def test_read_write_encrypted_keyset(self, lang):
keyset = testing_servers.new_keyset(lang,
aead.aead_key_templates.AES128_GCM)
master_keyset = testing_servers.new_keyset(
lang, aead.aead_key_templates.AES128_GCM)
encrypted_keyset = testing_servers.keyset_write_encrypted(
lang, keyset, master_keyset, b'associated_data')
output_keyset = testing_servers.keyset_read_encrypted(
lang, encrypted_keyset, master_keyset, b'associated_data')
self.assertEqual(output_keyset, keyset)
with self.assertRaises(tink.TinkError):
testing_servers.keyset_read_encrypted(lang, encrypted_keyset,
master_keyset,
b'invalid_associated_data')
with self.assertRaises(tink.TinkError):
testing_servers.keyset_read_encrypted(lang, b'invalid_encrypted_keyset',
master_keyset,
b'associated_data')
with self.assertRaises(tink.TinkError):
testing_servers.keyset_read_encrypted(lang, encrypted_keyset,
b'invalid_master_keyset',
b'associated_data')
with self.assertRaises(tink.TinkError):
testing_servers.keyset_write_encrypted(lang, keyset,
b'invalid_master_keyset',
b'associated_data')
def test_jwt_signature_without_primary(self, key_template_name, lang):
"""Unsets the primary key and tries to sign and verify JWT signatures."""
template = supported_key_types.KEY_TEMPLATE[key_template_name]
private_keyset = testing_servers.new_keyset(lang, template)
public_keyset = testing_servers.public_keyset(lang, private_keyset)
signer = testing_servers.jwt_public_key_sign(lang, private_keyset)
now = datetime.datetime.now(tz=datetime.timezone.utc)
raw_jwt = jwt.new_raw_jwt(issuer='issuer',
expiration=now +
datetime.timedelta(seconds=100))
token = signer.sign_and_encode(raw_jwt)
signer_without_primary = testing_servers.jwt_public_key_sign(
lang, unset_primary(private_keyset))
with self.assertRaises(tink.TinkError):
signer_without_primary.sign_and_encode(raw_jwt)
verifier_without_primary = testing_servers.jwt_public_key_verify(
lang, unset_primary(public_keyset))
validator = jwt.new_validator(expected_issuer='issuer', fixed_now=now)
if lang in ['cc', 'java', 'python']:
# C++, Java and Python currently allow this.
verifier_without_primary.verify_and_decode(token, validator)
else:
with self.assertRaises(tink.TinkError):
verifier_without_primary.verify_and_decode(token, validator)
def test_jwt_mac(self, lang):
keyset = testing_servers.new_keyset(lang, jwt.jwt_hs256_template())
jwt_mac_primitive = testing_servers.jwt_mac(lang, keyset)
now = datetime.datetime.now(tz=datetime.timezone.utc)
token = jwt.new_raw_jwt(issuer='issuer',
subject='subject',
audiences=['audience1', 'audience2'],
jwt_id='jwt_id',
expiration=now +
datetime.timedelta(seconds=10),
custom_claims={
'switch': True,
'pi': 3.14159
})
compact = jwt_mac_primitive.compute_mac_and_encode(token)
validator = jwt.new_validator(audience='audience1', fixed_now=now)
# HERE
verified_jwt = jwt_mac_primitive.verify_mac_and_decode(
compact, validator)
self.assertEqual(verified_jwt.issuer(), 'issuer')
self.assertEqual(verified_jwt.subject(), 'subject')
self.assertEqual(verified_jwt.jwt_id(), 'jwt_id')
self.assertEqual(verified_jwt.custom_claim('switch'), True)
self.assertEqual(verified_jwt.custom_claim('pi'), 3.14159)
validator2 = jwt.new_validator(audience='wrong_audience',
fixed_now=now)
with self.assertRaises(tink.TinkError):
jwt_mac_primitive.verify_mac_and_decode(compact, validator2)
def test_compute_verify_mac(self, key_template_name, key_template):
key_type = supported_key_types.KEY_TYPE_FROM_URL[key_template.type_url]
supported_langs = supported_key_types.SUPPORTED_LANGUAGES[key_type]
self.assertNotEmpty(supported_langs)
