def test_verify_signature(self):
pair0 = new_primitive_key_pair(1234, tink_pb2.RAW)
pair1 = new_primitive_key_pair(5678, tink_pb2.TINK)
pair2 = new_primitive_key_pair(9012, tink_pb2.LEGACY)
pset = primitive_set.new_primitive_set(
public_key_verify.PublicKeyVerify)
pset.add_primitive(*pair0)
pset.add_primitive(*pair1)
pset.set_primary(pset.add_primitive(*pair2))
# Check all keys work
for unused_primitive, key in (pair0, pair1, pair2):
pset_sign = primitive_set.new_primitive_set(
public_key_sign.PublicKeySign)
pset_sign.set_primary(
pset_sign.add_primitive(
helper.FakePublicKeySign('fakePublicKeySign {}'.format(
key.key_id)), key))
wrapped_pk_verify = public_key_verify_wrapper.PublicKeyVerifyWrapper(
).wrap(pset)
wrapped_pk_sign = public_key_sign_wrapper.PublicKeySignWrapper(
).wrap(pset_sign)
wrapped_pk_verify.verify(wrapped_pk_sign.sign(b'data'), b'data')
def test_encrypt_decrypt_with_key_rotation_from_raw(self):
primitive, raw_key = self.new_primitive_key_pair(1234, tink_pb2.RAW)
old_raw_ciphertext = primitive.encrypt_deterministically(
b'plaintext', b'associated_data')
pset = primitive_set.new_primitive_set(
deterministic_aead.DeterministicAead)
pset.add_primitive(primitive, raw_key)
new_primitive, new_key = self.new_primitive_key_pair(
5678, tink_pb2.TINK)
new_entry = pset.add_primitive(new_primitive, new_key)
pset.set_primary(new_entry)
wrapped_daead = deterministic_aead_wrapper.DeterministicAeadWrapper(
).wrap(pset)
new_ciphertext = wrapped_daead.encrypt_deterministically(
b'new_plaintext', b'new_associated_data')
self.assertEqual(
wrapped_daead.decrypt_deterministically(old_raw_ciphertext,
b'associated_data'),
b'plaintext')
self.assertEqual(
wrapped_daead.decrypt_deterministically(new_ciphertext,
b'new_associated_data'),
b'new_plaintext')
def test_encrypt_decrypt_two_raw_keys(self):
primitive1, raw_key1 = self.new_primitive_key_pair(1234, tink_pb2.RAW)
primitive2, raw_key2 = self.new_primitive_key_pair(5678, tink_pb2.RAW)
raw_ciphertext1 = primitive1.encrypt_deterministically(
b'plaintext1', b'associated_data1')
raw_ciphertext2 = primitive2.encrypt_deterministically(
b'plaintext2', b'associated_data2')
pset = primitive_set.new_primitive_set(
deterministic_aead.DeterministicAead)
pset.add_primitive(primitive1, raw_key1)
pset.set_primary(pset.add_primitive(primitive2, raw_key2))
wrapped_daead = deterministic_aead_wrapper.DeterministicAeadWrapper(
).wrap(pset)
self.assertEqual(
wrapped_daead.decrypt_deterministically(raw_ciphertext1,
b'associated_data1'),
b'plaintext1')
self.assertEqual(
wrapped_daead.decrypt_deterministically(raw_ciphertext2,
b'associated_data2'),
b'plaintext2')
self.assertEqual(
wrapped_daead.decrypt_deterministically(
wrapped_daead.encrypt_deterministically(
b'plaintext', b'associated_data'), b'associated_data'),
b'plaintext')
def test_decrypt_wrong_associated_data_fails(self):
primitive, key = self.new_primitive_key_pair(1234, tink_pb2.TINK)
pset = primitive_set.new_primitive_set(aead.Aead)
entry = pset.add_primitive(primitive, key)
pset.set_primary(entry)
wrapped_aead = aead_wrapper.AeadWrapper().wrap(pset)
