cryptutil: more explicit decryption error (#1607)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

pkg/cryptutil/encrypt.go

@@ -44,7 +44,7 @@ func Decrypt(a cipher.AEAD, data, ad []byte) ([]byte, error) {
 	nonce := data[size:]
 	plaintext, err := a.Open(nil, nonce, ciphertext, ad)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("cryptutil: decryption failed (mismatched keys?): %w", err)
 	}
 	return plaintext, nil
 }

pkg/cryptutil/encrypt_test.go

@@ -23,22 +23,22 @@ func TestEncodeAndDecodeAccessToken(t *testing.T) {
 		t.Fatalf("plaintext is not encrypted plaintext:%v ciphertext:%x", plaintext, ciphertext)
 	}
 
-	got, err := Decrypt(c, ciphertext, nil)
+	diffKey, err := NewAEADCipher(NewKey())
 	if err != nil {
-		t.Fatalf("unexpected err decrypting: %v", err)
+		t.Fatalf("unexpected err: %v", err)
 	}
+	// key mismatch
+	_, err = Decrypt(diffKey, ciphertext, nil)
+	assert.Error(t, err)
 
-	// if less than 32 bytes, fail
+	// bad data size
 	_, err = Decrypt(c, []byte("oh"), nil)
-	if err == nil {
+	assert.Error(t, err)
-		t.Fatalf("should fail if <32 bytes output: %v", err)
-	}
 
-	if !reflect.DeepEqual(got, plaintext) {
+	// good
-		t.Logf(" got: %v", got)
+	got, err := Decrypt(c, ciphertext, nil)
-		t.Logf("want: %v", plaintext)
+	assert.NoError(t, err)
-		t.Fatal("got unexpected decrypted value")
+	assert.Equal(t, got, plaintext)
-	}
 }
 
 func TestNewAEADCipher(t *testing.T) {