Example #1
0
    def test_client_not_bound(self):
        gcp_key1 = 'gcp-kms://projects/someProject/.../cryptoKeys/key1'

        aws_client = AwsKmsClient(KEY_URI, CREDENTIAL_PATH)

        self.assertEqual(aws_client.does_support(KEY_URI), True)
        self.assertEqual(aws_client.does_support(gcp_key1), False)
Example #2
0
  def test_encrypt_with_bad_credentials(self):
    aws_client = AwsKmsClient(KEY_URI, BAD_CREDENTIALS_PATH)
    aead = aws_client.get_aead(KEY_URI)

    plaintext = b'hello'
    associated_data = b'world'
    with self.assertRaises(ValueError):
      aead.encrypt(plaintext, associated_data)
Example #3
0
  def test_encrypt_decrypt(self):
    aws_client = AwsKmsClient(KEY_URI, CREDENTIAL_PATH)
    aead = aws_client.get_aead(KEY_URI)

    plaintext = b'hello'
    associated_data = b'world'
    ciphertext = aead.encrypt(plaintext, associated_data)
    self.assertEqual(plaintext, aead.decrypt(ciphertext, associated_data))

    plaintext = b'hello'
    ciphertext = aead.encrypt(plaintext, None)
    self.assertEqual(plaintext, aead.decrypt(ciphertext, None))
Example #4
0
  def test_corrupted_ciphertext(self):
    aws_client = AwsKmsClient(KEY_URI, CREDENTIAL_PATH)
    aead = aws_client.get_aead(KEY_URI)

    plaintext = b'helloworld'
    ciphertext = aead.encrypt(plaintext, None)
    self.assertEqual(plaintext, aead.decrypt(ciphertext, None))

    # Corrupt each byte once and check that decryption fails
    # NOTE: Skipping two bytes as they are malleable
    for byte_idx in [b for b in range(len(ciphertext)) if b not in [77, 123]]:
      tmp_ciphertext = list(ciphertext)
      tmp_ciphertext[byte_idx] ^= 1
      corrupted_ciphertext = bytes(tmp_ciphertext)
      with self.assertRaises(ValueError):
        aead.decrypt(corrupted_ciphertext, None)
Example #5
0
 def test_encrypt_with_bad_uri(self):
   with self.assertRaises(ValueError):
     aws_client = AwsKmsClient(KEY_URI, CREDENTIAL_PATH)
     aws_client.get_aead(BAD_KEY_URI)
Example #6
0
 def test_wrong_credentials_path(self):
     with self.assertRaises(ValueError):
         AwsKmsClient(KEY_URI, '../credentials.txt')
Example #7
0
 def test_wrong_key_uri(self):
     with self.assertRaises(ValueError):
         AwsKmsClient(BAD_KEY_URI, CREDENTIAL_PATH)
Example #8
0
 def test_client_generation(self):
     aws_client = AwsKmsClient(KEY_URI, CREDENTIAL_PATH)
     self.assertNotEqual(aws_client, None)