#!perl
use strict;
my $path = $ENV{HSM_PROVIDER} // '';
plan skip_all => '' unless -e $path;
my $provider = Crypt::HSM->load($path);
my @slots = $provider->slots(1);
my $session = $slots[0]->open_session;
$session->login('user', $ENV{HSM_PIN}) if $ENV{HSM_PIN};
my $old_key = $session->generate_key('aes-key-gen', { 'value-len' => 32, token => 0, label => 'apepper-1' });
my $key = $session->generate_key('aes-key-gen', { 'value-len' => 32, token => 0, label => 'apepper-2' });
my $passphrase = Crypt::Passphrase->new(
encoder => {
module => 'Argon2::HSM',
session => $session,
prefix => 'apepper-',
active => 2,
memory_cost => '16M',
time_cost => 2,
},
);
my $password = 'password';
my $salt = "\0" x 16;
my $hash1 = $passphrase->hash_password($password);
ok($passphrase->verify_password($password, $hash1), 'Self-generated password validates');
ok(!$passphrase->needs_rehash($hash1), 'Self-generated password doesn\'t need to be regenerated');
ok($hash1 =~ / \A \$ argon2id-encrypted-aes-cbc \$ /x, 'Hash header looks like what we expect');
my $hash2 = '$argon2id$v=19$m=16384,t=2,p=1$AAAAAAAAAAAAAAAAAAAAAA$AcpOEUs9E88hQnLWQYw/ow';
ok($passphrase->verify_password($password, $hash2), 'Unencrypted hash validates');
ok($passphrase->needs_rehash($hash2), 'Unencrypted hash needs rehash');
my $old_passphrase = Crypt::Passphrase->new(
encoder => {
module => 'Argon2::HSM',
session => $session,
prefix => 'apepper-',
active => 1,
memory_cost => '16M',
time_cost => 2,
},
);
my $hash3 = $old_passphrase->hash_password($password);
ok($passphrase->verify_password($password, $hash3), 'Hash encrypted with old pepper still validates');
ok($passphrase->needs_rehash($hash3), 'Hash encrypted with old pepper needs rehash');
done_testing;