Started work in end2end encryption test

DenuxPlays · DenuxPlays · commit 332363180a96 · 2026-02-07T21:27:48.000+01:00
diff --git a/backend/src/main/kotlin/app/cliq/backend/utils/TokenGenerator.kt b/backend/src/main/kotlin/app/cliq/backend/utils/TokenGenerator.kt
@@ -22,7 +22,7 @@ class TokenGenerator(
 
     fun generatePasswordResetToken(): String = generateToken(RESET_PASSWORD_TOKEN_LENGTH).uppercase(getDefault())
 
-    private fun generateToken(length: UShort): String {
+    fun generateToken(length: UShort): String {
         val randomBytes = ByteArray(length.toInt())
         secureRandomGenerator.nextBytes(randomBytes)
 
diff --git a/backend/src/test/kotlin/app/cliq/backend/end2end/End2EndTest.kt b/backend/src/test/kotlin/app/cliq/backend/end2end/End2EndTest.kt
@@ -0,0 +1,34 @@
+package app.cliq.backend.end2end
+
+import app.cliq.backend.constants.Features
+import app.cliq.backend.support.DatabaseCleanupService
+import org.junit.jupiter.api.AfterEach
+import org.junit.jupiter.api.BeforeAll
+import org.junit.jupiter.api.Tag
+import org.junit.jupiter.api.TestInstance
+import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.boot.context.properties.ConfigurationPropertiesScan
+import org.springframework.boot.test.context.SpringBootTest
+import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc
+import org.springframework.context.annotation.ComponentScan
+import org.springframework.test.context.ActiveProfiles
+
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@ConfigurationPropertiesScan(basePackages = ["app.cliq.backend.support"])
+@ComponentScan(basePackages = ["app.cliq.backend.support"])
+@AutoConfigureMockMvc
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@ActiveProfiles(Features.TEST)
+@Tag("end2end")
+annotation class End2EndTest
+
+@End2EndTest
+abstract class End2EndTester {
+    @BeforeAll
+    @AfterEach
+    fun clearDatabase(
+        @Autowired cleaner: DatabaseCleanupService,
+    ) {
+        cleaner.truncate()
+    }
+}
diff --git a/backend/src/test/kotlin/app/cliq/backend/end2end/auth/RegistrationTest.kt b/backend/src/test/kotlin/app/cliq/backend/end2end/auth/RegistrationTest.kt
@@ -0,0 +1,55 @@
+package app.cliq.backend.end2end.auth
+
+import app.cliq.backend.constants.EXAMPLE_EMAIL
+import app.cliq.backend.constants.EXAMPLE_PASSWORD
+import app.cliq.backend.end2end.End2EndTest
+import app.cliq.backend.end2end.End2EndTester
+import app.cliq.backend.support.EncryptionHelper
+import app.cliq.backend.support.KeyAndHashHelper
+import app.cliq.backend.utils.TokenGenerator
+import org.junit.jupiter.api.Test
+import org.springframework.beans.factory.annotation.Autowired
+
+@End2EndTest
+class RegistrationTest(
+    @Autowired
+    private val tokenGenerator: TokenGenerator,
+    @Autowired
+    private val keyAndHashHelper: KeyAndHashHelper,
+    @Autowired
+    private val encryptionHelper: EncryptionHelper,
+) : End2EndTester() {
+    /**
+     * This test should test the whole registration flow, including actions that are being done by the frontend.
+     */
+    @Test
+    fun `test registration with keys creation`() {
+        val email = EXAMPLE_EMAIL
+        val password = EXAMPLE_PASSWORD
+
+        // Generate salt
+        val salt = tokenGenerator.generateToken(16U)
+
+        // Generate UMK
+        val argon2Generator = keyAndHashHelper.buildArgon2BytesGenerator(salt)
+        val umk =  ByteArray(32)
+        argon2Generator.generateBytes(password.toByteArray(), umk)
+
+        // Generate DeviceKeyPair
+        val deviceKeyPair = keyAndHashHelper.generateX25519KeyPair()
+
+        // Generate DEK
+        val dek = tokenGenerator.generateToken(32U).toByteArray()
+        // dek would be saved to a private key store
+
+        // Encrypt DEK with UMK
+        val encryptedDek = encryptionHelper.encryptDEKWithUMK(dek, umk)
+        // umk should be "dropped" here, only salt should be saved for later use in login
+
