def test_key_rotation(self, enc_lang, dec_lang, old_key_tmpl, new_key_tmpl): # Do a key rotation from an old key generated from old_key_tmpl to a new # key generated from new_key_tmpl. Encryption and decryption are done # in languages enc_lang and dec_lang. builder = keyset_builder.new_keyset_builder() older_key_id = builder.add_new_key(old_key_tmpl) builder.set_primary_key(older_key_id) enc_aead1 = testing_servers.aead(enc_lang, builder.keyset()) dec_aead1 = testing_servers.aead(dec_lang, builder.keyset()) newer_key_id = builder.add_new_key(new_key_tmpl) enc_aead2 = testing_servers.aead(enc_lang, builder.keyset()) dec_aead2 = testing_servers.aead(dec_lang, builder.keyset()) builder.set_primary_key(newer_key_id) enc_aead3 = testing_servers.aead(enc_lang, builder.keyset()) dec_aead3 = testing_servers.aead(dec_lang, builder.keyset()) builder.disable_key(older_key_id) enc_aead4 = testing_servers.aead(enc_lang, builder.keyset()) dec_aead4 = testing_servers.aead(dec_lang, builder.keyset()) self.assertNotEqual(older_key_id, newer_key_id) # 1 encrypts with the older key. So 1, 2 and 3 can decrypt it, but not 4. ciphertext1 = enc_aead1.encrypt(b'plaintext', b'ad') self.assertEqual(dec_aead1.decrypt(ciphertext1, b'ad'), b'plaintext') self.assertEqual(dec_aead2.decrypt(ciphertext1, b'ad'), b'plaintext') self.assertEqual(dec_aead3.decrypt(ciphertext1, b'ad'), b'plaintext') with self.assertRaises(tink.TinkError): _ = dec_aead4.decrypt(ciphertext1, b'ad') # 2 encrypts with the older key. So 1, 2 and 3 can decrypt it, but not 4. ciphertext2 = enc_aead2.encrypt(b'plaintext', b'ad') self.assertEqual(dec_aead1.decrypt(ciphertext2, b'ad'), b'plaintext') self.assertEqual(dec_aead2.decrypt(ciphertext2, b'ad'), b'plaintext') self.assertEqual(dec_aead3.decrypt(ciphertext2, b'ad'), b'plaintext') with self.assertRaises(tink.TinkError): _ = dec_aead4.decrypt(ciphertext2, b'ad') # 3 encrypts with the newer key. So 2, 3 and 4 can decrypt it, but not 1. ciphertext3 = enc_aead3.encrypt(b'plaintext', b'ad') with self.assertRaises(tink.TinkError): _ = dec_aead1.decrypt(ciphertext3, b'ad') self.assertEqual(dec_aead2.decrypt(ciphertext3, b'ad'), b'plaintext') self.assertEqual(dec_aead3.decrypt(ciphertext3, b'ad'), b'plaintext') self.assertEqual(dec_aead4.decrypt(ciphertext3, b'ad'), b'plaintext') # 4 encrypts with the newer key. So 2, 3 and 4 can decrypt it, but not 1. ciphertext4 = enc_aead4.encrypt(b'plaintext', b'ad') with self.assertRaises(tink.TinkError): _ = dec_aead1.decrypt(ciphertext4, b'ad') self.assertEqual(dec_aead2.decrypt(ciphertext4, b'ad'), b'plaintext') self.assertEqual(dec_aead3.decrypt(ciphertext4, b'ad'), b'plaintext') self.assertEqual(dec_aead4.decrypt(ciphertext4, b'ad'), b'plaintext')
