lyrebird 0.0.0 → 1.0.0.alpha2

data/lib/lyrebird/signature.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+module Lyrebird
+  class Signature
+    def initialize(element, certificate)
+      @element = element
+      @certificate = certificate
+    end
+
+    def sign!
+      issuer = @element.elements["saml:Issuer"]
+      @element.insert_after(issuer, signature_element)
+      self
+    end
+
+    private
+
+    def signature_element
+      REXML::Element.new("ds:Signature").tap do |sig|
+        sig.add_namespace("ds", XMLDSIG_NS)
+        sig.add_element(signed_info)
+        sig.add_element(signature_value)
+        sig.add_element(key_info)
+      end
+    end
+
+    def signed_info
+      REXML::Element.new("ds:SignedInfo").tap do |si|
+        cm = si.add_element("ds:CanonicalizationMethod")
+        cm.add_attribute("Algorithm", EXC_C14N)
+        sm = si.add_element("ds:SignatureMethod")
+        sm.add_attribute("Algorithm", RSA_SHA256)
+        si.add_element(reference)
+      end
+    end
+
+    def signature_value
+      REXML::Element.new("ds:SignatureValue").tap do |sv|
+        sig = @certificate.private_key.sign("SHA256", signed_info.to_s)
+        sv.text = Base64.strict_encode64(sig)
+      end
+    end
+
+    def key_info
+      REXML::Element.new("ds:KeyInfo").tap do |ki|
+        x = ki.add_element("ds:X509Data")
+        x.add_element("ds:X509Certificate").text = @certificate.base64
+      end
+    end
+
+    def reference
+      REXML::Element.new("ds:Reference").tap do |ref|
+        ref.add_attribute("URI", "##{@element.attributes["ID"]}")
+        ref.add_element(transforms)
+        dm = ref.add_element("ds:DigestMethod")
+        dm.add_attribute("Algorithm", SHA256_DIGEST)
+        ref.add_element("ds:DigestValue").text = compute_digest(@element)
+      end
+    end
+
+    def transforms
+      REXML::Element.new("ds:Transforms").tap do |t|
+        enveloped = t.add_element("ds:Transform")
+        enveloped.add_attribute("Algorithm", ENVELOPED_SIG)
+        c14n = t.add_element("ds:Transform")
+        c14n.add_attribute("Algorithm", EXC_C14N)
+      end
+    end
+
+    def compute_digest(element)
+      digest = OpenSSL::Digest::SHA256.digest(element.to_s)
+      Base64.strict_encode64(digest)
+    end
+  end
+end

data/lib/lyrebird/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Lyrebird
-  VERSION = "0.0.0"
+  VERSION = "1.0.0.alpha2"
 end

data/lib/lyrebird.rb

@@ -1,8 +1,22 @@
 # frozen_string_literal: true
 
+require "base64"
+require "openssl"
+require "ostruct"
+require "rexml"
+require "securerandom"
+require "time"
+
+require_relative "lyrebird/assertion"
+require_relative "lyrebird/certificate"
+require_relative "lyrebird/defaults"
+require_relative "lyrebird/encryption"
+require_relative "lyrebird/id"
+require_relative "lyrebird/namespaces"
+require_relative "lyrebird/response"
+require_relative "lyrebird/signature"
 require_relative "lyrebird/version"
 
 module Lyrebird
   class Error < StandardError; end
-  # Your code goes here...
 end

data/lyrebird.gemspec

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require_relative "lib/lyrebird/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "lyrebird"
+  spec.version = Lyrebird::VERSION
+  spec.authors = ["Josh"]
+
+  spec.summary = "Mimics SAML Identity Provider (IdP) responses for testing"
+  spec.required_ruby_version = ">= 3.2.0"
+
+  spec.files = `git ls-files -z`.split("\x0")
+  spec.files.delete("Gemfile")
+  spec.files.delete(".gitignore")
+  spec.files.reject! { |f| f.start_with?("bin/") }
+
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "base64"
+  spec.add_dependency "ostruct"
+  spec.add_dependency "rexml"
+
+  spec.add_development_dependency "minitest"
+  spec.add_development_dependency "rake"
+end