# Take the first supported language to generate the keyset.
keyset = testing_servers.new_keyset(supported_langs[0], key_template)
supported_macs = [
testing_servers.mac(lang, keyset) for lang in supported_langs
]
unsupported_macs = [
testing_servers.mac(lang, keyset) for lang in SUPPORTED_LANGUAGES
if lang not in supported_langs
]
for p in supported_macs:
data = (
b'This is some data to be authenticated using key_template '
b'%s in %s.' %
(key_template_name.encode('utf8'), p.lang.encode('utf8')))
mac_value = p.compute_mac(data)
for p2 in supported_macs:
self.assertIsNone(p2.verify_mac(mac_value, data))
for p2 in unsupported_macs:
with self.assertRaises(
tink.TinkError,
msg=
'Language %s supports verify_mac with %s unexpectedly'
% (p2.lang, key_template_name)):
p2.verify_mac(mac_value, data)
for p in unsupported_macs:
with self.assertRaises(
tink.TinkError,
msg='Language %s supports compute_mac with %s unexpectedly'
% (p.lang, key_template_name)):
p.compute_mac(data)
def test_encrypt_decrypt(self, key_template_name, supported_langs):
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
keyset = testing_servers.new_keyset('java', key_template)
supported_daeads = [
testing_servers.deterministic_aead(lang, keyset)
for lang in supported_langs
]
self.assertNotEmpty(supported_daeads)
unsupported_daeads = [
testing_servers.deterministic_aead(lang, keyset)
for lang in SUPPORTED_LANGUAGES if lang not in supported_langs
]
plaintext = (b'This is some plaintext message to be encrypted using '
b'key_template %s.' % key_template_name.encode('utf8'))
associated_data = (b'Some associated data for %s.' %
key_template_name.encode('utf8'))
ciphertext = None
for p in supported_daeads:
if ciphertext:
self.assertEqual(
ciphertext,
p.encrypt_deterministically(plaintext, associated_data))
else:
ciphertext = p.encrypt_deterministically(
plaintext, associated_data)
for p2 in supported_daeads:
output = p2.decrypt_deterministically(ciphertext, associated_data)
self.assertEqual(output, plaintext)
for p2 in unsupported_daeads:
with self.assertRaises(tink.TinkError):
p2.decrypt_deterministically(ciphertext, associated_data)
for p in unsupported_daeads:
with self.assertRaises(tink.TinkError):
p.encrypt_deterministically(b'plaintext', b'associated_data')
def test_compute_verify_mac(self, key_template_name):
supported_langs = supported_key_types.SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[
key_template_name]
self.assertNotEmpty(supported_langs)
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
# Take the first supported language to generate the keyset.
keyset = testing_servers.new_keyset(supported_langs[0], key_template)
supported_macs = [
testing_servers.mac(lang, keyset) for lang in supported_langs
]
unsupported_macs = [
testing_servers.mac(lang, keyset) for lang in SUPPORTED_LANGUAGES
if lang not in supported_langs
]
for p in supported_macs:
data = (
b'This is some data to be authenticated using key_template '
b'%s in %s.' %
(key_template_name.encode('utf8'), p.lang.encode('utf8')))
mac_value = p.compute_mac(data)
for p2 in supported_macs:
self.assertIsNone(p2.verify_mac(mac_value, data))
for p2 in unsupported_macs:
with self.assertRaises(tink.TinkError):
p2.verify_mac(mac_value, data)
for p in unsupported_macs:
with self.assertRaises(tink.TinkError):
p.compute_mac(data)
def test_convert_to_raw_fails(self, template_name):
"""Make sure that "wrapped" AEADs don't accept the raw AEAD ciphertext."""
supported_langs = supported_key_types.SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[
template_name]
self.assertNotEmpty(supported_langs)
template = supported_key_types.KEY_TEMPLATE[template_name]
if template.output_prefix_type == tink_pb2.RAW:
# ciphertext is already raw, so there is nothing to test.
return
keyset = testing_servers.new_keyset(supported_langs[0], template)
ciphertext = testing_servers.aead(supported_langs[0], keyset).encrypt(
b'plaintext', b'aad')
for lang in supported_langs:
primitive = testing_servers.aead(lang, keyset)
