def test_read_write_encrypted_keyset(self, lang):
keyset = testing_servers.new_keyset(lang,
aead.aead_key_templates.AES128_GCM)
master_keyset = testing_servers.new_keyset(
lang, aead.aead_key_templates.AES128_GCM)
encrypted_keyset = testing_servers.keyset_write_encrypted(
lang, keyset, master_keyset, b'associated_data')
output_keyset = testing_servers.keyset_read_encrypted(
lang, encrypted_keyset, master_keyset, b'associated_data')
self.assertEqual(output_keyset, keyset)
with self.assertRaises(tink.TinkError):
testing_servers.keyset_read_encrypted(lang, encrypted_keyset,
master_keyset,
b'invalid_associated_data')
with self.assertRaises(tink.TinkError):
testing_servers.keyset_read_encrypted(lang, b'invalid_encrypted_keyset',
master_keyset,
b'associated_data')
with self.assertRaises(tink.TinkError):
testing_servers.keyset_read_encrypted(lang, encrypted_keyset,
b'invalid_master_keyset',
b'associated_data')
with self.assertRaises(tink.TinkError):
testing_servers.keyset_write_encrypted(lang, keyset,
b'invalid_master_keyset',
b'associated_data')
def test_read_write_encrypted_keyset(self, keyset, read_lang, reader_type,
write_lang, writer_type,
associated_data):
# Use an arbitrary AEAD template that's supported in all languages,
# and use an arbitrary language to generate the keyset_encryption_keyset.
keyset_encryption_keyset = testing_servers.new_keyset(
'cc', aead.aead_key_templates.AES128_GCM)
encrypted_keyset = testing_servers.keyset_write_encrypted(
write_lang, keyset, keyset_encryption_keyset, associated_data,
writer_type)
decrypted_keyset = testing_servers.keyset_read_encrypted(
read_lang, encrypted_keyset, keyset_encryption_keyset,
associated_data, reader_type)
# Both keyset and decrypted_keyset are serialized tink_pb2.Keyset.
key_util.assert_tink_proto_equal(
self, tink_pb2.Keyset.FromString(keyset),
tink_pb2.Keyset.FromString(decrypted_keyset))
with self.assertRaises(tink.TinkError):
testing_servers.keyset_read_encrypted(read_lang, encrypted_keyset,
keyset_encryption_keyset,
b'invalid_associated_data',
reader_type)
def test_read_encrypted_ignores_keyset_info_json(self, lang):
# Use an arbitrary AEAD template that's supported in all languages,
# and use an arbitrary language to generate the keyset_encryption_keyset.
keyset_encryption_keyset = testing_servers.new_keyset(
'cc', aead.aead_key_templates.AES128_GCM)
# Also, generate an arbitrary keyset.
keyset = testing_servers.new_keyset('cc',
aead.aead_key_templates.AES128_GCM)
associated_data = b'associated_data'
encrypted_keyset = testing_servers.keyset_write_encrypted(
lang, keyset, keyset_encryption_keyset, associated_data,
'KEYSET_WRITER_JSON')
# encrypted_keyset is a JSON serialized tink_pb2.EncryptedKeyset
parsed_encrypted_keyset = json_format.Parse(encrypted_keyset,
tink_pb2.EncryptedKeyset())
# Note that some implementations (currently C++) do not set keyset_info.
# But we require that values are correct when they are set.
if parsed_encrypted_keyset.HasField('keyset_info'):
self.assertLen(parsed_encrypted_keyset.keyset_info.key_info, 1)
self.assertEqual(
parsed_encrypted_keyset.keyset_info.primary_key_id,
parsed_encrypted_keyset.keyset_info.key_info[0].key_id)
# keyset_info should be ignored when reading a keyset.
# To test this, we add something invalid and check that read still works.
# Some languages (C++ and Java) however do check that the fields of
# keyset_info are present. So we have to set all required fields here.
parsed_encrypted_keyset.keyset_info.key_info.append(
tink_pb2.KeysetInfo.KeyInfo(type_url='invalid',
status=tink_pb2.ENABLED,
key_id=123,
output_prefix_type=tink_pb2.LEGACY))
parsed_encrypted_keyset.keyset_info.primary_key_id = 123
modified_encrypted_keyset = json_format.MessageToJson(
parsed_encrypted_keyset).encode('utf8')
decrypted_keyset = testing_servers.keyset_read_encrypted(
lang, modified_encrypted_keyset, keyset_encryption_keyset,
associated_data, 'KEYSET_READER_JSON')
# Both keyset and decrypted_keyset are serialized tink_pb2.Keyset.
key_util.assert_tink_proto_equal(
self, tink_pb2.Keyset.FromString(keyset),
tink_pb2.Keyset.FromString(decrypted_keyset))
def test_read_encrypted_ignores_keyset_info_binary(self, lang):
# Use an arbitrary AEAD template that's supported in all languages,
# and use an arbitrary language to generate the keyset_encryption_keyset.
keyset_encryption_keyset = testing_servers.new_keyset(
'cc', aead.aead_key_templates.AES128_GCM)
# Also, generate an arbitrary keyset.
keyset = testing_servers.new_keyset('cc',
aead.aead_key_templates.AES128_GCM)
associated_data = b'associated_data'
encrypted_keyset = testing_servers.keyset_write_encrypted(
lang, keyset, keyset_encryption_keyset, associated_data,
'KEYSET_WRITER_BINARY')
# encrypted_keyset is a serialized tink_pb2.EncryptedKeyset
parsed_encrypted_keyset = tink_pb2.EncryptedKeyset.FromString(
encrypted_keyset)
# Note that some implementations (currently C++) do not set keyset_info.
# But we require that values are correct when they are set.
if parsed_encrypted_keyset.HasField('keyset_info'):
self.assertLen(parsed_encrypted_keyset.keyset_info.key_info, 1)
self.assertEqual(
parsed_encrypted_keyset.keyset_info.primary_key_id,
parsed_encrypted_keyset.keyset_info.key_info[0].key_id)
# keyset_info should be ignored when reading a keyset.
# to test this, we add something invalid and check that read still works.
parsed_encrypted_keyset.keyset_info.key_info.append(
tink_pb2.KeysetInfo.KeyInfo(type_url='invalid', key_id=123))
modified_encrypted_keyset = parsed_encrypted_keyset.SerializeToString()
decrypted_keyset = testing_servers.keyset_read_encrypted(
lang, modified_encrypted_keyset, keyset_encryption_keyset,
associated_data, 'KEYSET_READER_BINARY')
# Both keyset and decrypted_keyset are serialized tink_pb2.Keyset.
key_util.assert_tink_proto_equal(
self, tink_pb2.Keyset.FromString(keyset),
tink_pb2.Keyset.FromString(decrypted_keyset))