data/test/lyrebird/assertion_test.rb

@@ -0,0 +1,329 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+module Lyrebird
+  class AssertionTest < Minitest::Test
+    def setup
+      @assertion = Assertion.new.document
+      @root = @assertion.root
+      @subject = @root.elements["saml:Subject"]
+      @sc = @subject.elements["saml:SubjectConfirmation"]
+      @scd = @sc.elements["saml:SubjectConfirmationData"]
+      @conditions = @root.elements["saml:Conditions"]
+      @audience_restriction = @conditions.elements["saml:AudienceRestriction"]
+      @authn_statement = @root.elements["saml:AuthnStatement"]
+    end
+
+    def test_root_name
+      assert_equal "Assertion", @root.name
+      assert_equal "saml", @root.prefix
+    end
+
+    def test_root_namespace
+      assert_equal SAML_ASSERTION_NS, @root.namespace
+    end
+
+    def test_root_id
+      assert @root.attributes["ID"].start_with?("_")
+    end
+
+    def test_root_version
+      assert_equal "2.0", @root.attributes["Version"]
+    end
+
+    def test_root_issue_instant
+      instant = Time.iso8601(@root.attributes["IssueInstant"])
+      assert_in_delta Time.now.to_i, instant.to_i, 1
+    end
+
+    def test_issuer
+      issuer = @root.elements["saml:Issuer"]
+      assert_equal "Issuer", issuer.name
+      assert_equal "saml", issuer.prefix
+      assert_equal DEFAULTS.issuer, issuer.text
+    end
+
+    def test_issuer_override
+      assertion = Assertion.new(issuer: "https://test.example.com").document
+      issuer = assertion.root.elements["saml:Issuer"]
+      assert_equal "https://test.example.com", issuer.text
+    end
+
+    def test_subject
+      assert_equal "Subject", @subject.name
+      assert_equal "saml", @subject.prefix
+    end
+
+    def test_name_id
+      name_id = @subject.elements["saml:NameID"]
+      assert_equal "NameID", name_id.name
+      assert_equal "saml", name_id.prefix
+      assert_equal DEFAULTS.name_id, name_id.text
+    end
+
+    def test_name_id_format_default
+      name_id = @subject.elements["saml:NameID"]
+      assert_equal NAMEID_EMAIL, name_id.attributes["Format"]
+    end
+
+    def test_name_id_override
+      email = "user@test.com"
+      refute_equal email, DEFAULTS.name_id
+      assertion = Assertion.new(name_id: email).document
+      name_id = assertion.root.elements["saml:Subject/saml:NameID"]
+      assert_equal email, name_id.text
+    end
+
+    def test_name_id_format_override
+      format = NAMEID_PERSISTENT
+      refute_equal format, DEFAULTS.name_id_format
+      assertion = Assertion.new(name_id_format: format).document
+      name_id = assertion.root.elements["saml:Subject/saml:NameID"]
+      assert_equal format, name_id.attributes["Format"]
+    end
+
+    def test_subject_confirmation
+      assert_equal "SubjectConfirmation", @sc.name
+      assert_equal "saml", @sc.prefix
+    end
+
+    def test_subject_confirmation_method
+      assert_equal CM_BEARER, @sc.attributes["Method"]
+    end
+
+    def test_subject_confirmation_data
+      assert_equal "SubjectConfirmationData", @scd.name
+      assert_equal "saml", @scd.prefix
+    end
+
+    def test_valid_for_default
+      not_on_or_after = Time.iso8601(@scd.attributes["NotOnOrAfter"])
+      expected = Time.now.utc + DEFAULTS.valid_for
+      assert_in_delta expected.to_i, not_on_or_after.to_i, 1
+    end
+
+    def test_recipient_default
+      assert_equal DEFAULTS.recipient, @scd.attributes["Recipient"]
+    end
+
+    def test_in_response_to_default
+      assert_equal DEFAULTS.in_response_to, @scd.attributes["InResponseTo"]
+    end
+
+    def test_recipient_override
+      recipient = "https://custom.example.com/acs"
+      refute_equal recipient, DEFAULTS.recipient
+      assertion = Assertion.new(recipient: recipient).document
+      subject = assertion.root.elements["saml:Subject"]
+      sc = subject.elements["saml:SubjectConfirmation"]
+      scd = sc.elements["saml:SubjectConfirmationData"]
+      assert_equal recipient, scd.attributes["Recipient"]
+    end
+
+    def test_in_response_to_override
+      in_response_to = "_custom_request"
