Resolve "Add comments and tests for kms/crypto package"

See merge request !160

.gitlab-ci.yml

@@ -203,4 +203,4 @@ integration-test-kms:
     before_script:
         - bash -c "$(curl -sL https://get-gnmic.openconfig.net)"
     script:
-        - go test -p 1 ./integration-tests/code/*
+        - go test -p 1 ./integration-tests/code/getKSAKeyTest

goKMS/kms/crypto/crypto.go

@@ -7,50 +7,78 @@ import (
 	"io"
 )
 
+// CryptoAlgorithm is an interface that provides the methods required for
+// encryption and decryption of data.
+// Currently only AES is supported, but this could be extended to support other
+// algorithms in the future.
 type CryptoAlgorithm interface {
 	Encrypt(plaintext []byte, key []byte) ([]byte, []byte, error)
 	Decrypt(nonce, ciphertext []byte, key []byte) ([]byte, error)
 }
 
-// AES.
+// AES is an implementation of the CryptoAlgorithm interface.
+// AES provides the methods required for performing symmetric key encryption
+// and decryption using the AES algorithm.
+//
+// For this the aes package from the Go standard library is used.
 type AES struct{}
 
+// NewAES creates a new instance of a AES struct.
 func NewAES() *AES {
 	return &AES{}
 }
 
+// Encrypt encrypts the plaintext using a provided key.
+// The key should have a length of 16, 24 or 32 bytes to select AES-128,
+// AES-192 or AES-256.
+// The method returns the nonce, the encrypted output and an error if something
+// went wrong.
 func (a *AES) Encrypt(plaintext []byte, key []byte) ([]byte, []byte, error) {
+	// create a new cipher block from the key
 	c, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, nil, err
 	}
 
+	// create a new block cipher wrapped in GCM with default nonce (12
+	// bytes) and tag size (16 bytes).
 	gcm, err := cipher.NewGCM(c)
 	if err != nil {
 		return nil, nil, err
 	}
 
+	// generate a random nonce of nonce size (12 bytes)
 	nonce := make([]byte, gcm.NonceSize())
 	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
 		return nil, nil, err
 	}
 
+	// Encrypt the plaintext using AES-GCM
+	// Destination is set to nil, therefore seal only contains the
+	// ciphertext with the tag appended.
 	seal := gcm.Seal(nil, nonce, plaintext, nil)
 
 	return nonce, seal, nil
 }
 
+// Decrypt decrypts the ciphertext using the provided key and nonce.
+// The key should have a length of 16, 24 or 32 bytes to select AES-128,
+// AES-192 or AES-256.
+// The method returns the decrypted input.
 func (a *AES) Decrypt(nonce, ciphertext []byte, key []byte) ([]byte, error) {
+	// create a new cipher block from the key
 	c, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, err
 	}
 
-	// Note: This works under the assumption of every other implementation using the commonly used nonce size of 12 bytes.
+	// create a new block cipher wrapped in GCM with default nonce (12
+	// bytes) and tag size (16 bytes).
 	gcm, err := cipher.NewGCM(c)
 	if err != nil {
 		return nil, err
 	}
 
+	// Decrypt the ciphertext using AES-GCM
 	return gcm.Open(nil, nonce, ciphertext, nil)
 }

