From 298e2f6e76034ebd520f96f282d7393477a63a71 Mon Sep 17 00:00:00 2001
From: Pierre-Henri Symoneaux <pierre-henri.symoneaux@ovhcloud.com>
Date: Mon, 18 Nov 2024 18:14:47 +0100
Subject: [PATCH 1/2] test: add venom test-suite

Signed-off-by: Pierre-Henri Symoneaux <pierre-henri.symoneaux@ovhcloud.com>
---
 .gitignore             |   5 +-
 tests/cfg/vars.yaml    |   2 +
 tests/keys.yaml        | 329 +++++++++++++++++++++++++++++++++++++++++
 tests/lib/okms-cmd.yml |  18 +++
 tests/x509.yaml        |  73 +++++++++
 5 files changed, 426 insertions(+), 1 deletion(-)
 create mode 100644 tests/cfg/vars.yaml
 create mode 100644 tests/keys.yaml
 create mode 100644 tests/lib/okms-cmd.yml
 create mode 100644 tests/x509.yaml

diff --git a/.gitignore b/.gitignore
index 6233550..63030f9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -47,4 +47,7 @@ tmp.CHANGELOG.md
 /git-cliff-*
 
 .config/
-.cache/
\ No newline at end of file
+.cache/
+
+# Venom tests output
+tests/out
\ No newline at end of file
diff --git a/tests/cfg/vars.yaml b/tests/cfg/vars.yaml
new file mode 100644
index 0000000..8995c70
--- /dev/null
+++ b/tests/cfg/vars.yaml
@@ -0,0 +1,2 @@
+cmd_path: ../okms
+cfg_path: ../okms.yaml
diff --git a/tests/keys.yaml b/tests/keys.yaml
new file mode 100644
index 0000000..09ecbb8
--- /dev/null
+++ b/tests/keys.yaml
@@ -0,0 +1,329 @@
+name: okms-cli keys test suite
+description: Test the OKMS keys subcommand
+testcases:
+  - name: Create Keys
+    steps:
+      - name: Create an AES 256 key
+        type: okms-cmd
+        args: keys new --type oct --size 256 test-aes-1 --usage encrypt,decrypt,wrapKey,unwrapKey
+        assertions:
+          - result.code ShouldEqual 0
+        vars:
+          aesKeyId:
+            from: result.systemoutjson.id
+      - name: Create an RSA 2048 key pair
+        type: okms-cmd
+        args: keys new --type rsa --size 2048 test-rsa-1 --usage sign,verify
+        assertions:
+          - result.code ShouldEqual 0
+        vars:
+          rsaKeyId:
+            from: result.systemoutjson.id
+      - name: Create an ECDSA P-256 key pair
+        type: okms-cmd
+        args: keys new --type ec --curve P-256 test-ecdsa-1 --usage sign,verify
+        assertions:
+          - result.code ShouldEqual 0
+        vars:
+          ecKeyId:
+            from: result.systemoutjson.id
+      - name: Get the {{ .value.kind }} keys
+        type: okms-cmd
+        range:
+          - keyId: "{{ .Create-Keys.aesKeyId }}"
+            kind: AES
+          - keyId: "{{ .Create-Keys.rsaKeyId }}"
+            kind: RSA
+          - keyId: "{{ .Create-Keys.ecKeyId }}"
+            kind: ECDSA
+        args: keys get {{ .value.keyId }}
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemoutjson.id ShouldEqual {{ .value.keyId }}
+      - name: List the keys and check {{ .value.kind }}
+        type: okms-cmd
+        range:
+          - keyId: "{{ .Create-Keys.aesKeyId }}"
+            kind: AES
+          - keyId: "{{ .Create-Keys.rsaKeyId }}"
+            kind: RSA
+          - keyId: "{{ .Create-Keys.ecKeyId }}"
+            kind: ECDSA
+        args: keys ls
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemoutjson.objects_list ShouldJSONContainWithKey id {{ .value.keyId }}
+
+  - name: AES Encryption
+    steps:
+      - name: Encrypt data
+        type: okms-cmd
+        args: keys encrypt {{ .Create-Keys.aesKeyId }} "Hello World !!!"
+        assertions:
+          - result.code ShouldEqual 0
+        vars:
+          ciphertext:
+            from: result.systemoutjson
+      - name: Decrypt data
+        type: okms-cmd
+        args: keys decrypt {{ .Create-Keys.aesKeyId }} {{ .ciphertext }}
+        format: text
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemout ShouldEqual "Hello World !!!"
+
+  - name: Data Keys
+    steps:
+      - name: Generate data key
+        type: okms-cmd
+        args: keys datakey new {{ .Create-Keys.aesKeyId }} --name test-dk --size 256
+        vars:
+          plainDatakey:
+            from: result.systemoutjson.plain
+          cipherDatakey:
+            from: result.systemoutjson.encrypted
+        assertions:
+          - result.code ShouldEqual 0
+
+      - name: Decrypt data key
+        type: okms-cmd
+        args: keys datakey decrypt {{ .Create-Keys.aesKeyId }} "{{ .cipherDatakey }}"
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemoutjson ShouldEqual {{ .plainDatakey }}
+
+  - name: AEAD streaming encryption
+    steps:
+      - name: Create large file
+        script: mkdir -p ./data && dd if=/dev/urandom of=./data/plain.bin bs=51200 count=10000
+      - name: Checksum file
+        script: sha256sum ./data/plain.bin > data/checksum.txt
+      - name: Encrypt file
+        type: okms-cmd
+        args: keys encrypt --dk {{ .Create-Keys.aesKeyId }} @./data/plain.bin data/encrypted.out
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Decrypt file
+        type: okms-cmd
+        args: keys decrypt --dk {{ .Create-Keys.aesKeyId }} @data/encrypted.out ./data/plain.bin
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Verify decrypted output
+        script: sha256sum -c data/checksum.txt
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Cleanup files
+        script: rm -Rf ./data
+
+  - name: Asymmetric RSA signature
+    steps:
+      - name: Sign RS256
+        type: okms-cmd
+        args: keys sign --alg RS256 {{ .Create-Keys.rsaKeyId }} "hello world !!!"
