diff --git a/.gitignore b/.gitignore
index 6233550..63030f9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -47,4 +47,7 @@ tmp.CHANGELOG.md /git-cliff-* .config/
-.cache/
\ No newline at end of file
+.cache/
+
+# Venom tests output
+tests/out
\ No newline at end of file
diff --git a/tests/cfg/vars.yaml b/tests/cfg/vars.yaml
new file mode 100644
index 0000000..8995c70
--- /dev/null
+++ b/tests/cfg/vars.yaml
@@ -0,0 +1,2 @@
+cmd_path: ../okms
+cfg_path: ../okms.yaml
diff --git a/tests/keys.yaml b/tests/keys.yaml
new file mode 100644
index 0000000..09ecbb8
--- /dev/null
+++ b/tests/keys.yaml
@@ -0,0 +1,329 @@
+name: okms-cli keys test suite
+description: Test the OKMS keys subcommand
+testcases:
+ - name: Create Keys
+ steps:
+ - name: Create an AES 256 key
+ type: okms-cmd
+ args: keys new --type oct --size 256 test-aes-1 --usage encrypt,decrypt,wrapKey,unwrapKey
+ assertions:
+ - result.code ShouldEqual 0
+ vars:
+ aesKeyId:
+ from: result.systemoutjson.id
+ - name: Create an RSA 2048 key pair
+ type: okms-cmd
+ args: keys new --type rsa --size 2048 test-rsa-1 --usage sign,verify
+ assertions:
+ - result.code ShouldEqual 0
+ vars:
+ rsaKeyId:
+ from: result.systemoutjson.id
+ - name: Create an ECDSA P-256 key pair
+ type: okms-cmd
+ args: keys new --type ec --curve P-256 test-ecdsa-1 --usage sign,verify
+ assertions:
+ - result.code ShouldEqual 0
+ vars:
+ ecKeyId:
+ from: result.systemoutjson.id
+ - name: Get the {{ .value.kind }} keys
+ type: okms-cmd
+ range:
+ - keyId: "{{ .Create-Keys.aesKeyId }}"
+ kind: AES
+ - keyId: "{{ .Create-Keys.rsaKeyId }}"
+ kind: RSA
+ - keyId: "{{ .Create-Keys.ecKeyId }}"
+ kind: ECDSA
+ args: keys get {{ .value.keyId }}
+ assertions:
+ - result.code ShouldEqual 0
+ - result.systemoutjson.id ShouldEqual {{ .value.keyId }}
+ - name: List the keys and check {{ .value.kind }}
+ type: okms-cmd
+ range:
+ - keyId: "{{ .Create-Keys.aesKeyId }}"
+ kind: AES
+ - keyId: "{{ .Create-Keys.rsaKeyId }}"
+ kind: RSA
+ - keyId: "{{ .Create-Keys.ecKeyId }}"
+ kind: ECDSA
+ args: keys ls
+ assertions:
+ - result.code ShouldEqual 0
+ - result.systemoutjson.objects_list ShouldJSONContainWithKey id {{ .value.keyId }}
+
+ - name: AES Encryption
+ steps:
+ - name: Encrypt data
+ type: okms-cmd
+ args: keys encrypt {{ .Create-Keys.aesKeyId }} "Hello World !!!"
+ assertions:
+ - result.code ShouldEqual 0
+ vars:
+ ciphertext:
+ from: result.systemoutjson
+ - name: Decrypt data
+ type: okms-cmd
+ args: keys decrypt {{ .Create-Keys.aesKeyId }} {{ .ciphertext }}
+ format: text
+ assertions:
+ - result.code ShouldEqual 0
+ - result.systemout ShouldEqual "Hello World !!!"
+
+ - name: Data Keys
+ steps:
+ - name: Generate data key
+ type: okms-cmd
+ args: keys datakey new {{ .Create-Keys.aesKeyId }} --name test-dk --size 256
+ vars:
+ plainDatakey:
+ from: result.systemoutjson.plain
+ cipherDatakey:
+ from: result.systemoutjson.encrypted
+ assertions:
+ - result.code ShouldEqual 0
+
+ - name: Decrypt data key
+ type: okms-cmd
+ args: keys datakey decrypt {{ .Create-Keys.aesKeyId }} "{{ .cipherDatakey }}"
+ assertions:
+ - result.code ShouldEqual 0
+ - result.systemoutjson ShouldEqual {{ .plainDatakey }}
+
+ - name: AEAD streaming encryption
+ steps:
+ - name: Create large file
+ script: mkdir -p ./data && dd if=/dev/urandom of=./data/plain.bin bs=51200 count=10000
+ - name: Checksum file
+ script: sha256sum ./data/plain.bin > data/checksum.txt
+ - name: Encrypt file
+ type: okms-cmd
+ args: keys encrypt --dk {{ .Create-Keys.aesKeyId }} @./data/plain.bin data/encrypted.out
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Decrypt file
+ type: okms-cmd
+ args: keys decrypt --dk {{ .Create-Keys.aesKeyId }} @data/encrypted.out ./data/plain.bin
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Verify decrypted output
+ script: sha256sum -c data/checksum.txt
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Cleanup files
+ script: rm -Rf ./data
+
+ - name: Asymmetric RSA signature
+ steps:
+ - name: Sign RS256
+ type: okms-cmd
+ args: keys sign --alg RS256 {{ .Create-Keys.rsaKeyId }} "hello world !!!"
+ vars:
+ signature:
+ from: result.systemoutjson
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Verify RS256
+ type: okms-cmd
+ args: keys verify --alg RS256 {{ .Create-Keys.rsaKeyId }} "hello world !!!" {{ .signature }}
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Local verify RS256
+ type: okms-cmd
+ args: keys verify --alg RS256 --local {{ .Create-Keys.rsaKeyId }} "hello world !!!" {{ .signature }}
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Sign PS256
+ type: okms-cmd
+ args: keys sign --alg PS256 {{ .Create-Keys.rsaKeyId }} "hello world !!!"
+ vars:
+ signature:
+ from: result.systemoutjson
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Verify PS256
+ type: okms-cmd
+ args: keys verify --alg PS256 {{ .Create-Keys.rsaKeyId }} "hello world !!!" {{ .signature }}
+ assertions:
+ - result.code ShouldEqual 0
+ - result.systemoutjson ShouldJSONEqual true
+ - name: Local verify PS256
+ type: okms-cmd
+ args: keys verify --alg PS256 --local {{ .Create-Keys.rsaKeyId }} "hello world !!!" {{ .signature }}
+ assertions:
+ - result.code ShouldEqual 0
+ # - result.systemoutjson ShouldJSONEqual true
+
+ - name: Verify wrong alg ES256
+ type: okms-cmd
+ args: keys verify --alg ES256 {{ .Create-Keys.rsaKeyId }} "hello world !!!" {{ .signature }}
+ assertions:
+ - result.code ShouldEqual 1
+ - name: Verify RS256 failure
+ type: okms-cmd
+ args: keys verify --alg RS256 {{ .Create-Keys.rsaKeyId }} "hello world !!!" "bad signature"
+ assertions:
+ - result.code ShouldEqual 1
+ - result.systemoutjson ShouldJSONEqual false
+
+ - name: Asymmetric ECDSA signature
+ steps:
+ - name: Sign ES256
+ type: okms-cmd
+ args: keys sign --alg ES256 {{ .Create-Keys.ecKeyId }} "hello world !!!"
+ vars:
+ signature:
+ from: result.systemoutjson
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Verify ES256
+ type: okms-cmd
+ args: keys verify --alg ES256 {{ .Create-Keys.ecKeyId }} "hello world !!!" {{ .signature }}
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Local verify ES256
+ type: okms-cmd
+ args: keys verify --alg ES256 --local {{ .Create-Keys.ecKeyId }} "hello world !!!" {{ .signature }}
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Sign ES256
+ type: okms-cmd
+ args: keys sign --alg ES256 {{ .Create-Keys.ecKeyId }} "hello world !!!"
+ vars:
+ signature:
+ from: result.systemoutjson
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Verify ES256
+ type: okms-cmd
+ args: keys verify --alg ES256 {{ .Create-Keys.ecKeyId }} "hello world !!!" {{ .signature }}
+ assertions:
+ - result.code ShouldEqual 0
+ - result.systemoutjson ShouldJSONEqual true
+ - name: Local verify ES256
+ type: okms-cmd
+ args: keys verify --alg ES256 --local {{ .Create-Keys.ecKeyId }} "hello world !!!" {{ .signature }}
+ assertions:
+ - result.code ShouldEqual 0
+ # - result.systemoutjson ShouldJSONEqual true
+
+ - name: Verify wrong alg ES384
+ type: okms-cmd
+ args: keys verify --alg ES384 {{ .Create-Keys.ecKeyId }} "hello world !!!" {{ .signature }}
+ assertions:
+ - result.code ShouldEqual 1
+ - name: Verify ES256 failure
+ type: okms-cmd
+ args: keys verify --alg ES256 {{ .Create-Keys.ecKeyId }} "hello world !!!" "bad signature"
+ assertions:
+ - result.code ShouldEqual 1
+ - result.systemoutjson ShouldJSONEqual false
+
+ - name: Key export
+ steps:
+ - name: Export AES
+ type: okms-cmd
+ format: text
+ args: keys export {{ .Create-Keys.aesKeyId }}
+ assertions:
+ - result.code ShouldEqual 1
+ - name: Export RSA to PKCS1
+ type: okms-cmd
+ format: text
+ args: keys export {{ .Create-Keys.rsaKeyId }} --format pkcs1
+ assertions:
+ - result.code ShouldEqual 0
+ - result.systemout ShouldStartWith "-----BEGIN RSA PUBLIC KEY-----"
+ - result.systemout ShouldEndWith "-----END RSA PUBLIC KEY-----"
+ - name: Export RSA to SPKI/PKIX
+ type: okms-cmd
+ format: text
+ args: keys export {{ .Create-Keys.rsaKeyId }} --format pkix
+ assertions:
+ - result.code ShouldEqual 0
+ - result.systemout ShouldStartWith "-----BEGIN PUBLIC KEY-----"
+ - result.systemout ShouldEndWith "-----END PUBLIC KEY-----"
+ - name: Export RSA to OpenSSH
+ type: okms-cmd
+ format: text
+ args: keys export {{ .Create-Keys.rsaKeyId }} --format openssh
+ assertions:
+ - result.code ShouldEqual 0
+ - result.systemout ShouldStartWith "ssh-rsa "
+ - name: Export ECDSA to PKCS1
+ type: okms-cmd
+ format: text
+ args: keys export {{ .Create-Keys.ecKeyId }} --format pkcs1
+ assertions:
+ - result.code ShouldEqual 1
+ - name: Export ECDSA to SPKI/PKIX
+ type: okms-cmd
+ format: text
+ args: keys export {{ .Create-Keys.ecKeyId }} --format pkix
+ assertions:
+ - result.code ShouldEqual 0
+ - result.systemout ShouldStartWith "-----BEGIN PUBLIC KEY-----"
+ - result.systemout ShouldEndWith "-----END PUBLIC KEY-----"
+ - name: Export ECDSA to OpenSSH
+ type: okms-cmd
+ format: text
+ args: keys export {{ .Create-Keys.ecKeyId }} --format openssh
+ assertions:
+ - result.code ShouldEqual 0
+ - result.systemout ShouldStartWith "ecdsa-sha2-nistp256 "
+
+ - name: Key import
+ steps:
+ - name: Import AES key
+ type: okms-cmd
+ args: keys import --usage encrypt,decrypt --symmetric test-import-aes YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Import RSA PKCS1 key
+ type: okms-cmd
+ args: keys import --usage sign,verify test-import-rsa-pkcs1 @testdata/rsa_pkcs1.priv.pem
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Import RSA PKCS8 key
+ type: okms-cmd
+ args: keys import --usage sign,verify test-import-rsa-pkcs8 @testdata/rsa_pkcs8.priv.pem
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Import RSA openssh key
+ type: okms-cmd
+ args: keys import --usage sign,verify test-import-rsa-ssh @testdata/rsa_ssh.priv.pem
+ assertions:
+ - result.code ShouldEqual 0
+
+ - name: Import ECDSA SEC1 key
+ type: okms-cmd
+ args: keys import --usage sign,verify test-import-ecdsa-sec1 @testdata/ecdsa_sec1.priv.pem
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Import ECDSA PKCS8 key
+ type: okms-cmd
+ args: keys import --usage sign,verify test-import-ecdsa-pkcs8 @testdata/ecdsa_pkcs8.priv.pem
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Import ECDSA openssh key
+ type: okms-cmd
+ args: keys import --usage sign,verify test-import-ecdsa-ssh @testdata/ecdsa_ssh.priv.pem
+ assertions:
+ - result.code ShouldEqual 0
+
+ - name: Delete the keys
+ steps:
+ - name: Force delete the {{ .value.kind }} key
+ type: okms-cmd
+ range:
+ - keyId: "{{ .Create-Keys.aesKeyId }}"
+ kind: AES
+ - keyId: "{{ .Create-Keys.rsaKeyId }}"
+ kind: RSA
+ - keyId: "{{ .Create-Keys.ecKeyId }}"
+ kind: ECDSA
+ args: keys delete {{ .value.keyId }} --force
+ assertions:
+ - result.code ShouldEqual 0
diff --git a/tests/lib/okms-cmd.yml b/tests/lib/okms-cmd.yml
new file mode 100644
index 0000000..48f8e4e
--- /dev/null
+++ b/tests/lib/okms-cmd.yml
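Review bot: In tests/keys.yaml the `--local` verification path has no rejection case, and its `result.systemoutjson ShouldJSONEqual true` assertion is commented out in both signature testcases, so a regression that made local verification accept any input would still pass this suite. The only rejection cases are a mismatched `--alg` and the literal `"bad signature"`, which may be refused while decoding rather than by the cryptographic check; a step that verifies the captured signature against a different message, with and without `--local`, asserting `result.code ShouldEqual 1` (assuming local failure uses the same exit code), would cover that. In "AEAD streaming encryption" the decrypt step writes to `./data/plain.bin`, the same file that was checksummed, so `sha256sum -c data/checksum.txt` still passes if decryption writes nothing; decrypting to a separate path and checking the hash of that file makes the round trip meaningful. The `test-import-*` keys also appear never to be deleted, since the import steps capture no id and "Delete the keys" only ranges over the three created keys.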
@@ -0,0 +1,18 @@
+executor: okms-cmd
+input:
+ args: {}
+ format: json
+steps:
+ - script: mkdir -p ./out/coverage && GOCOVERDIR=./out/coverage {{ .cmd_path }} -c {{ .cfg_path }} --output {{ .input.format }} {{ .input.args }}
+ # info: "{{ .cmd_path }} -c {{ .cfg_path }} --output {{ .input.format }} {{ .input.args }}"
+ vars:
+ code:
+ from: result.code
+ systemout:
+ from: result.systemout
+ assertions:
+ # Needed to overwrite default assertion which checks that code is equal to 0
+ - result.code ShouldNotBeNil
+output:
+ code: "{{.code}}"
+ systemout: "{{.systemout}}"
diff --git a/tests/x509.yaml b/tests/x509.yaml
new file mode 100644
index 0000000..c8c6b4b
--- /dev/null
+++ b/tests/x509.yaml
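Review bot: In tests/lib/okms-cmd.yml `{{ .input.args }}` is expanded unquoted into the `script:` shell line, which is what lets callers write `> out/ca.pem`, but it also means values captured from command output (for example `{{ .ciphertext }}` and `{{ .signature }}` in tests/keys.yaml) are re-parsed by the shell. A comment above the script would make that contract explicit, e.g. `# args is inserted verbatim into a shell command line; callers must quote any interpolated value`. `{{ .cmd_path }}` and `{{ .cfg_path }}` are unquoted as well, so a path containing spaces would split the command; `"{{ .cmd_path }}" -c "{{ .cfg_path }}"` avoids that. Because the default exit-code assertion is replaced by `result.code ShouldNotBeNil`, it is also worth stating in that comment that every calling step must assert `result.code` itself.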
@@ -0,0 +1,73 @@
+name: okms-cli x509 test suite
+description: Test the OKMS x509 subcommand
+testcases:
+ - name: Create Keys
+ steps:
+ - name: Create an RSA 2048 key pair
+ type: okms-cmd
+ args: keys new --type rsa --size 2048 test-rsa-1 --usage sign,verify
+ assertions:
+ - result.code ShouldEqual 0
+ vars:
+ rsaKeyId:
+ from: result.systemoutjson.id
+ - name: Create an ECDSA P-256 key pair
+ type: okms-cmd
+ args: keys new --type ec --curve P-256 test-ecdsa-1 --usage sign,verify
+ assertions:
+ - result.code ShouldEqual 0
+ vars:
+ ecKeyId:
+ from: result.systemoutjson.id
+
+ - name: Create CA
+ steps:
+ - name: Create self-signed CA
+ type: okms-cmd
+ args: x509 create ca {{ .Create-Keys.rsaKeyId }} --cn Test-CA-RSA > out/ca.pem
+ assertions:
+ - result.code ShouldEqual 0
+
+ - name: Create certificate
+ steps:
+ - name: Create self-signed certificate
+ type: okms-cmd
+ args: x509 create cert {{ .Create-Keys.ecKeyId }} --cn Test-cert-ECDSA --server-auth
+ assertions:
+ - result.code ShouldEqual 0
+
+ - name: Create and sign CSR
+ steps:
+ - name: Create CSR
+ type: okms-cmd
+ args: x509 create csr {{ .Create-Keys.ecKeyId }} --cn Test-cert-ECDSA > out/csr.pem
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Sign CSR without CA Key Id
+ type: okms-cmd
+ args: x509 sign out/csr.pem out/ca.pem --client-auth
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Sign CSR with CA Key Id
+ type: okms-cmd
+ args: x509 sign out/csr.pem out/ca.pem {{ .Create-Keys.rsaKeyId }} --client-auth
+ assertions:
+ - result.code ShouldEqual 0
+ - name: Sign CSR with wrong CA Key Id
+ type: okms-cmd
+ args: x509 sign out/csr.pem out/ca.pem {{ .Create-Keys.ecKeyId }} --client-auth
+ assertions:
+ - result.code ShouldEqual 1
+
+ - name: Delete the keys
+ steps:
+ - name: Force delete the {{ .value.kind }} key
+ type: okms-cmd
+ range:
+ - keyId: "{{ .Create-Keys.rsaKeyId }}"
+ kind: RSA
+ - keyId: "{{ .Create-Keys.ecKeyId }}"
+ kind: ECDSA
+ args: keys delete {{ .value.keyId }} --force
+ assertions:
+ - result.code ShouldEqual 0
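Review bot: The signing steps in "Create and sign CSR" assert only `result.code`, so nothing checks that the issued certificate chains to `out/ca.pem` or carries the requested client-auth usage; the same holds for the self-signed CA and certificate steps. Redirecting the signed output to a file (for example `> out/cert.pem`) and adding a script step such as `openssl verify -CAfile out/ca.pem out/cert.pem` would catch a certificate issued under the wrong key or issuer. This assumes the redirected output is plain PEM, which the hunk does not show, since the executor passes `--output json` by default and these steps do not set `format: text`.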