def test_decrypt_unknown_ciphertext_fails(self):
unknown_enc = helper.FakeHybridEncrypt('unknownHybrid')
unknown_ciphertext = unknown_enc.encrypt(b'plaintext', b'context_info')
dec_pset = core.new_primitive_set(hybrid_decrypt.HybridDecrypt)
dec1, _, dec1_key, _ = new_primitives_and_keys(1234, tink_pb2.RAW)
dec2, _, dec2_key, _ = new_primitives_and_keys(5678, tink_pb2.TINK)
dec_pset.add_primitive(dec1, dec1_key)
dec_pset.set_primary(dec_pset.add_primitive(dec2, dec2_key))
wrapped_dec = hybrid_decrypt_wrapper.HybridDecryptWrapper().wrap(
dec_pset)
with self.assertRaisesRegex(core.TinkError, 'Decryption failed'):
wrapped_dec.decrypt(unknown_ciphertext, b'context_info')
def test_encrypt_decrypt(self):
primitive, key = self.new_primitive_key_pair(1234, tink_pb2.TINK)
pset = core.new_primitive_set(daead.DeterministicAead)
entry = pset.add_primitive(primitive, key)
pset.set_primary(entry)
wrapped_daead = core.Registry.wrap(pset, daead.DeterministicAead)
plaintext = b'plaintext'
associated_data = b'associated_data'
ciphertext = wrapped_daead.encrypt_deterministically(
plaintext, associated_data)
self.assertEqual(
wrapped_daead.decrypt_deterministically(ciphertext,
associated_data),
plaintext)
def test_decrypt_unknown_ciphertext_fails(self):
unknown_primitive = helper.FakeAead('unknownFakeAead')
unknown_ciphertext = unknown_primitive.encrypt(b'plaintext',
b'associated_data')
pset = core.new_primitive_set(aead.Aead)
primitive, raw_key = self.new_primitive_key_pair(1234, tink_pb2.RAW)
new_primitive, new_key = self.new_primitive_key_pair(
5678, tink_pb2.TINK)
pset.add_primitive(primitive, raw_key)
new_entry = pset.add_primitive(new_primitive, new_key)
pset.set_primary(new_entry)
wrapped_aead = core.Registry.wrap(pset, aead.Aead)
with self.assertRaises(core.TinkError):
wrapped_aead.decrypt(unknown_ciphertext, b'associated_data')
def test_all_primitives(self):
primitive_set = core.new_primitive_set(mac.Mac)
key0 = new_key(MAC_TEMPLATE,
key_id=88,
output_prefix_type=tink_pb2.TINK)
primitive0 = core.Registry.primitive(key0.key_data, mac.Mac)
primitive_set.add_primitive(primitive0, key0)
key1 = new_key(MAC_TEMPLATE,
key_id=88,
output_prefix_type=tink_pb2.LEGACY)
primitive1 = core.Registry.primitive(key1.key_data, mac.Mac)
primitive_set.add_primitive(primitive1, key1)
key2 = new_key(MAC_TEMPLATE,
key_id=88,
output_prefix_type=tink_pb2.RAW)
primitive2 = core.Registry.primitive(key2.key_data, mac.Mac)
primitive_set.add_primitive(primitive2, key2)
key3 = new_key(MAC_TEMPLATE,
key_id=89,
output_prefix_type=tink_pb2.RAW,
status=tink_pb2.DISABLED)
primitive3 = core.Registry.primitive(key3.key_data, mac.Mac)
primitive_set.add_primitive(primitive3, key3)
key4 = new_key(MAC_TEMPLATE,
key_id=88,
output_prefix_type=tink_pb2.TINK)
primitive0 = core.Registry.primitive(key4.key_data, mac.Mac)
primitive_set.add_primitive(primitive0, key4)
list_of_entries = primitive_set.all()
v = []
for entries in list_of_entries:
v.append(
sorted([(e.identifier, e.output_prefix_type, e.key_id)
for e in entries]))
self.assertCountEqual(v, [
[(b'', tink_pb2.RAW, 88), (b'', tink_pb2.RAW, 89)],
[(b'\x01\x00\x00\x00X', tink_pb2.TINK, 88),
