def test_encrypt_decrypt_with_key_rotation(self): dec, enc, dec_key, enc_key = new_primitives_and_keys( 1234, tink_pb2.TINK) enc_pset = core.new_primitive_set(hybrid_encrypt.HybridEncrypt) enc_pset.set_primary(enc_pset.add_primitive(enc, enc_key)) wrapped_enc = hybrid_encrypt_wrapper.HybridEncryptWrapper().wrap( enc_pset) ciphertext = wrapped_enc.encrypt(b'plaintext', b'context_info') new_dec, new_enc, new_dec_key, new_enc_key = new_primitives_and_keys( 5678, tink_pb2.TINK) new_enc_pset = core.new_primitive_set(hybrid_encrypt.HybridEncrypt) new_enc_pset.set_primary( new_enc_pset.add_primitive(new_enc, new_enc_key)) new_wrapped_enc = hybrid_encrypt_wrapper.HybridEncryptWrapper().wrap( new_enc_pset) new_dec, new_enc, new_dec_key, new_enc_key = new_primitives_and_keys( 5678, tink_pb2.TINK) new_dec_pset = core.new_primitive_set(hybrid_decrypt.HybridDecrypt) new_dec_pset.add_primitive(dec, dec_key) new_dec_pset.set_primary( new_dec_pset.add_primitive(new_dec, new_dec_key)) new_wrapped_dec = hybrid_decrypt_wrapper.HybridDecryptWrapper().wrap( new_dec_pset) new_ciphertext = new_wrapped_enc.encrypt(b'new_plaintext', b'new_context_info') self.assertEqual(new_wrapped_dec.decrypt(ciphertext, b'context_info'), b'plaintext') self.assertEqual( new_wrapped_dec.decrypt(new_ciphertext, b'new_context_info'), b'new_plaintext')
def test_encrypt_decrypt_with_key_rotation_from_raw(self): raw_dec, raw_enc, raw_dec_key, raw_enc_key = new_primitives_and_keys( 1234, tink_pb2.RAW) old_raw_ciphertext = raw_enc.encrypt(b'old_raw_ciphertext', b'context_info') new_dec, new_enc, new_dec_key, new_enc_key = new_primitives_and_keys( 5678, tink_pb2.TINK) enc_pset = core.new_primitive_set(hybrid_encrypt.HybridEncrypt) enc_pset.add_primitive(raw_enc, raw_enc_key) enc_pset.set_primary(enc_pset.add_primitive(new_enc, new_enc_key)) wrapped_enc = hybrid_encrypt_wrapper.HybridEncryptWrapper().wrap( enc_pset) dec_pset = core.new_primitive_set(hybrid_decrypt.HybridDecrypt) dec_pset.add_primitive(raw_dec, raw_dec_key) dec_pset.set_primary(dec_pset.add_primitive(new_dec, new_dec_key)) wrapped_dec = hybrid_decrypt_wrapper.HybridDecryptWrapper().wrap( dec_pset) new_ciphertext = wrapped_enc.encrypt(b'new_plaintext', b'new_context_info') self.assertEqual( wrapped_dec.decrypt(old_raw_ciphertext, b'context_info'), b'old_raw_ciphertext') self.assertEqual( wrapped_dec.decrypt(new_ciphertext, b'new_context_info'), b'new_plaintext')
def test_list_of_entries_can_be_modified(self): primitive_set = core.new_primitive_set(mac.Mac) key = helper.fake_key(key_id=1) primitive_set.add_primitive(helper.FakeMac('FakeMac'), key) entries = primitive_set.primitive(key) entries.append('Something') self.assertLen(primitive_set.primitive(key), 1)
def test_decrypt_wrong_associated_data_fails(self): dec, enc, dec_key, enc_key = new_primitives_and_keys( 1234, tink_pb2.TINK) dec_pset = core.new_primitive_set(hybrid_decrypt.HybridDecrypt) dec_pset.set_primary(dec_pset.add_primitive(dec, dec_key)) wrapped_dec = hybrid_decrypt_wrapper.HybridDecryptWrapper().wrap( dec_pset) enc_pset = core.new_primitive_set(hybrid_encrypt.HybridEncrypt) enc_pset.set_primary(enc_pset.add_primitive(enc, enc_key)) wrapped_enc = hybrid_encrypt_wrapper.HybridEncryptWrapper().wrap( enc_pset) ciphertext = wrapped_enc.encrypt(b'plaintext', b'context_info') with self.assertRaisesRegex(core.TinkError, 'Decryption failed'): wrapped_dec.decrypt(ciphertext, b'wrong_context_info')
