def main(unused_argv):
aead.register()
daead.register()
hybrid.register()
mac.register()
prf.register()
signature.register()
streaming_aead.register()
jwt.register_jwt_mac()
fake_kms.register_client()
server = grpc.server(futures.ThreadPoolExecutor(max_workers=2))
testing_api_pb2_grpc.add_MetadataServicer_to_server(
services.MetadataServicer(), server)
testing_api_pb2_grpc.add_KeysetServicer_to_server(
services.KeysetServicer(), server)
testing_api_pb2_grpc.add_AeadServicer_to_server(services.AeadServicer(),
server)
testing_api_pb2_grpc.add_DeterministicAeadServicer_to_server(
services.DeterministicAeadServicer(), server)
testing_api_pb2_grpc.add_MacServicer_to_server(services.MacServicer(),
server)
testing_api_pb2_grpc.add_PrfSetServicer_to_server(
services.PrfSetServicer(), server)
testing_api_pb2_grpc.add_HybridServicer_to_server(
services.HybridServicer(), server)
testing_api_pb2_grpc.add_SignatureServicer_to_server(
services.SignatureServicer(), server)
testing_api_pb2_grpc.add_StreamingAeadServicer_to_server(
services.StreamingAeadServicer(), server)
testing_api_pb2_grpc.add_JwtServicer_to_server(jwt_service.JwtServicer(),
server)
server.add_secure_port('[::]:%d' % FLAGS.port,
grpc.local_server_credentials())
server.start()
server.wait_for_termination()
def setUpModule():
aead.register()
daead.register()
mac.register()
hybrid.register()
signature.register()
testing_servers.start('key_generation_consistency')
def setUpModule():
aead.register()
daead.register()
mac.register()
hybrid.register()
signature.register()
testing_servers.start()
def setUpClass(cls):
super().setUpClass()
aead.register()
daead.register()
mac.register()
hybrid.register()
signature.register()
def register():
aead.register()
daead.register()
hybrid.register()
mac.register()
prf.register()
signature.register()
streaming_aead.register()
def main(argv):
if len(argv) != 5:
raise app.UsageError(
'Expected 4 arguments, got %d.\n'
'Usage: %s keyset-file signature-file message-file output-file' %
(len(argv) - 1, argv[0]))
keyset_filename = argv[1]
signature_filename = argv[2]
message_filename = argv[3]
output_filename = argv[4]
logging.info(
'Using keyset from file %s to sign %s file.\n'
'The signature will be written to file %s\n', keyset_filename,
message_filename, output_filename)
# Initialise Tink
try:
signature.register()
except tink.TinkError as e:
logging.error('Error initialising Tink: %s', e)
return 1
# Read the keyset into keyset_handle
try:
keyset_handle = read_keyset(keyset_filename)
except tink.TinkError as e:
logging.error('Error reading key: %s', e)
return 1
# Get the primitive
try:
verify_primitive = keyset_handle.primitive(signature.PublicKeyVerify)
except tink.TinkError as e:
logging.error('Error creating primitive: %s', e)
return 1
# Read the message
with open(message_filename, 'rb') as message_file:
message_data = message_file.read()
# Read the signature
with open(signature_filename, 'rb') as signature_file:
signature_data = signature_file.read()
result = b'valid'
try:
verify_primitive.verify(signature_data, message_data)
except tink.TinkError as e:
result = b'invalid'
logging.error('Error verifiying the message: %s', e)
with open(output_filename, 'wb') as output_file:
output_file.write(result)
logging.info('All done.')
def setUpModule():
signature.register()
def setUpModule():
signature.register()
testing_servers.start()
def main(argv):
del argv # Unused.
# Initialise Tink
try:
signature.register()
except tink.TinkError as e:
logging.exception('Error initialising Tink: %s', e)
return 1
# Read the keyset into a keyset_handle
with open(FLAGS.keyset_path, 'rt') as keyset_file:
try:
text = keyset_file.read()
keyset_handle = cleartext_keyset_handle.read(
tink.JsonKeysetReader(text))
except tink.TinkError as e:
logging.exception('Error reading key: %s', e)
return 1
with open(FLAGS.data_path, 'rb') as data_file:
data = data_file.read()
if FLAGS.mode == 'sign':
# Get the primitive
try:
cipher = keyset_handle.primitive(signature.PublicKeySign)
except tink.TinkError as e:
logging.exception('Error creating primitive: %s', e)
return 1
# Sign data
sig = cipher.sign(data)
with open(FLAGS.signature_path, 'wb') as signature_file:
signature_file.write(binascii.hexlify(sig))
return 0
# Get the primitive
try:
cipher = keyset_handle.primitive(signature.PublicKeyVerify)
except tink.TinkError as e:
logging.exception('Error creating primitive: %s', e)
return 1
# Verify data
with open(FLAGS.signature_path, 'rb') as signature_file:
try:
expected_signature = binascii.unhexlify(
signature_file.read().strip())
except binascii.Error as e:
logging.exception('Error reading expected code: %s', e)
return 1
try:
cipher.verify(expected_signature, data)
logging.info('Signature verification succeeded.')