+        vars:
+          signature:
+            from: result.systemoutjson
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Verify RS256
+        type: okms-cmd
+        args: keys verify --alg RS256 {{ .Create-Keys.rsaKeyId }} "hello world !!!" {{ .signature }}
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Local verify RS256
+        type: okms-cmd
+        args: keys verify --alg RS256 --local {{ .Create-Keys.rsaKeyId }} "hello world !!!" {{ .signature }}
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Sign PS256
+        type: okms-cmd
+        args: keys sign --alg PS256 {{ .Create-Keys.rsaKeyId }} "hello world !!!"
+        vars:
+          signature:
+            from: result.systemoutjson
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Verify PS256
+        type: okms-cmd
+        args: keys verify --alg PS256 {{ .Create-Keys.rsaKeyId }} "hello world !!!" {{ .signature }}
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemoutjson ShouldJSONEqual true
+      - name: Local verify PS256
+        type: okms-cmd
+        args: keys verify --alg PS256 --local {{ .Create-Keys.rsaKeyId }} "hello world !!!" {{ .signature }}
+        assertions:
+          - result.code ShouldEqual 0
+          # - result.systemoutjson ShouldJSONEqual true
+
+      - name: Verify wrong alg ES256
+        type: okms-cmd
+        args: keys verify --alg ES256 {{ .Create-Keys.rsaKeyId }} "hello world !!!" {{ .signature }}
+        assertions:
+          - result.code ShouldEqual 1
+      - name: Verify RS256 failure
+        type: okms-cmd
+        args: keys verify --alg RS256 {{ .Create-Keys.rsaKeyId }} "hello world !!!" "bad signature"
+        assertions:
+          - result.code ShouldEqual 1
+          - result.systemoutjson ShouldJSONEqual false
+
+  - name: Asymmetric ECDSA signature
+    steps:
+      - name: Sign ES256
+        type: okms-cmd
+        args: keys sign --alg ES256 {{ .Create-Keys.ecKeyId }} "hello world !!!"
+        vars:
+          signature:
+            from: result.systemoutjson
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Verify ES256
+        type: okms-cmd
+        args: keys verify --alg ES256 {{ .Create-Keys.ecKeyId }} "hello world !!!" {{ .signature }}
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Local verify ES256
+        type: okms-cmd
+        args: keys verify --alg ES256 --local {{ .Create-Keys.ecKeyId }} "hello world !!!" {{ .signature }}
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Sign ES256
+        type: okms-cmd
+        args: keys sign --alg ES256 {{ .Create-Keys.ecKeyId }} "hello world !!!"
+        vars:
+          signature:
+            from: result.systemoutjson
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Verify ES256
+        type: okms-cmd
+        args: keys verify --alg ES256 {{ .Create-Keys.ecKeyId }} "hello world !!!" {{ .signature }}
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemoutjson ShouldJSONEqual true
+      - name: Local verify ES256
+        type: okms-cmd
+        args: keys verify --alg ES256 --local {{ .Create-Keys.ecKeyId }} "hello world !!!" {{ .signature }}
+        assertions:
+          - result.code ShouldEqual 0
+          # - result.systemoutjson ShouldJSONEqual true
+
+      - name: Verify wrong alg ES384
+        type: okms-cmd
+        args: keys verify --alg ES384 {{ .Create-Keys.ecKeyId }} "hello world !!!" {{ .signature }}
+        assertions:
+          - result.code ShouldEqual 1
+      - name: Verify ES256 failure
+        type: okms-cmd
+        args: keys verify --alg ES256 {{ .Create-Keys.ecKeyId }} "hello world !!!" "bad signature"
+        assertions:
+          - result.code ShouldEqual 1
+          - result.systemoutjson ShouldJSONEqual false
+
+  - name: Key export
+    steps:
+      - name: Export AES
+        type: okms-cmd
+        format: text
+        args: keys export {{ .Create-Keys.aesKeyId }}
+        assertions:
+          - result.code ShouldEqual 1
+      - name: Export RSA to PKCS1
+        type: okms-cmd
+        format: text
+        args: keys export {{ .Create-Keys.rsaKeyId }} --format pkcs1
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemout ShouldStartWith "-----BEGIN RSA PUBLIC KEY-----"
+          - result.systemout ShouldEndWith "-----END RSA PUBLIC KEY-----"
+      - name: Export RSA to SPKI/PKIX
+        type: okms-cmd
+        format: text
+        args: keys export {{ .Create-Keys.rsaKeyId }} --format pkix
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemout ShouldStartWith "-----BEGIN PUBLIC KEY-----"
+          - result.systemout ShouldEndWith "-----END PUBLIC KEY-----"
+      - name: Export RSA to OpenSSH
+        type: okms-cmd
+        format: text
+        args: keys export {{ .Create-Keys.rsaKeyId }} --format openssh
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemout ShouldStartWith "ssh-rsa "
+      - name: Export ECDSA to PKCS1
+        type: okms-cmd
+        format: text
+        args: keys export {{ .Create-Keys.ecKeyId }} --format pkcs1
+        assertions:
+          - result.code ShouldEqual 1
+      - name: Export ECDSA to SPKI/PKIX
+        type: okms-cmd
+        format: text
+        args: keys export {{ .Create-Keys.ecKeyId }} --format pkix
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemout ShouldStartWith "-----BEGIN PUBLIC KEY-----"
+          - result.systemout ShouldEndWith "-----END PUBLIC KEY-----"
+      - name: Export ECDSA to OpenSSH
+        type: okms-cmd
+        format: text
+        args: keys export {{ .Create-Keys.ecKeyId }} --format openssh
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemout ShouldStartWith "ecdsa-sha2-nistp256 "
+
+  - name: Key import
+    steps:
+      - name: Import AES key
+        type: okms-cmd
