def test_sign_verify_fail(self): keyset_servicer = services.KeysetServicer() signature_servicer = services.SignatureServicer() template = signature.signature_key_templates.ECDSA_P256.SerializeToString( ) gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) gen_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(gen_response.WhichOneof('result'), 'keyset') self.assertEmpty(gen_response.err) private_keyset = gen_response.keyset pub_request = testing_api_pb2.KeysetPublicRequest( private_keyset=private_keyset) pub_response = keyset_servicer.Public(pub_request, self._ctx) self.assertEqual(pub_response.WhichOneof('result'), 'public_keyset') public_keyset = pub_response.public_keyset invalid_request = testing_api_pb2.SignatureVerifyRequest( public_keyset=public_keyset, signature=b'invalid signature', data=b'The quick brown fox jumps over the lazy dog') invalid_response = signature_servicer.Verify(invalid_request, self._ctx) self.assertNotEmpty(invalid_response.err)
def test_compute_prf(self): keyset_servicer = services.KeysetServicer() prf_set_servicer = services.PrfSetServicer() template = prf.prf_key_templates.HMAC_SHA256.SerializeToString() gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) gen_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(gen_response.WhichOneof('result'), 'keyset') keyset = gen_response.keyset key_ids_request = testing_api_pb2.PrfSetKeyIdsRequest(keyset=keyset) key_ids_response = prf_set_servicer.KeyIds(key_ids_request, self._ctx) self.assertEqual(key_ids_response.WhichOneof('result'), 'output') self.assertLen(key_ids_response.output.key_id, 1) self.assertEqual(key_ids_response.output.key_id[0], key_ids_response.output.primary_key_id) output_length = 31 compute_request = testing_api_pb2.PrfSetComputeRequest( keyset=keyset, key_id=key_ids_response.output.primary_key_id, input_data=b'input_data', output_length=output_length) compute_response = prf_set_servicer.Compute(compute_request, self._ctx) self.assertEqual(compute_response.WhichOneof('result'), 'output') self.assertLen(compute_response.output, output_length)
def test_generate_hybrid_encrypt_decrypt(self): keyset_servicer = services.KeysetServicer() hybrid_servicer = services.HybridServicer() tp = hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM template = tp.SerializeToString() gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) gen_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEmpty(gen_response.err) private_keyset = gen_response.keyset pub_request = testing_api_pb2.KeysetPublicRequest( private_keyset=private_keyset) pub_response = keyset_servicer.Public(pub_request, self._ctx) self.assertEqual(pub_response.WhichOneof('result'), 'public_keyset') public_keyset = pub_response.public_keyset plaintext = b'The quick brown fox jumps over the lazy dog' context_info = b'context_info' enc_request = testing_api_pb2.HybridEncryptRequest( public_keyset=public_keyset, plaintext=plaintext, context_info=context_info) enc_response = hybrid_servicer.Encrypt(enc_request, self._ctx) self.assertEqual(enc_response.WhichOneof('result'), 'ciphertext') ciphertext = enc_response.ciphertext dec_request = testing_api_pb2.HybridDecryptRequest( private_keyset=private_keyset, ciphertext=ciphertext, context_info=context_info) dec_response = hybrid_servicer.Decrypt(dec_request, self._ctx) self.assertEqual(dec_response.WhichOneof('result'), 'plaintext') self.assertEqual(dec_response.plaintext, plaintext)
