From c299cce6d1864a530d9d8af815ed56b89f9ecee6 Mon Sep 17 00:00:00 2001
From: Hugo Rosenkranz-Costa
Date: Fri, 1 Mar 2024 12:06:10 +0100
Subject: [PATCH] test: add example of KMS edit policy `rename` and `add`
---
 tests/KMS.test.ts | 24 +++++-------
 tests/cover_crypt.test.ts | 82 +++++++++++++++++++++++++++++++++++----
 2 files changed, 85 insertions(+), 21 deletions(-)
diff --git a/tests/KMS.test.ts b/tests/KMS.test.ts
index 92ba859b..fad03cb0 100644
--- a/tests/KMS.test.ts
+++ b/tests/KMS.test.ts
@@ -492,7 +492,7 @@ test(
 )
 test(
- "Key rotation security when importing with tempered access policy",
+ "Key rekey security when importing with tempered access policy",
 async () => {
 const { Policy, PolicyAxis } = await CoverCrypt()
@@ -548,14 +548,10 @@ test(
 return await client?.coverCryptDecrypt(userKeyID, ciphertext)
 }).rejects.toThrow()
- // After rekeying, the temperedUserKey get access to new and old TopSecret key
- {
- const { plaintext } = await client.coverCryptDecrypt(
- temperedUserKeyID,
- ciphertext,
- )
- expect(plaintext).toEqual(plaintext)
- }
+ // After rekeying, the temperedUserKey gains no access to TopSecret
+ await expect(async () => {
+ return await client.coverCryptDecrypt(temperedUserKeyID, ciphertext)
+ }).rejects.toThrow()
 const newCiphertext = await client.coverCryptEncrypt(
 mpkID,
@@ -567,10 +563,10 @@ test(
 return await client?.coverCryptDecrypt(userKeyID, newCiphertext)
 }).rejects.toThrow()
- // TODO fix this bug, this should fail (cannot decrypt with the tempered user key)
- // await expect(async () => {
- // return await client.coverCryptDecrypt(temperedUserKeyID, newCiphertext);
- // }).rejects.toThrow()
+ // Cannot decrypt with the tempered user key)
+ await expect(async () => {
+ return await client.coverCryptDecrypt(temperedUserKeyID, newCiphertext)
+ }).rejects.toThrow()
 },
 {
 timeout: 30 * 1000,
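Review bot: The new `rejects.toThrow()` on the `temperedUserKeyID` decryption has no matcher, so it passes on any rejection, including a connection failure or an unknown key identifier, and does not by itself show that the KMS refused the key for lack of access to TopSecret. Pinning the expected failure, for example `}).rejects.toThrow(/<expected KMS error text>/)` with the message the server actually returns, would make the check specific; the same applies to the re-enabled assertion on `newCiphertext` in the `-567,10 +563,10` hunk. A decryption of the same `ciphertext` with a key that is entitled to it, asserted to succeed, would serve as a positive control if the test does not already have one outside this hunk. The enclosing test body starts and ends outside the hunk.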
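Review bot: The replacement comment `// Cannot decrypt with the tempered user key)` keeps a stray `)` from the old TODO and no longer says why this assertion matters. The removed lines record that the check was disabled because decryption wrongly succeeded, so it now acts as a regression guard for that bug; a comment such as `// Regression guard: a user key imported with a tempered (tampered) access policy must not decrypt ciphertexts created after the rekey` would keep that context. If the fix lives in the KMS server, the test presumably passes only against a server version that contains it, which is worth stating in the commit message or the CI configuration.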
@@ -578,7 +574,7 @@ test(
 )
 test(
- "Decrypt old ciphertext after rotation",
+ "Decrypt old ciphertext after rekeying",
 async () => {
 const {
 CoverCryptHybridEncryption,
diff --git a/tests/cover_crypt.test.ts b/tests/cover_crypt.test.ts
index eb0a3c3b..be32a34a 100644
--- a/tests/cover_crypt.test.ts
+++ b/tests/cover_crypt.test.ts
@@ -158,7 +158,6 @@ test("Demo using KMS", async () => {
 new PolicyAxis(
 "Department", // this axis name
 [
- { name: "R&D", isHybridized: false },
 { name: "HR", isHybridized: false },
 { name: "MKG", isHybridized: false },
 { name: "FIN", isHybridized: false },
@@ -376,7 +375,7 @@ test("Demo using KMS", async () => {
 "Department::MKG",
 )
- // Decrypting old messages will fail even with the rekeyed key
+ // decrypting old messages will fail even with the rekeyed key
 try {
 // will throw
 await client.coverCryptDecrypt(
@@ -387,12 +386,81 @@ test("Demo using KMS", async () => {
 // ==> the non rekeyed key cannot decrypt the new message after rotation
 }
- // Decrypting the new message will still work
- const newConfidentialMkgCleartext_ = await client.coverCryptDecrypt(
- confidentialMkgUserKeyUid,
- newConfidentialMkgCiphertext,
+ // decrypting the new message will still work
+ {
+ const newConfidentialMkgCleartext = await client.coverCryptDecrypt(
+ confidentialMkgUserKeyUid,
+ newConfidentialMkgCiphertext,
+ )
+ expect(confidentialMkgData).toEqual(newConfidentialMkgCleartext.plaintext)
+ }
+
+ //
+ // Edit Policy
+ //
+
+ // Rename attribute "Department::MKG" to "Department::Marketing"
+ await client.renameCoverCryptAttribute(
+ masterSecretKeyUID,
+ "Department::MKG",
+ "Marketing",
 )
- expect(confidentialMkgData).toEqual(newConfidentialMkgCleartext_.plaintext)
+
+ // decryption rights have not been modified even for previously generated keys and ciphers
+ {
+ const newConfidentialMkgCleartext = await client.coverCryptDecrypt(
+ confidentialMkgUserKeyUid,
+ newConfidentialMkgCiphertext,
+ )
+ expect(confidentialMkgData).toEqual(newConfidentialMkgCleartext.plaintext)
+ }
+
+ // new encryption or user key generation must use the new attribute name
+ {
+ const topSecretMkgCiphertext = await client.coverCryptEncrypt(
+ masterPublicKeyUID,
+ "Department::Marketing && Security Level::Top Secret",
+ topSecretMkgData,
+ )
+
+ // new "Marketing" message can still be decrypted with "MKG" keys
+ const topSecretMkgCleartext = await client.coverCryptDecrypt(
+ topSecretMkgFinUserKeyUid,
+ topSecretMkgCiphertext,
+ )
+ expect(topSecretMkgData).toEqual(topSecretMkgCleartext.plaintext)
+ }
+
+ // Add new attributes
+ await client.addCoverCryptAttribute(
+ masterSecretKeyUID,
+ "Department::R&D",
+ false,
+ )
+
+ // encrypt a message for the newly created `R&D` attribute
+ const protectedRdData = new TextEncoder().encode("protected_rd_message")
+ const protectedRdCiphertext = await client.coverCryptEncrypt(
+ masterPublicKeyUID,
+ "Department::R&D && Security Level::Protected",
+ protectedRdData,
+ )
+
+ // and generate a user key with access rights for this attribute
+ const confidentialRdFinUserKeyUid =
+ await client.createCoverCryptUserDecryptionKey(
+ "(Department::R&D || Department::FIN) && Security Level::Confidential",
+ masterSecretKeyUID,
+ )
+
+ // decrypt the R&D message with the new user key
+ {
+ const protectedRdCleartext = await client.coverCryptDecrypt(
+ confidentialRdFinUserKeyUid,
+ protectedRdCiphertext,
+ )
+ expect(protectedRdData).toEqual(protectedRdCleartext.plaintext)
+ }
 })
 test("Generate non-regression tests vector", async () => {
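Review bot: The policy-edit section added here asserts only the decryptions that are expected to succeed, so nothing in it would fail if a rename or an added attribute widened access. The comment says new encryptions must use the new attribute name, but no assertion shows that encrypting under `Department::MKG` is refused after the rename, and no key issued before `Department::R&D` existed is shown to be denied `protectedRdCiphertext`. The two checks sketched below cover this, assuming the KMS behaves as the comment states and that `confidentialMkgUserKeyUid` holds no R&D right, as its name suggests; ideally each would also match the server's refusal message. The enclosing test starts outside the hunk.

```typescript
  // … unchanged: rename to "Marketing", encryption under "Department::Marketing" …

  // the old attribute name is no longer accepted for new encryptions
  await expect(
    client.coverCryptEncrypt(
      masterPublicKeyUID,
      "Department::MKG && Security Level::Top Secret",
      topSecretMkgData,
    ),
  ).rejects.toThrow()

  // … unchanged: add "Department::R&D", encrypt protectedRdData, create the R&D/FIN key …

  // a key issued before the attribute existed gains no access to it
  await expect(
    client.coverCryptDecrypt(confidentialMkgUserKeyUid, protectedRdCiphertext),
  ).rejects.toThrow()
```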