+      refute_equal in_response_to, DEFAULTS.in_response_to
+      assertion = Assertion.new(in_response_to: in_response_to).document
+      subject = assertion.root.elements["saml:Subject"]
+      sc = subject.elements["saml:SubjectConfirmation"]
+      scd = sc.elements["saml:SubjectConfirmationData"]
+      assert_equal in_response_to, scd.attributes["InResponseTo"]
+    end
+
+    def test_in_response_to_omitted_when_nil
+      assertion = Assertion.new(in_response_to: nil).document
+      subject = assertion.root.elements["saml:Subject"]
+      sc = subject.elements["saml:SubjectConfirmation"]
+      scd = sc.elements["saml:SubjectConfirmationData"]
+      assert_nil scd.attributes["InResponseTo"]
+    end
+
+    def test_valid_for_override
+      valid_for = 600 # 10 minutes
+      refute_equal valid_for, DEFAULTS.valid_for
+      assertion = Assertion.new(valid_for: valid_for).document
+      subject = assertion.root.elements["saml:Subject"]
+      sc = subject.elements["saml:SubjectConfirmation"]
+      scd = sc.elements["saml:SubjectConfirmationData"]
+      not_on_or_after = Time.iso8601(scd.attributes["NotOnOrAfter"])
+      expected = Time.now.utc + valid_for
+      assert_in_delta expected.to_i, not_on_or_after.to_i, 1
+    end
+
+    def test_conditions
+      assert_equal "Conditions", @conditions.name
+      assert_equal "saml", @conditions.prefix
+    end
+
+    def test_conditions_not_before
+      not_before = Time.iso8601(@conditions.attributes["NotBefore"])
+      assert_in_delta Time.now.to_i, not_before.to_i, 1
+    end
+
+    def test_conditions_not_before_override
+      not_before = Time.now.utc - 60
+      assertion = Assertion.new(not_before: not_before).document
+      conditions = assertion.root.elements["saml:Conditions"]
+      assert_equal not_before.iso8601, conditions.attributes["NotBefore"]
+    end
+
+    def test_conditions_not_on_or_after
+      not_on_or_after = Time.iso8601(@conditions.attributes["NotOnOrAfter"])
+      expected = Time.now.utc + DEFAULTS.valid_for
+      assert_in_delta expected.to_i, not_on_or_after.to_i, 1
+    end
+
+    def test_conditions_valid_for_override
+      valid_for = 600 # 10 minutes
+      refute_equal valid_for, DEFAULTS.valid_for
+      assertion = Assertion.new(valid_for: valid_for).document
+      conditions = assertion.root.elements["saml:Conditions"]
+      not_on_or_after = Time.iso8601(conditions.attributes["NotOnOrAfter"])
+      expected = Time.now.utc + valid_for
+      assert_in_delta expected.to_i, not_on_or_after.to_i, 1
+    end
+
+    def test_audience_restriction
+      assert_equal "AudienceRestriction", @audience_restriction.name
+      assert_equal "saml", @audience_restriction.prefix
+    end
+
+    def test_audience
+      audience = @audience_restriction.elements["saml:Audience"]
+      assert_equal "Audience", audience.name
+      assert_equal "saml", audience.prefix
+      assert_equal DEFAULTS.audience, audience.text
+    end
+
+    def test_audience_override
+      audience = "https://custom.sp.example.com"
+      refute_equal audience, DEFAULTS.audience
+      assertion = Assertion.new(audience: audience).document
+      conditions = assertion.root.elements["saml:Conditions"]
+      ar = conditions.elements["saml:AudienceRestriction"]
+      assert_equal audience, ar.elements["saml:Audience"].text
+    end
+
+    def test_authn_statement
+      assert_equal "AuthnStatement", @authn_statement.name
+      assert_equal "saml", @authn_statement.prefix
+    end
+
+    def test_authn_statement_authn_instant
+      authn_instant = Time.iso8601(@authn_statement.attributes["AuthnInstant"])
+      assert_in_delta Time.now.to_i, authn_instant.to_i, 1
+    end
+
+    def test_authn_statement_session_index
+      assert @authn_statement.attributes["SessionIndex"].start_with?("_")
+    end
+
+    def test_authn_context
+      authn_context = @authn_statement.elements["saml:AuthnContext"]
+      assert_equal "AuthnContext", authn_context.name
+      assert_equal "saml", authn_context.prefix
+    end
+
+    def test_authn_context_class_ref
+      ac = @authn_statement.elements["saml:AuthnContext"]