def test_add_invalid_key_fails(self): primitive_set = core.new_primitive_set(mac.Mac) key = helper.fake_key() key.ClearField('output_prefix_type') with self.assertRaisesRegex(core.TinkError, 'invalid OutputPrefixType'): primitive_set.add_primitive(helper.FakeMac(), key)
def test_signature_wrapper_is_correctly_registered(self): sig1, key1 = _new_primitive_and_key( signature.signature_key_templates.ECDSA_P256, signature.PublicKeySign, tink_pb2.TINK) sig2, key2 = _new_primitive_and_key( signature.signature_key_templates.ECDSA_P256, signature.PublicKeySign, tink_pb2.TINK) ver1, pubkey1 = _public_primitive_and_key(key1, signature.PublicKeyVerify, tink_pb2.TINK) ver2, pubkey2 = _public_primitive_and_key(key2, signature.PublicKeyVerify, tink_pb2.TINK) pset = core.PrimitiveSet(signature.PublicKeySign) pset.add_primitive(sig1, key1) pset.set_primary(pset.add_primitive(sig2, key2)) wrapped_sig = core.Registry.wrap(pset) pset_verify = core.new_primitive_set(signature.PublicKeyVerify) pset_verify.add_primitive(ver1, pubkey1) pset_verify.set_primary(pset_verify.add_primitive(ver2, pubkey2)) wrapped_ver = core.Registry.wrap(pset_verify) sig = wrapped_sig.sign(b'data') wrapped_ver.verify(sig, b'data')
def _mac_set(mac_list): """Converts a List of Mac in a PrimitiveSet and sets the last primary.""" mac_set = core.new_primitive_set(mac.Mac) for i, primitive in enumerate(mac_list): mac_set.set_primary( mac_set.add_primitive( primitive, helper.fake_key(key_id=i, output_prefix_type=tink_pb2.RAW))) return mac_set
def test_verify_legacy_mac(self): primitive, key = self.new_primitive_key_pair(1234, tink_pb2.LEGACY) pset = core.new_primitive_set(mac.Mac) pset.set_primary(pset.add_primitive(primitive, key)) wrapped_mac = mac_wrapper.MacWrapper().wrap(pset) tag = wrapped_mac.compute_mac(b'data') # No exception raised, no return value. self.assertIsNone(wrapped_mac.verify_mac(tag, b'data'))
def test_verify_old_raw_mac_with_new_key(self): primitive, key = self.new_primitive_key_pair(1234, tink_pb2.RAW) tag = primitive.compute_mac(b'data') pset = core.new_primitive_set(mac.Mac) pset.add_primitive(primitive, key) new_primitive, new_key = self.new_primitive_key_pair(5678, tink_pb2.TINK) pset.set_primary(pset.add_primitive(new_primitive, new_key)) wrapped_mac = mac_wrapper.MacWrapper().wrap(pset) self.assertIsNone(wrapped_mac.verify_mac(tag, b'data'))
def test_primary_returns_primary(self): primitive_set = core.new_primitive_set(mac.Mac) key = helper.fake_key(key_id=1) fake_mac = helper.FakeMac('FakeMac') entry = primitive_set.add_primitive(fake_mac, key) primitive_set.set_primary(entry) entry = primitive_set.primary() self.assertEqual(fake_mac, entry.primitive) self.assertEqual(tink_pb2.ENABLED, entry.status) self.assertEqual(crypto_format.output_prefix(key), entry.identifier)