def test_key_rotation(self, compute_lang, verify_lang, old_key_tmpl, new_key_tmpl): # Do a key rotation from an old key generated from old_key_tmpl to a new # key generated from new_key_tmpl. MAC computation and verification are done # in languages compute_lang and verify_lang. builder = keyset_builder.new_keyset_builder() older_key_id = builder.add_new_key(old_key_tmpl) builder.set_primary_key(older_key_id) compute_mac1 = testing_servers.mac(compute_lang, builder.keyset()) verify_mac1 = testing_servers.mac(verify_lang, builder.keyset()) newer_key_id = builder.add_new_key(new_key_tmpl) compute_mac2 = testing_servers.mac(compute_lang, builder.keyset()) verify_mac2 = testing_servers.mac(verify_lang, builder.keyset()) builder.set_primary_key(newer_key_id) compute_mac3 = testing_servers.mac(compute_lang, builder.keyset()) verify_mac3 = testing_servers.mac(verify_lang, builder.keyset()) builder.disable_key(older_key_id) compute_mac4 = testing_servers.mac(compute_lang, builder.keyset()) verify_mac4 = testing_servers.mac(verify_lang, builder.keyset()) self.assertNotEqual(older_key_id, newer_key_id) # 1 uses the older key. So 1, 2 and 3 can verify the mac, but not 4. mac_value1 = compute_mac1.compute_mac(b'plaintext') verify_mac1.verify_mac(mac_value1, b'plaintext') verify_mac2.verify_mac(mac_value1, b'plaintext') verify_mac3.verify_mac(mac_value1, b'plaintext') with self.assertRaises(tink.TinkError): verify_mac4.verify_mac(mac_value1, b'plaintext') # 2 uses the older key. So 1, 2 and 3 can verify the mac, but not 4. mac_value2 = compute_mac2.compute_mac(b'plaintext') verify_mac1.verify_mac(mac_value2, b'plaintext') verify_mac2.verify_mac(mac_value2, b'plaintext') verify_mac3.verify_mac(mac_value2, b'plaintext') with self.assertRaises(tink.TinkError): verify_mac4.verify_mac(mac_value2, b'plaintext') # 3 uses the newer key. So 2, 3 and 4 can verify the mac, but not 1. mac_value3 = compute_mac3.compute_mac(b'plaintext') with self.assertRaises(tink.TinkError): verify_mac1.verify_mac(mac_value3, b'plaintext') verify_mac2.verify_mac(mac_value3, b'plaintext') verify_mac3.verify_mac(mac_value3, b'plaintext') verify_mac4.verify_mac(mac_value3, b'plaintext') # 4 uses the newer key. So 2, 3 and 4 can verify the mac, but not 1. mac_value4 = compute_mac4.compute_mac(b'plaintext') with self.assertRaises(tink.TinkError): verify_mac1.verify_mac(mac_value4, b'plaintext') verify_mac2.verify_mac(mac_value4, b'plaintext') verify_mac3.verify_mac(mac_value4, b'plaintext') verify_mac4.verify_mac(mac_value4, b'plaintext')
def test_key_rotation(self): builder = keyset_builder.new_keyset_builder() older_key_id = builder.add_new_key(aead.aead_key_templates.AES128_GCM) builder.set_primary_key(older_key_id) p1 = builder.keyset_handle().primitive(aead.Aead) newer_key_id = builder.add_new_key(aead.aead_key_templates.AES128_GCM) p2 = builder.keyset_handle().primitive(aead.Aead) builder.set_primary_key(newer_key_id) p3 = builder.keyset_handle().primitive(aead.Aead) builder.disable_key(older_key_id) p4 = builder.keyset_handle().primitive(aead.Aead) builder.delete_key(older_key_id) self.assertNotEqual(older_key_id, newer_key_id) # p1 encrypts with the older key. So p1, p2 and p3 can decrypt it, # but not p4. ciphertext1 = p1.encrypt(b'plaintext', b'ad') self.assertEqual(p1.decrypt(ciphertext1, b'ad'), b'plaintext') self.assertEqual(p2.decrypt(ciphertext1, b'ad'), b'plaintext') self.assertEqual(p3.decrypt(ciphertext1, b'ad'), b'plaintext') with self.assertRaises(tink.TinkError): _ = p4.decrypt(ciphertext1, b'ad') # p2 encrypts with the older key. So p1, p2 and p3 can decrypt it, # but not p4. ciphertext2 = p2.encrypt(b'plaintext', b'ad') self.assertEqual(p1.decrypt(ciphertext2, b'ad'), b'plaintext') self.assertEqual(p2.decrypt(ciphertext2, b'ad'), b'plaintext') self.assertEqual(p3.decrypt(ciphertext2, b'ad'), b'plaintext') with self.assertRaises(tink.TinkError): _ = p4.decrypt(ciphertext2, b'ad') # p3 encrypts with the newer key. So p2, p3 and p4 can decrypt it, # but not p1. ciphertext3 = p3.encrypt(b'plaintext', b'ad') with self.assertRaises(tink.TinkError): _ = p1.decrypt(ciphertext3, b'ad') self.assertEqual(p2.decrypt(ciphertext3, b'ad'), b'plaintext') self.assertEqual(p3.decrypt(ciphertext3, b'ad'), b'plaintext') self.assertEqual(p4.decrypt(ciphertext3, b'ad'), b'plaintext') # p4 encrypts with the newer key. So p2, p3 and p4 can decrypt it, # but not p1. ciphertext4 = p3.encrypt(b'plaintext', b'ad') with self.assertRaises(tink.TinkError): _ = p1.decrypt(ciphertext4, b'ad') self.assertEqual(p2.decrypt(ciphertext4, b'ad'), b'plaintext') self.assertEqual(p3.decrypt(ciphertext4, b'ad'), b'plaintext') self.assertEqual(p4.decrypt(ciphertext4, b'ad'), b'plaintext')
def test_operation_on_unknown_key_fails(self): builder = keyset_builder.new_keyset_builder() key_id = builder.add_new_key(aead.aead_key_templates.AES128_GCM) unknown_key_id = key_id + 1 with self.assertRaises(tink.TinkError): builder.set_primary_key(unknown_key_id) with self.assertRaises(tink.TinkError): builder.enable_key(unknown_key_id) with self.assertRaises(tink.TinkError): builder.disable_key(unknown_key_id) with self.assertRaises(tink.TinkError): builder.delete_key(unknown_key_id)
def test_keyset_conversion(self): builder1 = keyset_builder.new_keyset_builder() new_key_id = builder1.add_new_key(aead.aead_key_templates.AES128_GCM) builder1.set_primary_key(new_key_id) keyset = builder1.keyset() keyset_handle1 = builder1.keyset_handle() p1 = keyset_handle1.primitive(aead.Aead) builder2 = keyset_builder.from_keyset(keyset) keyset_handle2 = builder2.keyset_handle() p2 = keyset_handle2.primitive(aead.Aead) ciphertext = p1.encrypt(b'plaintext', b'ad') self.assertEqual(p2.decrypt(ciphertext, b'ad'), b'plaintext')
def test_set_primary_success(self): builder = keyset_builder.new_keyset_builder() secondary_key_id = builder.add_new_key( aead.aead_key_templates.AES128_GCM) builder.set_primary_key(secondary_key_id)
def test_add_new_key_new_id(self): builder = keyset_builder.new_keyset_builder() key_id1 = builder.add_new_key(aead.aead_key_templates.AES128_GCM) key_id2 = builder.add_new_key(aead.aead_key_templates.AES128_GCM) self.assertNotEqual(key_id1, key_id2)
def gen_keyset_with_2_prfs() -> bytes: builder = keyset_builder.new_keyset_builder() builder.add_new_key(prf.prf_key_templates.HMAC_SHA256) primary_key_id = builder.add_new_key(prf.prf_key_templates.HKDF_SHA256) builder.set_primary_key(primary_key_id) return builder.keyset()
def gen_keyset(key_template_name: Text) -> bytes: builder = keyset_builder.new_keyset_builder() primary_key_id = builder.add_new_key( supported_key_types.KEY_TEMPLATE[key_template_name]) builder.set_primary_key(primary_key_id) return builder.keyset()
