def test_encrypt_decrypt_with_key_rotation(self):
dec, enc, dec_key, enc_key = new_primitives_and_keys(
1234, tink_pb2.TINK)
enc_pset = core.new_primitive_set(hybrid_encrypt.HybridEncrypt)
enc_pset.set_primary(enc_pset.add_primitive(enc, enc_key))
wrapped_enc = hybrid_encrypt_wrapper.HybridEncryptWrapper().wrap(
enc_pset)
ciphertext = wrapped_enc.encrypt(b'plaintext', b'context_info')
new_dec, new_enc, new_dec_key, new_enc_key = new_primitives_and_keys(
5678, tink_pb2.TINK)
new_enc_pset = core.new_primitive_set(hybrid_encrypt.HybridEncrypt)
new_enc_pset.set_primary(
new_enc_pset.add_primitive(new_enc, new_enc_key))
new_wrapped_enc = hybrid_encrypt_wrapper.HybridEncryptWrapper().wrap(
new_enc_pset)
new_dec, new_enc, new_dec_key, new_enc_key = new_primitives_and_keys(
5678, tink_pb2.TINK)
new_dec_pset = core.new_primitive_set(hybrid_decrypt.HybridDecrypt)
new_dec_pset.add_primitive(dec, dec_key)
new_dec_pset.set_primary(
new_dec_pset.add_primitive(new_dec, new_dec_key))
new_wrapped_dec = hybrid_decrypt_wrapper.HybridDecryptWrapper().wrap(
new_dec_pset)
new_ciphertext = new_wrapped_enc.encrypt(b'new_plaintext',
b'new_context_info')
self.assertEqual(new_wrapped_dec.decrypt(ciphertext, b'context_info'),
b'plaintext')
self.assertEqual(
new_wrapped_dec.decrypt(new_ciphertext, b'new_context_info'),
b'new_plaintext')
def test_encrypt_decrypt_with_key_rotation_from_raw(self):
raw_dec, raw_enc, raw_dec_key, raw_enc_key = new_primitives_and_keys(
1234, tink_pb2.RAW)
old_raw_ciphertext = raw_enc.encrypt(b'old_raw_ciphertext',
b'context_info')
new_dec, new_enc, new_dec_key, new_enc_key = new_primitives_and_keys(
5678, tink_pb2.TINK)
enc_pset = core.new_primitive_set(hybrid_encrypt.HybridEncrypt)
enc_pset.add_primitive(raw_enc, raw_enc_key)
enc_pset.set_primary(enc_pset.add_primitive(new_enc, new_enc_key))
wrapped_enc = hybrid_encrypt_wrapper.HybridEncryptWrapper().wrap(
enc_pset)
dec_pset = core.new_primitive_set(hybrid_decrypt.HybridDecrypt)
dec_pset.add_primitive(raw_dec, raw_dec_key)
dec_pset.set_primary(dec_pset.add_primitive(new_dec, new_dec_key))
wrapped_dec = hybrid_decrypt_wrapper.HybridDecryptWrapper().wrap(
dec_pset)
new_ciphertext = wrapped_enc.encrypt(b'new_plaintext',
b'new_context_info')
self.assertEqual(
wrapped_dec.decrypt(old_raw_ciphertext, b'context_info'),
b'old_raw_ciphertext')
self.assertEqual(
wrapped_dec.decrypt(new_ciphertext, b'new_context_info'),
b'new_plaintext')
def test_list_of_entries_can_be_modified(self):
primitive_set = core.new_primitive_set(mac.Mac)
key = helper.fake_key(key_id=1)
primitive_set.add_primitive(helper.FakeMac('FakeMac'), key)
entries = primitive_set.primitive(key)
entries.append('Something')
self.assertLen(primitive_set.primitive(key), 1)
def test_decrypt_wrong_associated_data_fails(self):
dec, enc, dec_key, enc_key = new_primitives_and_keys(
1234, tink_pb2.TINK)
dec_pset = core.new_primitive_set(hybrid_decrypt.HybridDecrypt)
dec_pset.set_primary(dec_pset.add_primitive(dec, dec_key))
wrapped_dec = hybrid_decrypt_wrapper.HybridDecryptWrapper().wrap(
dec_pset)
enc_pset = core.new_primitive_set(hybrid_encrypt.HybridEncrypt)
enc_pset.set_primary(enc_pset.add_primitive(enc, enc_key))
