initial prototype based on nat-as-server
Some checks failed
PHPUnit / test (push) Has been cancelled

This commit is contained in:
tom.hempel
2026-06-29 12:39:55 +02:00
commit f1caa9e681
148 changed files with 34905 additions and 0 deletions

View File

@ -0,0 +1,51 @@
<?php
declare(strict_types=1);
namespace Tests\Unit;
use InvalidArgumentException;
use PHPUnit\Framework\TestCase;
final class EncryptedPayloadTest extends TestCase
{
public function testEnvelopeRoundTrip(): void
{
require_once dirname(__DIR__, 2) . '/lib/encrypted_payload.php';
$token = bin2hex(random_bytes(32));
$json = '{"clientCode":"X","answers":[]}';
$env = qdb_sensitive_envelope($json, $token);
$this->assertTrue($env['encrypted']);
$this->assertSame('A256GCM', $env['alg']);
$plain = qdb_decrypt_sensitive_envelope($env, $token);
$this->assertSame($json, $plain);
}
public function testLegacyCbcEnvelopeStillDecrypts(): void
{
require_once dirname(__DIR__, 2) . '/lib/encrypted_payload.php';
$token = bin2hex(random_bytes(32));
$json = '{"legacy":true}';
$key = hkdf_session_key_from_token($token);
$env = [
'encrypted' => true,
'payload' => base64_encode(aes256_cbc_encrypt_bytes($json, $key)),
];
$this->assertSame($json, qdb_decrypt_sensitive_envelope($env, $token));
}
public function testWrongTokenFailsDecrypt(): void
{
require_once dirname(__DIR__, 2) . '/lib/encrypted_payload.php';
$env = qdb_sensitive_envelope('{}', bin2hex(random_bytes(32)));
$this->expectException(\Exception::class);
qdb_decrypt_sensitive_envelope($env, bin2hex(random_bytes(32)));
}
public function testInvalidEnvelopeRejected(): void
{
require_once dirname(__DIR__, 2) . '/lib/encrypted_payload.php';
$this->expectException(InvalidArgumentException::class);
qdb_decrypt_sensitive_envelope(['encrypted' => false], bin2hex(random_bytes(8)));
}
}