goKMS/kms/crypto/crypto_test.go

+package crypto
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCrypto_AES_Encrypt(t *testing.T) {
+	tests := map[string]struct {
+		plaintext                []byte
+		key                      []byte
+		error                    bool
+		expectedCipherTextLength int
+	}{
+		"AES-128": {
+			plaintext:                []byte("testMessage"),
+			key:                      []byte{0xaa, 0xdf, 0x4f, 0x20, 0x9e, 0x35, 0xe0, 0x9c, 0xde, 0x6f, 0xf8, 0x51, 0x29, 0x98, 0x49, 0xae},
+			error:                    false,
+			expectedCipherTextLength: 27,
+		},
+		"AES-192": {
+			plaintext:                []byte("testMessage"),
+			key:                      []byte{0x67, 0xc8, 0x12, 0x60, 0x8, 0x1e, 0x1f, 0x2e, 0x1d, 0x58, 0x60, 0xb1, 0x9c, 0xf, 0x14, 0x4d, 0xe2, 0x9e, 0xd3, 0xc1, 0x9f, 0xa8, 0x9f, 0x59},
+			error:                    false,
+			expectedCipherTextLength: 27,
+		},
+		"AES-256": {
+			plaintext:                []byte("testMessage"),
+			key:                      []byte{0xf6, 0x4e, 0x81, 0x5f, 0x90, 0x87, 0x78, 0x66, 0x33, 0x7b, 0xc, 0xe2, 0x8, 0xcd, 0xe, 0x49, 0xd1, 0x26, 0x4d, 0x35, 0xa6, 0x36, 0xde, 0x5c, 0x58, 0xfa, 0xa3, 0x83, 0xc0, 0xc9, 0x8c, 0xf},
+			error:                    false,
+			expectedCipherTextLength: 27,
+		},
+		"AES-256 longer plaintext": {
+			plaintext:                []byte("testMessageThatIsLonger"),
+			key:                      []byte{0x54, 0x39, 0xc8, 0x71, 0x4e, 0x79, 0x27, 0x92, 0xa6, 0x1, 0xf0, 0xfc, 0xff, 0xa0, 0x3c, 0x76, 0x5f, 0x33, 0xc8, 0xa6, 0x42, 0x3c, 0x14, 0x67, 0x64, 0xbf, 0x22, 0xac, 0x84, 0x55, 0x9, 0x13},
+			error:                    false,
+			expectedCipherTextLength: 39,
+		},
+		"wrong key size": {
+			plaintext:                []byte("testMessage"),
+			key:                      []byte{0xff, 0x99, 0x54, 0xec, 0xde, 0x7b, 0xf7, 0x66, 0x2f, 0xff, 0xbc, 0xe0, 0x1e, 0x75, 0x4, 0xb2, 0x1d, 0x4e, 0x46, 0x9b, 0x71, 0x4e, 0xf9, 0xe7, 0xc1, 0x20, 0xa1, 0x58, 0xbe, 0x52},
+			error:                    true,
+			expectedCipherTextLength: 0,
+		},
+	}
+
+	for name, test := range tests {
+		test := test
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			aes := NewAES()
+			nonce, cipherText, err := aes.Encrypt(test.plaintext, test.key)
+			if test.error {
+				assert.Error(t, err)
+				assert.Len(t, nonce, 0)
+			} else {
+				assert.NoError(t, err)
+				assert.Len(t, nonce, 12)
+			}
+			assert.Len(t, cipherText, test.expectedCipherTextLength)
+		})
+	}
+}
+
+func TestCrypto_AES_Decrypt(t *testing.T) {
+	tests := map[string]struct {
+		cipherText        []byte
+		key               []byte
+		nonce             []byte
+		error             bool
+		expectedPlainText string
+	}{
+		"AES-128": {
+			cipherText:        []byte{0x7b, 0x45, 0x4b, 0x44, 0xcf, 0xc6, 0x5b, 0xe8, 0x7b, 0xc0, 0x10, 0x36, 0xea, 0x41, 0xc4, 0x25, 0x32, 0xe7, 0xe7, 0x9, 0x38, 0xca, 0xf9, 0x47, 0x8d, 0xdf, 0xac},