+      class_ref = ac.elements["saml:AuthnContextClassRef"]
+      assert_equal "AuthnContextClassRef", class_ref.name
+      assert_equal "saml", class_ref.prefix
+      assert_equal DEFAULTS.authn_context, class_ref.text
+    end
+
+    def test_authn_context_override
+      custom_ref = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
+      refute_equal custom_ref, DEFAULTS.authn_context
+      assertion = Assertion.new(authn_context: custom_ref).document
+      as = assertion.root.elements["saml:AuthnStatement"]
+      ac = as.elements["saml:AuthnContext"]
+      class_ref = ac.elements["saml:AuthnContextClassRef"]
+      assert_equal custom_ref, class_ref.text
+    end
+
+    def test_default_attributes
+      as = @root.elements["saml:AttributeStatement"]
+      attrs = as.elements.to_a("saml:Attribute")
+      assert_equal 2, attrs.size
+
+      first = attrs.find { |a| a.attributes["Name"] == "first_name" }
+      assert_equal "Test", first.elements["saml:AttributeValue"].text
+
+      last = attrs.find { |a| a.attributes["Name"] == "last_name" }
+      assert_equal "User", last.elements["saml:AttributeValue"].text
+    end
+
+    def test_no_attribute_statement_when_empty
+      assertion = Assertion.new(attributes: {}).document
+      assert_nil assertion.root.elements["saml:AttributeStatement"]
+    end
+
+    def test_attribute_statement_with_single_value
+      attributes = { "email" => "user@example.com" }
+      assertion = Assertion.new(attributes: attributes).document
+      as = assertion.root.elements["saml:AttributeStatement"]
+      assert_equal "AttributeStatement", as.name
+      assert_equal "saml", as.prefix
+    end
+
+    def test_attribute_name_and_format
+      attributes = { "email" => "user@example.com" }
+      assertion = Assertion.new(attributes: attributes).document
+      attr = assertion.root.elements["saml:AttributeStatement/saml:Attribute"]
+      assert_equal "Attribute", attr.name
+      assert_equal "saml", attr.prefix
+      assert_equal "email", attr.attributes["Name"]
+      assert_equal ATTR_NAME_FORMAT, attr.attributes["NameFormat"]
+    end
+
+    def test_attribute_single_value
+      attributes = { "email" => "user@example.com" }
+      assertion = Assertion.new(attributes: attributes).document
+      attr = assertion.root.elements["saml:AttributeStatement/saml:Attribute"]
+      value = attr.elements["saml:AttributeValue"]
+      assert_equal "AttributeValue", value.name
+      assert_equal "saml", value.prefix
+      assert_equal "user@example.com", value.text
+    end
+
+    def test_attribute_multi_value
+      attributes = { "groups" => ["admin", "users", "developers"] }
+      assertion = Assertion.new(attributes: attributes).document
+      attr = assertion.root.elements["saml:AttributeStatement/saml:Attribute"]
+      values = attr.elements.to_a("saml:AttributeValue")
+      assert_equal 3, values.size
+      assert_equal "admin", values[0].text
+      assert_equal "users", values[1].text
+      assert_equal "developers", values[2].text
+    end
+
+    def test_multiple_attributes
+      attributes = {
+        email: "user@example.com",
+        name: "Test User",
+        groups: ["admin", "users"]
+      }
+
+      assertion = Assertion.new(attributes: attributes).document
+      as = assertion.root.elements["saml:AttributeStatement"]
+      attrs = as.elements.to_a("saml:Attribute")
+      assert_equal 3, attrs.size
+
+      email_attr = attrs.find { |a| a.attributes["Name"] == "email" }
+      email_value = email_attr.elements["saml:AttributeValue"].text
+      assert_equal "user@example.com", email_value
+
+      name_attr = attrs.find { |a| a.attributes["Name"] == "name" }
+      name_value = name_attr.elements["saml:AttributeValue"].text
+      assert_equal "Test User", name_value
+
+      groups_attr = attrs.find { |a| a.attributes["Name"] == "groups" }
+      group_values = groups_attr.elements.to_a("saml:AttributeValue")
+      assert_equal 2, group_values.size
+      assert_equal "admin", group_values[0].text
+      assert_equal "users", group_values[1].text
+    end
+  end
+end