+        // Encrypt DEK with DeviceKeyPair
+        val encryptedDekWithDeviceKeyPair = encryptionHelper.encryptDEKWithDeviceKeyPair(dek, deviceKeyPair)
+
+        // Encrypt DEK with DeviceKeyPair
+        println()
+    }
+}
diff --git a/backend/src/test/kotlin/app/cliq/backend/support/EncryptionHelper.kt b/backend/src/test/kotlin/app/cliq/backend/support/EncryptionHelper.kt
@@ -0,0 +1,45 @@
+package app.cliq.backend.support
+
+import org.springframework.boot.test.context.TestComponent
+import java.security.SecureRandom
+import javax.crypto.Cipher
+import javax.crypto.spec.GCMParameterSpec
+import javax.crypto.spec.SecretKeySpec
+
+@TestComponent
+class EncryptionHelper {
+    data class EncryptedDEK(
+        val nonce: ByteArray,
+        val ciphertext: ByteArray,
+    )
+
+    fun encryptDEKWithUMK(
+        dek: ByteArray,
+        umk: ByteArray,
+    ): EncryptedDEK {
+        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
+
+        val nonce = ByteArray(12)
+        SecureRandom().nextBytes(nonce)
+
+        val keySpec = SecretKeySpec(umk, "AES")
+        val gcmSpec = GCMParameterSpec(128, nonce)
+
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, gcmSpec)
+
+        // Optional but recommended: bind context
+        cipher.updateAAD("DEK_V1".toByteArray())
+
+        val ciphertext = cipher.doFinal(dek)
+
+        return EncryptedDEK(
+            nonce = nonce,
+            ciphertext = ciphertext
+        )
+    }
+
+    fun encryptDEKWithDeviceKeyPair(
+        dek: ByteArray,
+        deviceKeyPair: Pair<ByteArray, ByteArray>,
+    ): EncryptedDEK = encryptDEKWithUMK(dek, deviceKeyPair.second)
+}
diff --git a/backend/src/test/kotlin/app/cliq/backend/support/KeyAndHashHelper.kt b/backend/src/test/kotlin/app/cliq/backend/support/KeyAndHashHelper.kt
@@ -0,0 +1,59 @@
+package app.cliq.backend.support
+
+import org.bouncycastle.crypto.AsymmetricCipherKeyPair
+import org.bouncycastle.crypto.generators.Argon2BytesGenerator
+import org.bouncycastle.crypto.generators.X25519KeyPairGenerator
+import org.bouncycastle.crypto.params.Argon2Parameters
+import org.bouncycastle.crypto.params.X25519KeyGenerationParameters
+import org.bouncycastle.crypto.params.X25519PrivateKeyParameters
+import org.bouncycastle.crypto.params.X25519PublicKeyParameters
+import org.springframework.boot.test.context.TestComponent
+import java.security.SecureRandom
+
+@TestComponent
+class KeyAndHashHelper {
+    fun buildArgon2BytesGenerator(salt: String): Argon2BytesGenerator {
+        val builder = Argon2Parameters.Builder(Argon2Parameters.ARGON2_id)
+            .withVersion(Argon2Parameters.ARGON2_VERSION_13)
+            .withMemoryAsKB(65_536) // 64MB
+            .withSalt(salt.toByteArray())
+            .withIterations(2)
+            .withParallelism(1)
+        val params = builder.build()
+
+        val generator = Argon2BytesGenerator()
+        generator.init(params)
+
+        return generator
+    }
+
+    /**
+     * @return Pair(publicKey, privateKey)
+     */
+    fun generateX25519KeyPair(): Pair<ByteArray, ByteArray> {
+        val generator = this.getX25519KeyPairGenerator()
+
+        val keyPair: AsymmetricCipherKeyPair = generator.generateKeyPair()
+
+        val privateKeyParams = keyPair.private as X25519PrivateKeyParameters
+        val publicKeyParams = keyPair.public as X25519PublicKeyParameters
+
+        val privateKey = ByteArray(X25519PrivateKeyParameters.KEY_SIZE)
+        val publicKey = ByteArray(X25519PublicKeyParameters.KEY_SIZE)
+
+        privateKeyParams.encode(privateKey, 0)
+        publicKeyParams.encode(publicKey, 0)
+
+        return publicKey to privateKey
+    }
+
+    private fun getX25519KeyPairGenerator(): X25519KeyPairGenerator {
+        val random = SecureRandom()
+        val params = X25519KeyGenerationParameters(random)
+
+        val generator = X25519KeyPairGenerator()
+        generator.init(params)
+
+        return generator
+    }
+}