+			key:               []byte{0xaa, 0xdf, 0x4f, 0x20, 0x9e, 0x35, 0xe0, 0x9c, 0xde, 0x6f, 0xf8, 0x51, 0x29, 0x98, 0x49, 0xae},
+			nonce:             []byte{0x1a, 0x1e, 0xeb, 0x20, 0x8e, 0xd4, 0xbb, 0x77, 0x58, 0x6a, 0xd, 0x82},
+			error:             false,
+			expectedPlainText: "testMessage",
+		},
+		"AES-128 faulty nonce": {
+			cipherText:        []byte{0x7b, 0x45, 0x4b, 0x44, 0xcf, 0xc6, 0x5b, 0xe8, 0x7b, 0xc0, 0x10, 0x36, 0xea, 0x41, 0xc4, 0x25, 0x32, 0xe7, 0xe7, 0x9, 0x38, 0xca, 0xf9, 0x47, 0x8d, 0xdf, 0xac},
+			key:               []byte{0xaa, 0xdf, 0x4f, 0x20, 0x9e, 0x35, 0xe0, 0x9c, 0xde, 0x6f, 0xf8, 0x51, 0x29, 0x98, 0x49, 0xae},
+			nonce:             []byte{0x91, 0x66, 0x68, 0x5b, 0x64, 0x84, 0x5a, 0x81, 0xfd, 0xce, 0x89, 0x93},
+			error:             true,
+			expectedPlainText: "",
+		},
+		"AES-128 faulty key": {
+			cipherText:        []byte{0x7b, 0x45, 0x4b, 0x44, 0xcf, 0xc6, 0x5b, 0xe8, 0x7b, 0xc0, 0x10, 0x36, 0xea, 0x41, 0xc4, 0x25, 0x32, 0xe7, 0xe7, 0x9, 0x38, 0xca, 0xf9, 0x47, 0x8d, 0xdf, 0xac},
+			key:               []byte{0x2b, 0x1c, 0xc9, 0x6d, 0xa2, 0x17, 0x25, 0x21, 0xa9, 0x9a, 0x8e, 0x17, 0x49, 0xc7, 0x3d, 0x32},
+			nonce:             []byte{0x1a, 0x1e, 0xeb, 0x20, 0x8e, 0xd4, 0xbb, 0x77, 0x58, 0x6a, 0xd, 0x82},
+			error:             true,
+			expectedPlainText: "",
+		},
+		"AES-128 faulty cipherText": {
+			cipherText:        []byte{0x94, 0x7f, 0xd2, 0xd1, 0x71, 0xf8, 0xe7, 0x31, 0x23, 0x37, 0xad, 0x88, 0xfa, 0x5c, 0xcc, 0xdd, 0xd, 0xc2, 0x78, 0xee, 0x4d, 0xbe, 0xb, 0x2e, 0xf4, 0x77, 0xda},
+			key:               []byte{0xaa, 0xdf, 0x4f, 0x20, 0x9e, 0x35, 0xe0, 0x9c, 0xde, 0x6f, 0xf8, 0x51, 0x29, 0x98, 0x49, 0xae},
+			nonce:             []byte{0x1a, 0x1e, 0xeb, 0x20, 0x8e, 0xd4, 0xbb, 0x77, 0x58, 0x6a, 0xd, 0x82},
+			error:             true,
+			expectedPlainText: "",
+		},
+		"AES-192": {
+			cipherText:        []byte{0x80, 0x8, 0xa9, 0x68, 0x51, 0x6a, 0x93, 0xf8, 0xc7, 0x96, 0xb1, 0xc4, 0x9d, 0xf8, 0x8c, 0xde, 0x43, 0x20, 0xe9, 0x11, 0x7a, 0x6e, 0x4c, 0x74, 0xb1, 0xf8, 0xa4},
+			key:               []byte{0x67, 0xc8, 0x12, 0x60, 0x8, 0x1e, 0x1f, 0x2e, 0x1d, 0x58, 0x60, 0xb1, 0x9c, 0xf, 0x14, 0x4d, 0xe2, 0x9e, 0xd3, 0xc1, 0x9f, 0xa8, 0x9f, 0x59},
+			nonce:             []byte{0x33, 0x55, 0xb8, 0x34, 0x3b, 0x4, 0xc5, 0xd7, 0xef, 0x8b, 0x49, 0x9e},
+			error:             false,
+			expectedPlainText: "testMessage",
+		},
+		"AES-192 faulty nonce": {
+			cipherText:        []byte{0x80, 0x8, 0xa9, 0x68, 0x51, 0x6a, 0x93, 0xf8, 0xc7, 0x96, 0xb1, 0xc4, 0x9d, 0xf8, 0x8c, 0xde, 0x43, 0x20, 0xe9, 0x11, 0x7a, 0x6e, 0x4c, 0x74, 0xb1, 0xf8, 0xa4},
+			key:               []byte{0x67, 0xc8, 0x12, 0x60, 0x8, 0x1e, 0x1f, 0x2e, 0x1d, 0x58, 0x60, 0xb1, 0x9c, 0xf, 0x14, 0x4d, 0xe2, 0x9e, 0xd3, 0xc1, 0x9f, 0xa8, 0x9f, 0x59},
+			nonce:             []byte{0x91, 0x66, 0x68, 0x5b, 0x64, 0x84, 0x5a, 0x81, 0xfd, 0xce, 0x89, 0x93},
+			error:             true,