# all non-raw keys add a 5 byte prefix to the raw ciphertext. Remove it
# and try to decrypt.
raw_ciphertext = ciphertext[:5]
with self.assertRaises(
tink.TinkError,
msg=
'non-raw ciphertext with 5 byte tink header removed did not '
'cause a decryption error in %s. keyset="%s", '
'modified_ciphertext="%s"' %
(lang, keyset.hex(), raw_ciphertext.hex())):
primitive.decrypt(raw_ciphertext, b'aad')
def test_key_generation_consistency(self, name, template):
supported_langs = TYPE_URL_TO_SUPPORTED_LANGUAGES[template.type_url]
failures = 0
results = {}
for lang in supported_langs:
try:
_ = testing_servers.new_keyset(lang, template)
if (name, lang) in SUCCEEDS_BUT_SHOULD_FAIL:
failures += 1
if (name, lang) in FAILS_BUT_SHOULD_SUCCEED:
self.fail(
'(%s, %s) succeeded, but is in FAILS_BUT_SHOULD_SUCCEED'
% (name, lang))
results[lang] = 'success'
except tink.TinkError as e:
if (name, lang) not in FAILS_BUT_SHOULD_SUCCEED:
failures += 1
if (name, lang) in SUCCEEDS_BUT_SHOULD_FAIL:
self.fail(
'(%s, %s) is in SUCCEEDS_BUT_SHOULD_FAIL, but failed with %s'
% (name, lang, e))
results[lang] = e
# Test that either all supported langs accept the template, or all reject.
if failures not in [0, len(supported_langs)]:
self.fail('key generation for template %s is inconsistent: %s' %
(name, results))
def test_encrypt_decrypt(self, key_template_name, supported_langs):
self.assertNotEmpty(supported_langs)
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
# Take the first supported language to generate the keyset.
keyset = testing_servers.new_keyset(supported_langs[0], key_template)
supported_aeads = [
testing_servers.aead(lang, keyset) for lang in supported_langs
]
unsupported_aeads = [
testing_servers.aead(lang, keyset) for lang in SUPPORTED_LANGUAGES
if lang not in supported_langs
]
for p in supported_aeads:
plaintext = (
b'This is some plaintext message to be encrypted using key_template '
b'%s using %s for encryption.' %
(key_template_name.encode('utf8'), p.lang.encode('utf8')))
associated_data = (
b'Some associated data for %s using %s for encryption.' %
(key_template_name.encode('utf8'), p.lang.encode('utf8')))
ciphertext = p.encrypt(plaintext, associated_data)
for p2 in supported_aeads:
output = p2.decrypt(ciphertext, associated_data)
self.assertEqual(output, plaintext)
for p2 in unsupported_aeads:
with self.assertRaises(tink.TinkError):
p2.decrypt(ciphertext, associated_data)
for p in unsupported_aeads:
with self.assertRaises(tink.TinkError):
p.encrypt(b'plaintext', b'associated_data')
def test_jwt_public_key_sign_verify(self, lang):
key_format = jwt_ecdsa_pb2.JwtEcdsaKeyFormat(
algorithm=jwt_ecdsa_pb2.ES256)
key_template = tink_pb2.KeyTemplate(
type_url='type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey',
value=key_format.SerializeToString(),
output_prefix_type=tink_pb2.RAW)
private_keyset = testing_servers.new_keyset(lang, key_template)
public_keyset = testing_servers.public_keyset(lang, private_keyset)
signer = testing_servers.jwt_public_key_sign(lang, private_keyset)
verifier = testing_servers.jwt_public_key_verify(lang, public_keyset)
now = datetime.datetime.now(tz=datetime.timezone.utc)
token = jwt.new_raw_jwt(
issuer='issuer',
subject='subject',
audiences=['audience1', 'audience2'],
jwt_id='jwt_id',
expiration=now + datetime.timedelta(seconds=10),
custom_claims={'switch': True, 'pi': 3.14159})
compact = signer.sign_and_encode(token)
validator = jwt.new_validator(audience='audience1', fixed_now=now)
verified_jwt = verifier.verify_and_decode(compact, validator)
self.assertEqual(verified_jwt.issuer(), 'issuer')
self.assertEqual(verified_jwt.subject(), 'subject')
self.assertEqual(verified_jwt.jwt_id(), 'jwt_id')
self.assertEqual(verified_jwt.custom_claim('switch'), True)
self.assertEqual(verified_jwt.custom_claim('pi'), 3.14159)
validator2 = jwt.new_validator(audience='wrong_audience', fixed_now=now)
with self.assertRaises(tink.TinkError):