data/test/lyrebird/certificate_test.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+module Lyrebird
+  class CertificateTest < Minitest::Test
+    def setup
+      @certificate = Certificate.generate
+    end
+
+    def test_private_key_is_rsa
+      assert_instance_of OpenSSL::PKey::RSA, @certificate.private_key
+    end
+
+    def test_private_key_defaults_to_2048_bits
+      assert_equal 2048, @certificate.private_key.n.num_bits
+    end
+
+    def test_private_key_with_custom_bits
+      certificate = Certificate.generate(bits: 4096)
+      assert_equal 4096, certificate.private_key.n.num_bits
+    end
+
+    def test_certificate_is_x509
+      assert_instance_of OpenSSL::X509::Certificate, @certificate.certificate
+    end
+
+    def test_certificate_not_before_is_now
+      assert_in_delta Time.now, @certificate.certificate.not_before, 1
+    end
+
+    def test_certificate_not_after_is_one_year_from_now
+      one_year = 365 * 24 * 60 * 60
+      assert_in_delta Time.now + one_year, @certificate.certificate.not_after, 1
+    end
+
+    def test_certificate_is_signed
+      assert @certificate.certificate.verify(@certificate.private_key)
+    end
+
+    def test_certificate_with_custom_subject
+      certificate = Certificate.generate(cn: "Test", o: "Acme")
+      assert_equal "/CN=Test/O=Acme", certificate.certificate.subject.to_s
+    end
+
+    def test_certificate_with_custom_valid_for
+      certificate = Certificate.generate(valid_for: 30).certificate
+      thirty_days = 30 * 24 * 60 * 60
+      assert_in_delta Time.now + thirty_days, certificate.not_after, 1
+    end
+
+    def test_certificate_with_valid_until
+      valid_until = Time.new(2030, 1, 1)
+      certificate = Certificate.generate(valid_until: valid_until)
+      assert_equal valid_until, certificate.certificate.not_after
+    end
+
+    def test_private_key_pem
+      assert @certificate.private_key_pem.start_with?("-----BEGIN")
+    end
+
+    def test_certificate_pem
+      assert @certificate.certificate_pem.start_with?("-----BEGIN")
+    end
+
+    def test_fingerprint
+      der = @certificate.certificate.to_der
+      expected = OpenSSL::Digest::SHA256.hexdigest(der)
+      assert_equal expected, @certificate.fingerprint
+    end
+
+    def test_base64
+      der = @certificate.certificate.to_der
+      expected = Base64.strict_encode64(der)
+      assert_equal expected, @certificate.base64
+    end
+
+    def test_load
+      certificate = Certificate.load(
+        private_key_pem: @certificate.private_key_pem,
+        certificate_pem: @certificate.certificate_pem,
+      )
+
+      assert_equal @certificate.fingerprint, certificate.fingerprint
+    end
+  end
+end