wrapped_enc = hybrid_encrypt_wrapper.HybridEncryptWrapper().wrap(
enc_pset)
ciphertext = wrapped_enc.encrypt(b'plaintext', b'context_info')
with self.assertRaisesRegex(core.TinkError, 'Decryption failed'):
wrapped_dec.decrypt(ciphertext, b'wrong_context_info')
def test_add_invalid_key_fails(self):
primitive_set = core.new_primitive_set(mac.Mac)
key = helper.fake_key()
key.ClearField('output_prefix_type')
with self.assertRaisesRegex(core.TinkError,
'invalid OutputPrefixType'):
primitive_set.add_primitive(helper.FakeMac(), key)
def test_signature_wrapper_is_correctly_registered(self):
sig1, key1 = _new_primitive_and_key(
signature.signature_key_templates.ECDSA_P256,
signature.PublicKeySign, tink_pb2.TINK)
sig2, key2 = _new_primitive_and_key(
signature.signature_key_templates.ECDSA_P256,
signature.PublicKeySign, tink_pb2.TINK)
ver1, pubkey1 = _public_primitive_and_key(key1,
signature.PublicKeyVerify,
tink_pb2.TINK)
ver2, pubkey2 = _public_primitive_and_key(key2,
signature.PublicKeyVerify,
tink_pb2.TINK)
pset = core.PrimitiveSet(signature.PublicKeySign)
pset.add_primitive(sig1, key1)
pset.set_primary(pset.add_primitive(sig2, key2))
wrapped_sig = core.Registry.wrap(pset)
pset_verify = core.new_primitive_set(signature.PublicKeyVerify)
pset_verify.add_primitive(ver1, pubkey1)
pset_verify.set_primary(pset_verify.add_primitive(ver2, pubkey2))
wrapped_ver = core.Registry.wrap(pset_verify)
sig = wrapped_sig.sign(b'data')
wrapped_ver.verify(sig, b'data')
def _mac_set(mac_list):
"""Converts a List of Mac in a PrimitiveSet and sets the last primary."""
mac_set = core.new_primitive_set(mac.Mac)
for i, primitive in enumerate(mac_list):
mac_set.set_primary(
mac_set.add_primitive(
primitive,
helper.fake_key(key_id=i, output_prefix_type=tink_pb2.RAW)))
return mac_set
def test_verify_legacy_mac(self):
primitive, key = self.new_primitive_key_pair(1234, tink_pb2.LEGACY)
pset = core.new_primitive_set(mac.Mac)
pset.set_primary(pset.add_primitive(primitive, key))
wrapped_mac = mac_wrapper.MacWrapper().wrap(pset)
tag = wrapped_mac.compute_mac(b'data')
# No exception raised, no return value.
self.assertIsNone(wrapped_mac.verify_mac(tag, b'data'))
def test_verify_old_raw_mac_with_new_key(self):
primitive, key = self.new_primitive_key_pair(1234, tink_pb2.RAW)
tag = primitive.compute_mac(b'data')
pset = core.new_primitive_set(mac.Mac)
pset.add_primitive(primitive, key)
new_primitive, new_key = self.new_primitive_key_pair(5678, tink_pb2.TINK)
pset.set_primary(pset.add_primitive(new_primitive, new_key))
wrapped_mac = mac_wrapper.MacWrapper().wrap(pset)
self.assertIsNone(wrapped_mac.verify_mac(tag, b'data'))
def test_primary_returns_primary(self):
primitive_set = core.new_primitive_set(mac.Mac)
key = helper.fake_key(key_id=1)
fake_mac = helper.FakeMac('FakeMac')
entry = primitive_set.add_primitive(fake_mac, key)
primitive_set.set_primary(entry)
entry = primitive_set.primary()
self.assertEqual(fake_mac, entry.primitive)
self.assertEqual(tink_pb2.ENABLED, entry.status)
self.assertEqual(crypto_format.output_prefix(key), entry.identifier)
def test_primitive_from_identifier_returns_entry(self):
primitive_set = core.new_primitive_set(mac.Mac)
key = helper.fake_key(key_id=1)
fake_mac = helper.FakeMac('FakeMac')