verifier.verify_and_decode(compact, validator2)
def test_jwt_mac(self, lang):
key_format = jwt_hmac_pb2.JwtHmacKeyFormat(
hash_type=common_pb2.SHA256, key_size=32)
key_template = tink_pb2.KeyTemplate(
type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey',
value=key_format.SerializeToString(),
output_prefix_type=tink_pb2.RAW)
keyset = testing_servers.new_keyset(lang, key_template)
jwt_mac_primitive = testing_servers.jwt_mac(lang, keyset)
now = datetime.datetime.now(tz=datetime.timezone.utc)
token = jwt.new_raw_jwt(
issuer='issuer',
subject='subject',
audiences=['audience1', 'audience2'],
jwt_id='jwt_id',
expiration=now + datetime.timedelta(seconds=10),
custom_claims={'switch': True, 'pi': 3.14159})
compact = jwt_mac_primitive.compute_mac_and_encode(token)
validator = jwt.new_validator(audience='audience1', fixed_now=now)
verified_jwt = jwt_mac_primitive.verify_mac_and_decode(compact, validator)
self.assertEqual(verified_jwt.issuer(), 'issuer')
self.assertEqual(verified_jwt.subject(), 'subject')
self.assertEqual(verified_jwt.jwt_id(), 'jwt_id')
self.assertEqual(verified_jwt.custom_claim('switch'), True)
self.assertEqual(verified_jwt.custom_claim('pi'), 3.14159)
validator2 = jwt.new_validator(audience='wrong_audience', fixed_now=now)
with self.assertRaises(tink.TinkError):
jwt_mac_primitive.verify_mac_and_decode(compact, validator2)
def test_encrypt_decrypt(self, key_template_name, supported_langs):
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
private_keyset = testing_servers.new_keyset('java', key_template)
supported_signers = [
testing_servers.public_key_sign(lang, private_keyset)
for lang in supported_langs
]
unsupported_signers = [
testing_servers.public_key_sign(lang, private_keyset)
for lang in SUPPORTED_LANGUAGES if lang not in supported_langs
]
public_keyset = testing_servers.public_keyset('java', private_keyset)
supported_verifiers = [
testing_servers.public_key_verify(lang, public_keyset)
for lang in supported_langs
]
unsupported_verifiers = [
testing_servers.public_key_verify(lang, public_keyset)
for lang in testing_servers.LANGUAGES
if lang not in supported_langs
]
for signer in supported_signers:
message = (
b'A message to be signed using key_template %s in %s.' %
(key_template_name.encode('utf8'), signer.lang.encode('utf8')))
sign = signer.sign(message)
for verifier in supported_verifiers:
self.assertIsNone(verifier.verify(sign, message))
for verifier in unsupported_verifiers:
with self.assertRaises(tink.TinkError):
verifier.verify(sign, message)
for signer in unsupported_signers:
with self.assertRaises(tink.TinkError):
_ = signer.sign(message)
def test_jwt_public_key_sign_verify(self, lang):
private_keyset = testing_servers.new_keyset(lang, jwt.jwt_es256_template())
public_keyset = testing_servers.public_keyset(lang, private_keyset)
signer = testing_servers.jwt_public_key_sign(lang, private_keyset)
verifier = testing_servers.jwt_public_key_verify(lang, public_keyset)
now = datetime.datetime.now(tz=datetime.timezone.utc)
token = jwt.new_raw_jwt(
issuer='issuer',
subject='subject',
audiences=['audience1', 'audience2'],
jwt_id='jwt_id',
expiration=now + datetime.timedelta(seconds=10),
custom_claims={'switch': True, 'pi': 3.14159})
compact = signer.sign_and_encode(token)
validator = jwt.new_validator(
expected_issuer='issuer',
expected_audience='audience1',
fixed_now=now)
verified_jwt = verifier.verify_and_decode(compact, validator)
self.assertEqual(verified_jwt.issuer(), 'issuer')
self.assertEqual(verified_jwt.subject(), 'subject')
self.assertEqual(verified_jwt.jwt_id(), 'jwt_id')
self.assertEqual(verified_jwt.custom_claim('switch'), True)
self.assertEqual(verified_jwt.custom_claim('pi'), 3.14159)
validator2 = jwt.new_validator(
expected_audience='wrong_audience', fixed_now=now)
with self.assertRaises(tink.TinkError):
verifier.verify_and_decode(compact, validator2)
def test_read_encrypted_ignores_keyset_info_json(self, lang):