return 0
except binascii.Error as e:
logging.exception('Error reading expected signature: %s', e)
except tink.TinkError as e:
logging.info('Signature verification failed.')
return 1
def register():
aead.register()
daead.register()
hybrid.register()
mac.register()
signature.register()
def main(argv):
if len(argv) != 5:
raise app.UsageError(
'Expected 4 arguments, got %d.\n'
'Usage: %s sign/verify keyset-file data-file signature-file' %
(len(argv) - 1, argv[0]))
mode = argv[1]
keyset_filename = argv[2]
data_filename = argv[3]
signature_filename = argv[4]
if mode not in ['sign', 'verify']:
logging.error('Incorrect mode. Please select "sign" or "verify".')
return 1
# Initialise Tink
try:
signature.register()
except tink.TinkError as e:
logging.error('Error initialising Tink: %s', e)
return 1
# Read the keyset into a keyset_handle
with open(keyset_filename, 'rt') as keyset_file:
try:
text = keyset_file.read()
keyset_handle = cleartext_keyset_handle.read(
tink.JsonKeysetReader(text))
except tink.TinkError as e:
logging.error('Error reading key: %s', e)
return 1
with open(data_filename, 'rb') as data_file:
data = data_file.read()
if mode == 'sign':
# Get the primitive
try:
cipher = keyset_handle.primitive(signature.PublicKeySign)
except tink.TinkError as e:
logging.exception('Error creating primitive: %s', e)
return 1
# Sign data
sig = cipher.sign(data)
with open(signature_filename, 'wb') as signature_file:
signature_file.write(binascii.hexlify(sig))
return 0
# Get the primitive
try:
cipher = keyset_handle.primitive(signature.PublicKeyVerify)
except tink.TinkError as e:
logging.exception('Error creating primitive: %s', e)
return 1
# Verify data
with open(signature_filename, 'rb') as signature_file:
try:
expected_signature = binascii.unhexlify(
signature_file.read().strip())
except binascii.Error as e:
logging.exception('Error reading expected code: %s', e)
return 1
try:
cipher.verify(expected_signature, data)
logging.info('Signature verification succeeded.')
return 0
except binascii.Error as e:
logging.exception('Error reading expected signature: %s', e)
except tink.TinkError as e:
logging.info('Signature verification failed.')
return 1
def example():
"""Sign and verify using digital signatures."""
# Register the signature key managers. This is needed to create
# PublicKeySign and PublicKeyVerify primitives later.
signature.register()
# A private keyset created with
# "tinkey create-keyset --key-template=ECDSA_P256 --out private_keyset.cfg".
# Note that this keyset has the secret key information in cleartext.
private_keyset = r"""{
"key": [{
"keyData": {
"keyMaterialType":
"ASYMMETRIC_PRIVATE",
"typeUrl":
"type.googleapis.com/google.crypto.tink.EcdsaPrivateKey",
"value":
"EkwSBggDEAIYAhogEiSZ9u2nDtvZuDgWgGsVTIZ5/V08N4ycUspTX0RYRrkiIHpEwHxQd1bImkyMvV2bqtUbgMh5uPSTdnUEGrPXdt56GiEA3iUi+CRN71qy0fOCK66xAW/IvFyjOGtxjppRhSFUneo="
},
"keyId": 611814836,
"outputPrefixType": "TINK",
"status": "ENABLED"
}],
"primaryKeyId": 611814836
}"""
# The corresponding public keyset created with
# "tinkey create-public-keyset --in private_keyset.cfg"
public_keyset = r"""{
"key": [{
"keyData": {
"keyMaterialType":
"ASYMMETRIC_PUBLIC",
"typeUrl":
"type.googleapis.com/google.crypto.tink.EcdsaPublicKey",
"value":
"EgYIAxACGAIaIBIkmfbtpw7b2bg4FoBrFUyGef1dPDeMnFLKU19EWEa5IiB6RMB8UHdWyJpMjL1dm6rVG4DIebj0k3Z1BBqz13beeg=="
},
"keyId": 611814836,
"outputPrefixType": "TINK",
"status": "ENABLED"
}],
"primaryKeyId": 611814836
}"""