(b'\x01\x00\x00\x00X', tink_pb2.TINK, 88)],
[(b'\x00\x00\x00\x00X', tink_pb2.LEGACY, 88)],
])
def test_decrypt_unknown_ciphertext_fails(self):
unknown_primitive = helper.FakeDeterministicAead(
'unknownFakeDeterministicAead')
unknown_ciphertext = unknown_primitive.encrypt_deterministically(
b'plaintext', b'associated_data')
pset = core.new_primitive_set(daead.DeterministicAead)
primitive, raw_key = self.new_primitive_key_pair(1234, tink_pb2.RAW)
new_primitive, new_key = self.new_primitive_key_pair(5678, tink_pb2.TINK)
pset.add_primitive(primitive, raw_key)
new_entry = pset.add_primitive(new_primitive, new_key)
pset.set_primary(new_entry)
wrapped_daead = daead.DeterministicAeadWrapper().wrap(pset)
with self.assertRaisesRegex(core.TinkError, 'Decryption failed'):
wrapped_daead.decrypt_deterministically(unknown_ciphertext,
b'associated_data')
def test_wrap_one(self):
primitive, key = self.new_primitive_key_pair(1234)
pset = core.new_primitive_set(prf.PrfSet)
entry = pset.add_primitive(primitive, key)
pset.set_primary(entry)
wrapped_prf_set = core.Registry.wrap(pset, prf.PrfSet)
expected_output = primitive.primary().compute(b'input',
output_length=31)
self.assertEqual(
wrapped_prf_set.primary().compute(b'input', output_length=31),
expected_output)
self.assertEqual(wrapped_prf_set.primary_id(), 1234)
prfs = wrapped_prf_set.all()
self.assertLen(prfs, 1)
self.assertEqual(prfs[1234].compute(b'input', output_length=31),
expected_output)
def test_encrypt_decrypt_two_raw_keys(self):
dec1, enc1, dec1_key, _ = new_primitives_and_keys(1234, tink_pb2.RAW)
raw_ciphertext1 = enc1.encrypt(b'plaintext1', b'context_info1')
dec2, enc2, dec2_key, _ = new_primitives_and_keys(1234, tink_pb2.RAW)
raw_ciphertext2 = enc2.encrypt(b'plaintext2', b'context_info2')
dec_pset = core.new_primitive_set(hybrid.HybridDecrypt)
dec_pset.add_primitive(dec1, dec1_key)
dec_pset.set_primary(dec_pset.add_primitive(dec2, dec2_key))
wrapped_dec = hybrid.HybridDecryptWrapper().wrap(dec_pset)
self.assertEqual(
wrapped_dec.decrypt(raw_ciphertext1, b'context_info1'),
b'plaintext1')
self.assertEqual(
wrapped_dec.decrypt(raw_ciphertext2, b'context_info2'),
b'plaintext2')
def test_same_key_id_and_prefix_type(self):
primitive_set = core.new_primitive_set(mac.Mac)
key1 = helper.fake_key(key_id=1, status=tink_pb2.ENABLED)
fake_mac1 = helper.FakeMac('FakeMac1')
primitive_set.add_primitive(fake_mac1, key1)
key2 = helper.fake_key(key_id=1, status=tink_pb2.DISABLED)
fake_mac2 = helper.FakeMac('FakeMac2')
primitive_set.add_primitive(fake_mac2, key2)
expected_ident = crypto_format.output_prefix(key1)
entries = primitive_set.primitive(key1)
self.assertLen(entries, 2)
self.assertEqual(fake_mac1, entries[0].primitive)
self.assertEqual(fake_mac2, entries[1].primitive)
self.assertEqual(tink_pb2.ENABLED, entries[0].status)
self.assertEqual(tink_pb2.DISABLED, entries[1].status)
self.assertEqual(expected_ident, entries[0].identifier)
self.assertEqual(expected_ident, entries[1].identifier)
self.assertLen(primitive_set.primitive(key2), 2)
def test_raw_primitives(self):
primitive_set = core.new_primitive_set(mac.Mac)
primitive_set.add_primitive(
helper.FakeMac('FakeMac1'), helper.fake_key(key_id=1))