+        args: keys import --usage encrypt,decrypt --symmetric test-import-aes YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Import RSA PKCS1 key
+        type: okms-cmd
+        args: keys import --usage sign,verify test-import-rsa-pkcs1 @testdata/rsa_pkcs1.priv.pem
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Import RSA PKCS8 key
+        type: okms-cmd
+        args: keys import --usage sign,verify test-import-rsa-pkcs8 @testdata/rsa_pkcs8.priv.pem
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Import RSA openssh key
+        type: okms-cmd
+        args: keys import --usage sign,verify test-import-rsa-ssh @testdata/rsa_ssh.priv.pem
+        assertions:
+          - result.code ShouldEqual 0
+
+      - name: Import ECDSA SEC1 key
+        type: okms-cmd
+        args: keys import --usage sign,verify test-import-ecdsa-sec1 @testdata/ecdsa_sec1.priv.pem
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Import ECDSA PKCS8 key
+        type: okms-cmd
+        args: keys import --usage sign,verify test-import-ecdsa-pkcs8 @testdata/ecdsa_pkcs8.priv.pem
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Import ECDSA openssh key
+        type: okms-cmd
+        args: keys import --usage sign,verify test-import-ecdsa-ssh @testdata/ecdsa_ssh.priv.pem
+        assertions:
+          - result.code ShouldEqual 0
+
+  - name: Delete the keys
+    steps:
+      - name: Force delete the {{ .value.kind }} key
+        type: okms-cmd
+        range:
+          - keyId: "{{ .Create-Keys.aesKeyId }}"
+            kind: AES
+          - keyId: "{{ .Create-Keys.rsaKeyId }}"
+            kind: RSA
+          - keyId: "{{ .Create-Keys.ecKeyId }}"
+            kind: ECDSA
+        args: keys delete {{ .value.keyId }} --force
+        assertions:
+          - result.code ShouldEqual 0
diff --git a/tests/lib/okms-cmd.yml b/tests/lib/okms-cmd.yml
new file mode 100644
index 0000000..48f8e4e
--- /dev/null
+++ b/tests/lib/okms-cmd.yml
@@ -0,0 +1,18 @@
+executor: okms-cmd
+input:
+  args: {}
+  format: json
+steps:
+  - script: mkdir -p ./out/coverage && GOCOVERDIR=./out/coverage {{ .cmd_path }} -c {{ .cfg_path }} --output {{ .input.format }} {{ .input.args }}
+    # info: "{{ .cmd_path }} -c {{ .cfg_path }} --output {{ .input.format }} {{ .input.args }}"
+    vars:
+      code:
+        from: result.code
+      systemout:
+        from: result.systemout
+    assertions:
+      # Needed to overwrite default assertion which checks that code is equal to 0
+      - result.code ShouldNotBeNil
+output:
+  code: "{{.code}}"
+  systemout: "{{.systemout}}"
diff --git a/tests/x509.yaml b/tests/x509.yaml
new file mode 100644
index 0000000..c8c6b4b
--- /dev/null
+++ b/tests/x509.yaml
@@ -0,0 +1,73 @@
+name: okms-cli x509 test suite
+description: Test the OKMS x509 subcommand
+testcases:
+  - name: Create Keys
+    steps:
+      - name: Create an RSA 2048 key pair
+        type: okms-cmd
+        args: keys new --type rsa --size 2048 test-rsa-1 --usage sign,verify
+        assertions:
+          - result.code ShouldEqual 0
+        vars:
+          rsaKeyId:
+            from: result.systemoutjson.id
+      - name: Create an ECDSA P-256 key pair
+        type: okms-cmd
+        args: keys new --type ec --curve P-256 test-ecdsa-1 --usage sign,verify
+        assertions:
+          - result.code ShouldEqual 0
+        vars:
+          ecKeyId:
+            from: result.systemoutjson.id
+
+  - name: Create CA
+    steps:
+      - name: Create self-signed CA
+        type: okms-cmd
+        args: x509 create ca {{ .Create-Keys.rsaKeyId }} --cn Test-CA-RSA > out/ca.pem
+        assertions:
+          - result.code ShouldEqual 0
+
+  - name: Create certificate
+    steps:
+      - name: Create self-signed certificate
+        type: okms-cmd
+        args: x509 create cert {{ .Create-Keys.ecKeyId }} --cn Test-cert-ECDSA --server-auth
+        assertions:
+          - result.code ShouldEqual 0
+
+  - name: Create and sign CSR
+    steps:
+      - name: Create CSR
+        type: okms-cmd
+        args: x509 create csr {{ .Create-Keys.ecKeyId }} --cn Test-cert-ECDSA > out/csr.pem
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Sign CSR without CA Key Id
+        type: okms-cmd
+        args: x509 sign out/csr.pem out/ca.pem --client-auth
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Sign CSR with CA Key Id
+        type: okms-cmd
+        args: x509 sign out/csr.pem out/ca.pem {{ .Create-Keys.rsaKeyId }} --client-auth
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Sign CSR with wrong CA Key Id
+        type: okms-cmd
+        args: x509 sign out/csr.pem out/ca.pem {{ .Create-Keys.ecKeyId }} --client-auth
+        assertions:
+          - result.code ShouldEqual 1
+
+  - name: Delete the keys
+    steps:
+      - name: Force delete the {{ .value.kind }} key
+        type: okms-cmd
+        range:
+          - keyId: "{{ .Create-Keys.rsaKeyId }}"
+            kind: RSA
+          - keyId: "{{ .Create-Keys.ecKeyId }}"
+            kind: ECDSA
+        args: keys delete {{ .value.keyId }} --force
+        assertions:
+          - result.code ShouldEqual 0

From e1a9e960af9dcf23c80a7cefa93741bf9d8a58ee Mon Sep 17 00:00:00 2001
From: Pierre-Henri Symoneaux <pierre-henri.symoneaux@ovhcloud.com>
Date: Mon, 18 Nov 2024 18:15:27 +0100
Subject: [PATCH 2/2] test: call venom tests in github-action CI

Signed-off-by: Pierre-Henri Symoneaux <pierre-henri.symoneaux@ovhcloud.com>
---
 .github/workflows/build.yaml        |   2 -
 .github/workflows/main-branch.yaml  |  23 ++++++
 .github/workflows/pull-request.yaml |   5 ++
 .github/workflows/release.yaml      |   9 ++-
 .github/workflows/test.yaml         |  56 +++++++++++++++
 README.md                           |   2 +-
 tests/Makefile                      |   6 ++
