More test coverage

Author: connorwstein

keystore/admin.go

@@ -23,9 +23,6 @@ var (
 	ErrUnsupportedKeyType = fmt.Errorf("unsupported key type")
 )
 
-// CreateKeysRequest represents a request to create multiple keys.
-// The Keys slice will be processed in order, and the response will preserve this order.
-// It's atomic in that all keys are created or none are created.
 type CreateKeysRequest struct {
 	Keys []CreateKeyRequest
 }
@@ -35,9 +32,6 @@ type CreateKeyRequest struct {
 	KeyType KeyType
 }
 
-// CreateKeysResponse contains the created keys in the same order as they were
-// requested in CreateKeysRequest.Keys. This ordering guarantee allows clients
-// to rely on consistent indexing when processing the response.
 type CreateKeysResponse struct {
 	Keys []CreateKeyResponse
 }
@@ -135,10 +129,8 @@ func ValidKeyName(name string) error {
 	return nil
 }
 
-// CreateKeys creates multiple keys in a single operation. The keys are processed
-// in the order they appear in req.Keys, and the response preserves this exact order.
-// This ordering guarantee allows clients to rely on consistent indexing when
-// processing the response (e.g., keys[0] corresponds to req.Keys[0]).
+// CreateKeys creates multiple keys in a single operation. The response preserves the order of the request.
+// It's atomic - either all keys are created or none are created.
 func (ks *keystore) CreateKeys(ctx context.Context, req CreateKeysRequest) (CreateKeysResponse, error) {
 	ks.mu.Lock()
 	defer ks.mu.Unlock()

keystore/encryptor.go

@@ -287,10 +287,6 @@ func (k *keystore) DeriveSharedSecret(ctx context.Context, req DeriveSharedSecre
 	k.mu.RLock()
 	defer k.mu.RUnlock()
 
-	if req.LocalKeyName == "" || len(req.RemotePubKey) == 0 {
-		return DeriveSharedSecretResponse{}, ErrEncryptionFailed
-	}
-
 	key, ok := k.keystore[req.LocalKeyName]
 	if !ok {
 		return DeriveSharedSecretResponse{}, ErrEncryptionFailed
@@ -314,6 +310,9 @@ func (k *keystore) DeriveSharedSecret(ctx context.Context, req DeriveSharedSecre
 		if err != nil {
 			return DeriveSharedSecretResponse{}, ErrEncryptionFailed
 		}
+		if len(req.RemotePubKey) == 32 {
+			return DeriveSharedSecretResponse{}, ErrEncryptionFailed
+		}
 		remotePub, err := curve.NewPublicKey(req.RemotePubKey)
 		if err != nil {
 			return DeriveSharedSecretResponse{}, ErrEncryptionFailed

keystore/encryptor_test.go

@@ -81,6 +81,32 @@ func TestEncryptDecrypt(t *testing.T) {
 	}
 }
 
+func TestEncryptDecrypt_SharedSecret(t *testing.T) {
+	ctx := context.Background()
+	ks, err := keystore.LoadKeystore(ctx, storage.NewMemoryStorage(), keystore.EncryptionParams{
+		Password:     "test-password",
+		ScryptParams: keystore.FastScryptParams,
+	})
+	require.NoError(t, err)
+
+	for _, keyType := range keystore.AllEncryptionKeyTypes {
+		t.Run(fmt.Sprintf("keyType_%s", keyType), func(t *testing.T) {
+			keyName := fmt.Sprintf("test-key-%s", keyType)
+			keys, err := ks.CreateKeys(ctx, keystore.CreateKeysRequest{
+				Keys: []keystore.CreateKeyRequest{
+					{KeyName: keyName, KeyType: keyType},
+				},
+			})
+			require.NoError(t, err)
+			_, err = ks.DeriveSharedSecret(ctx, keystore.DeriveSharedSecretRequest{
+				LocalKeyName: keyName,
+				RemotePubKey: keys.Keys[0].KeyInfo.PublicKey,
+			})
+			require.NoError(t, err)
+		})
+	}
+}
+
 func TestEncryptDecrypt_PayloadSizeLimit(t *testing.T) {
 	ctx := context.Background()
 	ks, err := keystore.LoadKeystore(ctx, storage.NewMemoryStorage(), keystore.EncryptionParams{
@@ -89,7 +115,7 @@ func TestEncryptDecrypt_PayloadSizeLimit(t *testing.T) {
 	})
 	require.NoError(t, err)
 
-	for _, keyType := range []keystore.KeyType{keystore.EcdhP256} {
+	for _, keyType := range keystore.AllEncryptionKeyTypes {
 		t.Run(fmt.Sprintf("keyType_%s", keyType), func(t *testing.T) {
 			keyName := fmt.Sprintf("test-key-%s", keyType)
 			keys, err := ks.CreateKeys(ctx, keystore.CreateKeysRequest{