def test_encrypt_decrypt(self, key_template_name): if key_template_name in _ADDITIONAL_KEY_TEMPLATES: key_template, supported_langs = _ADDITIONAL_KEY_TEMPLATES[ key_template_name] else: key_template = supported_key_types.KEY_TEMPLATE[key_template_name] supported_langs = ( supported_key_types. SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[key_template_name]) self.assertNotEmpty(supported_langs) # Take the first supported language to generate the private keyset. private_keyset = testing_servers.new_keyset(supported_langs[0], key_template) supported_decs = [ testing_servers.hybrid_decrypt(lang, private_keyset) for lang in supported_langs ] unsupported_decs = [ testing_servers.hybrid_decrypt(lang, private_keyset) for lang in SUPPORTED_LANGUAGES if lang not in supported_langs ] public_keyset = testing_servers.public_keyset(supported_langs[0], private_keyset) supported_encs = [ testing_servers.hybrid_encrypt(lang, public_keyset) for lang in supported_langs ] unsupported_encs = [ testing_servers.hybrid_encrypt(lang, public_keyset) for lang in testing_servers.LANGUAGES if lang not in supported_langs ] for enc in supported_encs: plaintext = ( b'This is some plaintext message to be encrypted using key_template ' b'%s in %s.' % (key_template_name.encode('utf8'), enc.lang.encode('utf8'))) context_info = ( b'Some context info for %s using %s for encryption.' % (key_template_name.encode('utf8'), enc.lang.encode('utf8'))) ciphertext = enc.encrypt(plaintext, context_info) for dec in supported_decs: output = dec.decrypt(ciphertext, context_info) self.assertEqual(output, plaintext) for dec in unsupported_decs: with self.assertRaises( tink.TinkError, msg= 'Language %s supports hybrid decrypt with %s unexpectedly' % (dec.lang, key_template_name)): dec.decrypt(ciphertext, context_info) for enc in unsupported_encs: with self.assertRaises( tink.TinkError, msg= 'Language %s supports hybrid encrypt with %s unexpectedly' % (enc.lang, key_template_name)): enc.encrypt(b'plaintext', b'context_info')
def test_key_rotation(self, enc_lang, dec_lang, old_key_tmpl, new_key_tmpl): # Do a key rotation from an old key generated from old_key_tmpl to a new # key generated from new_key_tmpl. Encryption and decryption are done # in languages enc_lang and dec_lang. builder = keyset_builder.new_keyset_builder() older_key_id = builder.add_new_key(old_key_tmpl) builder.set_primary_key(older_key_id) dec1 = testing_servers.hybrid_decrypt(enc_lang, builder.keyset()) enc1 = testing_servers.hybrid_encrypt(dec_lang, builder.public_keyset()) newer_key_id = builder.add_new_key(new_key_tmpl) dec2 = testing_servers.hybrid_decrypt(enc_lang, builder.keyset()) enc2 = testing_servers.hybrid_encrypt(dec_lang, builder.public_keyset()) builder.set_primary_key(newer_key_id) dec3 = testing_servers.hybrid_decrypt(enc_lang, builder.keyset()) enc3 = testing_servers.hybrid_encrypt(dec_lang, builder.public_keyset()) builder.disable_key(older_key_id) dec4 = testing_servers.hybrid_decrypt(enc_lang, builder.keyset()) enc4 = testing_servers.hybrid_encrypt(dec_lang, builder.public_keyset()) self.assertNotEqual(older_key_id, newer_key_id) # p1 encrypts with the older key. So p1, p2 and p3 can decrypt it, # but not p4. ciphertext1 = enc1.encrypt(b'plaintext', b'context') self.assertEqual(dec1.decrypt(ciphertext1, b'context'), b'plaintext') self.assertEqual(dec2.decrypt(ciphertext1, b'context'), b'plaintext') self.assertEqual(dec3.decrypt(ciphertext1, b'context'), b'plaintext') with self.assertRaises(tink.TinkError): _ = dec4.decrypt(ciphertext1, b'context') # p2 encrypts with the older key. So p1, p2 and p3 can decrypt it, # but not p4. ciphertext2 = enc2.encrypt(b'plaintext', b'context') self.assertEqual(dec1.decrypt(ciphertext2, b'context'), b'plaintext') self.assertEqual(dec2.decrypt(ciphertext2, b'context'), b'plaintext') self.assertEqual(dec3.decrypt(ciphertext2, b'context'), b'plaintext') with self.assertRaises(tink.TinkError): _ = dec4.decrypt(ciphertext2, b'context') # p3 encrypts with the newer key. So p2, p3 and p4 can decrypt it, # but not p1. ciphertext3 = enc3.encrypt(b'plaintext', b'context') with self.assertRaises(tink.TinkError): _ = dec1.decrypt(ciphertext3, b'context') self.assertEqual(dec2.decrypt(ciphertext3, b'context'), b'plaintext') self.assertEqual(dec3.decrypt(ciphertext3, b'context'), b'plaintext') self.assertEqual(dec4.decrypt(ciphertext3, b'context'), b'plaintext') # p4 encrypts with the newer key. So p2, p3 and p4 can decrypt it, # but not p1. ciphertext4 = enc4.encrypt(b'plaintext', b'context') with self.assertRaises(tink.TinkError): _ = dec1.decrypt(ciphertext4, b'context') self.assertEqual(dec2.decrypt(ciphertext4, b'context'), b'plaintext') self.assertEqual(dec3.decrypt(ciphertext4, b'context'), b'plaintext') self.assertEqual(dec4.decrypt(ciphertext4, b'context'), b'plaintext')