 tests/keys.yaml                     | 104 +++++++++++++++++++++++++++-
 tests/lib/okms-cmd.yml              |   1 -
 tests/testdata/ecdsa_pkcs8.priv.pem |   5 ++
 tests/testdata/ecdsa_sec1.priv.pem  |   5 ++
 tests/testdata/ecdsa_ssh.priv.pem   |   9 +++
 tests/testdata/ecdsa_ssh.pub.pem    |   1 +
 tests/testdata/rsa_pkcs1.priv.pem   |  27 ++++++++
 tests/testdata/rsa_pkcs8.priv.pem   |  28 ++++++++
 tests/testdata/rsa_ssh.priv.pem     |  38 ++++++++++
 tests/testdata/rsa_ssh.pub.pem      |   1 +
 17 files changed, 314 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/main-branch.yaml
 create mode 100644 .github/workflows/test.yaml
 create mode 100644 tests/Makefile
 create mode 100644 tests/testdata/ecdsa_pkcs8.priv.pem
 create mode 100644 tests/testdata/ecdsa_sec1.priv.pem
 create mode 100644 tests/testdata/ecdsa_ssh.priv.pem
 create mode 100644 tests/testdata/ecdsa_ssh.pub.pem
 create mode 100644 tests/testdata/rsa_pkcs1.priv.pem
 create mode 100644 tests/testdata/rsa_pkcs8.priv.pem
 create mode 100644 tests/testdata/rsa_ssh.priv.pem
 create mode 100644 tests/testdata/rsa_ssh.pub.pem

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index c179d71..da47cd8 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -4,8 +4,6 @@
 name: build
 
 on:
-  push:
-    branches: ["main"]
   workflow_call: {}
 
 jobs:
diff --git a/.github/workflows/main-branch.yaml b/.github/workflows/main-branch.yaml
new file mode 100644
index 0000000..825702a
--- /dev/null
+++ b/.github/workflows/main-branch.yaml
@@ -0,0 +1,23 @@
+name: release
+
+on:
+  push:
+    # run only against tags
+    branches: 
+      - main
+
+permissions:
+  contents: write
+  packages: write
+  # issues: write
+
+jobs:
+  build:
+    uses: ./.github/workflows/build.yaml
+    secrets: inherit
+    
+  integration-tests:
+    needs: build
+    uses: ./.github/workflows/test.yaml
+    secrets: inherit
+    
\ No newline at end of file
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
index 084ab4e..1043ac6 100644
--- a/.github/workflows/pull-request.yaml
+++ b/.github/workflows/pull-request.yaml
@@ -28,4 +28,9 @@ jobs:
     needs:
       - commitlint
     uses: ./.github/workflows/build.yaml
+    secrets: inherit
+
+  test:
+    needs: build
+    uses: ./.github/workflows/test.yaml
     secrets: inherit
\ No newline at end of file
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f41de70..cc7bcff 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,9 +15,14 @@ jobs:
   build:
     uses: ./.github/workflows/build.yaml
     secrets: inherit
+    
+  integration-tests:
+    needs: build
+    uses: ./.github/workflows/test.yaml
+    secrets: inherit
 
   docker-build:
-    needs: build
+    needs: integration-tests
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -37,7 +42,7 @@ jobs:
       - run: KO_DOCKER_REPO=ghcr.io/ovh/okms-cli ko build --tags ${{ github.ref_name }},latest --push --bare --platform=linux/arm64,linux/amd64 ./cmd/okms
   
   goreleaser:
-    needs: build
+    needs: integration-tests
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
new file mode 100644
index 0000000..baf11e2
--- /dev/null
+++ b/.github/workflows/test.yaml
@@ -0,0 +1,56 @@
+name: test
+
+on:
+  workflow_call: {}
+
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-build-env
+      - name: Build CLI
+        run: go build -cover ./cmd/okms
+      - name: Setup Venom
+        run: |
+          wget https://github.com/ovh/venom/releases/download/v1.2.0/venom.linux-amd64
+          mv venom.linux-amd64 venom
+          chmod +x venom
+      - name: Setup okms config file
+        run: |
+          echo "${{secrets.CERTIFICATE}}" > tls.crt
+          echo "${{secrets.PRIVATE_KEY}}" > tls.key
+
+          cat > okms.yaml <<-EOF
+          version: 1
+          profile: default
+          profiles:
+            default: # default profile
+              http:
+                endpoint: ${{secrets.KMS_HTTP_ENDPOINT}}
+                auth:
+                  type: mtls
+                  cert: $(pwd)/tls.crt
+                  key: $(pwd)/tls.key
+          EOF
+      - name: Test connectivity to KMS dmain
+        run: ./okms keys ls -d -c okms.yaml
+      - name: Execute tests
+        run: make -C tests
+      - uses: actions/upload-artifact@v4
+        with:
+          name: test_results
+          path: |
+            ./tests/out/test_results.html
+            ./tests/out/venom.log
+          retention-days: 5
+        if: always()
+      - uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: |
+            ./tests/out/coverage.txt
+            ./tests/out/coverage.html
+          retention-days: 5
+    
\ No newline at end of file
diff --git a/README.md b/README.md
index ab99c50..36956d0 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 # okms-cli
-[![build](https://github.com/ovh/okms-cli/actions/workflows/build.yaml/badge.svg?branch=main)](https://github.com/ovh/okms-cli/actions/workflows/build.yaml)
+[![build](https://github.com/ovh/okms-cli/actions/workflows/main-branch.yaml/badge.svg?branch=main)](https://github.com/ovh/okms-cli/actions/workflows/main-branch.yaml)
 [![license](https://img.shields.io/badge/license-Apache%202.0-red.svg?style=flat)](https://raw.githubusercontent.com/ovh/okms-sdk-go/master/LICENSE) [![Go Report Card](https://goreportcard.com/badge/github.com/ovh/okms-cli)](https://goreportcard.com/report/github.com/ovh/okms-cli)
 
 The CLI to interact with your [OVHcloud KMS](https://help.ovhcloud.com/csm/en-ie-kms-quick-start?id=kb_article_view&sysparm_article=KB0063362) services.
diff --git a/tests/Makefile b/tests/Makefile
new file mode 100644
index 0000000..27c0de7
--- /dev/null
+++ b/tests/Makefile
@@ -0,0 +1,6 @@
+test:
+	rm -Rf out
+	../venom run --html-report --output-dir=out --var-from-file cfg/vars.yaml -v .