ciphertext = wrapped_aead.encrypt(b'plaintext', b'associated_data')
with self.assertRaisesRegex(tink_error.TinkError, 'Decryption failed'):
wrapped_aead.decrypt(ciphertext, b'wrong_associated_data')
def test_encrypt_decrypt(self):
primitive, key = self.new_primitive_key_pair(1234, tink_pb2.TINK)
pset = primitive_set.new_primitive_set(aead.Aead)
entry = pset.add_primitive(primitive, key)
pset.set_primary(entry)
wrapped_aead = aead_wrapper.AeadWrapper().wrap(pset)
plaintext = b'plaintext'
associated_data = b'associated_data'
ciphertext = wrapped_aead.encrypt(plaintext, associated_data)
self.assertEqual(wrapped_aead.decrypt(ciphertext, associated_data),
plaintext)
def test_signature(self, output_prefix_type):
pair0 = new_primitive_key_pair(1234, output_prefix_type)
pair1 = new_primitive_key_pair(5678, output_prefix_type)
pset = primitive_set.new_primitive_set(public_key_sign.PublicKeySign)
pset_verify = primitive_set.new_primitive_set(
public_key_verify.PublicKeyVerify)
pset.add_primitive(*pair0)
pset.set_primary(pset.add_primitive(*pair1))
pset_verify.add_primitive(*to_verify_key_pair(pair0[1]))
entry = pset_verify.add_primitive(*to_verify_key_pair(pair1[1]))
pset_verify.set_primary(entry)
wrapped_pk_sign = public_key_sign_wrapper.PublicKeySignWrapper().wrap(pset)
wrapped_pk_verify = public_key_verify_wrapper.PublicKeyVerifyWrapper().wrap(
pset_verify)
signature = wrapped_pk_sign.sign(b'data')
wrapped_pk_verify.verify(signature, b'data')
with self.assertRaisesRegex(tink_error.TinkError, 'invalid signature'):
wrapped_pk_verify.verify(signature, b'invalid')
def test_decrypt_unknown_ciphertext_fails(self):
unknown_primitive = helper.FakeAead('unknownFakeAead')
unknown_ciphertext = unknown_primitive.encrypt(b'plaintext',
b'associated_data')
pset = primitive_set.new_primitive_set(aead.Aead)
primitive, raw_key = self.new_primitive_key_pair(1234, tink_pb2.RAW)
new_primitive, new_key = self.new_primitive_key_pair(5678, tink_pb2.TINK)
pset.add_primitive(primitive, raw_key)
new_entry = pset.add_primitive(new_primitive, new_key)
pset.set_primary(new_entry)
wrapped_aead = aead_wrapper.AeadWrapper().wrap(pset)
with self.assertRaisesRegex(tink_error.TinkError, 'Decryption failed'):
wrapped_aead.decrypt(unknown_ciphertext, b'associated_data')
def test_encrypt_decrypt_with_key_rotation(self):
primitive, key = self.new_primitive_key_pair(1234, tink_pb2.TINK)
pset = primitive_set.new_primitive_set(aead.Aead)
entry = pset.add_primitive(primitive, key)
pset.set_primary(entry)
wrapped_aead = aead_wrapper.AeadWrapper().wrap(pset)
ciphertext = wrapped_aead.encrypt(b'plaintext', b'associated_data')
new_primitive, new_key = self.new_primitive_key_pair(
5678, tink_pb2.TINK)
new_entry = pset.add_primitive(new_primitive, new_key)
pset.set_primary(new_entry)
new_ciphertext = wrapped_aead.encrypt(b'new_plaintext',
b'new_associated_data')
self.assertEqual(wrapped_aead.decrypt(ciphertext, b'associated_data'),
b'plaintext')
self.assertEqual(
wrapped_aead.decrypt(new_ciphertext, b'new_associated_data'),
b'new_plaintext')
