From 23c36bc1a1341dbdf76c6a57e576c006d986b811 Mon Sep 17 00:00:00 2001
From: Spyros Seimenis <spyros.seimenis@canonical.com>
Date: Wed, 7 Feb 2024 13:48:53 +0100
Subject: [PATCH] keydata_test.go: add test case for derivation info fields

---
 export_test.go  |  4 ++++
 keydata_test.go | 62 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)

diff --git a/export_test.go b/export_test.go
index cdba8e34..8332d009 100644
--- a/export_test.go
+++ b/export_test.go
@@ -145,3 +145,7 @@ func MockHashAlgAvailable() (restore func()) {
 		hashAlgAvailable = orig
 	}
 }
+
+func (d *KeyData) DerivePassphraseKeys(passphrase string, kdf KDF) (key, iv, auth []byte, err error) {
+	return d.derivePassphraseKeys(passphrase, kdf)
+}
diff --git a/keydata_test.go b/keydata_test.go
index 1adab78e..7b4a95f4 100644
--- a/keydata_test.go
+++ b/keydata_test.go
@@ -1428,6 +1428,68 @@ func (s *keyDataSuite) TestReadKeyData4(c *C) {
 		authorized: false})
 }
 
+func (s *keyDataSuite) TestKeyDataDerivePassphraseKeysExpectedInfoFields(c *C) {
+	// Test that key derivation from passphrase is using expected info fields
+	s.handler.passphraseSupport = true
+
+	// Valid KeyData with passphrase "passphrase"
+	j := []byte(
+		`{` +
+			`"version":2,` +
+			`"platform_name":"mock",` +
+			`"platform_handle":` +
+			`{` +
+			`"key":"PNmzLCfVurOXSYAFaLAOdHuhBMo7fmrFS2RtNooe3fw=",` +
+			`"iv":"D84HW2UYyF6nOMyfEPMtiQ==",` +
+			`"auth-key-hmac":"EAMRNlNzn3Tz47uM9kLTgXBaM341G4D6W3f57PDc8xs=",` +
+			`"exp-version":2,` +
+			`"exp-kdf_alg":5,` +
+			`"exp-auth-mode":1},` +
+			`"kdf_alg":"sha256",` +
+			`"encrypted_payload":"JV78CDs5AG/KQfJC/Q0kg9zrUX+3l7x9jDZyalg3+roBhkCEcNZiV4AMwreO01uDJyKdovTRHPoCYlNwpwfVBEuTlfvrpQ==",` +
+			`"passphrase_params":` +
+			`{` +
+			`"kdf":` +
+			`{` +
+			`"type":"argon2i",` +
+			`"salt":"cFP5Mb1Djp3EP160ejEClg==",` +
+			`"time":4,` +
+			`"memory":1024063,` +
+			`"cpus":4},` +
+			`"encryption":"aes-cfb",` +
+			`"derived_key_size":32,` +
+			`"encryption_key_size":32,` +
+			`"auth_key_size":32},` +
+			`"authorized_snap_models":` +
+			`{` +
+			`"alg":"sha256",` +
+			`"kdf_alg":"sha256",` +
+			`"key_digest":` +
+			`{` +
+			`"alg":"sha256",` +
+			`"salt":"g1zdFrK4+AKyQpaDiQ2Udwijdf/sKvfbRKKWxSBl7sc=",` +
+			`"digest":"8sVvLZOkRD6RWjLFSp/pOPrKoibsr+VWyGhv4M2aph8="},` +
+			`"hmacs":null}}
+`)
+	expectedKey, err := base64.StdEncoding.DecodeString("C058QWvAAc5sp6Ef2NeQwk0mJk8OS4wrcceYEruHXno=")
+	c.Check(err, IsNil)
+	expectedIV, err := base64.StdEncoding.DecodeString("x78OL7OTqRQfONsOb8yaPQ==")
+	c.Check(err, IsNil)
+	expectedAuth, err := base64.StdEncoding.DecodeString("+AdPOck2Ek8CyCVfSOV3eYClrQMiNqAri0Ra4Ldbohc=")
+	c.Check(err, IsNil)
+
+	kd, err := ReadKeyData(&mockKeyDataReader{"foo", bytes.NewReader(j)})
+	c.Assert(err, IsNil)
+
+	var kdf testutil.MockKDF
+	key, iv, auth, err := kd.DerivePassphraseKeys("passphrase", &kdf)
+	c.Assert(err, IsNil)
+
+	c.Check(key, DeepEquals, expectedKey)
+	c.Check(iv, DeepEquals, expectedIV)
+	c.Check(auth, DeepEquals, expectedAuth)
+}
+
 // Legacy tests
 func (s *keyDataSuite) TestReadAndWriteWithUnsaltedKeyDigest(c *C) {
 	// Verify that we can read an old key data with an unsalted HMAC key