blob: 468c3f4de7ee2648593e4bb1c069438ca7b028a9 [file] [log] [blame] [edit]
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
package transit
import (
"context"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"testing"
"github.com/hashicorp/vault/sdk/logical"
)
const (
storagePath = "policy/import/" + WrappingKeyName
)
func TestTransit_WrappingKey(t *testing.T) {
// Set up shared backend for subtests
b, s := createBackendWithStorage(t)
// Ensure the key does not exist before requesting it.
keyEntry, err := s.Get(context.Background(), storagePath)
if err != nil {
t.Fatalf("error retrieving wrapping key from storage: %s", err)
}
if keyEntry != nil {
t.Fatal("wrapping key unexpectedly exists")
}
// Generate the key pair by requesting the public key.
req := &logical.Request{
Storage: s,
Operation: logical.ReadOperation,
Path: "wrapping_key",
}
resp, err := b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatalf("unexpected request error: %s", err)
}
if resp == nil || resp.Data == nil || resp.Data["public_key"] == nil {
t.Fatal("expected non-nil response")
}
pubKeyPEM := resp.Data["public_key"]
// Ensure the returned key is a 4096-bit RSA key.
pubKeyBlock, _ := pem.Decode([]byte(pubKeyPEM.(string)))
rawPubKey, err := x509.ParsePKIXPublicKey(pubKeyBlock.Bytes)
if err != nil {
t.Fatalf("failed to parse public wrapping key: %s", err)
}
wrappingKey, ok := rawPubKey.(*rsa.PublicKey)
if !ok || wrappingKey.Size() != 512 {
t.Fatal("public wrapping key is not a 4096-bit RSA key")
}
// Request the wrapping key again to ensure it isn't regenerated.
req = &logical.Request{
Storage: s,
Operation: logical.ReadOperation,
Path: "wrapping_key",
}
resp, err = b.HandleRequest(context.Background(), req)
if err != nil {
t.Fatalf("unexpected request error: %s", err)
}
if resp == nil || resp.Data == nil || resp.Data["public_key"] == nil {
t.Fatal("expected non-nil response")
}
if resp.Data["public_key"] != pubKeyPEM {
t.Fatal("wrapping key public component changed between requests")
}
}