+			expectedPlainText: "",
+		},
+		"AES-192 faulty key": {
+			cipherText:        []byte{0x80, 0x8, 0xa9, 0x68, 0x51, 0x6a, 0x93, 0xf8, 0xc7, 0x96, 0xb1, 0xc4, 0x9d, 0xf8, 0x8c, 0xde, 0x43, 0x20, 0xe9, 0x11, 0x7a, 0x6e, 0x4c, 0x74, 0xb1, 0xf8, 0xa4},
+			key:               []byte{0x2b, 0x1c, 0xc9, 0x6d, 0xa2, 0x17, 0x25, 0x21, 0xa9, 0x9a, 0x8e, 0x17, 0x49, 0xc7, 0x3d, 0x32, 0x24, 0x78, 0xb2, 0xc1, 0x15, 0x9f, 0x8b, 0xf3},
+			nonce:             []byte{0x33, 0x55, 0xb8, 0x34, 0x3b, 0x4, 0xc5, 0xd7, 0xef, 0x8b, 0x49, 0x9e},
+			error:             true,
+			expectedPlainText: "",
+		},
+		"AES-192 faulty cipherText": {
+			cipherText:        []byte{0x94, 0x7f, 0xd2, 0xd1, 0x71, 0xf8, 0xe7, 0x31, 0x23, 0x37, 0xad, 0x88, 0xfa, 0x5c, 0xcc, 0xdd, 0xd, 0xc2, 0x78, 0xee, 0x4d, 0xbe, 0xb, 0x2e, 0xf4, 0x77, 0xda},
+			key:               []byte{0x67, 0xc8, 0x12, 0x60, 0x8, 0x1e, 0x1f, 0x2e, 0x1d, 0x58, 0x60, 0xb1, 0x9c, 0xf, 0x14, 0x4d, 0xe2, 0x9e, 0xd3, 0xc1, 0x9f, 0xa8, 0x9f, 0x59},
+			nonce:             []byte{0x33, 0x55, 0xb8, 0x34, 0x3b, 0x4, 0xc5, 0xd7, 0xef, 0x8b, 0x49, 0x9e},
+			error:             true,
+			expectedPlainText: "",
+		},
+		"AES-256": {
+			cipherText:        []byte{0xea, 0x80, 0x9c, 0xd8, 0x21, 0x2b, 0x50, 0x42, 0x8, 0x4d, 0xd0, 0xb3, 0x6b, 0x48, 0x1e, 0x90, 0xd0, 0xa, 0x76, 0x85, 0x58, 0xc2, 0x39, 0xfb, 0x66, 0xe7, 0x5},
+			key:               []byte{0xf6, 0x4e, 0x81, 0x5f, 0x90, 0x87, 0x78, 0x66, 0x33, 0x7b, 0xc, 0xe2, 0x8, 0xcd, 0xe, 0x49, 0xd1, 0x26, 0x4d, 0x35, 0xa6, 0x36, 0xde, 0x5c, 0x58, 0xfa, 0xa3, 0x83, 0xc0, 0xc9, 0x8c, 0xf},
+			nonce:             []byte{0x59, 0xf5, 0x6, 0xa8, 0x82, 0x2, 0xa2, 0x3d, 0x28, 0xac, 0x85, 0x45},
+			error:             false,
+			expectedPlainText: "testMessage",
+		},
+		"AES-256 faulty nonce": {
+			cipherText:        []byte{0xea, 0x80, 0x9c, 0xd8, 0x21, 0x2b, 0x50, 0x42, 0x8, 0x4d, 0xd0, 0xb3, 0x6b, 0x48, 0x1e, 0x90, 0xd0, 0xa, 0x76, 0x85, 0x58, 0xc2, 0x39, 0xfb, 0x66, 0xe7, 0x5},
+			key:               []byte{0xf6, 0x4e, 0x81, 0x5f, 0x90, 0x87, 0x78, 0x66, 0x33, 0x7b, 0xc, 0xe2, 0x8, 0xcd, 0xe, 0x49, 0xd1, 0x26, 0x4d, 0x35, 0xa6, 0x36, 0xde, 0x5c, 0x58, 0xfa, 0xa3, 0x83, 0xc0, 0xc9, 0x8c, 0xf},
+			nonce:             []byte{0x91, 0x66, 0x68, 0x5b, 0x64, 0x84, 0x5a, 0x81, 0xfd, 0xce, 0x89, 0x93},
+			error:             true,
+			expectedPlainText: "",
+		},
+		"AES-256 faulty key": {
+			cipherText:        []byte{0xea, 0x80, 0x9c, 0xd8, 0x21, 0x2b, 0x50, 0x42, 0x8, 0x4d, 0xd0, 0xb3, 0x6b, 0x48, 0x1e, 0x90, 0xd0, 0xa, 0x76, 0x85, 0x58, 0xc2, 0x39, 0xfb, 0x66, 0xe7, 0x5},
+			key:               []byte{0x2b, 0x1c, 0xc9, 0x6d, 0xa2, 0x17, 0x25, 0x21, 0xa9, 0x9a, 0x8e, 0x17, 0x49, 0xc7, 0x3d, 0x32, 0x24, 0x78, 0xb2, 0xc1, 0x15, 0x9f, 0x8b, 0xf3, 0xa9, 0x54, 0xc4, 0x90, 0x26, 0x33, 0x9, 0x60},
+			nonce:             []byte{0x59, 0xf5, 0x6, 0xa8, 0x82, 0x2, 0xa2, 0x3d, 0x28, 0xac, 0x85, 0x45},
+			error:             true,