def test_generate_keyset_write_read_encrypted(self): keyset_servicer = services.KeysetServicer() template = aead.aead_key_templates.AES128_GCM.SerializeToString() gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) master_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(master_response.WhichOneof('result'), 'keyset') master_keyset = master_response.keyset keyset_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(keyset_response.WhichOneof('result'), 'keyset') keyset = keyset_response.keyset write_encrypted_request = testing_api_pb2.KeysetWriteEncryptedRequest( keyset=keyset, master_keyset=master_keyset, keyset_writer_type=testing_api_pb2.KEYSET_WRITER_BINARY) write_encrypted_response = keyset_servicer.WriteEncrypted( write_encrypted_request, self._ctx) self.assertEqual(write_encrypted_response.WhichOneof('result'), 'encrypted_keyset') encrypted_keyset = write_encrypted_response.encrypted_keyset read_encrypted_request = testing_api_pb2.KeysetReadEncryptedRequest( encrypted_keyset=encrypted_keyset, master_keyset=master_keyset, keyset_reader_type=testing_api_pb2.KEYSET_READER_BINARY) read_encrypted_response = keyset_servicer.ReadEncrypted( read_encrypted_request, self._ctx) self.assertEqual(read_encrypted_response.WhichOneof('result'), 'keyset') self.assertEqual(read_encrypted_response.keyset, keyset)
def test_generate_encrypt_decrypt_deterministically(self): keyset_servicer = services.KeysetServicer() daead_servicer = services.DeterministicAeadServicer() template_proto = daead.deterministic_aead_key_templates.AES256_SIV template = template_proto.SerializeToString() gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) gen_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(gen_response.WhichOneof('result'), 'keyset') keyset = gen_response.keyset plaintext = b'The quick brown fox jumps over the lazy dog' associated_data = b'associated_data' enc_request = testing_api_pb2.DeterministicAeadEncryptRequest( keyset=keyset, plaintext=plaintext, associated_data=associated_data) enc_response = daead_servicer.EncryptDeterministically( enc_request, self._ctx) self.assertEqual(enc_response.WhichOneof('result'), 'ciphertext') enc_response2 = daead_servicer.EncryptDeterministically( enc_request, self._ctx) self.assertEqual(enc_response2.WhichOneof('result'), 'ciphertext') self.assertEqual(enc_response2.ciphertext, enc_response.ciphertext) ciphertext = enc_response.ciphertext dec_request = testing_api_pb2.DeterministicAeadDecryptRequest( keyset=keyset, ciphertext=ciphertext, associated_data=associated_data) dec_response = daead_servicer.DecryptDeterministically( dec_request, self._ctx) self.assertEqual(dec_response.WhichOneof('result'), 'plaintext') self.assertEqual(dec_response.plaintext, plaintext)
def test_generate_compute_verify_mac(self): keyset_servicer = services.KeysetServicer() jwt_servicer = jwt_service.JwtServicer() template = jwt.jwt_hs256_template().SerializeToString() gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) gen_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(gen_response.WhichOneof('result'), 'keyset') keyset = gen_response.keyset comp_request = testing_api_pb2.JwtSignRequest(keyset=keyset) comp_request.raw_jwt.issuer.value = 'issuer' comp_request.raw_jwt.subject.value = 'subject' comp_request.raw_jwt.custom_claims['myclaim'].bool_value = True comp_request.raw_jwt.expiration.seconds = 1334 comp_request.raw_jwt.expiration.nanos = 123000000 comp_response = jwt_servicer.ComputeMacAndEncode(comp_request, self._ctx) self.assertEqual(comp_response.WhichOneof('result'), 'signed_compact_jwt') signed_compact_jwt = comp_response.signed_compact_jwt verify_request = testing_api_pb2.JwtVerifyRequest( keyset=keyset, signed_compact_jwt=signed_compact_jwt) verify_request.validator.expected_issuer.value = 'issuer' verify_request.validator.now.seconds = 1234 verify_response = jwt_servicer.VerifyMacAndDecode(verify_request, self._ctx) self.assertEqual(verify_response.WhichOneof('result'), 'verified_jwt') self.assertEqual(verify_response.verified_jwt.issuer.value, 'issuer') self.assertEqual(verify_response.verified_jwt.subject.value, 'subject') self.assertEqual(verify_response.verified_jwt.expiration.seconds, 1334) self.assertEqual(verify_response.verified_jwt.expiration.nanos, 0)
