def test_read_write_encrypted_keyset(self, lang): keyset = testing_servers.new_keyset(lang, aead.aead_key_templates.AES128_GCM) master_keyset = testing_servers.new_keyset( lang, aead.aead_key_templates.AES128_GCM) encrypted_keyset = testing_servers.keyset_write_encrypted( lang, keyset, master_keyset, b'associated_data') output_keyset = testing_servers.keyset_read_encrypted( lang, encrypted_keyset, master_keyset, b'associated_data') self.assertEqual(output_keyset, keyset) with self.assertRaises(tink.TinkError): testing_servers.keyset_read_encrypted(lang, encrypted_keyset, master_keyset, b'invalid_associated_data') with self.assertRaises(tink.TinkError): testing_servers.keyset_read_encrypted(lang, b'invalid_encrypted_keyset', master_keyset, b'associated_data') with self.assertRaises(tink.TinkError): testing_servers.keyset_read_encrypted(lang, encrypted_keyset, b'invalid_master_keyset', b'associated_data') with self.assertRaises(tink.TinkError): testing_servers.keyset_write_encrypted(lang, keyset, b'invalid_master_keyset', b'associated_data')
def test_jwt_signature_without_primary(self, key_template_name, lang): """Unsets the primary key and tries to sign and verify JWT signatures.""" template = supported_key_types.KEY_TEMPLATE[key_template_name] private_keyset = testing_servers.new_keyset(lang, template) public_keyset = testing_servers.public_keyset(lang, private_keyset) signer = testing_servers.jwt_public_key_sign(lang, private_keyset) now = datetime.datetime.now(tz=datetime.timezone.utc) raw_jwt = jwt.new_raw_jwt(issuer='issuer', expiration=now + datetime.timedelta(seconds=100)) token = signer.sign_and_encode(raw_jwt) signer_without_primary = testing_servers.jwt_public_key_sign( lang, unset_primary(private_keyset)) with self.assertRaises(tink.TinkError): signer_without_primary.sign_and_encode(raw_jwt) verifier_without_primary = testing_servers.jwt_public_key_verify( lang, unset_primary(public_keyset)) validator = jwt.new_validator(expected_issuer='issuer', fixed_now=now) if lang in ['cc', 'java', 'python']: # C++, Java and Python currently allow this. verifier_without_primary.verify_and_decode(token, validator) else: with self.assertRaises(tink.TinkError): verifier_without_primary.verify_and_decode(token, validator)
def test_jwt_mac(self, lang): keyset = testing_servers.new_keyset(lang, jwt.jwt_hs256_template()) jwt_mac_primitive = testing_servers.jwt_mac(lang, keyset) now = datetime.datetime.now(tz=datetime.timezone.utc) token = jwt.new_raw_jwt(issuer='issuer', subject='subject', audiences=['audience1', 'audience2'], jwt_id='jwt_id', expiration=now + datetime.timedelta(seconds=10), custom_claims={ 'switch': True, 'pi': 3.14159 }) compact = jwt_mac_primitive.compute_mac_and_encode(token) validator = jwt.new_validator(audience='audience1', fixed_now=now) # HERE verified_jwt = jwt_mac_primitive.verify_mac_and_decode( compact, validator) self.assertEqual(verified_jwt.issuer(), 'issuer') self.assertEqual(verified_jwt.subject(), 'subject') self.assertEqual(verified_jwt.jwt_id(), 'jwt_id') self.assertEqual(verified_jwt.custom_claim('switch'), True) self.assertEqual(verified_jwt.custom_claim('pi'), 3.14159) validator2 = jwt.new_validator(audience='wrong_audience', fixed_now=now) with self.assertRaises(tink.TinkError): jwt_mac_primitive.verify_mac_and_decode(compact, validator2)
def test_compute_verify_mac(self, key_template_name, key_template): key_type = supported_key_types.KEY_TYPE_FROM_URL[key_template.type_url] supported_langs = supported_key_types.SUPPORTED_LANGUAGES[key_type] self.assertNotEmpty(supported_langs) # Take the first supported language to generate the keyset. keyset = testing_servers.new_keyset(supported_langs[0], key_template) supported_macs = [ testing_servers.mac(lang, keyset) for lang in supported_langs ] unsupported_macs = [ testing_servers.mac(lang, keyset) for lang in SUPPORTED_LANGUAGES if lang not in supported_langs ] for p in supported_macs: data = ( b'This is some data to be authenticated using key_template ' b'%s in %s.' % (key_template_name.encode('utf8'), p.lang.encode('utf8'))) mac_value = p.compute_mac(data) for p2 in supported_macs: self.assertIsNone(p2.verify_mac(mac_value, data)) for p2 in unsupported_macs: with self.assertRaises( tink.TinkError, msg= 'Language %s supports verify_mac with %s unexpectedly' % (p2.lang, key_template_name)): p2.verify_mac(mac_value, data) for p in unsupported_macs: with self.assertRaises( tink.TinkError, msg='Language %s supports compute_mac with %s unexpectedly' % (p.lang, key_template_name)): p.compute_mac(data)
