52 lines
1.8 KiB
PHP
52 lines
1.8 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace Tests\Unit;
|
|
|
|
use InvalidArgumentException;
|
|
use PHPUnit\Framework\TestCase;
|
|
|
|
final class EncryptedPayloadTest extends TestCase
|
|
{
|
|
public function testEnvelopeRoundTrip(): void
|
|
{
|
|
require_once dirname(__DIR__, 2) . '/lib/encrypted_payload.php';
|
|
$token = bin2hex(random_bytes(32));
|
|
$json = '{"clientCode":"X","answers":[]}';
|
|
$env = qdb_sensitive_envelope($json, $token);
|
|
$this->assertTrue($env['encrypted']);
|
|
$this->assertSame('A256GCM', $env['alg']);
|
|
$plain = qdb_decrypt_sensitive_envelope($env, $token);
|
|
$this->assertSame($json, $plain);
|
|
}
|
|
|
|
public function testLegacyCbcEnvelopeStillDecrypts(): void
|
|
{
|
|
require_once dirname(__DIR__, 2) . '/lib/encrypted_payload.php';
|
|
$token = bin2hex(random_bytes(32));
|
|
$json = '{"legacy":true}';
|
|
$key = hkdf_session_key_from_token($token);
|
|
$env = [
|
|
'encrypted' => true,
|
|
'payload' => base64_encode(aes256_cbc_encrypt_bytes($json, $key)),
|
|
];
|
|
$this->assertSame($json, qdb_decrypt_sensitive_envelope($env, $token));
|
|
}
|
|
|
|
public function testWrongTokenFailsDecrypt(): void
|
|
{
|
|
require_once dirname(__DIR__, 2) . '/lib/encrypted_payload.php';
|
|
$env = qdb_sensitive_envelope('{}', bin2hex(random_bytes(32)));
|
|
$this->expectException(\Exception::class);
|
|
qdb_decrypt_sensitive_envelope($env, bin2hex(random_bytes(32)));
|
|
}
|
|
|
|
public function testInvalidEnvelopeRejected(): void
|
|
{
|
|
require_once dirname(__DIR__, 2) . '/lib/encrypted_payload.php';
|
|
$this->expectException(InvalidArgumentException::class);
|
|
qdb_decrypt_sensitive_envelope(['encrypted' => false], bin2hex(random_bytes(8)));
|
|
}
|
|
}
|