+			expectedPlainText: "",
+		},
+		"AES-256 faulty cipherText": {
+			cipherText:        []byte{0x94, 0x7f, 0xd2, 0xd1, 0x71, 0xf8, 0xe7, 0x31, 0x23, 0x37, 0xad, 0x88, 0xfa, 0x5c, 0xcc, 0xdd, 0xd, 0xc2, 0x78, 0xee, 0x4d, 0xbe, 0xb, 0x2e, 0xf4, 0x77, 0xda},
+			key:               []byte{0xf6, 0x4e, 0x81, 0x5f, 0x90, 0x87, 0x78, 0x66, 0x33, 0x7b, 0xc, 0xe2, 0x8, 0xcd, 0xe, 0x49, 0xd1, 0x26, 0x4d, 0x35, 0xa6, 0x36, 0xde, 0x5c, 0x58, 0xfa, 0xa3, 0x83, 0xc0, 0xc9, 0x8c, 0xf},
+			nonce:             []byte{0x59, 0xf5, 0x6, 0xa8, 0x82, 0x2, 0xa2, 0x3d, 0x28, 0xac, 0x85, 0x45},
+			error:             true,
+			expectedPlainText: "",
+		},
+		"AES-256 longer cipherText": {
+			cipherText:        []byte{0x44, 0x35, 0x7a, 0x70, 0x19, 0x31, 0x11, 0xbf, 0xab, 0xf1, 0x32, 0x9d, 0x7b, 0x73, 0xcc, 0x78, 0x7b, 0x5, 0xe7, 0x87, 0xcf, 0xd9, 0xe6, 0x28, 0xa8, 0x53, 0xbf, 0x70, 0x37, 0x64, 0x2f, 0x14, 0x2c, 0xc, 0xeb, 0x53, 0x1, 0x22, 0xd0},
+			key:               []byte{0x54, 0x39, 0xc8, 0x71, 0x4e, 0x79, 0x27, 0x92, 0xa6, 0x1, 0xf0, 0xfc, 0xff, 0xa0, 0x3c, 0x76, 0x5f, 0x33, 0xc8, 0xa6, 0x42, 0x3c, 0x14, 0x67, 0x64, 0xbf, 0x22, 0xac, 0x84, 0x55, 0x9, 0x13},
+			nonce:             []byte{0x59, 0xf6, 0x94, 0xeb, 0x6a, 0x5a, 0xdc, 0x3a, 0x89, 0xa9, 0xbb, 0x53},
+			error:             false,
+			expectedPlainText: "testMessageThatIsLonger",
+		},
+		"wrong key size": {
+			cipherText:        []byte{0xea, 0x80, 0x9c, 0xd8, 0x21, 0x2b, 0x50, 0x42, 0x8, 0x4d, 0xd0, 0xb3, 0x6b, 0x48, 0x1e, 0x90, 0xd0, 0xa, 0x76, 0x85, 0x58, 0xc2, 0x39, 0xfb, 0x66, 0xe7, 0x5},
+			key:               []byte{0xf6, 0x4e, 0x81, 0x5f, 0x90, 0x87, 0x78, 0x66, 0x33, 0x7b, 0xc, 0xe2, 0x8, 0xcd, 0xe, 0x49, 0xd1, 0x26, 0x4d, 0x35, 0xa6, 0x36, 0xde, 0x5c, 0x58, 0xfa, 0xa3, 0x83, 0xc0, 0xc9},
+			nonce:             []byte{0x59, 0xf5, 0x6, 0xa8, 0x82, 0x2, 0xa2, 0x3d, 0x28, 0xac, 0x85, 0x45},
+			error:             true,
+			expectedPlainText: "",
+		},
+	}
+
+	for name, test := range tests {
+		test := test
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			aes := NewAES()
+			plainText, err := aes.Decrypt(test.nonce, test.cipherText, test.key)
+			if test.error {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+			assert.Equal(t, test.expectedPlainText, string(plainText))
+		})
+	}
+}
+
+func TestCrypto_AES_EncryptAndDecryptPlaintext(t *testing.T) {
+	secret := []byte("this is a secret")
+	key := []byte{0xfe, 0x34, 0x64, 0x9e, 0xdf, 0x1a, 0xf1, 0xc, 0xb7, 0x28, 0xee, 0x98, 0xe7, 0x7, 0x40, 0x8f, 0x3b, 0x8, 0x9a, 0xad, 0x45, 0x7a, 0x21, 0xe8, 0x84, 0x79, 0xc5, 0x1b, 0x25, 0x13, 0xa2, 0x3c}
+
+	aes := NewAES()
+
+	// encrypt the secret with encrypt method
+	nonce, encryptedSecret, err := aes.Encrypt(secret, key)
+	assert.NoError(t, err)
+
+	// decrypt the encryptedSecret with decrypt method
+	decryptedSecret, err := aes.Decrypt(nonce, encryptedSecret, key)
+	assert.NoError(t, err)
+	assert.Equal(t, secret, decryptedSecret)
+}