def test_key_rotation(self, enc_lang, dec_lang): # Do a key rotation from an old key to a new key. # Encryption and decryption are done in languages enc_lang and dec_lang. builder = keyset_builder.new_keyset_builder() older_key_id = builder.add_new_key( streaming_aead.streaming_aead_key_templates.AES128_GCM_HKDF_4KB) builder.set_primary_key(older_key_id) enc1 = testing_servers.streaming_aead(enc_lang, builder.keyset()) dec1 = testing_servers.streaming_aead(dec_lang, builder.keyset()) newer_key_id = builder.add_new_key( streaming_aead.streaming_aead_key_templates.AES256_GCM_HKDF_4KB) enc2 = testing_servers.streaming_aead(enc_lang, builder.keyset()) dec2 = testing_servers.streaming_aead(dec_lang, builder.keyset()) builder.set_primary_key(newer_key_id) enc3 = testing_servers.streaming_aead(enc_lang, builder.keyset()) dec3 = testing_servers.streaming_aead(dec_lang, builder.keyset()) builder.disable_key(older_key_id) enc4 = testing_servers.streaming_aead(enc_lang, builder.keyset()) dec4 = testing_servers.streaming_aead(dec_lang, builder.keyset()) self.assertNotEqual(older_key_id, newer_key_id) # 1 encrypts with the older key. So 1, 2 and 3 can decrypt it, but not 4. plaintext = LONG_PLAINTEXT ad = b'associated_data' ciphertext1 = enc1.new_encrypting_stream(io.BytesIO(plaintext), ad).read() self.assertEqual( dec1.new_decrypting_stream(io.BytesIO(ciphertext1), ad).read(), plaintext) self.assertEqual( dec2.new_decrypting_stream(io.BytesIO(ciphertext1), ad).read(), plaintext) self.assertEqual( dec3.new_decrypting_stream(io.BytesIO(ciphertext1), ad).read(), plaintext) with self.assertRaises(tink.TinkError): _ = dec4.new_decrypting_stream(io.BytesIO(ciphertext1), ad).read() # 2 encrypts with the older key. So 1, 2 and 3 can decrypt it, but not 4. ciphertext2 = enc2.new_encrypting_stream(io.BytesIO(plaintext), ad).read() self.assertEqual( dec1.new_decrypting_stream(io.BytesIO(ciphertext2), ad).read(), plaintext) self.assertEqual( dec2.new_decrypting_stream(io.BytesIO(ciphertext2), ad).read(), plaintext) self.assertEqual( dec3.new_decrypting_stream(io.BytesIO(ciphertext2), ad).read(), plaintext) with self.assertRaises(tink.TinkError): _ = dec4.new_decrypting_stream(io.BytesIO(ciphertext2), ad).read() # 3 encrypts with the newer key. So 2, 3 and 4 can decrypt it, but not 1. ciphertext3 = enc3.new_encrypting_stream(io.BytesIO(plaintext), ad).read() with self.assertRaises(tink.TinkError): _ = dec1.new_decrypting_stream(io.BytesIO(ciphertext3), ad).read() self.assertEqual( dec2.new_decrypting_stream(io.BytesIO(ciphertext3), ad).read(), plaintext) self.assertEqual( dec3.new_decrypting_stream(io.BytesIO(ciphertext3), ad).read(), plaintext) self.assertEqual( dec4.new_decrypting_stream(io.BytesIO(ciphertext3), ad).read(), plaintext) # 4 encrypts with the newer key. So 2, 3 and 4 can decrypt it, but not 1. ciphertext4 = enc4.new_encrypting_stream(io.BytesIO(plaintext), ad).read() with self.assertRaises(tink.TinkError): _ = dec1.new_decrypting_stream(io.BytesIO(ciphertext4), ad).read() self.assertEqual( dec2.new_decrypting_stream(io.BytesIO(ciphertext4), ad).read(), plaintext) self.assertEqual( dec3.new_decrypting_stream(io.BytesIO(ciphertext4), ad).read(), plaintext) self.assertEqual( dec4.new_decrypting_stream(io.BytesIO(ciphertext4), ad).read(), plaintext)