+	go tool covdata percent -i out/coverage
+	go tool covdata textfmt -i out/coverage -o out/coverage.txt
+	go tool cover -html out/coverage.txt -o out/coverage.html
\ No newline at end of file
diff --git a/tests/keys.yaml b/tests/keys.yaml
index 09ecbb8..8051f88 100644
--- a/tests/keys.yaml
+++ b/tests/keys.yaml
@@ -54,6 +54,73 @@ testcases:
           - result.code ShouldEqual 0
           - result.systemoutjson.objects_list ShouldJSONContainWithKey id {{ .value.keyId }}
 
+  - name: Update key
+    steps:
+      - name: Check AES key current name
+        type: okms-cmd
+        args: keys get {{ .Create-Keys.aesKeyId }}
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemoutjson.name ShouldEqual "test-aes-1"
+      - name: Update AES key name
+        type: okms-cmd
+        args: keys update {{ .Create-Keys.aesKeyId }} --name test-aes-1-updated
+      - name: Check AES key new name
+        type: okms-cmd
+        args: keys get {{ .Create-Keys.aesKeyId }}
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemoutjson.name ShouldEqual "test-aes-1-updated"
+
+  - name: Activate and Deactivate
+    steps:
+      - name: Check AES key is active
+        type: okms-cmd
+        args: keys get {{ .Create-Keys.aesKeyId }}
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemoutjson.attributes.state ShouldEqual "active"
+      - name: Try activate AES key
+        type: okms-cmd
+        args: keys activate {{ .Create-Keys.aesKeyId }}
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Deactivate AES key
+        type: okms-cmd
+        args: keys deactivate {{ .Create-Keys.aesKeyId }}
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Check AES key is deactivated
+        type: okms-cmd
+        args: keys get {{ .Create-Keys.aesKeyId }}
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemoutjson.attributes.state ShouldEqual "deactivated"
+      - name: Compromise AES key
+        type: okms-cmd
+        args: keys deactivate {{ .Create-Keys.aesKeyId }} --reason key_compromise
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Check AES key is compromised
+        type: okms-cmd
+        args: keys get {{ .Create-Keys.aesKeyId }}
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemoutjson.attributes.state ShouldEqual "compromised"
+          - result.systemoutjson.attributes.compromise_date ShouldNotBeNil
+      - name: Reactivate AES key
+        type: okms-cmd
+        args: keys activate {{ .Create-Keys.aesKeyId }}
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Check AES key is active
+        type: okms-cmd
+        args: keys get {{ .Create-Keys.aesKeyId }}
+        assertions:
+          - result.code ShouldEqual 0
+          - result.systemoutjson.attributes.state ShouldEqual "active"
+          - result.systemoutjson.attributes.compromise_date ShouldBeNil
+
   - name: AES Encryption
     steps:
       - name: Encrypt data
@@ -281,6 +348,9 @@ testcases:
         args: keys import --usage encrypt,decrypt --symmetric test-import-aes YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
         assertions:
           - result.code ShouldEqual 0
+        vars:
+          toDeleteAesKeyId:
+            from: result.systemoutjson.id
       - name: Import RSA PKCS1 key
         type: okms-cmd
         args: keys import --usage sign,verify test-import-rsa-pkcs1 @testdata/rsa_pkcs1.priv.pem
@@ -315,11 +385,24 @@ testcases:
 
   - name: Delete the keys
     steps:
+      - name: Try delete active AES key
+        type: okms-cmd
+        args: keys delete {{ .Create-Keys.aesKeyId }}
+        assertions:
+          - result.code ShouldEqual 1
