def test_encrypt_decrypt(self, key_template_name):
if key_template_name in _ADDITIONAL_KEY_TEMPLATES:
key_template, supported_langs = _ADDITIONAL_KEY_TEMPLATES[
key_template_name]
else:
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
supported_langs = (
supported_key_types.
SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[key_template_name])
self.assertNotEmpty(supported_langs)
# Take the first supported language to generate the private keyset.
private_keyset = testing_servers.new_keyset(supported_langs[0],
key_template)
supported_decs = [
testing_servers.hybrid_decrypt(lang, private_keyset)
for lang in supported_langs
]
unsupported_decs = [
testing_servers.hybrid_decrypt(lang, private_keyset)
for lang in SUPPORTED_LANGUAGES if lang not in supported_langs
]
public_keyset = testing_servers.public_keyset(supported_langs[0],
private_keyset)
supported_encs = [
testing_servers.hybrid_encrypt(lang, public_keyset)
for lang in supported_langs
]
unsupported_encs = [
testing_servers.hybrid_encrypt(lang, public_keyset)
for lang in testing_servers.LANGUAGES
if lang not in supported_langs
]
for enc in supported_encs:
plaintext = (
b'This is some plaintext message to be encrypted using key_template '
b'%s in %s.' %
(key_template_name.encode('utf8'), enc.lang.encode('utf8')))
context_info = (
b'Some context info for %s using %s for encryption.' %
(key_template_name.encode('utf8'), enc.lang.encode('utf8')))
ciphertext = enc.encrypt(plaintext, context_info)
for dec in supported_decs:
output = dec.decrypt(ciphertext, context_info)
self.assertEqual(output, plaintext)
for dec in unsupported_decs:
with self.assertRaises(
tink.TinkError,
msg=
'Language %s supports hybrid decrypt with %s unexpectedly'
% (dec.lang, key_template_name)):
dec.decrypt(ciphertext, context_info)
for enc in unsupported_encs:
with self.assertRaises(
tink.TinkError,
msg=
'Language %s supports hybrid encrypt with %s unexpectedly'
% (enc.lang, key_template_name)):
enc.encrypt(b'plaintext', b'context_info')
def test_key_rotation(self, enc_lang, dec_lang, old_key_tmpl, new_key_tmpl):
# Do a key rotation from an old key generated from old_key_tmpl to a new
# key generated from new_key_tmpl. Encryption and decryption are done
# in languages enc_lang and dec_lang.
builder = keyset_builder.new_keyset_builder()
older_key_id = builder.add_new_key(old_key_tmpl)
builder.set_primary_key(older_key_id)
dec1 = testing_servers.hybrid_decrypt(enc_lang, builder.keyset())
enc1 = testing_servers.hybrid_encrypt(dec_lang, builder.public_keyset())
newer_key_id = builder.add_new_key(new_key_tmpl)
dec2 = testing_servers.hybrid_decrypt(enc_lang, builder.keyset())
enc2 = testing_servers.hybrid_encrypt(dec_lang, builder.public_keyset())
builder.set_primary_key(newer_key_id)
dec3 = testing_servers.hybrid_decrypt(enc_lang, builder.keyset())
enc3 = testing_servers.hybrid_encrypt(dec_lang, builder.public_keyset())
builder.disable_key(older_key_id)
dec4 = testing_servers.hybrid_decrypt(enc_lang, builder.keyset())
enc4 = testing_servers.hybrid_encrypt(dec_lang, builder.public_keyset())
self.assertNotEqual(older_key_id, newer_key_id)
# p1 encrypts with the older key. So p1, p2 and p3 can decrypt it,
# but not p4.
ciphertext1 = enc1.encrypt(b'plaintext', b'context')
self.assertEqual(dec1.decrypt(ciphertext1, b'context'), b'plaintext')
self.assertEqual(dec2.decrypt(ciphertext1, b'context'), b'plaintext')
self.assertEqual(dec3.decrypt(ciphertext1, b'context'), b'plaintext')
with self.assertRaises(tink.TinkError):
_ = dec4.decrypt(ciphertext1, b'context')
# p2 encrypts with the older key. So p1, p2 and p3 can decrypt it,
# but not p4.
ciphertext2 = enc2.encrypt(b'plaintext', b'context')
self.assertEqual(dec1.decrypt(ciphertext2, b'context'), b'plaintext')
self.assertEqual(dec2.decrypt(ciphertext2, b'context'), b'plaintext')
self.assertEqual(dec3.decrypt(ciphertext2, b'context'), b'plaintext')
with self.assertRaises(tink.TinkError):
_ = dec4.decrypt(ciphertext2, b'context')
# p3 encrypts with the newer key. So p2, p3 and p4 can decrypt it,
# but not p1.
ciphertext3 = enc3.encrypt(b'plaintext', b'context')
with self.assertRaises(tink.TinkError):
_ = dec1.decrypt(ciphertext3, b'context')
self.assertEqual(dec2.decrypt(ciphertext3, b'context'), b'plaintext')
self.assertEqual(dec3.decrypt(ciphertext3, b'context'), b'plaintext')
self.assertEqual(dec4.decrypt(ciphertext3, b'context'), b'plaintext')
