From 232fdb6fb21757b5860582fc83799df442b82395 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rodolphe=20Br=C3=A9ard?= <v.code.ngyvz7vf@what.tf>
Date: Mon, 11 Mar 2024 10:44:08 +0100
Subject: [PATCH] Add decryption tests

---
 src/encryption.rs | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/src/encryption.rs b/src/encryption.rs
index 0b93e77..05e4b02 100644
--- a/src/encryption.rs
+++ b/src/encryption.rs
@@ -82,6 +82,7 @@ mod tests {
 	use super::*;
 	use crate::{DataContext, KeyContext};
 
+	const TEST_CIPHERTEXT: &str = "AQAAAA:elFanOvp5DNewgq75T5U6wLYNn8zzo1n:9izU-8cw4oSIU4lqcYrfEBzOXluS7lVcUbF_KnEg0HFp2srx6xq3Bir91A:NgAAAAAAAAA";
 	const TEST_DATA: &[u8] = b"Lorem ipsum dolor sit amet.";
 	const TEST_KEY_CTX: [&str; 3] = ["db_name", "table_name", "column_name"];
 	const TEST_DATA_CTX: [&str; 1] = ["018db876-3d9d-79af-9460-55d17da991d8"];
@@ -164,4 +165,49 @@ mod tests {
 		let plaintext = res.unwrap();
 		assert_eq!(plaintext, TEST_DATA);
 	}
+
+	#[test]
+	fn decrypt_invalid_ciphertext() {
+		let tests = &[
+			("", "empty data"),
+			("AQAATA:elFanOvp5DNewgq75T5U6wLYNn8zzo1n:9izU-8cw4oSIU4lqcYrfEBzOXluS7lVcUbF_KnEg0HFp2srx6xq3Bir91A:NgAAAAAAAAA", "unknown ikm id"),
+			("AQAAAA:MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0:9izU-8cw4oSIU4lqcYrfEBzOXluS7lVcUbF_KnEg0HFp2srx6xq3Bir91A:NgAAAAAAAAA", "invalid nonce"),
+			("AQAAAA:elFanOvp5DNewgq75T5U6wLYNn8zzo1n:8izU-8cw4oSIU4lqcYrfEBzOXluS7lVcUbF_KnEg0HFp2srx6xq3Bir91A:NgAAAAAAAAA", "invalid ciphertext"),
+			("AQAAAA:elFanOvp5DNewgq75T5U6wLYNn8zzo1n:9izU-8cw4oSIU4lqcYrfEBzOXluS7lVcUbF_KnEg0HFp2srx6xq3Bir91A:NaAAAAAAAAA", "invalid time period"),
+			("AQAAAA:elFanOvp5DNewgq75T5U6wLYNn8zzo1n:9izU-8cw4oSIU4lqcYrfEBzOXluS7lVcUbF_KnEg0HFp2srx6xq3Bir91A:", "empty time period"),
+			("AQAAAA:elFanOvp5DNewgq75T5U6wLYNn8zzo1n:9izU-8cw4oSIU4lqcYrfEBzOXluS7lVcUbF_KnEg0HFp2srx6xq3Bir91A", "missing time period"),
+		];
+
+		let lst = get_ikm_lst();
+		let key_ctx = KeyContext::from(TEST_KEY_CTX);
+		let data_ctx = DataContext::from(TEST_DATA_CTX);
+
+		// Test if the reference ciphertext used for the tests is actually valid
+		let res = decrypt(&lst, &key_ctx, TEST_CIPHERTEXT, &data_ctx);
+		assert!(res.is_ok(), "invalid reference ciphertext");
+
+		// Test if altered versions of the reference ciphertext are refused
+		for (ciphertext, error_str) in tests {
+			let res = decrypt(&lst, &key_ctx, ciphertext, &data_ctx);
+			assert!(res.is_err(), "failed error detection: {error_str}");
+		}
+	}
+
+	#[test]
+	fn invalid_context() {
+		let lst = get_ikm_lst();
+		let key_ctx = KeyContext::from(TEST_KEY_CTX);
+		let data_ctx = DataContext::from(TEST_DATA_CTX);
+
+		let res = decrypt(&lst, &key_ctx, TEST_CIPHERTEXT, &data_ctx);
+		assert!(res.is_ok(), "invalid reference ciphertext");
+
+		let invalid_key_ctx = KeyContext::from(["invalid", "key", "context"]);
+		let res = decrypt(&lst, &invalid_key_ctx, TEST_CIPHERTEXT, &data_ctx);
+		assert!(res.is_err(), "failed error detection: invalid key context");
+
+		let invalid_data_ctx = DataContext::from(["invalid", "data", "context"]);
+		let res = decrypt(&lst, &key_ctx, TEST_CIPHERTEXT, &invalid_data_ctx);
+		assert!(res.is_err(), "failed error detection: invalid key context");
+	}
 }