data/test/lyrebird/defaults_test.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+module Lyrebird
+  class DefaultsTest < Minitest::Test
+    def test_issuer
+      assert_equal "https://idp.example.com", DEFAULTS.issuer
+    end
+  end
+end

data/test/lyrebird/encryption_test.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+module Lyrebird
+  class EncryptionTest < Minitest::Test
+    def setup
+      @assertion = Assertion.new.document
+      @element = @assertion.root
+      @certificate = Certificate.generate
+      @encrypted = Encryption.new(@element, @certificate).encrypt
+      @ed = @encrypted.elements["xenc:EncryptedData"]
+      @ki = @ed.elements["ds:KeyInfo"]
+      @ek = @ki.elements["xenc:EncryptedKey"]
+      @cd = @ed.elements["xenc:CipherData"]
+    end
+
+    def test_returns_encrypted_assertion_element
+      assert_equal "EncryptedAssertion", @encrypted.name
+      assert_equal "saml", @encrypted.prefix
+    end
+
+    def test_encrypted_assertion_namespace
+      assert_equal SAML_ASSERTION_NS, @encrypted.namespace
+    end
+
+    def test_encrypted_data_element
+      assert_equal "EncryptedData", @ed.name
+      assert_equal "xenc", @ed.prefix
+    end
+
+    def test_encrypted_data_namespace
+      assert_equal XMLENC_NS, @ed.namespace
+    end
+
+    def test_encrypted_data_type
+      assert_equal "#{XMLENC_NS}Element", @ed.attributes["Type"]
+    end
+
+    def test_encryption_method_element
+      em = @ed.elements["xenc:EncryptionMethod"]
+      assert_equal "EncryptionMethod", em.name
+      assert_equal "xenc", em.prefix
+    end
+
+    def test_encryption_method_algorithm
+      em = @ed.elements["xenc:EncryptionMethod"]
+      assert_equal AES256_CBC, em.attributes["Algorithm"]
+    end
+
+    def test_cipher_data_element
+      assert_equal "CipherData", @cd.name
+      assert_equal "xenc", @cd.prefix
+    end
+
+    def test_cipher_value_element
+      cv = @cd.elements["xenc:CipherValue"]
+      assert_equal "CipherValue", cv.name
+      assert_equal "xenc", cv.prefix
+    end
+
+    def test_cipher_value_is_base64
+      cv = @cd.elements["xenc:CipherValue"]
+      decoded = Base64.strict_decode64(cv.text)
+      assert decoded.bytesize > 16
+    end
+
+    def test_cipher_value_starts_with_iv
+      cv = @cd.elements["xenc:CipherValue"]
+      decoded = Base64.strict_decode64(cv.text)
+      iv = decoded[0, 16]
+      assert_equal 16, iv.bytesize
+    end
+
+    def test_key_info_element
+      assert_equal "KeyInfo", @ki.name
+      assert_equal "ds", @ki.prefix
+    end
+
+    def test_key_info_namespace
+      assert_equal XMLDSIG_NS, @ki.namespace
+    end
+
+    def test_encrypted_key_element
+      assert_equal "EncryptedKey", @ek.name
+      assert_equal "xenc", @ek.prefix
+    end
+
+    def test_encrypted_key_namespace
+      assert_equal XMLENC_NS, @ek.namespace
+    end
+
+    def test_encrypted_key_encryption_method
+      em = @ek.elements["xenc:EncryptionMethod"]
+      assert_equal "EncryptionMethod", em.name
+      assert_equal RSA_OAEP, em.attributes["Algorithm"]
+    end
+
+    def test_encrypted_key_cipher_data
+      cd = @ek.elements["xenc:CipherData"]
+      assert_equal "CipherData", cd.name
+      assert_equal "xenc", cd.prefix
+    end
+
+    def test_encrypted_key_cipher_value
+      cv = @ek.elements["xenc:CipherData/xenc:CipherValue"]
+      assert_equal "CipherValue", cv.name
+      assert_equal "xenc", cv.prefix
+    end
+
+    def test_encrypted_key_cipher_value_is_base64
+      cv = @ek.elements["xenc:CipherData/xenc:CipherValue"]
+      decoded = Base64.strict_decode64(cv.text)
+      assert decoded.bytesize > 0
+    end
+
+    def test_encrypted_key_can_be_decrypted
+      cv = @ek.elements["xenc:CipherData/xenc:CipherValue"]
+      encrypted_key = Base64.strict_decode64(cv.text)
+      private_key = @certificate.private_key
+      padding = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
+      decrypted_key = private_key.private_decrypt(encrypted_key, padding)
+      assert_equal 32, decrypted_key.bytesize
+    end
+  end
+end