+      - name: Deactivate AES key
+        type: okms-cmd
+        args: keys deactivate {{ .Create-Keys.aesKeyId }}
+        assertions:
+          - result.code ShouldEqual 0
+      - name: Delete deactivated AES key
+        type: okms-cmd
+        args: keys delete {{ .Create-Keys.aesKeyId }}
+        assertions:
+          - result.code ShouldEqual 0
       - name: Force delete the {{ .value.kind }} key
         type: okms-cmd
         range:
-          - keyId: "{{ .Create-Keys.aesKeyId }}"
-            kind: AES
           - keyId: "{{ .Create-Keys.rsaKeyId }}"
             kind: RSA
           - keyId: "{{ .Create-Keys.ecKeyId }}"
@@ -327,3 +410,20 @@ testcases:
         args: keys delete {{ .value.keyId }} --force
         assertions:
           - result.code ShouldEqual 0
+
+  - name: Cleanup Domain
+    steps:
+      - name: List all keys
+        type: okms-cmd
+        args: keys ls
+        assertions:
+          - result.code ShouldEqual 0
+        vars:
+          allKeys:
+            from: result.systemoutjson.objects_list
+      - name: Force delete {{ .value.type }} key {{ .value.name }}
+        type: okms-cmd
+        range: "{{.allKeys}}"
+        args: keys delete {{ .value.id }} --force
+        assertions:
+          - result.code ShouldEqual 0
diff --git a/tests/lib/okms-cmd.yml b/tests/lib/okms-cmd.yml
index 48f8e4e..a4306ee 100644
--- a/tests/lib/okms-cmd.yml
+++ b/tests/lib/okms-cmd.yml
@@ -4,7 +4,6 @@ input:
   format: json
 steps:
   - script: mkdir -p ./out/coverage && GOCOVERDIR=./out/coverage {{ .cmd_path }} -c {{ .cfg_path }} --output {{ .input.format }} {{ .input.args }}
-    # info: "{{ .cmd_path }} -c {{ .cfg_path }} --output {{ .input.format }} {{ .input.args }}"
     vars:
       code:
         from: result.code
diff --git a/tests/testdata/ecdsa_pkcs8.priv.pem b/tests/testdata/ecdsa_pkcs8.priv.pem
new file mode 100644
index 0000000..841b97f
--- /dev/null
+++ b/tests/testdata/ecdsa_pkcs8.priv.pem
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKksp+sxRTdMBUnSK
+KLCLQX28FV3zjUmrvs10gK1ZFnuhRANCAASmwId0fcOWQ6DnskzMDVquh5FEqLeV
+6SW9kHs7FOW7t2u82fmkDl0z/X3L2D2IZ/aaGpOg3qQAKkvgYCO26HGm
+-----END PRIVATE KEY-----
diff --git a/tests/testdata/ecdsa_sec1.priv.pem b/tests/testdata/ecdsa_sec1.priv.pem
new file mode 100644
index 0000000..fa126f8
--- /dev/null
+++ b/tests/testdata/ecdsa_sec1.priv.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICpLKfrMUU3TAVJ0iiiwi0F9vBVd841Jq77NdICtWRZ7oAoGCCqGSM49
+AwEHoUQDQgAEpsCHdH3DlkOg57JMzA1aroeRRKi3leklvZB7OxTlu7drvNn5pA5d
+M/19y9g9iGf2mhqToN6kACpL4GAjtuhxpg==
+-----END EC PRIVATE KEY-----
\ No newline at end of file
diff --git a/tests/testdata/ecdsa_ssh.priv.pem b/tests/testdata/ecdsa_ssh.priv.pem
new file mode 100644
index 0000000..8add87c
--- /dev/null
+++ b/tests/testdata/ecdsa_ssh.priv.pem
@@ -0,0 +1,9 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSlsnz7VFcaNPliN2lduCBW01hecfUL
+zjqE83PaNl29sSQe08TZEa2C94Mw851NGvwSSmGWk5m6ky+nZnnoLoYMAAAAsHvkvOJ75L
+ziAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWyfPtUVxo0+WI3
+aV24IFbTWF5x9QvOOoTzc9o2Xb2xJB7TxNkRrYL3gzDznU0a/BJKYZaTmbqTL6dmeeguhg
+wAAAAgUDmUuoD7DVc+Dr70WqNZgPj++GDr5nnowfXzt7vpG7IAAAAVcHN5bW9uZWFAQzAy
+RkwwOE5NTDdMAQID
+-----END OPENSSH PRIVATE KEY-----
diff --git a/tests/testdata/ecdsa_ssh.pub.pem b/tests/testdata/ecdsa_ssh.pub.pem
new file mode 100644
index 0000000..0a0104e
--- /dev/null
+++ b/tests/testdata/ecdsa_ssh.pub.pem
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWyfPtUVxo0+WI3aV24IFbTWF5x9QvOOoTzc9o2Xb2xJB7TxNkRrYL3gzDznU0a/BJKYZaTmbqTL6dmeeguhgw= psymonea@C02FL08NML7L
diff --git a/tests/testdata/rsa_pkcs1.priv.pem b/tests/testdata/rsa_pkcs1.priv.pem