# Use an arbitrary AEAD template that's supported in all languages,
# and use an arbitrary language to generate the keyset_encryption_keyset.
keyset_encryption_keyset = testing_servers.new_keyset(
'cc', aead.aead_key_templates.AES128_GCM)
# Also, generate an arbitrary keyset.
keyset = testing_servers.new_keyset('cc',
aead.aead_key_templates.AES128_GCM)
associated_data = b'associated_data'
encrypted_keyset = testing_servers.keyset_write_encrypted(
lang, keyset, keyset_encryption_keyset, associated_data,
'KEYSET_WRITER_JSON')
# encrypted_keyset is a JSON serialized tink_pb2.EncryptedKeyset
parsed_encrypted_keyset = json_format.Parse(encrypted_keyset,
tink_pb2.EncryptedKeyset())
# Note that some implementations (currently C++) do not set keyset_info.
# But we require that values are correct when they are set.
if parsed_encrypted_keyset.HasField('keyset_info'):
self.assertLen(parsed_encrypted_keyset.keyset_info.key_info, 1)
self.assertEqual(
parsed_encrypted_keyset.keyset_info.primary_key_id,
parsed_encrypted_keyset.keyset_info.key_info[0].key_id)
# keyset_info should be ignored when reading a keyset.
# To test this, we add something invalid and check that read still works.
# Some languages (C++ and Java) however do check that the fields of
# keyset_info are present. So we have to set all required fields here.
parsed_encrypted_keyset.keyset_info.key_info.append(
tink_pb2.KeysetInfo.KeyInfo(type_url='invalid',
status=tink_pb2.ENABLED,
key_id=123,
output_prefix_type=tink_pb2.LEGACY))
parsed_encrypted_keyset.keyset_info.primary_key_id = 123
modified_encrypted_keyset = json_format.MessageToJson(
parsed_encrypted_keyset).encode('utf8')
decrypted_keyset = testing_servers.keyset_read_encrypted(
lang, modified_encrypted_keyset, keyset_encryption_keyset,
associated_data, 'KEYSET_READER_JSON')
# Both keyset and decrypted_keyset are serialized tink_pb2.Keyset.
key_util.assert_tink_proto_equal(
self, tink_pb2.Keyset.FromString(keyset),
tink_pb2.Keyset.FromString(decrypted_keyset))
def test_jwt_mac_does_not_sets_kid_for_raw_templates(self, template_name):
key_template = supported_key_types.KEY_TEMPLATE[template_name]
keyset = testing_servers.new_keyset('cc', key_template)
raw_jwt = jwt.new_raw_jwt(without_expiration=True)
for lang in SUPPORTED_LANGUAGES:
jwt_mac = testing_servers.jwt_mac(lang, keyset)
compact = jwt_mac.compute_mac_and_encode(raw_jwt)
self.assertIsNone(decode_kid(compact))
def test_encrypt_decrypt(self, key_template_name):
if key_template_name in _ADDITIONAL_KEY_TEMPLATES:
key_template, supported_langs = _ADDITIONAL_KEY_TEMPLATES[
key_template_name]
else:
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
supported_langs = (
supported_key_types.
SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[key_template_name])
self.assertNotEmpty(supported_langs)