# p4 encrypts with the newer key. So p2, p3 and p4 can decrypt it,
# but not p1.
ciphertext4 = enc4.encrypt(b'plaintext', b'context')
with self.assertRaises(tink.TinkError):
_ = dec1.decrypt(ciphertext4, b'context')
self.assertEqual(dec2.decrypt(ciphertext4, b'context'), b'plaintext')
self.assertEqual(dec3.decrypt(ciphertext4, b'context'), b'plaintext')
self.assertEqual(dec4.decrypt(ciphertext4, b'context'), b'plaintext')
def test_encrypt_decrypt(self, key_template_name, supported_langs):
self.assertNotEmpty(supported_langs)
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
# Take the first supported language to generate the private keyset.
private_keyset = testing_servers.new_keyset(supported_langs[0],
key_template)
supported_decs = [
testing_servers.hybrid_decrypt(lang, private_keyset)
for lang in supported_langs
]
unsupported_decs = [
testing_servers.hybrid_decrypt(lang, private_keyset)
for lang in SUPPORTED_LANGUAGES if lang not in supported_langs
]
public_keyset = testing_servers.public_keyset('java', private_keyset)
supported_encs = [
testing_servers.hybrid_encrypt(lang, public_keyset)
for lang in supported_langs
]
unsupported_encs = [
testing_servers.hybrid_encrypt(lang, public_keyset)
for lang in testing_servers.LANGUAGES
if lang not in supported_langs
]
for enc in supported_encs:
plaintext = (
b'This is some plaintext message to be encrypted using key_template '
b'%s in %s.' %
(key_template_name.encode('utf8'), enc.lang.encode('utf8')))
context_info = (
b'Some context info for %s using %s for encryption.' %
(key_template_name.encode('utf8'), enc.lang.encode('utf8')))
ciphertext = enc.encrypt(plaintext, context_info)
for dec in supported_decs:
output = dec.decrypt(ciphertext, context_info)
self.assertEqual(output, plaintext)
for dec in unsupported_decs:
with self.assertRaises(tink.TinkError):
dec.decrypt(ciphertext, context_info)
for enc in unsupported_encs:
with self.assertRaises(tink.TinkError):
enc.encrypt(b'plaintext', b'context_info')
def test_encrypt_decrypt(self, key_template_name, supported_langs):
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
private_handle = testing_servers.new_keyset_handle(
'java', key_template)
supported_decs = [
testing_servers.hybrid_decrypt(lang, private_handle)
for lang in supported_langs
]
unsupported_decs = [
testing_servers.hybrid_decrypt(lang, private_handle)
for lang in testing_servers.LANGUAGES
if lang not in supported_langs
]
public_handle = private_handle.public_keyset_handle()
supported_encs = [
testing_servers.hybrid_encrypt(lang, public_handle)
for lang in supported_langs
]
unsupported_encs = [
testing_servers.hybrid_encrypt(lang, public_handle)
for lang in testing_servers.LANGUAGES
if lang not in supported_langs
]
for enc in supported_encs:
plaintext = (
b'This is some plaintext message to be encrypted using key_template '
b'%s in %s.' %
(key_template_name.encode('utf8'), enc.lang.encode('utf8')))
context_info = (
b'Some context info for %s using %s for encryption.' %
(key_template_name.encode('utf8'), enc.lang.encode('utf8')))
ciphertext = enc.encrypt(plaintext, context_info)
for dec in supported_decs:
output = dec.decrypt(ciphertext, context_info)
self.assertEqual(output, plaintext)
for dec in unsupported_decs:
with self.assertRaises(tink.TinkError):
dec.decrypt(ciphertext, context_info)
for enc in unsupported_encs:
with self.assertRaises(tink.TinkError):
enc.encrypt(b'plaintext', b'context_info')
def test_hybrid(self, lang):
private_handle = testing_servers.new_keyset(
lang,
hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM)
public_handle = testing_servers.public_keyset(lang, private_handle)
enc_primitive = testing_servers.hybrid_encrypt(lang, public_handle)
data = b'The quick brown fox jumps over the lazy dog'
context_info = b'context'
ciphertext = enc_primitive.encrypt(data, context_info)
dec_primitive = testing_servers.hybrid_decrypt(lang, private_handle)
output = dec_primitive.decrypt(ciphertext, context_info)
self.assertEqual(output, data)
with self.assertRaises(tink.TinkError):
dec_primitive.decrypt(b'foo', context_info)
def test_hybrid_without_primary(self, key_template_name, lang):
"""Unsets the primary key and tries to use hybrid encryption."""
template = supported_key_types.KEY_TEMPLATE[key_template_name]
private_keyset = testing_servers.new_keyset(lang, template)
public_keyset = testing_servers.public_keyset(lang, private_keyset)
ciphertext = testing_servers.hybrid_encrypt(
lang, public_keyset).encrypt(b'foo', b'context_info')
dec_without_primary = testing_servers.hybrid_decrypt(
lang, unset_primary(private_keyset))
with self.assertRaises(tink.TinkError):
dec_without_primary.decrypt(ciphertext, b'context_info')
enc_without_primary = testing_servers.hybrid_encrypt(
lang, unset_primary(public_keyset))
with self.assertRaises(tink.TinkError):
enc_without_primary.encrypt(b'foo', b'context_info')
