From bbffc141783b364d91626db8019be03f17690581 Mon Sep 17 00:00:00 2001
From: James Pickett
Date: Wed, 17 Apr 2024 08:41:56 -0700
Subject: [PATCH] pass private key pointer instead of value (#39)

* pass private key pointer instead of value
* fix lint
* moar lint
* add test-cmds to exclude dirs
* add test-cmds to .gitignore
---
.gitignore | 1 +
.golangci.yml | 6 +++---
cross_language_tests/aes_cross_test.go | 2 +-
cross_language_tests/boxer_cross_test.go | 5 ++++-
cross_language_tests/challenge_cross_test.go | 11 ++++++-----
cross_language_tests/rsa_cross_test.go | 5 ++++-
pkg/challenge/challenge_test.go | 4 ++--
pkg/challenge/response.go | 4 ++--
pkg/secureenclave/secureenclave_test.go | 4 ++--
9 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/.gitignore b/.gitignore
index ab479ba..414d680 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ coverage.out
/Gemfile.lock
/.vscode
+/test-cmds/
diff --git a/.golangci.yml b/.golangci.yml
index e40fc47..3f95eea 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,6 +1,4 @@
run:
- skip-dirs:
- - test-cmds
timeout: 5m
linters:
@@ -32,8 +30,10 @@ linters-settings:
simplify: false
issues:
+ exclude-dirs:
+ - test-cmds
exclude-rules:
# False positive: https://github.com/kunwardeep/paralleltest/issues/8.
- linters:
- paralleltest
- text: "does not use range value in test Run"
\ No newline at end of file
+ text: "does not use range value in test Run"
diff --git a/cross_language_tests/aes_cross_test.go b/cross_language_tests/aes_cross_test.go
index 8503c76..4604dbb 100644
--- a/cross_language_tests/aes_cross_test.go
+++ b/cross_language_tests/aes_cross_test.go
@@ -40,7 +40,6 @@ func TestAesRuby(t *testing.T) {
{AuthData: mkrand(t, 32), Plaintext: mkrand(t, 1024)},
}
- //#nosec G306 -- Need readable files
for _, tt := range tests {
tt := tt
t.Run("", func(t *testing.T) {
@@ -60,6 +59,7 @@ func TestAesRuby(t *testing.T) {
b, err := msgpack.Marshal(tt)
require.NoError(t, err)
+ //#nosec G306 -- Need readable files
require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
})
diff --git a/cross_language_tests/boxer_cross_test.go b/cross_language_tests/boxer_cross_test.go
index 7f69e12..1788d68 100644
--- a/cross_language_tests/boxer_cross_test.go
+++ b/cross_language_tests/boxer_cross_test.go
@@ -70,7 +70,6 @@ func TestBoxerRuby(t *testing.T) {
}
// Ruby Decrypt Tests
- //#nosec G306 -- Need readable files
for _, message := range testMessages {
message := message
@@ -93,6 +92,7 @@ func TestBoxerRuby(t *testing.T) {
b, err := msgpack.Marshal(rubyCommand)
require.NoError(t, err)
+ //#nosec G306 -- Need readable files
require.NoError(t, os.WriteFile(rubyInFile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
@@ -160,6 +160,7 @@ func TestBoxerRuby(t *testing.T) {
var png bytes.Buffer
pngFile := path.Join(dir, ulid.New()+".png")
require.NoError(t, aliceBoxer.EncodePng(responseTo, message, &png))
+ //#nosec G306 -- Need readable files
require.NoError(t, os.WriteFile(pngFile, png.Bytes(), 0644))
tests := []boxerCrossTestCase{
@@ -200,6 +201,7 @@ func TestBoxerRuby(t *testing.T) {
//
b, err := msgpack.Marshal(tt)
require.NoError(t, err)
+ //#nosec G306 -- Need readable files
require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
@@ -248,6 +250,7 @@ func TestBoxerRuby(t *testing.T) {
b, err := msgpack.Marshal(rubyCommand)
require.NoError(t, err)
+ //#nosec G306 -- Need readable files
require.NoError(t, os.WriteFile(rubyInFile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
diff --git a/cross_language_tests/challenge_cross_test.go b/cross_language_tests/challenge_cross_test.go
index 2846421..5acc7ef 100644
--- a/cross_language_tests/challenge_cross_test.go
+++ b/cross_language_tests/challenge_cross_test.go
@@ -196,7 +196,7 @@ func TestChallenge_GoGenerate_RubyRespond(t *testing.T) {
outerResponse, err := challenge.UnmarshalResponse(tamperWithResponse(t, challengeOuterBoxBytes, outerResponseBytes))
require.NoError(t, err)
- _, err = outerResponse.Open(*challengePrivateEncryptionKey)
+ _, err = outerResponse.Open(challengePrivateEncryptionKey)
require.Error(t, err)
})
@@ -210,11 +210,11 @@ func TestChallenge_GoGenerate_RubyRespond(t *testing.T) {
// try to open with a bad key
_, malloryPrivKey, err := box.GenerateKey(rand.Reader)
require.NoError(t, err)
- _, err = outerResponse.Open(*malloryPrivKey)
+ _, err = outerResponse.Open(malloryPrivKey)
require.Error(t, err)
// open with legit key
- innerResponse, err := outerResponse.Open(*challengePrivateEncryptionKey)
+ innerResponse, err := outerResponse.Open(challengePrivateEncryptionKey)
require.NoError(t, err)
// verify data
@@ -225,7 +225,6 @@ func TestChallenge_GoGenerate_RubyRespond(t *testing.T) {
}
}
-// #nosec G306 -- Need readable files
func rubyChallengeExec(rubyCmd, dir string, inputData rubyChallengeCmd) ([]byte, error) {
testCaseBytes, err := msgpack.Marshal(inputData)
if err != nil {
@@ -236,7 +235,9 @@ func rubyChallengeExec(rubyCmd, dir string, inputData rubyChallengeCmd) ([]byte,
inFilePath := filepath.Join(dir, "in")
- if err := os.WriteFile(inFilePath, testCaseBytesBase64, 0644); err != nil {
+ //#nosec G306 -- Need readable files
+ err = os.WriteFile(inFilePath, testCaseBytesBase64, 0644)
+ if err != nil {
return nil, err
}
diff --git a/cross_language_tests/rsa_cross_test.go b/cross_language_tests/rsa_cross_test.go
index c85b701..7bd8591 100644
--- a/cross_language_tests/rsa_cross_test.go
+++ b/cross_language_tests/rsa_cross_test.go
@@ -37,7 +37,6 @@ func TestRsaRuby(t *testing.T) {
{Plaintext: mkrand(t, 128)},
}
- //#nosec G306 -- Need readable files
for _, tt := range tests {
tt := tt
t.Run("", func(t *testing.T) {
@@ -72,6 +71,7 @@ func TestRsaRuby(t *testing.T) {
b, err := msgpack.Marshal(tt)
require.NoError(t, err)
+ //#nosec G306 -- Need readable files
require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
cmd := exec.CommandContext(ctx, "ruby", rsaRB, "decrypt", testfile, path.Join(dir, "ruby-decrypt"))
@@ -98,6 +98,7 @@ func TestRsaRuby(t *testing.T) {
b, err := msgpack.Marshal(tt)
require.NoError(t, err)
+ //#nosec G306 -- Need readable files
require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
cmd := exec.CommandContext(ctx, "ruby", rsaRB, "encrypt", testfile, path.Join(dir, "ruby-encrypt"))
@@ -130,6 +131,7 @@ func TestRsaRuby(t *testing.T) {
b, err := msgpack.Marshal(tt)
require.NoError(t, err)
+ //#nosec G306 -- Need readable files
require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
cmd := exec.CommandContext(ctx, "ruby", rsaRB, "verify", testfile, path.Join(dir, "ruby-verify"))
@@ -157,6 +159,7 @@ func TestRsaRuby(t *testing.T) {
b, err := msgpack.Marshal(tt)
require.NoError(t, err)
+ //#nosec G306 -- Need readable files
require.NoError(t, os.WriteFile(testfile, []byte(base64.StdEncoding.EncodeToString(b)), 0644))
cmd := exec.CommandContext(ctx, "ruby", rsaRB, "sign", testfile, path.Join(dir, "ruby-signed"))
diff --git a/pkg/challenge/challenge_test.go b/pkg/challenge/challenge_test.go
index bec92bd..f8c1163 100644
--- a/pkg/challenge/challenge_test.go
+++ b/pkg/challenge/challenge_test.go
@@ -107,11 +107,11 @@ func TestChallengeHappyPath(t *testing.T) {
// try to open with a bad key
_, malloryPrivKey, err := box.GenerateKey(rand.Reader)
require.NoError(t, err)
- _, err = outerResponse.Open(*malloryPrivKey)
+ _, err = outerResponse.Open(malloryPrivKey)
require.Error(t, err)
// open with legit key
- innerResponse, err := outerResponse.Open(*challengePrivateEncryptionKey)
+ innerResponse, err := outerResponse.Open(challengePrivateEncryptionKey)
require.NoError(t, err)
// verify data
diff --git a/pkg/challenge/response.go b/pkg/challenge/response.go
index d994084..ff6dbba 100644
--- a/pkg/challenge/response.go
+++ b/pkg/challenge/response.go
@@ -21,8 +21,8 @@ type OuterResponse struct {
ChallengeId []byte `msgpack:"challengeId"`
}
-func (o *OuterResponse) Open(privateEncryptionKey [32]byte) (*InnerResponse, error) {
- innerResponseBytes, err := echelper.OpenNaCl(o.Msg, &o.PublicEncryptionKey, &privateEncryptionKey)
+func (o *OuterResponse) Open(privateEncryptionKey *[32]byte) (*InnerResponse, error) {
+ innerResponseBytes, err := echelper.OpenNaCl(o.Msg, &o.PublicEncryptionKey, privateEncryptionKey)
if err != nil {
return nil, fmt.Errorf("opening challenge response box: %w", err)
}
diff --git a/pkg/secureenclave/secureenclave_test.go b/pkg/secureenclave/secureenclave_test.go
index a5e25aa..2b571e5 100644
--- a/pkg/secureenclave/secureenclave_test.go
+++ b/pkg/secureenclave/secureenclave_test.go
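Review bot: `Open` now accepts `*[32]byte` but passes `privateEncryptionKey` straight into `echelper.OpenNaCl` without a nil check, so a caller that hands over a nil pointer (an unset field, a key load that failed but was not checked) gets a nil-dereference panic somewhere below instead of an error; the old value parameter could not be nil, so this is a new failure mode the signature change introduces. A guard at the top of the body keeps the failure in the error channel the callers already handle and needs no new import: `if privateEncryptionKey == nil { return nil, fmt.Errorf("opening challenge response box: nil private encryption key") }`. The exported method also carries no doc comment; something like `// Open decrypts the NaCl box in Msg with the recipient's private encryption key and returns the InnerResponse it carries.` would state the contract, and since this is an exported signature change, any caller outside this repository passing a `[32]byte` value will stop compiling until it passes a pointer. The body of Open continues past the end of the hunk.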
@@ -111,14 +111,13 @@ func TestSecureEnclaveErrors(t *testing.T) {
require.Error(t, err, "new secure enclave keyer should error with nil existing key")
}
-// #nosec G306 -- Need readable files
func copyFile(t *testing.T, source, destination string) {
bytes, err := os.ReadFile(source)
require.NoError(t, err)
+ // #nosec G306 -- Need readable files
require.NoError(t, os.WriteFile(destination, bytes, 0700))
}
-// #nosec G204 -- This triggers due to using env var in cmd, making exception for test
func signApp(t *testing.T, appRootDir string) {
codeSignId := os.Getenv("MACOS_CODESIGN_IDENTITY")
require.NotEmpty(t, codeSignId, "need MACOS_CODESIGN_IDENTITY env var to sign app, such as [Mac Developer: Jane Doe (ABCD123456)]")
@@ -126,6 +125,7 @@ func signApp(t *testing.T, appRootDir string) {
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
+ // #nosec G204 -- This triggers due to using env var in cmd, making exception for test
cmd := exec.CommandContext(
ctx, "codesign",
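Review bot: The `#nosec G306` justification moved above `os.WriteFile(destination, bytes, 0700)` in copyFile still reads "Need readable files", but 0700 grants nothing to group or world; what trips G306 here is the owner execute bit, so the comment does not describe the permission it is waiving and a later reader cannot tell whether the suppression is still warranted. State the actual reason, e.g. `// #nosec G306 -- 0700 keeps the owner execute bit on the copied file; it is not group/world readable`, and add why the copy must stay executable, which the callers of copyFile (outside this hunk) should make clear. Separately, the pre-existing local named `bytes` shadows the standard-library package name for the rest of the function; `data` or `contents` would avoid that.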