new file mode 100644
index 0000000..c007b10
--- /dev/null
+++ b/tests/testdata/rsa_pkcs1.priv.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAqDzr5t25wAd9qDnEEqwfLdGV5jTLbFRTQIP2rKIzqXGIqVnV
+ZWZwj1LOpJGVnzCCHQi60uHScouT0wLuqBXF7iGcw+STb2fWNXNUzohF1Dewp2MP
+rIK5OImF5TFzYwMdfK5W5EMSF4BpZ3P++yWsa4TPh5caN22fGBJpc8qYuDXqfB1C
+I6E7Fsz7TK2dBBGi665szd6iUReqcTI+yJH+QRVvUrwDE2RoKcMTFahZsZ5Zv+W1
+QaDcPq4lx4FEaWdBdVCp/qzZOfyNjjc9WNh5xTi/O4nXeLXFel66sTlnKp45dqmt
+fhZx8ttvZv4WxHdajcEYj9EdPWDK4gUfasog5wIDAQABAoIBAEslUxV+6k4symLO
+0paojRCxMexunoJXtAv4JcF8fejsjmdeeePd+t751NVLNfKx/xwq3w/80Dxbvf6d
+q64mc49nMheJzJURY2vihPnvgolFCsHpjIG4rjTjsIvsJ6cNKCmd0bAJiVY4BFyy
+Qi056abo3q2ov4wMieh9qN6QmuCEcsK9if0fcNqnkP8eLtjsV7hbgDQJzXgLAPDj
+VXoSg0lbZh0LOHDppr8KCgFn/g74OhuCxbqurEa6IttLAoRZKEu2uNhIYsl53MPp
+q2186OIj+5CMPS0W8PuJ9ipr4ObHZyg3759CGumSqAjx/UQdtV1IL+6JnqWakqL2
+vMKlyhkCgYEA3yvNJijkeS6kXUeANmD/kx/4fB/OWCZIry88WWF/VUwRTR4OT4cm
+L8gSJea7i2HUw4h+B8gzgelDZMnxVNS1jRjDwenoWJ8qwrs+GcAzUe/UZPVHvkq9
+CgyQXtKmUhC2stD/SZe85sjkU+iF8YBR7bFPbQK0PFYx9xQNkH4g+a0CgYEAwPxx
+eY6Cz8Iu3UuBUhxmj8ARnt0CFT4EiZ9o9E0OSv/IyL8jqXRimn9Up6VV+yhevIyX
+94Q3HXjOMyozAGvLoOwEKSnOgZ7T8QZ/GJEutx2PHpnUYfsiZxXffBMrC8Xi0lK7
+xLnClNkF3TR79OdroMOp8+c13LQQoLx9oCP4P2MCgYB4pg9kP9s0gDivjQYNX+cL
+PM9zGybMlPXab2jq0UCrdlIsJMGL0P6d+kWFY/Wj5qHFi7bGsj7WTqr2hA4J1GzJ
++Mdrv+6yamoNmHh8J2IXO9bRNaExiOol0qECAlOULiD3DvHUcUnYYma9zgkLhFnG
+bIMJ5dpWfCrK7nZe1TEyiQKBgQCPkwAFFE4jrO7aulLCuNhgt98kFn53OUV88bjO
+kAlDKNrC5tjsN+cn0/UyKCI4kYcxtVNV1OqAJaEalZmOBaRf21cZHL5C1twM4+1o
+ZJKhrv8MIBvOrVyh3rb+gvAyeQ1Ptjd1m1G1FWR0dpiF0inTV94309rRkLESNEkt
++7SzywKBgE6nJbK8YL30kyxqyz0pWB6CSfQEVCD+4nVpBlYrmiNpGDnfJOKW8tCW
+DexYna2ADOk54TU6kaRegPGKH1+FF6HMn20lUjqtQpu2mV3vbvVMcyj7ubz+Mc3H
+qE/XihloiUusYkcPi3+Ksrd/vatIBBFkTVH1TD16js7qK0GHzfo3
+-----END RSA PRIVATE KEY-----
\ No newline at end of file
diff --git a/tests/testdata/rsa_pkcs8.priv.pem b/tests/testdata/rsa_pkcs8.priv.pem
new file mode 100644
index 0000000..596fbbf
--- /dev/null
+++ b/tests/testdata/rsa_pkcs8.priv.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCxOpNU1lFtNH3s
+3w1SUubV0s8bLJqYHX4NEGjJPmY8Htiy4aI2qmf2emM+mbUALyTY8vGajmnpcDH9
+KcEAY2b/yV9F53Z5C8Z4FCyWiYXKutO9vP+xTX75IGjfzMrOAJAGqCaYvIA3j/3+
+xpSy1FeEgrjGKiSt8i9SSYogbk2B4EqKQZJfzK9/bbPVTwJRbLqC9pqc0ZZLnp5a
+mVSTIrlqmzHEMHdUB6zY1YUflEvGSvjhirUwrc8xBO4heqGb2ptUAND/6oVUwEfw
+j7xKt2uG93yFMNyBNsAqz088dN+t1Ybsj4bRBhITKShlkzwl6BpsSAlx/NicjxMD
+6E/x1GARAgMBAAECggEAAKuwEwoclMU2FMdjTYRyyyxZDElG7HxwFaySOPC7gk67
+kzG3Y22RpyUfawU54h5LjWad82/GhtOd3M9jo5S8twsUCTevAxZAUgQBhzBOCU5b
+rsQgU5Nvf5HX08D6o3ztDplkS/+qnIs28tfdiC+1hRLZkCZorR/VfgI5O5YvROaK
+xCHVyZwGJb2cwVqd9Wbfo99/1CUejxAzXABzBA3lrBdXol2Mq/SAgKYm9xBnywIY
+G/wOSqIgZSooN6SZib8M5IkAmw2eRyLld0DKPnMQA8qYn0gqo+U8zzo55eS/SnCk
+ZWx0vBYFHyCgqafG3wgPXR8t7UDrHq0QCcr5xa3i4QKBgQDjDMVHXTqnrC3wAZLI
+vuunq4YJOR4fE+OpndLAWy02GsTZe5D5tXIiRXVXSUJe4Ffr6BCf1fIyAeAyZTY1
+JnLlcHCu3hpjNhLTzyDlSVd5ZsRFAm5FxbyEo6lLXHyzaA0HUEA2KxR3BTcITNAV
+YIhwCtdyFJOOyl86I1VX2SY1bwKBgQDH05MV5+0exxwn/axrGec5S/DgNU2T7rAy
+dseX0+t5AFag1+rOpaF0vg3/KYzpX99RBbGKUgsRh1j78RnqCXFfm2nLXXPrqdpA
+XQoyoQ7zTw2g7Uz95OTcFIfzPDTiyfs/iun9ghFkMU0uQZlRSpsg5xKbDAXOXmK5
+BsDWY1sCfwKBgCFwXA2qmVzgatOSJ8AQ/jvvcwogs2L4VutAJy3VP89cGem93Rgp
+tOl/OUzlqTS37br8rpYbuFPNGuvRJC6nvvwzlyTp6RD7gcJYGwwpxQxIKlfPh9YW
+zTDruZ8zu9ngVSriktJnfdgZmIVMasj7Mpztu9U9Wo4JGAVD9um9PXdZAoGBAIel
+kAsmzUg/UVW0Vf6+LsAuVO1eQbNSLDmVeBgQu6AAIs48xCBTPy7IdSfpRMaHVkjh
+3ItQ9kKH5lfgav78OgH0tfRfE/m963IVtn535nY0C8RaUhFn+BONvFvZWu04v117
+Jyv3x2aEMShdT35nbrb/JRorJyXX3JxNgUoHWBhxAoGAXBsrEEif9jF02GDpnDsv
+WSheFEFl+iC4g8Pwj0J/PvIMddFZ5tDUYX3IapYT2hXOrwTTy5E3QwPBpxk1eKDp