key2 = helper.fake_key(key_id=1, output_prefix_type=tink_pb2.RAW)
fake_mac2 = helper.FakeMac('FakeMac2')
primitive_set.add_primitive(fake_mac2, key2)
key3 = helper.fake_key(
key_id=3, status=tink_pb2.DISABLED, output_prefix_type=tink_pb2.RAW)
fake_mac3 = helper.FakeMac('FakeMac3')
primitive_set.add_primitive(fake_mac3, key3)
entries = primitive_set.raw_primitives()
self.assertLen(entries, 2)
self.assertEqual(fake_mac2, entries[0].primitive)
self.assertEqual(tink_pb2.ENABLED, entries[0].status)
self.assertEqual(crypto_format.RAW_PREFIX, entries[0].identifier)
self.assertEqual(fake_mac3, entries[1].primitive)
self.assertEqual(tink_pb2.DISABLED, entries[1].status)
self.assertEqual(crypto_format.RAW_PREFIX, entries[1].identifier)
def test_encrypt_decrypt_with_key_rotation(self):
primitive, key = self.new_primitive_key_pair(1234, tink_pb2.TINK)
pset = core.new_primitive_set(aead.Aead)
entry = pset.add_primitive(primitive, key)
pset.set_primary(entry)
wrapped_aead = core.Registry.wrap(pset)
ciphertext = wrapped_aead.encrypt(b'plaintext', b'associated_data')
new_primitive, new_key = self.new_primitive_key_pair(
5678, tink_pb2.TINK)
new_entry = pset.add_primitive(new_primitive, new_key)
pset.set_primary(new_entry)
new_ciphertext = wrapped_aead.encrypt(b'new_plaintext',
b'new_associated_data')
self.assertEqual(wrapped_aead.decrypt(ciphertext, b'associated_data'),
b'plaintext')
self.assertEqual(
wrapped_aead.decrypt(new_ciphertext, b'new_associated_data'),
b'new_plaintext')
def test_same_key_id_but_different_prefix_type(self):
primitive_set = core.new_primitive_set(mac.Mac)
key1 = helper.fake_key(key_id=1, output_prefix_type=tink_pb2.TINK)
fake_mac1 = helper.FakeMac('FakeMac1')
primitive_set.add_primitive(fake_mac1, key1)
key2 = helper.fake_key(key_id=1, output_prefix_type=tink_pb2.LEGACY)
fake_mac2 = helper.FakeMac('FakeMac2')
primitive_set.add_primitive(fake_mac2, key2)
entries1 = primitive_set.primitive(key1)
self.assertLen(entries1, 1)
self.assertEqual(fake_mac1, entries1[0].primitive)
self.assertEqual(tink_pb2.ENABLED, entries1[0].status)
self.assertEqual(crypto_format.output_prefix(key1), entries1[0].identifier)
entries2 = primitive_set.primitive(key2)
self.assertLen(entries2, 1)
self.assertEqual(fake_mac2, entries2[0].primitive)
self.assertEqual(tink_pb2.ENABLED, entries2[0].status)
self.assertEqual(crypto_format.output_prefix(key2), entries2[0].identifier)
def test_same_key_id_and_prefix_type(self):
primitive_set = core.new_primitive_set(mac.Mac)
key1 = new_key(MAC_TEMPLATE, key_id=1)
primitive1 = core.Registry.primitive(key1.key_data, mac.Mac)
primitive_set.add_primitive(primitive1, key1)
key2 = new_key(MAC_TEMPLATE, key_id=1, status=tink_pb2.DISABLED)
primitive2 = core.Registry.primitive(key2.key_data, mac.Mac)
primitive_set.add_primitive(primitive2, key2)
expected_ident = core.crypto_format.output_prefix(key1)
entries = primitive_set.primitive(key1)
self.assertLen(entries, 2)
self.assertEqual(primitive1, entries[0].primitive)
self.assertEqual(primitive2, entries[1].primitive)
self.assertEqual(tink_pb2.ENABLED, entries[0].status)
self.assertEqual(tink_pb2.DISABLED, entries[1].status)