def test_generate_streaming_encrypt_decrypt(self): keyset_servicer = services.KeysetServicer() streaming_aead_servicer = services.StreamingAeadServicer() templates = streaming_aead.streaming_aead_key_templates template = templates.AES128_CTR_HMAC_SHA256_4KB.SerializeToString() gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) gen_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(gen_response.WhichOneof('result'), 'keyset') keyset = gen_response.keyset plaintext = b'The quick brown fox jumps over the lazy dog' associated_data = b'associated_data' enc_request = testing_api_pb2.StreamingAeadEncryptRequest( keyset=keyset, plaintext=plaintext, associated_data=associated_data) enc_response = streaming_aead_servicer.Encrypt(enc_request, self._ctx) self.assertEqual(enc_response.WhichOneof('result'), 'ciphertext') ciphertext = enc_response.ciphertext dec_request = testing_api_pb2.StreamingAeadDecryptRequest( keyset=keyset, ciphertext=ciphertext, associated_data=associated_data) dec_response = streaming_aead_servicer.Decrypt(dec_request, self._ctx) self.assertEqual(dec_response.WhichOneof('result'), 'plaintext') self.assertEqual(dec_response.plaintext, plaintext)
def new_keyset(stub: testing_api_pb2_grpc.KeysetStub, template: tink_pb2.KeyTemplate) -> bytes: gen_request = testing_api_pb2.KeysetGenerateRequest( template=template.SerializeToString()) gen_response = stub.Generate(gen_request) if gen_response.err: raise tink.TinkError(gen_response.err) return gen_response.keyset
def test_generate_compute_verify_mac_fail(self): keyset_servicer = services.KeysetServicer() mac_servicer = services.MacServicer() template = mac.mac_key_templates.HMAC_SHA256_128BITTAG.SerializeToString( ) gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) gen_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(gen_response.WhichOneof('result'), 'keyset') keyset = gen_response.keyset verify_request = testing_api_pb2.VerifyMacRequest( keyset=keyset, mac_value=b'invalid mac_value', data=b'data') verify_response = mac_servicer.VerifyMac(verify_request, self._ctx) self.assertNotEmpty(verify_response.err)
def test_keyset_write_encrypted_fails_when_keyset_is_invalid(self): keyset_servicer = services.KeysetServicer() template = aead.aead_key_templates.AES128_GCM.SerializeToString() gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) master_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(master_response.WhichOneof('result'), 'keyset') master_keyset = master_response.keyset write_encrypted_request = testing_api_pb2.KeysetWriteEncryptedRequest( keyset=b'invalid', master_keyset=master_keyset, keyset_writer_type=testing_api_pb2.KEYSET_WRITER_BINARY) write_encrypted_response = keyset_servicer.WriteEncrypted( write_encrypted_request, self._ctx) self.assertEqual(write_encrypted_response.WhichOneof('result'), 'err')
def test_generate_keyset_write_read_encrypted_with_associated_data(self): keyset_servicer = services.KeysetServicer() template = aead.aead_key_templates.AES128_GCM.SerializeToString() gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) master_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(master_response.WhichOneof('result'), 'keyset') master_keyset = master_response.keyset keyset_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(keyset_response.WhichOneof('result'), 'keyset') keyset = keyset_response.keyset associated_data = b'associated_data' write_encrypted_request = testing_api_pb2.KeysetWriteEncryptedRequest( keyset=keyset, master_keyset=master_keyset, associated_data=testing_api_pb2.BytesValue(value=associated_data), keyset_writer_type=testing_api_pb2.KEYSET_WRITER_BINARY) write_encrypted_response = keyset_servicer.WriteEncrypted( write_encrypted_request, self._ctx) self.assertEqual(write_encrypted_response.WhichOneof('result'), 'encrypted_keyset') encrypted_keyset = write_encrypted_response.encrypted_keyset read_encrypted_request = testing_api_pb2.KeysetReadEncryptedRequest( encrypted_keyset=encrypted_keyset, master_keyset=master_keyset, associated_data=testing_api_pb2.BytesValue(value=associated_data), keyset_reader_type=testing_api_pb2.KEYSET_READER_BINARY) read_encrypted_response = keyset_servicer.ReadEncrypted( read_encrypted_request, self._ctx) self.assertEqual(read_encrypted_response.WhichOneof('result'), 'keyset') self.assertEqual(read_encrypted_response.keyset, keyset) # Using the wrong associated_data fails read_encrypted_request = testing_api_pb2.KeysetReadEncryptedRequest( encrypted_keyset=encrypted_keyset, master_keyset=master_keyset, associated_data=testing_api_pb2.BytesValue(value=b'wrong ad'), keyset_reader_type=testing_api_pb2.KEYSET_READER_BINARY) read_encrypted_response = keyset_servicer.ReadEncrypted( read_encrypted_request, self._ctx) self.assertEqual(read_encrypted_response.WhichOneof('result'), 'err')