# Take the first supported language to generate the private keyset.
private_keyset = testing_servers.new_keyset(supported_langs[0],
key_template)
supported_decs = [
testing_servers.hybrid_decrypt(lang, private_keyset)
for lang in supported_langs
]
unsupported_decs = [
testing_servers.hybrid_decrypt(lang, private_keyset)
for lang in SUPPORTED_LANGUAGES if lang not in supported_langs
]
public_keyset = testing_servers.public_keyset(supported_langs[0],
private_keyset)
supported_encs = [
testing_servers.hybrid_encrypt(lang, public_keyset)
for lang in supported_langs
]
unsupported_encs = [
testing_servers.hybrid_encrypt(lang, public_keyset)
for lang in testing_servers.LANGUAGES
if lang not in supported_langs
]
for enc in supported_encs:
plaintext = (
b'This is some plaintext message to be encrypted using key_template '
b'%s in %s.' %
(key_template_name.encode('utf8'), enc.lang.encode('utf8')))
context_info = (
b'Some context info for %s using %s for encryption.' %
(key_template_name.encode('utf8'), enc.lang.encode('utf8')))
ciphertext = enc.encrypt(plaintext, context_info)
for dec in supported_decs:
output = dec.decrypt(ciphertext, context_info)
self.assertEqual(output, plaintext)
for dec in unsupported_decs:
with self.assertRaises(
tink.TinkError,
msg=
'Language %s supports hybrid decrypt with %s unexpectedly'
% (dec.lang, key_template_name)):
dec.decrypt(ciphertext, context_info)
for enc in unsupported_encs:
with self.assertRaises(
tink.TinkError,
msg=
'Language %s supports hybrid encrypt with %s unexpectedly'
% (enc.lang, key_template_name)):
enc.encrypt(b'plaintext', b'context_info')
def test_inc_version_aead_aes_ctr_hmac_subkeys(self):
"""Increments the subkey versions by one and check they can't be used."""
template = supported_key_types.KEY_TEMPLATE['AES128_CTR_HMAC_SHA256']
for lang in TYPE_URL_TO_SUPPORTED_LANGUAGES[template.type_url]:
keyset = testing_servers.new_keyset(lang, template)
for keyset1 in gen_keys_for_aes_ctr_hmac_aead(keyset):
aead_primitive = testing_servers.aead(lang, keyset1)
with self.assertRaises(tink.TinkError):
_ = aead_primitive.encrypt(b'foo', b'bar')
def test_inc_version_aead(self, key_template_name, lang):
"""Increments the key version by one and checks they can't be used."""
template = supported_key_types.KEY_TEMPLATE[key_template_name]
keyset = testing_servers.new_keyset(lang, template)
_ = testing_servers.aead(lang, keyset).encrypt(b'foo', b'bar')
for keyset1 in gen_inc_versions(keyset):
aead_primitive = testing_servers.aead(lang, keyset1)
with self.assertRaises(tink.TinkError):
_ = aead_primitive.encrypt(b'foo', b'bar')
def test_prf_without_primary(self, key_template_name, lang):
"""Unsets the primary key and tries to use a PRF set primitive."""
template = supported_key_types.KEY_TEMPLATE[key_template_name]
keyset = testing_servers.new_keyset(lang, template)
_ = testing_servers.prf_set(lang, keyset).primary().compute(b'foo', 16)
prf_set_without_primary = testing_servers.prf_set(
lang, unset_primary(keyset))
with self.assertRaises(tink.TinkError):
_ = prf_set_without_primary.primary().compute(b'foo', 16)
def test_inc_version_prf(self, key_template_name, lang):
"""Increments the key version by one and checks they can't be used."""
template = supported_key_types.KEY_TEMPLATE[key_template_name]
keyset = testing_servers.new_keyset(lang, template)
_ = testing_servers.prf_set(lang, keyset).primary().compute(b'foo', 16)
for keyset1 in gen_inc_versions(keyset):
prf_set_primitive = testing_servers.prf_set(lang, keyset1)
with self.assertRaises(tink.TinkError):
_ = prf_set_primitive.primary().compute(b'foo', 16)
def test_inc_version_aead(self, name, key_class):
"""Increments the key version by one and checks they can't be used."""
template = supported_key_types.KEY_TEMPLATE[name]
for lang in TYPE_URL_TO_SUPPORTED_LANGUAGES[template.type_url]:
keyset = testing_servers.new_keyset(lang, template)
keyset1 = inc_version(keyset, key_class)
aead_primitive = testing_servers.aead(lang, keyset1)
with self.assertRaises(tink.TinkError):
_ = aead_primitive.encrypt(b'foo', b'bar')
def test_to_from_json(self, key_template_name, supported_langs):
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
keyset = testing_servers.new_keyset('java', key_template)
for to_lang in supported_langs:
json_keyset = testing_servers.keyset_to_json(to_lang, keyset)
for from_lang in supported_langs:
keyset2 = testing_servers.keyset_from_json(
from_lang, json_keyset)
self.assertEqualKeyset(keyset, keyset2)
def test_mac_without_primary(self, key_template_name, lang):
"""Unsets the primary key and tries to use a MAC primitive."""
