def mac_key_templates() -> Iterable[Tuple[Text, tink_pb2.KeyTemplate]]:
"""Yields (mac_key_template_name, mac_key_template) tuples."""
for key_type in supported_key_types.MAC_KEY_TYPES:
for name in supported_key_types.KEY_TEMPLATE_NAMES[key_type]:
template = supported_key_types.KEY_TEMPLATE[name]
yield (name, template)
yield (name + '-raw', keyset_builder.raw_template(template))
yield (name + '-legacy', keyset_builder.legacy_template(template))
def test_legacy_template(self):
template = aead.aead_key_templates.AES128_GCM
legacy_template = keyset_builder.legacy_template(template)
self.assertEqual(legacy_template.output_prefix_type, tink_pb2.LEGACY)
self.assertEqual(legacy_template.type_url, template.type_url)
self.assertEqual(legacy_template.value, template.value)
# check that generating legacy_template did not change template.
self.assertNotEqual(template.output_prefix_type, tink_pb2.LEGACY)
def test_legacy_key_fails(self):
template = keyset_builder.legacy_template(jwt.raw_jwt_hs256_template())
builder = keyset_builder.new_keyset_builder()
key_id = builder.add_new_key(template)
builder.set_primary_key(key_id)
handle = builder.keyset_handle()
with self.assertRaises(tink.TinkError):
handle.primitive(jwt.JwtMac)
def test_legacy_template_fails(self):
template = keyset_builder.legacy_template(jwt.jwt_es256_template())
builder = keyset_builder.new_keyset_builder()
key_id = builder.add_new_key(template)
builder.set_primary_key(key_id)
handle = builder.keyset_handle()
with self.assertRaises(tink.TinkError):
handle.primitive(jwt.JwtPublicKeySign)
with self.assertRaises(tink.TinkError):
handle.public_keyset_handle().primitive(jwt.JwtPublicKeyVerify)
import tink
from tink import signature
from tink.proto import tink_pb2
from tink.testing import keyset_builder
from util import supported_key_types
from util import testing_servers
SUPPORTED_LANGUAGES = (
testing_servers.SUPPORTED_LANGUAGES_BY_PRIMITIVE['signature'])
TEMPLATE = signature.signature_key_templates.ECDSA_P256
KEY_ROTATION_TEMPLATES = [
TEMPLATE,
keyset_builder.raw_template(TEMPLATE),
keyset_builder.legacy_template(TEMPLATE)
]
def key_rotation_test_cases(
) -> Iterable[Tuple[Text, Text, tink_pb2.KeyTemplate, tink_pb2.KeyTemplate]]:
for enc_lang in SUPPORTED_LANGUAGES:
for dec_lang in SUPPORTED_LANGUAGES:
for old_key_tmpl in KEY_ROTATION_TEMPLATES:
for new_key_tmpl in KEY_ROTATION_TEMPLATES:
yield (enc_lang, dec_lang, old_key_tmpl, new_key_tmpl)
def setUpModule():
signature.register()
testing_servers.start('signature')
msg=
'Language %s supports signature sign with %s unexpectedly'
% (signer.lang, key_template_name)):
_ = signer.sign(message)
# If the implementations work fine for keysets with single keys, then key
# rotation should work if the primitive wrapper is implemented correctly.
# The wrapper does not depend on the key type, so it should be fine to always
# test with the same key type. The wrapper needs to treat keys with output
# prefix RAW and LEGACY differently, so we also test templates with these
# prefixes.
KEY_ROTATION_TEMPLATES = [
signature.signature_key_templates.ECDSA_P256,
keyset_builder.raw_template(signature.signature_key_templates.ECDSA_P256),
keyset_builder.legacy_template(
signature.signature_key_templates.ECDSA_P256)
]
def key_rotation_test_cases(
) -> Iterable[Tuple[Text, Text, tink_pb2.KeyTemplate, tink_pb2.KeyTemplate]]:
for enc_lang in SUPPORTED_LANGUAGES:
for dec_lang in SUPPORTED_LANGUAGES:
for old_key_tmpl in KEY_ROTATION_TEMPLATES:
for new_key_tmpl in KEY_ROTATION_TEMPLATES:
yield (enc_lang, dec_lang, old_key_tmpl, new_key_tmpl)
class SignatureKeyRotationTest(parameterized.TestCase):
@parameterized.parameters(key_rotation_test_cases())
def test_key_rotation(self, enc_lang, dec_lang, old_key_tmpl,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Tests for tink.python.tink.public_key_sign_wrapper."""