def test_generate_sign_export_import_verify_signature(self): keyset_servicer = services.KeysetServicer() jwt_servicer = jwt_service.JwtServicer() template = jwt.jwt_es256_template().SerializeToString() gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) gen_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(gen_response.WhichOneof('result'), 'keyset') private_keyset = gen_response.keyset comp_request = testing_api_pb2.JwtSignRequest(keyset=private_keyset) comp_request.raw_jwt.issuer.value = 'issuer' comp_request.raw_jwt.subject.value = 'subject' comp_request.raw_jwt.custom_claims['myclaim'].bool_value = True comp_response = jwt_servicer.PublicKeySignAndEncode(comp_request, self._ctx) self.assertEqual(comp_response.WhichOneof('result'), 'signed_compact_jwt') signed_compact_jwt = comp_response.signed_compact_jwt pub_request = testing_api_pb2.KeysetPublicRequest( private_keyset=private_keyset) pub_response = keyset_servicer.Public(pub_request, self._ctx) self.assertEqual(pub_response.WhichOneof('result'), 'public_keyset') public_keyset = pub_response.public_keyset to_jwkset_request = testing_api_pb2.JwtToJwkSetRequest(keyset=public_keyset) to_jwkset_response = jwt_servicer.ToJwkSet(to_jwkset_request, self._ctx) self.assertEqual(to_jwkset_response.WhichOneof('result'), 'jwk_set') self.assertStartsWith(to_jwkset_response.jwk_set, '{"keys":[{"') from_jwkset_request = testing_api_pb2.JwtFromJwkSetRequest( jwk_set=to_jwkset_response.jwk_set) from_jwkset_response = jwt_servicer.FromJwkSet( from_jwkset_request, self._ctx) self.assertEqual(from_jwkset_response.WhichOneof('result'), 'keyset') verify_request = testing_api_pb2.JwtVerifyRequest( keyset=from_jwkset_response.keyset, signed_compact_jwt=signed_compact_jwt) verify_request.validator.expected_issuer.value = 'issuer' verify_request.validator.allow_missing_expiration = True verify_response = jwt_servicer.PublicKeyVerifyAndDecode( verify_request, self._ctx) self.assertEqual(verify_response.WhichOneof('result'), 'verified_jwt') self.assertEqual(verify_response.verified_jwt.issuer.value, 'issuer')
def test_generate_hybrid_encrypt_decrypt_fail(self): keyset_servicer = services.KeysetServicer() hybrid_servicer = services.HybridServicer() tp = hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM template = tp.SerializeToString() gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) gen_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(gen_response.WhichOneof('result'), 'keyset') private_keyset = gen_response.keyset dec_request = testing_api_pb2.HybridDecryptRequest( private_keyset=private_keyset, ciphertext=b'invalid ciphertext', context_info=b'context_info') dec_response = hybrid_servicer.Decrypt(dec_request, self._ctx) self.assertEqual(dec_response.WhichOneof('result'), 'err') self.assertNotEmpty(dec_response.err)
def test_generate_decrypt_fail(self): keyset_servicer = services.KeysetServicer() aead_servicer = services.AeadServicer() template = aead.aead_key_templates.AES128_GCM.SerializeToString() gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) gen_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(gen_response.WhichOneof('result'), 'keyset') keyset = gen_response.keyset ciphertext = b'some invalid ciphertext' associated_data = b'associated_data' dec_request = testing_api_pb2.AeadDecryptRequest( keyset=keyset, ciphertext=ciphertext, associated_data=associated_data) dec_response = aead_servicer.Decrypt(dec_request, self._ctx) self.assertEqual(dec_response.WhichOneof('result'), 'err') self.assertNotEmpty(dec_response.err)
