(pubKeyPEM.(string)))
 	rawPubKey, err := x509.ParsePKIXPublicKey(pubKeyBlock.Bytes)
 	if err != nil {
 		t.Fatalf("failed to parse public wrapping key: %s", err)
 	}
 	wrappingKey, ok := rawPubKey.(*rsa.PublicKey)
 	if !ok || wrappingKey.Size() != 512 {
 		t.Fatal("public wrapping key is not a 4096-bit RSA key")
 	}

 	// Request the wrapping key again to ensure it isn't regenerated.
 	req = &logical.Request{
 		Storage:   s,
 		Operation: logical.ReadOperation,
 		Path:      "wrapping_key",
 	}
 	resp, err = b.HandleRequest(context.Background(), req)
 	if err != nil {
 		t.Fatalf("unexpected request error: %s", err)
 	}
 	if resp == nil || resp.Data == nil || resp.Data["public_key"] == nil {
 		t.Fatal("expected non-nil response")
 	}
 	if resp.Data["public_key"] != pubKeyPEM {
 		t.Fatal("wrapping key public component changed between requests")
 	}
 }
	// Copyright (c) HashiCorp, Inc.
	// SPDX-License-Identifier: MPL-2.0

	package transit

	import (
	"context"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"testing"

	"github.com/hashicorp/vault/sdk/logical"
	)

	const (
	storagePath = "policy/import/" + WrappingKeyName
	)

	func TestTransit_WrappingKey(t *testing.T) {
	// Set up shared backend for subtests
	b, s := createBackendWithStorage(t)

	// Ensure the key does not exist before requesting it.
	keyEntry, err := s.Get(context.Background(), storagePath)
	if err != nil {
	t.Fatalf("error retrieving wrapping key from storage: %s", err)
	}
	if keyEntry != nil {
	t.Fatal("wrapping key unexpectedly exists")
	}

	// Generate the key pair by requesting the public key.
	req := &logical.Request{
	Storage: s,
	Operation: logical.ReadOperation,
	Path: "wrapping_key",
	}
	resp, err := b.HandleRequest(context.Background(), req)
	if err != nil {
	t.Fatalf("unexpected request error: %s", err)
	}
	if resp == nil \|\| resp.Data == nil \|\| resp.Data["public_key"] == nil {
	t.Fatal("expected non-nil response")
	}
	pubKeyPEM := resp.Data["public_key"]

	// Ensure the returned key is a 4096-bit RSA key.
	pubKeyBlock, _ := pem.Decode([]byte(pubKeyPEM.(string)))
	rawPubKey, err := x509.ParsePKIXPublicKey(pubKeyBlock.Bytes)
	if err != nil {
	t.Fatalf("failed to parse public wrapping key: %s", err)
	}
	wrappingKey, ok := rawPubKey.(*rsa.PublicKey)
	if !ok \|\| wrappingKey.Size() != 512 {
	t.Fatal("public wrapping key is not a 4096-bit RSA key")
	}

	// Request the wrapping key again to ensure it isn't regenerated.
	req = &logical.Request{
	Storage: s,
	Operation: logical.ReadOperation,
	Path: "wrapping_key",
	}
	resp, err = b.HandleRequest(context.Background(), req)
	if err != nil {
	t.Fatalf("unexpected request error: %s", err)
	}
	if resp == nil \|\| resp.Data == nil \|\| resp.Data["public_key"] == nil {
	t.Fatal("expected non-nil response")
	}
	if resp.Data["public_key"] != pubKeyPEM {
	t.Fatal("wrapping key public component changed between requests")
	}
	}