def test_encrypt_decrypt(self, key_template_name, supported_langs):
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
keyset = testing_servers.new_keyset('java', key_template)
supported_daeads = [
testing_servers.deterministic_aead(lang, keyset)
for lang in supported_langs
]
self.assertNotEmpty(supported_daeads)
unsupported_daeads = [
testing_servers.deterministic_aead(lang, keyset)
for lang in SUPPORTED_LANGUAGES if lang not in supported_langs
]
plaintext = (b'This is some plaintext message to be encrypted using '
b'key_template %s.' % key_template_name.encode('utf8'))
associated_data = (b'Some associated data for %s.' %
key_template_name.encode('utf8'))
ciphertext = None
for p in supported_daeads:
if ciphertext:
self.assertEqual(
ciphertext,
p.encrypt_deterministically(plaintext, associated_data))
else:
ciphertext = p.encrypt_deterministically(
plaintext, associated_data)
for p2 in supported_daeads:
output = p2.decrypt_deterministically(ciphertext, associated_data)
self.assertEqual(output, plaintext)
for p2 in unsupported_daeads:
with self.assertRaises(tink.TinkError):
p2.decrypt_deterministically(ciphertext, associated_data)
for p in unsupported_daeads:
with self.assertRaises(tink.TinkError):
p.encrypt_deterministically(b'plaintext', b'associated_data')
def test_inc_version_daead(self, key_template_name, lang):
"""Increments the key version by one and checks they can't be used."""
template = supported_key_types.KEY_TEMPLATE[key_template_name]
keyset = testing_servers.new_keyset(lang, template)
p = testing_servers.deterministic_aead(lang, keyset)
_ = p.encrypt_deterministically(b'foo', b'bar')
for keyset1 in gen_inc_versions(keyset):
daead_primitive = testing_servers.deterministic_aead(lang, keyset1)
with self.assertRaises(tink.TinkError):
_ = daead_primitive.encrypt_deterministically(b'foo', b'bar')
def test_daead_without_primary(self, key_template_name, lang):
"""Unsets the primary key and tries to use a DAEAD primitive."""
template = supported_key_types.KEY_TEMPLATE[key_template_name]
keyset = testing_servers.new_keyset(lang, template)
p = testing_servers.deterministic_aead(lang, keyset)
ciphertext = p.encrypt_deterministically(b'foo', b'bar')
daead_without_primary = testing_servers.deterministic_aead(
lang, unset_primary(keyset))
with self.assertRaises(tink.TinkError):
_ = daead_without_primary.encrypt_deterministically(b'foo', b'bar')
with self.assertRaises(tink.TinkError):
_ = daead_without_primary.decrypt_deterministically(
ciphertext, b'bar')
def test_encrypt_decrypt(self, key_template_name):
supported_langs = supported_key_types.SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[
key_template_name]
self.assertNotEmpty(supported_langs)
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
# Take the first supported language to generate the keyset.
keyset = testing_servers.new_keyset(supported_langs[0], key_template)
supported_daeads = [
testing_servers.deterministic_aead(lang, keyset)
for lang in supported_langs
]
self.assertNotEmpty(supported_daeads)
unsupported_daeads = [
testing_servers.deterministic_aead(lang, keyset)
for lang in SUPPORTED_LANGUAGES if lang not in supported_langs
]
plaintext = (b'This is some plaintext message to be encrypted using '
b'key_template %s.' % key_template_name.encode('utf8'))
associated_data = (b'Some associated data for %s.' %
key_template_name.encode('utf8'))
ciphertext = None
for p in supported_daeads:
if ciphertext:
self.assertEqual(
ciphertext,
p.encrypt_deterministically(plaintext, associated_data))
else:
ciphertext = p.encrypt_deterministically(
plaintext, associated_data)
for p2 in supported_daeads:
output = p2.decrypt_deterministically(ciphertext, associated_data)
self.assertEqual(output, plaintext)
for p2 in unsupported_daeads:
with self.assertRaises(
tink.TinkError,
msg='Language %s supports decrypt_deterministically with %s '
'unexpectedly' % (p2.lang, key_template_name)):
p2.decrypt_deterministically(ciphertext, associated_data)
for p in unsupported_daeads:
with self.assertRaises(
tink.TinkError,
msg='Language %s supports encrypt_deterministically with %s '
'unexpectedly' % (p.lang, key_template_name)):
p.encrypt_deterministically(b'plaintext', b'associated_data')
def test_daead(self, lang):
keyset = testing_servers.new_keyset(
lang, daead.deterministic_aead_key_templates.AES256_SIV)
plaintext = b'The quick brown fox jumps over the lazy dog'
associated_data = b'associated_data'
daead_primitive = testing_servers.deterministic_aead(lang, keyset)
ciphertext = daead_primitive.encrypt_deterministically(
plaintext, associated_data)
output = daead_primitive.decrypt_deterministically(
ciphertext, associated_data)
self.assertEqual(output, plaintext)
with self.assertRaises(tink.TinkError):
daead_primitive.decrypt_deterministically(b'foo', associated_data)
def test_key_rotation(self, enc_lang, dec_lang, old_key_tmpl,
new_key_tmpl):
