def test_compute_verify_mac(self, key_template_name, key_template):
key_type = supported_key_types.KEY_TYPE_FROM_URL[key_template.type_url]
supported_langs = supported_key_types.SUPPORTED_LANGUAGES[key_type]
self.assertNotEmpty(supported_langs)
# Take the first supported language to generate the keyset.
keyset = testing_servers.new_keyset(supported_langs[0], key_template)
supported_macs = [
testing_servers.mac(lang, keyset) for lang in supported_langs
]
unsupported_macs = [
testing_servers.mac(lang, keyset) for lang in SUPPORTED_LANGUAGES
if lang not in supported_langs
]
for p in supported_macs:
data = (
b'This is some data to be authenticated using key_template '
b'%s in %s.' %
(key_template_name.encode('utf8'), p.lang.encode('utf8')))
mac_value = p.compute_mac(data)
for p2 in supported_macs:
self.assertIsNone(p2.verify_mac(mac_value, data))
for p2 in unsupported_macs:
with self.assertRaises(
tink.TinkError,
msg=
'Language %s supports verify_mac with %s unexpectedly'
% (p2.lang, key_template_name)):
p2.verify_mac(mac_value, data)
for p in unsupported_macs:
with self.assertRaises(
tink.TinkError,
msg='Language %s supports compute_mac with %s unexpectedly'
% (p.lang, key_template_name)):
p.compute_mac(data)
def test_compute_verify_mac(self, key_template_name):
supported_langs = supported_key_types.SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[
key_template_name]
self.assertNotEmpty(supported_langs)
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
# Take the first supported language to generate the keyset.
keyset = testing_servers.new_keyset(supported_langs[0], key_template)
supported_macs = [
testing_servers.mac(lang, keyset) for lang in supported_langs
]
unsupported_macs = [
testing_servers.mac(lang, keyset) for lang in SUPPORTED_LANGUAGES
if lang not in supported_langs
]
for p in supported_macs:
data = (
b'This is some data to be authenticated using key_template '
b'%s in %s.' %
(key_template_name.encode('utf8'), p.lang.encode('utf8')))
mac_value = p.compute_mac(data)
for p2 in supported_macs:
self.assertIsNone(p2.verify_mac(mac_value, data))
for p2 in unsupported_macs:
with self.assertRaises(tink.TinkError):
p2.verify_mac(mac_value, data)
for p in unsupported_macs:
with self.assertRaises(tink.TinkError):
p.compute_mac(data)
def test_encrypt_decrypt(self, key_template_name, supported_langs):
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
keyset_handle = testing_servers.new_keyset_handle('java', key_template)
supported_macs = [
testing_servers.mac(lang, keyset_handle)
for lang in supported_langs
]
unsupported_macs = [
testing_servers.mac(lang, keyset_handle)
for lang in testing_servers.LANGUAGES
if lang not in supported_langs
]
for p in supported_macs:
data = (
b'This is some data to be authenticated using key_template '
b'%s in %s.' %
(key_template_name.encode('utf8'), p.lang.encode('utf8')))
mac_value = p.compute_mac(data)
for p2 in supported_macs:
self.assertIsNone(p2.verify_mac(mac_value, data))
for p2 in unsupported_macs:
with self.assertRaises(tink.TinkError):
p2.verify_mac(mac_value, data)
for p in unsupported_macs:
with self.assertRaises(tink.TinkError):
p.compute_mac(data)
def test_inc_version_mac(self, key_template_name, lang):
"""Increments the key version by one and checks they can't be used."""
template = supported_key_types.KEY_TEMPLATE[key_template_name]
keyset = testing_servers.new_keyset(lang, template)
_ = testing_servers.mac(lang, keyset).compute_mac(b'foo')
for keyset1 in gen_inc_versions(keyset):
mac_primitive1 = testing_servers.mac(lang, keyset1)
with self.assertRaises(tink.TinkError):
_ = mac_primitive1.compute_mac(b'foo')
def test_mac_without_primary(self, key_template_name, lang):
"""Unsets the primary key and tries to use a MAC primitive."""
