hpke: compress query string (#4147)

* hpke: compress query string * only use v2 in authenticate if v2 was used for the initial request * fix comment
2025-06-01 18:33:19 +02:00 · 2023-05-02 14:12:34 -06:00 · 2023-05-02 14:12:34 -06:00 · facf9ab093
commit facf9ab093
parent 69713d38af
6 changed files with 184 additions and 52 deletions
--- a/pkg/hpke/url_test.go
+++ b/pkg/hpke/url_test.go
@ -2,6 +2,7 @@ package hpke

 import (
 	"net/url"
+	"strings"
 	"testing"

 	"github.com/stretchr/testify/assert"
@ -9,29 +10,70 @@ import (
 )

 func TestEncryptURLValues(t *testing.T) {
+	t.Parallel()
+
 	k1, err := GeneratePrivateKey()
 	require.NoError(t, err)
 	k2, err := GeneratePrivateKey()
 	require.NoError(t, err)

-	encrypted, err := EncryptURLValues(k1, k2.PublicKey(), url.Values{
-		"a": {"b", "c"},
-		"x": {"y", "z"},
+	t.Run("v1", func(t *testing.T) {
+		t.Parallel()
+
+		encrypted, err := EncryptURLValuesV1(k1, k2.PublicKey(), url.Values{
+			"a": {"b", "c"},
+			"x": {"y", "z"},
+		})
+		assert.NoError(t, err)
+		assert.True(t, encrypted.Has(paramSenderPublicKey))
+		assert.True(t, encrypted.Has(paramQuery))
+
+		assert.True(t, IsEncryptedURL(encrypted))
+
+		encrypted.Set("extra", "value")
+		encrypted.Set("a", "notb")
+		senderPublicKey, decrypted, err := DecryptURLValues(k2, encrypted)
+		assert.NoError(t, err)
+		assert.Equal(t, url.Values{
+			"a":     {"b", "c"},
+			"x":     {"y", "z"},
+			"extra": {"value"},
+		}, decrypted)
+		assert.Equal(t, k1.PublicKey().String(), senderPublicKey.String())
 	})
-	assert.NoError(t, err)
-	assert.True(t, encrypted.Has(ParamSenderPublicKey))
-	assert.True(t, encrypted.Has(ParamQuery))
+	t.Run("v2", func(t *testing.T) {
+		t.Parallel()

-	assert.True(t, IsEncryptedURL(encrypted))
+		encrypted, err := EncryptURLValuesV2(k1, k2.PublicKey(), url.Values{
+			"a": {"b", "c"},
+			"x": {"y", "z"},
+		})
+		assert.NoError(t, err)
+		assert.True(t, encrypted.Has(paramSenderPublicKeyV2))
+		assert.True(t, encrypted.Has(paramQueryV2))

-	encrypted.Set("extra", "value")
-	encrypted.Set("a", "notb")
-	senderPublicKey, decrypted, err := DecryptURLValues(k2, encrypted)
-	assert.NoError(t, err)
-	assert.Equal(t, url.Values{
-		"a":     {"b", "c"},
-		"x":     {"y", "z"},
-		"extra": {"value"},
-	}, decrypted)
-	assert.Equal(t, k1.PublicKey().String(), senderPublicKey.String())
+		assert.True(t, IsEncryptedURL(encrypted))
+
+		encrypted.Set("extra", "value")
+		encrypted.Set("a", "notb")
+		senderPublicKey, decrypted, err := DecryptURLValues(k2, encrypted)
+		assert.NoError(t, err)
+		assert.Equal(t, url.Values{
+			"a":     {"b", "c"},
+			"x":     {"y", "z"},
+			"extra": {"value"},
+		}, decrypted)
+		assert.Equal(t, k1.PublicKey().String(), senderPublicKey.String())
+	})
+
+	t.Run("compresses", func(t *testing.T) {
+		t.Parallel()
+
+		encrypted, err := EncryptURLValuesV2(k1, k2.PublicKey(), url.Values{
+			"a": {strings.Repeat("b", 1024*128)},
+		})
+		assert.NoError(t, err)
+
+		assert.Less(t, len(encrypted.Encode()), 1024)
+	})
 }