$ docker run --rm --name validator-libsodium-usage-ruby-rbnacl-auth-onetime-2732 -t --mount type=bind,src=/tmp/validator-status-libsodium-usage-ruby-rbnacl-auth-onetime,dst=/validator/status validator-libsodium-shared bash -lc 'set -euo pipefail
/validator/tests/_shared/install_override_debs.sh
exec /validator/tests/_shared/run_library_tests.sh "$@"' validator-testcase libsodium usage-ruby-rbnacl-auth-onetime -- bash -c 'PS4=$1; shift; set -x; source "$@"' validator-xtrace '__VALIDATOR_XTRACE__ ' /validator/tests/libsodium/tests/cases/usage/usage-ruby-rbnacl-auth-onetime.sh
no override packages found; continuing with apt originals
key = ("\x42".b * RbNaCl::OneTimeAuths::Poly1305.key_bytes)
message = "validator one-time auth payload"
auth = RbNaCl::OneTimeAuths::Poly1305.new(key)
tag = auth.auth(message)
raise "unexpected tag length: #{tag.bytesize}" unless tag.bytesize == 16

# Matching tag must verify (no exception).
auth.verify(tag, message)

# A tampered tag must be rejected.
tampered = tag.dup
tampered.setbyte(0, tampered.getbyte(0) ^ 0x01)
rejected_tampered = false
begin
  auth.verify(tampered, message)
rescue RbNaCl::BadAuthenticatorError
  rejected_tampered = true
end
raise "tampered tag accepted" unless rejected_tampered

# A wrong key must also reject the original tag.
wrong = RbNaCl::OneTimeAuths::Poly1305.new(("\x43".b * 32))
rejected_wrong = false
begin
  wrong.verify(tag, message)
rescue RbNaCl::BadAuthenticatorError
  rejected_wrong = true
end
raise "wrong key accepted tag" unless rejected_wrong

puts tag.unpack1("H*")
'
b2d5ddeb3dfdffaa2789f6b5e3adb9d3