# Do a key rotation from an old key generated from old_key_tmpl to a new
# key generated from new_key_tmpl. Encryption and decryption are done
# in languages enc_lang and dec_lang.
builder = keyset_builder.new_keyset_builder()
older_key_id = builder.add_new_key(old_key_tmpl)
builder.set_primary_key(older_key_id)
enc_daead1 = testing_servers.deterministic_aead(
enc_lang, builder.keyset())
dec_daead1 = testing_servers.deterministic_aead(
dec_lang, builder.keyset())
newer_key_id = builder.add_new_key(new_key_tmpl)
enc_daead2 = testing_servers.deterministic_aead(
enc_lang, builder.keyset())
dec_daead2 = testing_servers.deterministic_aead(
dec_lang, builder.keyset())
builder.set_primary_key(newer_key_id)
enc_daead3 = testing_servers.deterministic_aead(
enc_lang, builder.keyset())
dec_daead3 = testing_servers.deterministic_aead(
dec_lang, builder.keyset())
builder.disable_key(older_key_id)
enc_daead4 = testing_servers.deterministic_aead(
enc_lang, builder.keyset())
dec_daead4 = testing_servers.deterministic_aead(
dec_lang, builder.keyset())
self.assertNotEqual(older_key_id, newer_key_id)
# 1 encrypts with the older key. So 1, 2 and 3 can decrypt it, but not 4.
ciphertext1 = enc_daead1.encrypt_deterministically(b'plaintext', b'ad')
self.assertEqual(
dec_daead1.decrypt_deterministically(ciphertext1, b'ad'),
b'plaintext')
self.assertEqual(
dec_daead2.decrypt_deterministically(ciphertext1, b'ad'),
b'plaintext')
self.assertEqual(
dec_daead3.decrypt_deterministically(ciphertext1, b'ad'),
b'plaintext')
with self.assertRaises(tink.TinkError):
_ = dec_daead4.decrypt_deterministically(ciphertext1, b'ad')
# 2 encrypts with the older key. So 1, 2 and 3 can decrypt it, but not 4.
ciphertext2 = enc_daead2.encrypt_deterministically(b'plaintext', b'ad')
self.assertEqual(
dec_daead1.decrypt_deterministically(ciphertext2, b'ad'),
b'plaintext')
self.assertEqual(
dec_daead2.decrypt_deterministically(ciphertext2, b'ad'),
b'plaintext')
self.assertEqual(
dec_daead3.decrypt_deterministically(ciphertext2, b'ad'),
b'plaintext')
with self.assertRaises(tink.TinkError):
_ = dec_daead4.decrypt_deterministically(ciphertext2, b'ad')
# 3 encrypts with the newer key. So 2, 3 and 4 can decrypt it, but not 1.
ciphertext3 = enc_daead3.encrypt_deterministically(b'plaintext', b'ad')
with self.assertRaises(tink.TinkError):
_ = dec_daead1.decrypt_deterministically(ciphertext3, b'ad')
self.assertEqual(
dec_daead2.decrypt_deterministically(ciphertext3, b'ad'),
b'plaintext')
self.assertEqual(
dec_daead3.decrypt_deterministically(ciphertext3, b'ad'),
b'plaintext')
self.assertEqual(
dec_daead4.decrypt_deterministically(ciphertext3, b'ad'),
b'plaintext')
# 4 encrypts with the newer key. So 2, 3 and 4 can decrypt it, but not 1.
ciphertext4 = enc_daead4.encrypt_deterministically(b'plaintext', b'ad')
with self.assertRaises(tink.TinkError):
_ = dec_daead1.decrypt_deterministically(ciphertext4, b'ad')
self.assertEqual(
dec_daead2.decrypt_deterministically(ciphertext4, b'ad'),
b'plaintext')
self.assertEqual(
dec_daead3.decrypt_deterministically(ciphertext4, b'ad'),
b'plaintext')
self.assertEqual(
dec_daead4.decrypt_deterministically(ciphertext4, b'ad'),
b'plaintext')