goKMS/kms/crypto/utils.go

@@ -7,6 +7,8 @@ import (
 	"github.com/google/uuid"
 )
 
+// Key is a struct that holds a key as a byte array and as a base64 encoded
+// string and the id of the key.
 type Key struct {
 	// ID is the id of the key
 	ID uuid.UUID
@@ -16,13 +18,18 @@ type Key struct {
 	KeyAsBase64 string
 }
 
+// Random256BitKey generates a random 256 bit key and returns it as a Key
+// struct.
 func Random256BitKey() (*Key, error) {
+	// Create a new byte array with a length of 32 bytes
 	b := make([]byte, 32)
+	// fill the byte array with random bytes
 	_, err := rand.Read(b)
 	if err != nil {
 		return nil, err
 	}
 
+	// Encode the byte array to a base64 encoded string
 	keyAsBase64String := base64.StdEncoding.EncodeToString(b)
 
 	return &Key{

goKMS/kms/crypto/utils_test.go

+package crypto
+
+import (
+	"encoding/base64"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCrypto_Random256BitKey(t *testing.T) {
+	key, err := Random256BitKey()
+	assert.NoError(t, err)
+
+	// check key id is not nil
+	assert.NotEqual(t, uuid.Nil, key.ID)
+
+	// check for correct key length
+	assert.Len(t, key.Key, 32)
+	assert.NotEqual(t, make([]byte, 32), key.Key)
+
+	// decode base64 encoded string
+	keyFromBase64, err := base64.StdEncoding.DecodeString(key.KeyAsBase64)
+	assert.NoError(t, err)
+
+	// check for correct key length
+	assert.Len(t, keyFromBase64, 32)
+	// check if both keys represent the same value
+	assert.Equal(t, key.Key, keyFromBase64)
+}