def test_verify_signature(self): pair0 = new_primitive_key_pair(1234, tink_pb2.RAW) pair1 = new_primitive_key_pair(5678, tink_pb2.TINK) pair2 = new_primitive_key_pair(9012, tink_pb2.LEGACY) pset = primitive_set.new_primitive_set( public_key_verify.PublicKeyVerify) pset.add_primitive(*pair0) pset.add_primitive(*pair1) pset.set_primary(pset.add_primitive(*pair2)) # Check all keys work for unused_primitive, key in (pair0, pair1, pair2): pset_sign = primitive_set.new_primitive_set( public_key_sign.PublicKeySign) pset_sign.set_primary( pset_sign.add_primitive( helper.FakePublicKeySign('fakePublicKeySign {}'.format( key.key_id)), key)) wrapped_pk_verify = public_key_verify_wrapper.PublicKeyVerifyWrapper( ).wrap(pset) wrapped_pk_sign = public_key_sign_wrapper.PublicKeySignWrapper( ).wrap(pset_sign) wrapped_pk_verify.verify(wrapped_pk_sign.sign(b'data'), b'data')
def test_encrypt_decrypt_with_key_rotation_from_raw(self): primitive, raw_key = self.new_primitive_key_pair(1234, tink_pb2.RAW) old_raw_ciphertext = primitive.encrypt_deterministically( b'plaintext', b'associated_data') pset = primitive_set.new_primitive_set( deterministic_aead.DeterministicAead) pset.add_primitive(primitive, raw_key) new_primitive, new_key = self.new_primitive_key_pair( 5678, tink_pb2.TINK) new_entry = pset.add_primitive(new_primitive, new_key) pset.set_primary(new_entry) wrapped_daead = deterministic_aead_wrapper.DeterministicAeadWrapper( ).wrap(pset) new_ciphertext = wrapped_daead.encrypt_deterministically( b'new_plaintext', b'new_associated_data') self.assertEqual( wrapped_daead.decrypt_deterministically(old_raw_ciphertext, b'associated_data'), b'plaintext') self.assertEqual( wrapped_daead.decrypt_deterministically(new_ciphertext, b'new_associated_data'), b'new_plaintext')
def test_encrypt_decrypt_two_raw_keys(self): primitive1, raw_key1 = self.new_primitive_key_pair(1234, tink_pb2.RAW) primitive2, raw_key2 = self.new_primitive_key_pair(5678, tink_pb2.RAW) raw_ciphertext1 = primitive1.encrypt_deterministically( b'plaintext1', b'associated_data1') raw_ciphertext2 = primitive2.encrypt_deterministically( b'plaintext2', b'associated_data2') pset = primitive_set.new_primitive_set( deterministic_aead.DeterministicAead) pset.add_primitive(primitive1, raw_key1) pset.set_primary(pset.add_primitive(primitive2, raw_key2)) wrapped_daead = deterministic_aead_wrapper.DeterministicAeadWrapper( ).wrap(pset) self.assertEqual( wrapped_daead.decrypt_deterministically(raw_ciphertext1, b'associated_data1'), b'plaintext1') self.assertEqual( wrapped_daead.decrypt_deterministically(raw_ciphertext2, b'associated_data2'), b'plaintext2') self.assertEqual( wrapped_daead.decrypt_deterministically( wrapped_daead.encrypt_deterministically( b'plaintext', b'associated_data'), b'associated_data'), b'plaintext')
def test_decrypt_wrong_associated_data_fails(self): primitive, key = self.new_primitive_key_pair(1234, tink_pb2.TINK) pset = primitive_set.new_primitive_set(aead.Aead) entry = pset.add_primitive(primitive, key) pset.set_primary(entry) wrapped_aead = aead_wrapper.AeadWrapper().wrap(pset) ciphertext = wrapped_aead.encrypt(b'plaintext', b'associated_data') with self.assertRaisesRegex(tink_error.TinkError, 'Decryption failed'): wrapped_aead.decrypt(ciphertext, b'wrong_associated_data')
def test_encrypt_decrypt(self): primitive, key = self.new_primitive_key_pair(1234, tink_pb2.TINK) pset = primitive_set.new_primitive_set(aead.Aead) entry = pset.add_primitive(primitive, key) pset.set_primary(entry) wrapped_aead = aead_wrapper.AeadWrapper().wrap(pset) plaintext = b'plaintext' associated_data = b'associated_data' ciphertext = wrapped_aead.encrypt(plaintext, associated_data) self.assertEqual(wrapped_aead.decrypt(ciphertext, associated_data), plaintext)
def test_signature(self, output_prefix_type): pair0 = new_primitive_key_pair(1234, output_prefix_type) pair1 = new_primitive_key_pair(5678, output_prefix_type) pset = primitive_set.new_primitive_set(public_key_sign.PublicKeySign) pset_verify = primitive_set.new_primitive_set( public_key_verify.PublicKeyVerify) pset.add_primitive(*pair0) pset.set_primary(pset.add_primitive(*pair1)) pset_verify.add_primitive(*to_verify_key_pair(pair0[1])) entry = pset_verify.add_primitive(*to_verify_key_pair(pair1[1])) pset_verify.set_primary(entry) wrapped_pk_sign = public_key_sign_wrapper.PublicKeySignWrapper().wrap(pset) wrapped_pk_verify = public_key_verify_wrapper.PublicKeyVerifyWrapper().wrap( pset_verify) signature = wrapped_pk_sign.sign(b'data') wrapped_pk_verify.verify(signature, b'data') with self.assertRaisesRegex(tink_error.TinkError, 'invalid signature'): wrapped_pk_verify.verify(signature, b'invalid')
def test_decrypt_unknown_ciphertext_fails(self): unknown_primitive = helper.FakeAead('unknownFakeAead') unknown_ciphertext = unknown_primitive.encrypt(b'plaintext', b'associated_data') pset = primitive_set.new_primitive_set(aead.Aead) primitive, raw_key = self.new_primitive_key_pair(1234, tink_pb2.RAW) new_primitive, new_key = self.new_primitive_key_pair(5678, tink_pb2.TINK) pset.add_primitive(primitive, raw_key) new_entry = pset.add_primitive(new_primitive, new_key) pset.set_primary(new_entry) wrapped_aead = aead_wrapper.AeadWrapper().wrap(pset) with self.assertRaisesRegex(tink_error.TinkError, 'Decryption failed'): wrapped_aead.decrypt(unknown_ciphertext, b'associated_data')
def test_encrypt_decrypt_with_key_rotation(self): primitive, key = self.new_primitive_key_pair(1234, tink_pb2.TINK) pset = primitive_set.new_primitive_set(aead.Aead) entry = pset.add_primitive(primitive, key) pset.set_primary(entry) wrapped_aead = aead_wrapper.AeadWrapper().wrap(pset) ciphertext = wrapped_aead.encrypt(b'plaintext', b'associated_data') new_primitive, new_key = self.new_primitive_key_pair( 5678, tink_pb2.TINK) new_entry = pset.add_primitive(new_primitive, new_key) pset.set_primary(new_entry) new_ciphertext = wrapped_aead.encrypt(b'new_plaintext', b'new_associated_data') self.assertEqual(wrapped_aead.decrypt(ciphertext, b'associated_data'), b'plaintext') self.assertEqual( wrapped_aead.decrypt(new_ciphertext, b'new_associated_data'), b'new_plaintext')