from absl.testing import absltest
from absl.testing import parameterized
import tink
from tink import signature
from tink.testing import keyset_builder
TEMPLATE = signature.signature_key_templates.ECDSA_P256
LEGACY_TEMPLATE = keyset_builder.legacy_template(TEMPLATE)
RAW_TEMPLATE = keyset_builder.raw_template(TEMPLATE)
def setUpModule():
signature.register()
class SignatureWrapperTest(parameterized.TestCase):
@parameterized.parameters([TEMPLATE, LEGACY_TEMPLATE, RAW_TEMPLATE])
def test_sign_verify(self, template):
private_handle = tink.new_keyset_handle(template)
public_handle = private_handle.public_keyset_handle()
sign_primitive = private_handle.primitive(signature.PublicKeySign)
verify_primitive = public_handle.primitive(signature.PublicKeyVerify)
tink.TinkError,
msg='Language %s supports compute_mac with %s unexpectedly'
% (p.lang, key_template_name)):
p.compute_mac(data)
# If the implementations work fine for keysets with single keys, then key
# rotation should work if the primitive wrapper is implemented correctly.
# These wrappers do not depend on the key type, so it should be fine to always
# test with the same key type. The wrapper needs to treat keys with output
# prefix RAW and LEGACY differently, so we also test templates with these
# prefixes.
KEY_ROTATION_TEMPLATES = [
mac.mac_key_templates.HMAC_SHA512_512BITTAG,
keyset_builder.raw_template(mac.mac_key_templates.HMAC_SHA512_512BITTAG),
keyset_builder.legacy_template(mac.mac_key_templates.HMAC_SHA512_512BITTAG)
]
def key_rotation_test_cases(
) -> Iterable[Tuple[Text, Text, tink_pb2.KeyTemplate, tink_pb2.KeyTemplate]]:
for compute_lang in SUPPORTED_LANGUAGES:
for verify_lang in SUPPORTED_LANGUAGES:
for old_key_tmpl in KEY_ROTATION_TEMPLATES:
for new_key_tmpl in KEY_ROTATION_TEMPLATES:
yield (compute_lang, verify_lang, old_key_tmpl,
new_key_tmpl)
class MacKeyRotationTest(parameterized.TestCase):
@parameterized.parameters(key_rotation_test_cases())
def tearDownModule():
testing_servers.stop()
# maps from key_template_name to (key_template, key_type)
_ADDITIONAL_KEY_TEMPLATES = {
# We additionally test a RAW and a LEGACY template, because LEGACY keys
# require tags with a special format, and RAW don't.
# We test one key template for each, because this is handled by the
# primitive wrapper which is independent of the particular key template
# used.
'HMAC_SHA256_128BITTAG_RAW':
(keyset_builder.raw_template(mac.mac_key_templates.HMAC_SHA256_128BITTAG),
'HmacKey'),
'HMAC_SHA256_128BITTAG_LEGACY': (keyset_builder.legacy_template(
mac.mac_key_templates.HMAC_SHA256_128BITTAG), 'HmacKey')
}
def mac_key_template_names() -> Iterable[str]:
for key_type in supported_key_types.MAC_KEY_TYPES:
for key_template_name in supported_key_types.KEY_TEMPLATE_NAMES[
key_type]:
yield key_template_name
for key_template_name in _ADDITIONAL_KEY_TEMPLATES:
yield key_template_name
class MacTest(parameterized.TestCase):
@parameterized.parameters(mac_key_template_names())
def test_compute_verify_mac(self, key_template_name):