# Create a keyset handle from the cleartext keyset in the previous
# step. The keyset handle provides abstract access to the underlying keyset to
# limit the exposure of accessing the raw key material. WARNING: In practice
# it is unlikely you will want to use a cleartext_keyset_handle, as it implies
# that your key material is passed in cleartext which is a security risk.
private_keyset_handle = cleartext_keyset_handle.read(
tink.JsonKeysetReader(private_keyset))
# Retrieve the PublicKeySign primitive we want to use from the keyset
# handle.
sign_primitive = private_keyset_handle.primitive(signature.PublicKeySign)
# Use the primitive to sign a message. In this case the primary key of the
# keyset will be used (which is also the only key in this example).
sig = sign_primitive.sign(b'msg')
# Create a keyset handle from the keyset containing the public key. Note that
# we could have also created `kh_public` directly using
# `kh_priv.public_keyset_handle()`.
public_keyset_handle = cleartext_keyset_handle.read(
tink.JsonKeysetReader(public_keyset))
# Retrieve the PublicKeyVerify primitive we want to use from the keyset
# handle.
verify_primitive = public_keyset_handle.primitive(
signature.PublicKeyVerify)
# Use the primitive to verify that `sig` is valid signature for the message.
# Verify finds the correct key in the keyset. If no key is found or
# verification fails, it raises an error.
verify_primitive.verify(sig, b'msg')
def main(argv):
if len(argv) not in (4, 5):
raise app.UsageError(
'Expected 3 or 4 arguments, got %d.\n Usage: %s sign/verify keyset-file'
' data-file [expected-signature-file]' % (len(argv) - 1, argv[0]))
mode = argv[1]
keyset_filename = argv[2]
data_filename = argv[3]
if mode not in ['sign', 'verify']:
logging.error('Incorrect mode. Please select "sign" or "verify".')
return 1
# Initialise Tink.
try:
signature.register()
except tink.TinkError as e:
logging.error('Error initialising Tink: %s', e)
return 1
# Read the keyset into a keyset_handle.
with open(keyset_filename, 'rt') as keyset_file:
try:
text = keyset_file.read()
keyset_handle = cleartext_keyset_handle.read(
tink.JsonKeysetReader(text))
except tink.TinkError as e:
logging.error('Error reading key: %s', e)
return 1
# Get the primitive.
try:
if mode == 'sign':
cipher = keyset_handle.primitive(signature.PublicKeySign)
else:
cipher = keyset_handle.primitive(signature.PublicKeyVerify)
except tink.TinkError as e:
logging.error('Error creating primitive: %s', e)
return 1
with open(data_filename, 'rb') as data_file:
data = data_file.read()
# Compute the signature.
if mode == 'sign':
if len(argv) != 4:
logging.error('Invalid number of parameters for signing.'
'Expected 3 arguments, got %d.\n Usage: %s sign '
'keyset-file data-file')
return 1
code = cipher.sign(data)
logging.info('Signature output is %s',
binascii.hexlify(code).decode('utf-8'))
return 0
if mode == 'verify':
if len(argv) != 5:
logging.error('Invalid number of parameters for verification.'
'Expected 4 arguments, got %d.\n Usage: %s verify '
'keyset-file data-file [expected-signature-file]')
return 1
expected_code_filename = argv[4]
with open(expected_code_filename, 'rb') as expected_code_file:
expected_code_hex = expected_code_file.read().strip()
logging.info(
'Using keyset from file %s to verify file %s against expected signature on %s',
keyset_filename, data_filename, expected_code_hex.decode('utf-8'))
try:
expected_signature = binascii.unhexlify(expected_code_hex)
except binascii.Error as e:
logging.error('Error reading expected signature: %s', e)
return 1
try:
cipher.verify(expected_signature, data)
logging.info('Signature outputs matched. Success!')
return 0
except tink.TinkError as e:
logging.info('Signature outputs did not match!')
return 1
