authorEric Biggers <ebiggers@google.com>2019-12-15 19:31:39 -0800
committerEric Biggers <ebiggers@google.com>2020-01-05 10:02:13 -0800
commit462d166d5355d33a05271d24de4d52f30dd62f67 (patch)
tree9bf53558105694002d442e0d997a9bb2b95140e2 /keyring/keyring_test.go
parent80654f23ebfd552277ed217a2c5e1d0bb1374189 (diff)
Add keyring package
In preparation for introducing support for the new filesystem-level keyrings, move the existing user keyring management code from security/keyring.go and crypto/crypto.go into a new package, 'keyring'. This package provides functions AddEncryptionKey, RemoveEncryptionKey, and GetEncryptionKeyStatus which delegate to either the filesystem keyring (added by a later patch) or to the user keyring. This provides a common interface to both types of keyrings, to the extent possible.
Diffstat (limited to 'keyring/keyring_test.go')
-rw-r--r--keyring/keyring_test.go95
1 files changed, 95 insertions, 0 deletions
diff --git a/keyring/keyring_test.go b/keyring/keyring_test.go
new file mode 100644
index 0000000..10ff874
--- /dev/null
+++ b/keyring/keyring_test.go
@@ -0,0 +1,95 @@
+/*
+ * keyring_test.go - tests for the keyring package
+ *
+ * Copyright 2017 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy of
+ * the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package keyring
+
+import (
+ "testing"
+
+ "golang.org/x/sys/unix"
+
+ "github.com/google/fscrypt/crypto"
+ "github.com/google/fscrypt/metadata"
+ "github.com/google/fscrypt/util"
+)
+
+// Reader that always returns the same byte
+type ConstReader byte
+
+func (r ConstReader) Read(b []byte) (n int, err error) {
+ for i := range b {
+ b[i] = byte(r)
+ }
+ return len(b), nil
+}
+
+// Makes a key of the same repeating byte
+func makeKey(b byte, n int) (*crypto.Key, error) {
+ return crypto.NewFixedLengthKeyFromReader(ConstReader(b), n)
+}
+
+var (
+ fakeValidDescriptor = "0123456789abcdef"
+ defaultService = unix.FSCRYPT_KEY_DESC_PREFIX
+ testUser, _ = util.EffectiveUser()
+ fakeValidPolicyKey, _ = makeKey(42, metadata.PolicyKeyLen)
+ fakeInvalidPolicyKey, _ = makeKey(42, metadata.PolicyKeyLen-1)
+)
+
+// Adds and removes a key with various services.
+func TestAddRemoveKeys(t *testing.T) {
+ for _, service := range []string{defaultService, "ext4:", "f2fs:"} {
+ options := &Options{
+ User: testUser,
+ Service: service,
+ }
+ if err := AddEncryptionKey(fakeValidPolicyKey, fakeValidDescriptor, options); err != nil {
+ t.Error(err)
+ }
+ if err := RemoveEncryptionKey(fakeValidDescriptor, options); err != nil {
+ t.Error(err)
+ }
+ }
+}
+
+// Adds a key twice (both should succeed)
+func TestAddTwice(t *testing.T) {
+ options := &Options{
+ User: testUser,
+ Service: defaultService,
+ }
+ if err := AddEncryptionKey(fakeValidPolicyKey, fakeValidDescriptor, options); err != nil {
+ t.Error(err)
+ }
+ if err := AddEncryptionKey(fakeValidPolicyKey, fakeValidDescriptor, options); err != nil {
+ t.Error("AddEncryptionKey should not fail if key already exists")
+ }
+ RemoveEncryptionKey(fakeValidDescriptor, options)
+}
+
+// Makes sure trying to add a key of the wrong length fails
+func TestAddWrongLengthKey(t *testing.T) {
+ options := &Options{
+ User: testUser,
+ Service: defaultService,
+ }
+ if err := AddEncryptionKey(fakeInvalidPolicyKey, fakeValidDescriptor, options); err == nil {
+ RemoveEncryptionKey(fakeValidDescriptor, options)
+ t.Error("AddEncryptionKey should fail with wrong-length key")
+ }
+}
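Review bot: The return value of RemoveEncryptionKey is discarded in TestAddTwice (line `RemoveEncryptionKey(fakeValidDescriptor, options)`) and in the wrong-length branch of TestAddWrongLengthKey, so a cleanup failure leaves the test key (descriptor `0123456789abcdef`) sitting in the user's keyring after the run and is never reported. Because every test in this file uses the same descriptor and service, a leftover key would make the second AddEncryptionKey in TestAddTwice succeed for the wrong reason and could mask a regression; checking the error, `if err := RemoveEncryptionKey(fakeValidDescriptor, options); err != nil { t.Error(err) }`, or registering the removal with `t.Cleanup` so it also runs when an earlier assertion fails, closes both gaps. The `var` block similarly discards the errors from `util.EffectiveUser()` and both `makeKey` calls; if any of those fail the tests presumably run with a nil key or zero user and fail with an unrelated message, so a guard in `TestMain` or a `t.Fatal` when the fixtures are nil would make the failure mode explicit.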