primitive_set.add_primitive(fake_mac, key)
ident = crypto_format.output_prefix(key)
entries = primitive_set.primitive_from_identifier(ident)
self.assertLen(entries, 1)
entry = entries[0]
self.assertEqual(fake_mac, entry.primitive)
self.assertEqual(tink_pb2.ENABLED, entry.status)
self.assertEqual(ident, entry.identifier)
def test_verify_unknown_mac_fails(self):
unknown_tag = helper.FakeMac('UnknownfakeMac').compute_mac(b'data')
pset = core.new_primitive_set(mac.Mac)
primitive, raw_key = self.new_primitive_key_pair(1234, tink_pb2.RAW)
new_primitive, new_key = self.new_primitive_key_pair(5678, tink_pb2.TINK)
pset.add_primitive(primitive, raw_key)
new_entry = pset.add_primitive(new_primitive, new_key)
pset.set_primary(new_entry)
wrapped_mac = mac_wrapper.MacWrapper().wrap(pset)
with self.assertRaisesRegex(core.TinkError, 'invalid MAC'):
wrapped_mac.verify_mac(unknown_tag, b'data')
def test_verify_macs_from_two_raw_keys(self):
primitive1, raw_key1 = self.new_primitive_key_pair(1234, tink_pb2.RAW)
primitive2, raw_key2 = self.new_primitive_key_pair(5678, tink_pb2.RAW)
tag1 = primitive1.compute_mac(b'data1')
tag2 = primitive2.compute_mac(b'data2')
pset = core.new_primitive_set(mac.Mac)
pset.add_primitive(primitive1, raw_key1)
pset.set_primary(pset.add_primitive(primitive2, raw_key2))
wrapped_mac = mac_wrapper.MacWrapper().wrap(pset)
self.assertIsNone(wrapped_mac.verify_mac(tag1, b'data1'))
self.assertIsNone(wrapped_mac.verify_mac(tag2, b'data2'))
self.assertIsNone(
wrapped_mac.verify_mac(wrapped_mac.compute_mac(b'data'), b'data'))
def test_decrypt_unknown_ciphertext_fails(self):
unknown_enc = helper.FakeHybridEncrypt('unknownHybrid')
unknown_ciphertext = unknown_enc.encrypt(b'plaintext', b'context_info')
dec_pset = core.new_primitive_set(hybrid_decrypt.HybridDecrypt)
dec1, _, dec1_key, _ = new_primitives_and_keys(1234, tink_pb2.RAW)
dec2, _, dec2_key, _ = new_primitives_and_keys(5678, tink_pb2.TINK)
dec_pset.add_primitive(dec1, dec1_key)
dec_pset.set_primary(dec_pset.add_primitive(dec2, dec2_key))
wrapped_dec = hybrid_decrypt_wrapper.HybridDecryptWrapper().wrap(
dec_pset)
with self.assertRaisesRegex(core.TinkError, 'Decryption failed'):
wrapped_dec.decrypt(unknown_ciphertext, b'context_info')
def test_encrypt_decrypt_two_raw_keys(self):
dec1, enc1, dec1_key, _ = new_primitives_and_keys(1234, tink_pb2.RAW)
raw_ciphertext1 = enc1.encrypt(b'plaintext1', b'context_info1')
dec2, enc2, dec2_key, _ = new_primitives_and_keys(1234, tink_pb2.RAW)
raw_ciphertext2 = enc2.encrypt(b'plaintext2', b'context_info2')
dec_pset = core.new_primitive_set(hybrid_decrypt.HybridDecrypt)
dec_pset.add_primitive(dec1, dec1_key)
dec_pset.set_primary(dec_pset.add_primitive(dec2, dec2_key))
wrapped_dec = hybrid_decrypt_wrapper.HybridDecryptWrapper().wrap(
dec_pset)
self.assertEqual(
wrapped_dec.decrypt(raw_ciphertext1, b'context_info1'),
b'plaintext1')
self.assertEqual(
wrapped_dec.decrypt(raw_ciphertext2, b'context_info2'),
b'plaintext2')
def test_same_key_id_and_prefix_type(self):
primitive_set = core.new_primitive_set(mac.Mac)
key1 = helper.fake_key(key_id=1, status=tink_pb2.ENABLED)
fake_mac1 = helper.FakeMac('FakeMac1')
primitive_set.add_primitive(fake_mac1, key1)