self.assertEqual(expected_ident, entries[0].identifier)
self.assertEqual(expected_ident, entries[1].identifier)
self.assertEqual(1, entries[0].key_id)
self.assertEqual(1, entries[1].key_id)
self.assertLen(primitive_set.primitive(key2), 2)
def test_encrypt_decrypt_with_key_rotation_from_raw(self):
primitive, raw_key = self.new_primitive_key_pair(1234, tink_pb2.RAW)
old_raw_ciphertext = primitive.encrypt(b'plaintext',
b'associated_data')
pset = core.new_primitive_set(aead.Aead)
pset.add_primitive(primitive, raw_key)
new_primitive, new_key = self.new_primitive_key_pair(
5678, tink_pb2.TINK)
new_entry = pset.add_primitive(new_primitive, new_key)
pset.set_primary(new_entry)
wrapped_aead = aead.AeadWrapper().wrap(pset)
new_ciphertext = wrapped_aead.encrypt(b'new_plaintext',
b'new_associated_data')
self.assertEqual(
wrapped_aead.decrypt(old_raw_ciphertext, b'associated_data'),
b'plaintext')
self.assertEqual(
wrapped_aead.decrypt(new_ciphertext, b'new_associated_data'),
b'new_plaintext')
def test_wrap_two(self):
primitive1, key1 = self.new_primitive_key_pair(1234)
primitive2, key2 = self.new_primitive_key_pair(5678)
pset = core.new_primitive_set(prf.PrfSet)
_ = pset.add_primitive(primitive1, key1)
entry2 = pset.add_primitive(primitive2, key2)
pset.set_primary(entry2)
wrapped_prf_set = core.Registry.wrap(pset)
expected_output1 = primitive1.primary().compute(b'input', output_length=31)
expected_output2 = primitive2.primary().compute(b'input', output_length=31)
self.assertEqual(
wrapped_prf_set.primary().compute(b'input', output_length=31),
expected_output2)
self.assertEqual(wrapped_prf_set.primary_id(), 5678)
prfs = wrapped_prf_set.all()
self.assertLen(prfs, 2)
self.assertEqual(prfs[1234].compute(b'input', output_length=31),
expected_output1)
self.assertEqual(prfs[5678].compute(b'input', output_length=31),
expected_output2)
def test_encrypt_decrypt_two_raw_keys(self):
primitive1, raw_key1 = self.new_primitive_key_pair(1234, tink_pb2.RAW)
primitive2, raw_key2 = self.new_primitive_key_pair(5678, tink_pb2.RAW)
raw_ciphertext1 = primitive1.encrypt(b'plaintext1',
b'associated_data1')
raw_ciphertext2 = primitive2.encrypt(b'plaintext2',
b'associated_data2')
pset = core.new_primitive_set(aead.Aead)
pset.add_primitive(primitive1, raw_key1)
pset.set_primary(pset.add_primitive(primitive2, raw_key2))
wrapped_aead = core.Registry.wrap(pset)
self.assertEqual(
wrapped_aead.decrypt(raw_ciphertext1, b'associated_data1'),
b'plaintext1')
self.assertEqual(
wrapped_aead.decrypt(raw_ciphertext2, b'associated_data2'),
b'plaintext2')
self.assertEqual(
wrapped_aead.decrypt(
wrapped_aead.encrypt(b'plaintext', b'associated_data'),
b'associated_data'), b'plaintext')
def test_same_key_id_but_different_prefix_type(self):
primitive_set = core.new_primitive_set(mac.Mac)
key1 = new_key(MAC_TEMPLATE, key_id=1, output_prefix_type=tink_pb2.TINK)
primitive1 = core.Registry.primitive(key1.key_data, mac.Mac)
primitive_set.add_primitive(primitive1, key1)
key2 = new_key(MAC_TEMPLATE, key_id=1, output_prefix_type=tink_pb2.LEGACY)
primitive2 = core.Registry.primitive(key2.key_data, mac.Mac)
primitive_set.add_primitive(primitive2, key2)