def test_primitive_from_identifier_returns_entry(self): primitive_set = core.new_primitive_set(mac.Mac) key = helper.fake_key(key_id=1) fake_mac = helper.FakeMac('FakeMac') primitive_set.add_primitive(fake_mac, key) ident = crypto_format.output_prefix(key) entries = primitive_set.primitive_from_identifier(ident) self.assertLen(entries, 1) entry = entries[0] self.assertEqual(fake_mac, entry.primitive) self.assertEqual(tink_pb2.ENABLED, entry.status) self.assertEqual(ident, entry.identifier)
def test_verify_unknown_mac_fails(self): unknown_tag = helper.FakeMac('UnknownfakeMac').compute_mac(b'data') pset = core.new_primitive_set(mac.Mac) primitive, raw_key = self.new_primitive_key_pair(1234, tink_pb2.RAW) new_primitive, new_key = self.new_primitive_key_pair(5678, tink_pb2.TINK) pset.add_primitive(primitive, raw_key) new_entry = pset.add_primitive(new_primitive, new_key) pset.set_primary(new_entry) wrapped_mac = mac_wrapper.MacWrapper().wrap(pset) with self.assertRaisesRegex(core.TinkError, 'invalid MAC'): wrapped_mac.verify_mac(unknown_tag, b'data')
def test_verify_macs_from_two_raw_keys(self): primitive1, raw_key1 = self.new_primitive_key_pair(1234, tink_pb2.RAW) primitive2, raw_key2 = self.new_primitive_key_pair(5678, tink_pb2.RAW) tag1 = primitive1.compute_mac(b'data1') tag2 = primitive2.compute_mac(b'data2') pset = core.new_primitive_set(mac.Mac) pset.add_primitive(primitive1, raw_key1) pset.set_primary(pset.add_primitive(primitive2, raw_key2)) wrapped_mac = mac_wrapper.MacWrapper().wrap(pset) self.assertIsNone(wrapped_mac.verify_mac(tag1, b'data1')) self.assertIsNone(wrapped_mac.verify_mac(tag2, b'data2')) self.assertIsNone( wrapped_mac.verify_mac(wrapped_mac.compute_mac(b'data'), b'data'))
def test_decrypt_unknown_ciphertext_fails(self): unknown_enc = helper.FakeHybridEncrypt('unknownHybrid') unknown_ciphertext = unknown_enc.encrypt(b'plaintext', b'context_info') dec_pset = core.new_primitive_set(hybrid_decrypt.HybridDecrypt) dec1, _, dec1_key, _ = new_primitives_and_keys(1234, tink_pb2.RAW) dec2, _, dec2_key, _ = new_primitives_and_keys(5678, tink_pb2.TINK) dec_pset.add_primitive(dec1, dec1_key) dec_pset.set_primary(dec_pset.add_primitive(dec2, dec2_key)) wrapped_dec = hybrid_decrypt_wrapper.HybridDecryptWrapper().wrap( dec_pset) with self.assertRaisesRegex(core.TinkError, 'Decryption failed'): wrapped_dec.decrypt(unknown_ciphertext, b'context_info')
def test_encrypt_decrypt_two_raw_keys(self): dec1, enc1, dec1_key, _ = new_primitives_and_keys(1234, tink_pb2.RAW) raw_ciphertext1 = enc1.encrypt(b'plaintext1', b'context_info1') dec2, enc2, dec2_key, _ = new_primitives_and_keys(1234, tink_pb2.RAW) raw_ciphertext2 = enc2.encrypt(b'plaintext2', b'context_info2') dec_pset = core.new_primitive_set(hybrid_decrypt.HybridDecrypt) dec_pset.add_primitive(dec1, dec1_key) dec_pset.set_primary(dec_pset.add_primitive(dec2, dec2_key)) wrapped_dec = hybrid_decrypt_wrapper.HybridDecryptWrapper().wrap( dec_pset) self.assertEqual( wrapped_dec.decrypt(raw_ciphertext1, b'context_info1'), b'plaintext1') self.assertEqual( wrapped_dec.decrypt(raw_ciphertext2, b'context_info2'), b'plaintext2')