+Dn6xoM6+dlHPPWA6l48GJK8nmEpgmqemJXwIQ8ODZi2TDE3kWvnZiR3SuP+UJEdS
+aZYApzOejZbQzdygUp7Xeg4=
+-----END PRIVATE KEY-----
\ No newline at end of file
diff --git a/tests/testdata/rsa_ssh.priv.pem b/tests/testdata/rsa_ssh.priv.pem
new file mode 100644
index 0000000..5f0fa10
--- /dev/null
+++ b/tests/testdata/rsa_ssh.priv.pem
@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEAtPNBI/FsGIwXm12a2G37lgx49Z+U+CVPMjIrZmT9zGsuOWDeXq1i
+5yRLUj22KA6N8KTNDJrgrzV07D1GgVd6OcNFcAGvcPCentEGjDs0POYv+FMWnrLSU1jFok
+tjqgbB3eNKOu3gDbcZ8DYgCVpTeBIfUR9pDHtfXMuCJjOQx+DE6t0OoC5cJ8D4SnEaCMXH
+aZguEIIVxw3A6mEht6bgsC0ZkrqSqzIQbcU+m7ypy8yZC58a/xFsjPoUOLgxAQqKcRdpry
+oOK8I3JLwLcnMjt+HtHUzWbMDNN9wFb7I0r6gM4DoN6TQE2rE241iwPhH+sv2rXLfGdRVR
+xy1Wp+9F59u9YS/LnWKX88yy+BYt1rwyMkPtf5EKeltjd2XrJg5EIX1AuQ0ystoMzYR0iQ
+IKVaIYVzhGRq4LTI6tRPqGL+qUYSKMsYTd8E7GCI2NmTffHngDLs/GO41VHP+MVRx/CED2
+I8Q9fyn1qIEXEyAv3sEo1wBazGRAZnto4sal+hLrAAAFkCZvX6Ymb1+mAAAAB3NzaC1yc2
+EAAAGBALTzQSPxbBiMF5tdmtht+5YMePWflPglTzIyK2Zk/cxrLjlg3l6tYuckS1I9tigO
+jfCkzQya4K81dOw9RoFXejnDRXABr3Dwnp7RBow7NDzmL/hTFp6y0lNYxaJLY6oGwd3jSj
+rt4A23GfA2IAlaU3gSH1EfaQx7X1zLgiYzkMfgxOrdDqAuXCfA+EpxGgjFx2mYLhCCFccN
+wOphIbem4LAtGZK6kqsyEG3FPpu8qcvMmQufGv8RbIz6FDi4MQEKinEXaa8qDivCNyS8C3
+JzI7fh7R1M1mzAzTfcBW+yNK+oDOA6Dek0BNqxNuNYsD4R/rL9q1y3xnUVUcctVqfvRefb
+vWEvy51il/PMsvgWLda8MjJD7X+RCnpbY3dl6yYORCF9QLkNMrLaDM2EdIkCClWiGFc4Rk
+auC0yOrUT6hi/qlGEijLGE3fBOxgiNjZk33x54Ay7PxjuNVRz/jFUcfwhA9iPEPX8p9aiB
+FxMgL97BKNcAWsxkQGZ7aOLGpfoS6wAAAAMBAAEAAAGBAKgUvRFyFALJPrRmwor/vo6mj0
+U5Mts9bM8nowC+FrJnbMyHmoc/b3tdT0nZYPbcbiR2MLHgu4yEj1NRp8hFRZeaN0nPhvPV
+zsGfUAG6jM900mJMa9qGKLCa6RnUBYPOOw6tLiqHA3Q5/LIQ1LlbWeVSkBx+nMmnX/GGaC
+KsC3Re6Qtww0EvTxLuQLSFUrWLYaxIW6Gh9DCuKeCM0RESxetgOTz+aXb0TiZo7bskCGTy
+a8dLx3ve54IcWeRF098vtdFruP639jZUSlS0qamd7Nog/6Fuo83N5RkdM84atL1ATtPlQN
+pllhhvVlk8d9wPGVziyZdY9FEbAmx5CebAh5oilTiqsIfTIJSa8HiRfxrNzplGPLg8MCeU
+Svz7ZDvlwhMAQJ68ywaLweKGyUIdMX+1HtpB1Tsd9OsPoma+cdoCk9E9hRYE+Qkso7gS26
+sGdNnhaQ4DEJUUi/fT9do3jXWK6M6m+bMGeCwulE7KfHgZXxzAn0aWoi0v3pPgpCnK4QAA
+AMEAncS7nI3ZGiIhkY5ZC7hyhgOwgjuhZhTlyZuLc1zFbILhq5rLj9yldazRU2Kg1KWmhM
+m8bhJC+TkC2rMrn+QcNU8nkCiZrcyO/aIFc4B3DRQD19RrLv+XQmnGR6g/euwZsnMNoreA
+WVNg9N2ZbtMHa+CKYyzTC+RnLyOYhyZL8JcA2hW19Y21EIFLU6A4Cy+J2fUDxGhBKagKc1
+EAw+ODkfLRebS2hxqHSVD1E8HuykKoh+6hKBIt7R3pAlgj3hFpAAAAwQDaQWA104yjT2JJ
+fhsoZjIEnspae/AR2R9Fe5QDvG2SrHW7oJK44Jy/QTimyAFpH41QRFZ87ibOnJquby/qqQ
+iFcaC005vwYGlqtvlpmZYiDjYQKOLhcrmTFPJzWQm+OdHpa92fe4+6pDQIGwtvJSP8wFLP
+Dwy29AhLLUqhojeF2sGvQm4+XpBfw2jCtBVvnXAdOU5Z1kh+juffH/jfluldWnhZZup5ea
+RPlehdWOE8X8/AgXTljQq63qqJ0PRR/j0AAADBANQ+TPvIBwyRTvkncFr5a9rNAsHQY9am
+iTsEbYn5onoiLXjbIXdzryrww3pniLI7kzIxyy9F92n8W+UatS5efGKOg/mEzdnFVpZtDi
+su/5MeJFbnSpyIjmtI/MsrEbf9ofiKr30X4NLOLThdO6WNOFABlhlbko7JvULLlmLzRwJA
+v3PIglolFDq3WQOdM1btWGEMXYhwK3c7amFqpUe+6YhqZHONR5vvFKEAk6oXzJRk6tm0lz
+/qxPP8Gm1ZpQfQRwAAABVwc3ltb25lYUBDMDJGTDA4Tk1MN0wBAgME
+-----END OPENSSH PRIVATE KEY-----
diff --git a/tests/testdata/rsa_ssh.pub.pem b/tests/testdata/rsa_ssh.pub.pem
new file mode 100644
index 0000000..e2312dc
--- /dev/null
+++ b/tests/testdata/rsa_ssh.pub.pem
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC080Ej8WwYjBebXZrYbfuWDHj1n5T4JU8yMitmZP3May45YN5erWLnJEtSPbYoDo3wpM0MmuCvNXTsPUaBV3o5w0VwAa9w8J6e0QaMOzQ85i/4UxaestJTWMWiS2OqBsHd40o67eANtxnwNiAJWlN4Eh9RH2kMe19cy4ImM5DH4MTq3Q6gLlwnwPhKcRoIxcdpmC4QghXHDcDqYSG3puCwLRmSupKrMhBtxT6bvKnLzJkLnxr/EWyM+hQ4uDEBCopxF2mvKg4rwjckvAtycyO34e0dTNZswM033AVvsjSvqAzgOg3pNATasTbjWLA+Ef6y/atct8Z1FVHHLVan70Xn271hL8udYpfzzLL4Fi3WvDIyQ+1/kQp6W2N3ZesmDkQhfUC5DTKy2gzNhHSJAgpVohhXOEZGrgtMjq1E+oYv6pRhIoyxhN3wTsYIjY2ZN98eeAMuz8Y7jVUc/4xVHH8IQPYjxD1/KfWogRcTIC/ewSjXAFrMZEBme2jixqX6Eus= psymonea@C02FL08NML7L