key2 = helper.fake_key(key_id=1, status=tink_pb2.DISABLED)
fake_mac2 = helper.FakeMac('FakeMac2')
primitive_set.add_primitive(fake_mac2, key2)
expected_ident = crypto_format.output_prefix(key1)
entries = primitive_set.primitive(key1)
self.assertLen(entries, 2)
self.assertEqual(fake_mac1, entries[0].primitive)
self.assertEqual(fake_mac2, entries[1].primitive)
self.assertEqual(tink_pb2.ENABLED, entries[0].status)
self.assertEqual(tink_pb2.DISABLED, entries[1].status)
self.assertEqual(expected_ident, entries[0].identifier)
self.assertEqual(expected_ident, entries[1].identifier)
self.assertLen(primitive_set.primitive(key2), 2)
def test_raw_primitives(self):
primitive_set = core.new_primitive_set(mac.Mac)
primitive_set.add_primitive(helper.FakeMac('FakeMac1'),
helper.fake_key(key_id=1))
key2 = helper.fake_key(key_id=1, output_prefix_type=tink_pb2.RAW)
fake_mac2 = helper.FakeMac('FakeMac2')
primitive_set.add_primitive(fake_mac2, key2)
key3 = helper.fake_key(key_id=3,
status=tink_pb2.DISABLED,
output_prefix_type=tink_pb2.RAW)
fake_mac3 = helper.FakeMac('FakeMac3')
primitive_set.add_primitive(fake_mac3, key3)
entries = primitive_set.raw_primitives()
self.assertLen(entries, 2)
self.assertEqual(fake_mac2, entries[0].primitive)
self.assertEqual(tink_pb2.ENABLED, entries[0].status)
self.assertEqual(crypto_format.RAW_PREFIX, entries[0].identifier)
self.assertEqual(fake_mac3, entries[1].primitive)
self.assertEqual(tink_pb2.DISABLED, entries[1].status)
self.assertEqual(crypto_format.RAW_PREFIX, entries[1].identifier)
def test_same_key_id_but_different_prefix_type(self):
primitive_set = core.new_primitive_set(mac.Mac)
key1 = helper.fake_key(key_id=1, output_prefix_type=tink_pb2.TINK)
fake_mac1 = helper.FakeMac('FakeMac1')
primitive_set.add_primitive(fake_mac1, key1)
key2 = helper.fake_key(key_id=1, output_prefix_type=tink_pb2.LEGACY)
fake_mac2 = helper.FakeMac('FakeMac2')
primitive_set.add_primitive(fake_mac2, key2)
entries1 = primitive_set.primitive(key1)
self.assertLen(entries1, 1)
self.assertEqual(fake_mac1, entries1[0].primitive)
self.assertEqual(tink_pb2.ENABLED, entries1[0].status)
self.assertEqual(crypto_format.output_prefix(key1),
entries1[0].identifier)
entries2 = primitive_set.primitive(key2)
self.assertLen(entries2, 1)
self.assertEqual(fake_mac2, entries2[0].primitive)
self.assertEqual(tink_pb2.ENABLED, entries2[0].status)
self.assertEqual(crypto_format.output_prefix(key2),
entries2[0].identifier)
def test_primary_returns_none(self):
primitive_set = core.new_primitive_set(mac.Mac)
primitive_set.add_primitive(helper.FakeMac('FakeMac'),
helper.fake_key(key_id=1))
self.assertEqual(primitive_set.primary(), None)
def test_unknown_key_returns_empty_list(self):
primitive_set = core.new_primitive_set(mac.Mac)
unknown_key = helper.fake_key(key_id=1)
self.assertEqual(primitive_set.primitive(unknown_key), [])
def test_primitive_class(self):
primitive_set = core.new_primitive_set(mac.Mac)
self.assertEqual(primitive_set.primitive_class(), mac.Mac)
def test_add_wrong_primitive_fails(self):
primitive_set = core.new_primitive_set(aead.Aead)
with self.assertRaisesRegex(core.TinkError,
'The primitive is not an instance of '):
primitive_set.add_primitive(helper.FakeMac(), helper.fake_key())