def test_same_key_id_and_prefix_type(self): primitive_set = core.new_primitive_set(mac.Mac) key1 = helper.fake_key(key_id=1, status=tink_pb2.ENABLED) fake_mac1 = helper.FakeMac('FakeMac1') primitive_set.add_primitive(fake_mac1, key1) key2 = helper.fake_key(key_id=1, status=tink_pb2.DISABLED) fake_mac2 = helper.FakeMac('FakeMac2') primitive_set.add_primitive(fake_mac2, key2) expected_ident = crypto_format.output_prefix(key1) entries = primitive_set.primitive(key1) self.assertLen(entries, 2) self.assertEqual(fake_mac1, entries[0].primitive) self.assertEqual(fake_mac2, entries[1].primitive) self.assertEqual(tink_pb2.ENABLED, entries[0].status) self.assertEqual(tink_pb2.DISABLED, entries[1].status) self.assertEqual(expected_ident, entries[0].identifier) self.assertEqual(expected_ident, entries[1].identifier) self.assertLen(primitive_set.primitive(key2), 2)
def test_raw_primitives(self): primitive_set = core.new_primitive_set(mac.Mac) primitive_set.add_primitive(helper.FakeMac('FakeMac1'), helper.fake_key(key_id=1)) key2 = helper.fake_key(key_id=1, output_prefix_type=tink_pb2.RAW) fake_mac2 = helper.FakeMac('FakeMac2') primitive_set.add_primitive(fake_mac2, key2) key3 = helper.fake_key(key_id=3, status=tink_pb2.DISABLED, output_prefix_type=tink_pb2.RAW) fake_mac3 = helper.FakeMac('FakeMac3') primitive_set.add_primitive(fake_mac3, key3) entries = primitive_set.raw_primitives() self.assertLen(entries, 2) self.assertEqual(fake_mac2, entries[0].primitive) self.assertEqual(tink_pb2.ENABLED, entries[0].status) self.assertEqual(crypto_format.RAW_PREFIX, entries[0].identifier) self.assertEqual(fake_mac3, entries[1].primitive) self.assertEqual(tink_pb2.DISABLED, entries[1].status) self.assertEqual(crypto_format.RAW_PREFIX, entries[1].identifier)
def test_same_key_id_but_different_prefix_type(self): primitive_set = core.new_primitive_set(mac.Mac) key1 = helper.fake_key(key_id=1, output_prefix_type=tink_pb2.TINK) fake_mac1 = helper.FakeMac('FakeMac1') primitive_set.add_primitive(fake_mac1, key1) key2 = helper.fake_key(key_id=1, output_prefix_type=tink_pb2.LEGACY) fake_mac2 = helper.FakeMac('FakeMac2') primitive_set.add_primitive(fake_mac2, key2) entries1 = primitive_set.primitive(key1) self.assertLen(entries1, 1) self.assertEqual(fake_mac1, entries1[0].primitive) self.assertEqual(tink_pb2.ENABLED, entries1[0].status) self.assertEqual(crypto_format.output_prefix(key1), entries1[0].identifier) entries2 = primitive_set.primitive(key2) self.assertLen(entries2, 1) self.assertEqual(fake_mac2, entries2[0].primitive) self.assertEqual(tink_pb2.ENABLED, entries2[0].status) self.assertEqual(crypto_format.output_prefix(key2), entries2[0].identifier)
def test_primary_returns_none(self): primitive_set = core.new_primitive_set(mac.Mac) primitive_set.add_primitive(helper.FakeMac('FakeMac'), helper.fake_key(key_id=1)) self.assertEqual(primitive_set.primary(), None)
def test_unknown_key_returns_empty_list(self): primitive_set = core.new_primitive_set(mac.Mac) unknown_key = helper.fake_key(key_id=1) self.assertEqual(primitive_set.primitive(unknown_key), [])
def test_primitive_class(self): primitive_set = core.new_primitive_set(mac.Mac) self.assertEqual(primitive_set.primitive_class(), mac.Mac)
def test_add_wrong_primitive_fails(self): primitive_set = core.new_primitive_set(aead.Aead) with self.assertRaisesRegex(core.TinkError, 'The primitive is not an instance of '): primitive_set.add_primitive(helper.FakeMac(), helper.fake_key())