entries1 = primitive_set.primitive(key1)
self.assertLen(entries1, 1)
self.assertEqual(primitive1, entries1[0].primitive)
self.assertEqual(tink_pb2.ENABLED, entries1[0].status)
self.assertEqual(core.crypto_format.output_prefix(key1),
entries1[0].identifier)
self.assertEqual(1, entries1[0].key_id)
entries2 = primitive_set.primitive(key2)
self.assertLen(entries2, 1)
self.assertEqual(primitive2, entries2[0].primitive)
self.assertEqual(tink_pb2.ENABLED, entries2[0].status)
self.assertEqual(core.crypto_format.output_prefix(key2),
entries2[0].identifier)
self.assertEqual(1, entries2[0].key_id)
def test_add_invalid_key_fails(self):
primitive_set = core.new_primitive_set(mac.Mac)
key = new_key(MAC_TEMPLATE, key_id=1)
key.ClearField('output_prefix_type')
with self.assertRaises(core.TinkError):
primitive_set.add_primitive(helper.FakeMac(), key)
def test_add_wrong_primitive_fails(self):
primitive_set = core.new_primitive_set(aead.Aead)
with self.assertRaises(core.TinkError):
primitive_set.add_primitive(helper.FakeMac(), helper.fake_key())
def _wrapped_saead(key_id):
primitive, key = _primitive_key_pair(key_id)
pset = core.new_primitive_set(_raw_streaming_aead.RawStreamingAead)
entry = pset.add_primitive(primitive, key)
pset.set_primary(entry)
return core.Registry.wrap(pset, streaming_aead.StreamingAead)
def test_primary_returns_none(self): primitive_set = core.new_primitive_set(mac.Mac) key = new_key(MAC_TEMPLATE, key_id=1) primitive = core.Registry.primitive(key.key_data, mac.Mac) primitive_set.add_primitive(primitive, key) self.assertIsNone(primitive_set.primary())
def test_primary_returns_none(self):
primitive_set = core.new_primitive_set(mac.Mac)
primitive_set.add_primitive(
helper.FakeMac('FakeMac'), helper.fake_key(key_id=1))
self.assertEqual(primitive_set.primary(), None)
def test_unknown_key_returns_empty_list(self): primitive_set = core.new_primitive_set(mac.Mac) unknown_key = helper.fake_key(key_id=1) self.assertEqual(primitive_set.primitive(unknown_key), [])
def test_primitive_class(self): primitive_set = core.new_primitive_set(mac.Mac) self.assertEqual(primitive_set.primitive_class(), mac.Mac)
def test_add_wrong_primitive_fails(self):
primitive_set = core.new_primitive_set(aead.Aead)
with self.assertRaisesRegex(core.TinkError,
'The primitive is not an instance of '):
primitive_set.add_primitive(helper.FakeMac(), helper.fake_key())
def test_add_invalid_key_fails(self):
primitive_set = core.new_primitive_set(mac.Mac)
key = helper.fake_key()
key.ClearField('output_prefix_type')
with self.assertRaisesRegex(core.TinkError, 'invalid OutputPrefixType'):
primitive_set.add_primitive(helper.FakeMac(), key)
def test_add_wrong_primitive_fails(self):
primitive_set = core.new_primitive_set(aead.Aead)
key = new_key(MAC_TEMPLATE, key_id=1, output_prefix_type=tink_pb2.TINK)
primitive = core.Registry.primitive(key.key_data, mac.Mac)
with self.assertRaises(core.TinkError):
primitive_set.add_primitive(primitive, key)
def test_unknown_key_returns_empty_list(self): primitive_set = core.new_primitive_set(mac.Mac) unknown_key = new_key(MAC_TEMPLATE, key_id=1) self.assertEqual(primitive_set.primitive(unknown_key), [])