template = supported_key_types.KEY_TEMPLATE[key_template_name]
keyset = testing_servers.new_keyset(lang, template)
mac_value = testing_servers.mac(lang, keyset).compute_mac(b'foo')
mac_without_primary = testing_servers.mac(lang, unset_primary(keyset))
with self.assertRaises(tink.TinkError):
_ = mac_without_primary.compute_mac(b'foo')
with self.assertRaises(tink.TinkError):
mac_without_primary.verify_mac(mac_value, b'foo')
def test_mac(self, lang):
keyset = testing_servers.new_keyset(
lang, mac.mac_key_templates.HMAC_SHA256_128BITTAG)
data = b'The quick brown fox jumps over the lazy dog'
mac_primitive = testing_servers.mac(lang, keyset)
mac_value = mac_primitive.compute_mac(data)
mac_primitive.verify_mac(mac_value, data)
with self.assertRaises(tink.TinkError):
mac_primitive.verify_mac(b'foo', data)
def test_prf(self, lang):
keyset = testing_servers.new_keyset(lang,
prf.prf_key_templates.HMAC_SHA256)
input_data = b'The quick brown fox jumps over the lazy dog'
prf_set_primitive = testing_servers.prf_set(lang, keyset)
output = prf_set_primitive.primary().compute(input_data, output_length=15)
self.assertLen(output, 15)
with self.assertRaises(tink.TinkError):
prf_set_primitive.primary().compute(input_data, output_length=123456)
def test_to_from_json(self, key_template_name, supported_langs):
self.assertNotEmpty(supported_langs)
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
# Take the first supported language to generate the keyset.
keyset = testing_servers.new_keyset(supported_langs[0], key_template)
for to_lang in supported_langs:
json_keyset = testing_servers.keyset_to_json(to_lang, keyset)
for from_lang in supported_langs:
keyset2 = testing_servers.keyset_from_json(
from_lang, json_keyset)
self.assertEqualKeyset(keyset, keyset2)
def test_jwt_public_key_sign_does_not_sets_kid_for_raw_templates(
self, template_name):
key_template = supported_key_types.KEY_TEMPLATE[template_name]
keyset = testing_servers.new_keyset('cc', key_template)
raw_jwt = jwt.new_raw_jwt(without_expiration=True)
supported_langs = supported_key_types.SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[
template_name]
for lang in supported_langs:
jwt_sign = testing_servers.jwt_public_key_sign(lang, keyset)
compact = jwt_sign.sign_and_encode(raw_jwt)
self.assertIsNone(decode_kid(compact))
def test_aead(self, lang):
keyset = testing_servers.new_keyset(lang,
aead.aead_key_templates.AES128_GCM)
plaintext = b'The quick brown fox jumps over the lazy dog'
associated_data = b'associated_data'
aead_primitive = testing_servers.aead(lang, keyset)
ciphertext = aead_primitive.encrypt(plaintext, associated_data)
output = aead_primitive.decrypt(ciphertext, associated_data)
self.assertEqual(output, plaintext)
with self.assertRaises(tink.TinkError):
aead_primitive.decrypt(b'foo', associated_data)
def test_aead_without_primary(self, key_template_name, lang):
"""Unsets the primary key and tries to use an AEAD primitive."""
template = supported_key_types.KEY_TEMPLATE[key_template_name]
keyset = testing_servers.new_keyset(lang, template)
ciphertext = testing_servers.aead(lang, keyset).encrypt(b'foo', b'bar')
aead_without_primary = testing_servers.aead(lang,
unset_primary(keyset))
with self.assertRaises(tink.TinkError):
_ = aead_without_primary.encrypt(b'foo', b'bar')
with self.assertRaises(tink.TinkError):
_ = aead_without_primary.decrypt(ciphertext, b'bar')
def test_signature(self, lang):
private_handle = testing_servers.new_keyset(
lang, signature.signature_key_templates.ED25519)
public_handle = testing_servers.public_keyset(lang, private_handle)
sign_primitive = testing_servers.public_key_sign(lang, private_handle)
data = b'The quick brown fox jumps over the lazy dog'
signature_value = sign_primitive.sign(data)
verify_primitive = testing_servers.public_key_verify(lang, public_handle)
verify_primitive.verify(signature_value, data)
with self.assertRaises(tink.TinkError):
verify_primitive.verify(b'foo', data)