template = supported_key_types.KEY_TEMPLATE[key_template_name]
keyset = testing_servers.new_keyset(lang, template)
mac_value = testing_servers.mac(lang, keyset).compute_mac(b'foo')
mac_without_primary = testing_servers.mac(lang, unset_primary(keyset))
with self.assertRaises(tink.TinkError):
_ = mac_without_primary.compute_mac(b'foo')
with self.assertRaises(tink.TinkError):
mac_without_primary.verify_mac(mac_value, b'foo')
def test_key_rotation(self, compute_lang, verify_lang, old_key_tmpl,
new_key_tmpl):
# Do a key rotation from an old key generated from old_key_tmpl to a new
# key generated from new_key_tmpl. MAC computation and verification are done
# in languages compute_lang and verify_lang.
builder = keyset_builder.new_keyset_builder()
older_key_id = builder.add_new_key(old_key_tmpl)
builder.set_primary_key(older_key_id)
compute_mac1 = testing_servers.mac(compute_lang, builder.keyset())
verify_mac1 = testing_servers.mac(verify_lang, builder.keyset())
newer_key_id = builder.add_new_key(new_key_tmpl)
compute_mac2 = testing_servers.mac(compute_lang, builder.keyset())
verify_mac2 = testing_servers.mac(verify_lang, builder.keyset())
builder.set_primary_key(newer_key_id)
compute_mac3 = testing_servers.mac(compute_lang, builder.keyset())
verify_mac3 = testing_servers.mac(verify_lang, builder.keyset())
builder.disable_key(older_key_id)
compute_mac4 = testing_servers.mac(compute_lang, builder.keyset())
verify_mac4 = testing_servers.mac(verify_lang, builder.keyset())
self.assertNotEqual(older_key_id, newer_key_id)
# 1 uses the older key. So 1, 2 and 3 can verify the mac, but not 4.
mac_value1 = compute_mac1.compute_mac(b'plaintext')
verify_mac1.verify_mac(mac_value1, b'plaintext')
verify_mac2.verify_mac(mac_value1, b'plaintext')
verify_mac3.verify_mac(mac_value1, b'plaintext')
with self.assertRaises(tink.TinkError):
verify_mac4.verify_mac(mac_value1, b'plaintext')
# 2 uses the older key. So 1, 2 and 3 can verify the mac, but not 4.
mac_value2 = compute_mac2.compute_mac(b'plaintext')
verify_mac1.verify_mac(mac_value2, b'plaintext')
verify_mac2.verify_mac(mac_value2, b'plaintext')
verify_mac3.verify_mac(mac_value2, b'plaintext')
with self.assertRaises(tink.TinkError):
verify_mac4.verify_mac(mac_value2, b'plaintext')
# 3 uses the newer key. So 2, 3 and 4 can verify the mac, but not 1.
mac_value3 = compute_mac3.compute_mac(b'plaintext')
with self.assertRaises(tink.TinkError):
verify_mac1.verify_mac(mac_value3, b'plaintext')
verify_mac2.verify_mac(mac_value3, b'plaintext')
verify_mac3.verify_mac(mac_value3, b'plaintext')
verify_mac4.verify_mac(mac_value3, b'plaintext')
# 4 uses the newer key. So 2, 3 and 4 can verify the mac, but not 1.
mac_value4 = compute_mac4.compute_mac(b'plaintext')
with self.assertRaises(tink.TinkError):
verify_mac1.verify_mac(mac_value4, b'plaintext')
verify_mac2.verify_mac(mac_value4, b'plaintext')
verify_mac3.verify_mac(mac_value4, b'plaintext')
verify_mac4.verify_mac(mac_value4, b'plaintext')
def test_mac(self, lang):
keyset = testing_servers.new_keyset(
lang, mac.mac_key_templates.HMAC_SHA256_128BITTAG)
data = b'The quick brown fox jumps over the lazy dog'
mac_primitive = testing_servers.mac(lang, keyset)
mac_value = mac_primitive.compute_mac(data)
mac_primitive.verify_mac(mac_value, data)
with self.assertRaises(tink.TinkError):
mac_primitive.verify_mac(b'foo', data)