def test_hybrid_without_primary(self, key_template_name, lang): """Unsets the primary key and tries to use hybrid encryption.""" template = supported_key_types.KEY_TEMPLATE[key_template_name] private_keyset = testing_servers.new_keyset(lang, template) public_keyset = testing_servers.public_keyset(lang, private_keyset) ciphertext = testing_servers.hybrid_encrypt( lang, public_keyset).encrypt(b'foo', b'context_info') dec_without_primary = testing_servers.hybrid_decrypt( lang, unset_primary(private_keyset)) with self.assertRaises(tink.TinkError): dec_without_primary.decrypt(ciphertext, b'context_info') enc_without_primary = testing_servers.hybrid_encrypt( lang, unset_primary(public_keyset)) with self.assertRaises(tink.TinkError): enc_without_primary.encrypt(b'foo', b'context_info')
def test_encrypt_decrypt(self, key_template_name, supported_langs): self.assertNotEmpty(supported_langs) key_template = supported_key_types.KEY_TEMPLATE[key_template_name] # Take the first supported language to generate the private keyset. private_keyset = testing_servers.new_keyset(supported_langs[0], key_template) supported_decs = [ testing_servers.hybrid_decrypt(lang, private_keyset) for lang in supported_langs ] unsupported_decs = [ testing_servers.hybrid_decrypt(lang, private_keyset) for lang in SUPPORTED_LANGUAGES if lang not in supported_langs ] public_keyset = testing_servers.public_keyset('java', private_keyset) supported_encs = [ testing_servers.hybrid_encrypt(lang, public_keyset) for lang in supported_langs ] unsupported_encs = [ testing_servers.hybrid_encrypt(lang, public_keyset) for lang in testing_servers.LANGUAGES if lang not in supported_langs ] for enc in supported_encs: plaintext = ( b'This is some plaintext message to be encrypted using key_template ' b'%s in %s.' % (key_template_name.encode('utf8'), enc.lang.encode('utf8'))) context_info = ( b'Some context info for %s using %s for encryption.' % (key_template_name.encode('utf8'), enc.lang.encode('utf8'))) ciphertext = enc.encrypt(plaintext, context_info) for dec in supported_decs: output = dec.decrypt(ciphertext, context_info) self.assertEqual(output, plaintext) for dec in unsupported_decs: with self.assertRaises(tink.TinkError): dec.decrypt(ciphertext, context_info) for enc in unsupported_encs: with self.assertRaises(tink.TinkError): enc.encrypt(b'plaintext', b'context_info')
def test_encrypt_decrypt(self, key_template_name, supported_langs): key_template = supported_key_types.KEY_TEMPLATE[key_template_name] private_handle = testing_servers.new_keyset_handle( 'java', key_template) supported_decs = [ testing_servers.hybrid_decrypt(lang, private_handle) for lang in supported_langs ] unsupported_decs = [ testing_servers.hybrid_decrypt(lang, private_handle) for lang in testing_servers.LANGUAGES if lang not in supported_langs ] public_handle = private_handle.public_keyset_handle() supported_encs = [ testing_servers.hybrid_encrypt(lang, public_handle) for lang in supported_langs ] unsupported_encs = [ testing_servers.hybrid_encrypt(lang, public_handle) for lang in testing_servers.LANGUAGES if lang not in supported_langs ] for enc in supported_encs: plaintext = ( b'This is some plaintext message to be encrypted using key_template ' b'%s in %s.' % (key_template_name.encode('utf8'), enc.lang.encode('utf8'))) context_info = ( b'Some context info for %s using %s for encryption.' % (key_template_name.encode('utf8'), enc.lang.encode('utf8'))) ciphertext = enc.encrypt(plaintext, context_info) for dec in supported_decs: output = dec.decrypt(ciphertext, context_info) self.assertEqual(output, plaintext) for dec in unsupported_decs: with self.assertRaises(tink.TinkError): dec.decrypt(ciphertext, context_info) for enc in unsupported_encs: with self.assertRaises(tink.TinkError): enc.encrypt(b'plaintext', b'context_info')
def test_hybrid(self, lang): private_handle = testing_servers.new_keyset( lang, hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM) public_handle = testing_servers.public_keyset(lang, private_handle) enc_primitive = testing_servers.hybrid_encrypt(lang, public_handle) data = b'The quick brown fox jumps over the lazy dog' context_info = b'context' ciphertext = enc_primitive.encrypt(data, context_info) dec_primitive = testing_servers.hybrid_decrypt(lang, private_handle) output = dec_primitive.decrypt(ciphertext, context_info) self.assertEqual(output, data) with self.assertRaises(tink.TinkError): dec_primitive.decrypt(b'foo', context_info)