def test_generate_to_from_json(self): keyset_servicer = services.KeysetServicer() template = aead.aead_key_templates.AES128_GCM.SerializeToString() gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) gen_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(gen_response.WhichOneof('result'), 'keyset') keyset = gen_response.keyset tojson_request = testing_api_pb2.KeysetToJsonRequest(keyset=keyset) tojson_response = keyset_servicer.ToJson(tojson_request, self._ctx) self.assertEqual(tojson_response.WhichOneof('result'), 'json_keyset') json_keyset = tojson_response.json_keyset fromjson_request = testing_api_pb2.KeysetFromJsonRequest( json_keyset=json_keyset) fromjson_response = keyset_servicer.FromJson(fromjson_request, self._ctx) self.assertEqual(fromjson_response.WhichOneof('result'), 'keyset') self.assertEqual(fromjson_response.keyset, keyset)
def test_generate_compute_verify_mac(self): keyset_servicer = services.KeysetServicer() mac_servicer = services.MacServicer() template = mac.mac_key_templates.HMAC_SHA256_128BITTAG.SerializeToString( ) gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) gen_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(gen_response.WhichOneof('result'), 'keyset') keyset = gen_response.keyset data = b'The quick brown fox jumps over the lazy dog' comp_request = testing_api_pb2.ComputeMacRequest(keyset=keyset, data=data) comp_response = mac_servicer.ComputeMac(comp_request, self._ctx) self.assertEqual(comp_response.WhichOneof('result'), 'mac_value') mac_value = comp_response.mac_value verify_request = testing_api_pb2.VerifyMacRequest(keyset=keyset, mac_value=mac_value, data=data) verify_response = mac_servicer.VerifyMac(verify_request, self._ctx) self.assertEmpty(verify_response.err)
def test_compute_prf_fail(self): keyset_servicer = services.KeysetServicer() prf_set_servicer = services.PrfSetServicer() template = prf.prf_key_templates.HMAC_SHA256.SerializeToString() gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) gen_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(gen_response.WhichOneof('result'), 'keyset') keyset = gen_response.keyset key_ids_request = testing_api_pb2.PrfSetKeyIdsRequest(keyset=keyset) key_ids_response = prf_set_servicer.KeyIds(key_ids_request, self._ctx) self.assertEqual(key_ids_response.WhichOneof('result'), 'output') primary_key_id = key_ids_response.output.primary_key_id invalid_output_length = 123456 invalid_compute_request = testing_api_pb2.PrfSetComputeRequest( keyset=keyset, key_id=primary_key_id, input_data=b'input_data', output_length=invalid_output_length) invalid_compute_response = prf_set_servicer.Compute( invalid_compute_request, self._ctx) self.assertEqual(invalid_compute_response.WhichOneof('result'), 'err') self.assertNotEmpty(invalid_compute_response.err)
def test_generate_compute_verify_mac_without_expiration(self): keyset_servicer = services.KeysetServicer() jwt_servicer = jwt_service.JwtServicer() template = jwt.jwt_hs256_template().SerializeToString() gen_request = testing_api_pb2.KeysetGenerateRequest(template=template) gen_response = keyset_servicer.Generate(gen_request, self._ctx) self.assertEqual(gen_response.WhichOneof('result'), 'keyset') keyset = gen_response.keyset comp_request = testing_api_pb2.JwtSignRequest(keyset=keyset) comp_request.raw_jwt.issuer.value = 'issuer' comp_response = jwt_servicer.ComputeMacAndEncode(comp_request, self._ctx) self.assertEqual(comp_response.WhichOneof('result'), 'signed_compact_jwt') signed_compact_jwt = comp_response.signed_compact_jwt verify_request = testing_api_pb2.JwtVerifyRequest( keyset=keyset, signed_compact_jwt=signed_compact_jwt) verify_request.validator.expected_issuer.value = 'issuer' verify_request.validator.allow_missing_expiration = True verify_response = jwt_servicer.VerifyMacAndDecode(verify_request, self._ctx) print(verify_response.err) self.assertEqual(verify_response.WhichOneof('result'), 'verified_jwt') self.assertEqual(verify_response.verified_jwt.issuer.value, 'issuer')