def test_encrypt_decrypt(self, key_template_name, supported_langs): key_template = supported_key_types.KEY_TEMPLATE[key_template_name] keyset = testing_servers.new_keyset('java', key_template) supported_daeads = [ testing_servers.deterministic_aead(lang, keyset) for lang in supported_langs ] self.assertNotEmpty(supported_daeads) unsupported_daeads = [ testing_servers.deterministic_aead(lang, keyset) for lang in SUPPORTED_LANGUAGES if lang not in supported_langs ] plaintext = (b'This is some plaintext message to be encrypted using ' b'key_template %s.' % key_template_name.encode('utf8')) associated_data = (b'Some associated data for %s.' % key_template_name.encode('utf8')) ciphertext = None for p in supported_daeads: if ciphertext: self.assertEqual( ciphertext, p.encrypt_deterministically(plaintext, associated_data)) else: ciphertext = p.encrypt_deterministically( plaintext, associated_data) for p2 in supported_daeads: output = p2.decrypt_deterministically(ciphertext, associated_data) self.assertEqual(output, plaintext) for p2 in unsupported_daeads: with self.assertRaises(tink.TinkError): p2.decrypt_deterministically(ciphertext, associated_data) for p in unsupported_daeads: with self.assertRaises(tink.TinkError): p.encrypt_deterministically(b'plaintext', b'associated_data')
def test_compute_verify_mac(self, key_template_name): supported_langs = supported_key_types.SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[ key_template_name] self.assertNotEmpty(supported_langs) key_template = supported_key_types.KEY_TEMPLATE[key_template_name] # Take the first supported language to generate the keyset. keyset = testing_servers.new_keyset(supported_langs[0], key_template) supported_macs = [ testing_servers.mac(lang, keyset) for lang in supported_langs ] unsupported_macs = [ testing_servers.mac(lang, keyset) for lang in SUPPORTED_LANGUAGES if lang not in supported_langs ] for p in supported_macs: data = ( b'This is some data to be authenticated using key_template ' b'%s in %s.' % (key_template_name.encode('utf8'), p.lang.encode('utf8'))) mac_value = p.compute_mac(data) for p2 in supported_macs: self.assertIsNone(p2.verify_mac(mac_value, data)) for p2 in unsupported_macs: with self.assertRaises(tink.TinkError): p2.verify_mac(mac_value, data) for p in unsupported_macs: with self.assertRaises(tink.TinkError): p.compute_mac(data)
def test_convert_to_raw_fails(self, template_name): """Make sure that "wrapped" AEADs don't accept the raw AEAD ciphertext.""" supported_langs = supported_key_types.SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[ template_name] self.assertNotEmpty(supported_langs) template = supported_key_types.KEY_TEMPLATE[template_name] if template.output_prefix_type == tink_pb2.RAW: # ciphertext is already raw, so there is nothing to test. return keyset = testing_servers.new_keyset(supported_langs[0], template) ciphertext = testing_servers.aead(supported_langs[0], keyset).encrypt( b'plaintext', b'aad') for lang in supported_langs: primitive = testing_servers.aead(lang, keyset) # all non-raw keys add a 5 byte prefix to the raw ciphertext. Remove it # and try to decrypt. raw_ciphertext = ciphertext[:5] with self.assertRaises( tink.TinkError, msg= 'non-raw ciphertext with 5 byte tink header removed did not ' 'cause a decryption error in %s. keyset="%s", ' 'modified_ciphertext="%s"' % (lang, keyset.hex(), raw_ciphertext.hex())): primitive.decrypt(raw_ciphertext, b'aad')
def test_key_generation_consistency(self, name, template): supported_langs = TYPE_URL_TO_SUPPORTED_LANGUAGES[template.type_url] failures = 0 results = {} for lang in supported_langs: try: _ = testing_servers.new_keyset(lang, template) if (name, lang) in SUCCEEDS_BUT_SHOULD_FAIL: failures += 1 if (name, lang) in FAILS_BUT_SHOULD_SUCCEED: self.fail( '(%s, %s) succeeded, but is in FAILS_BUT_SHOULD_SUCCEED' % (name, lang)) results[lang] = 'success' except tink.TinkError as e: if (name, lang) not in FAILS_BUT_SHOULD_SUCCEED: failures += 1 if (name, lang) in SUCCEEDS_BUT_SHOULD_FAIL: self.fail( '(%s, %s) is in SUCCEEDS_BUT_SHOULD_FAIL, but failed with %s' % (name, lang, e)) results[lang] = e # Test that either all supported langs accept the template, or all reject. if failures not in [0, len(supported_langs)]: self.fail('key generation for template %s is inconsistent: %s' % (name, results))
def test_encrypt_decrypt(self, key_template_name, supported_langs): self.assertNotEmpty(supported_langs) key_template = supported_key_types.KEY_TEMPLATE[key_template_name] # Take the first supported language to generate the keyset. keyset = testing_servers.new_keyset(supported_langs[0], key_template) supported_aeads = [ testing_servers.aead(lang, keyset) for lang in supported_langs ] unsupported_aeads = [ testing_servers.aead(lang, keyset) for lang in SUPPORTED_LANGUAGES if lang not in supported_langs ] for p in supported_aeads: plaintext = ( b'This is some plaintext message to be encrypted using key_template ' b'%s using %s for encryption.' % (key_template_name.encode('utf8'), p.lang.encode('utf8'))) associated_data = ( b'Some associated data for %s using %s for encryption.' % (key_template_name.encode('utf8'), p.lang.encode('utf8'))) ciphertext = p.encrypt(plaintext, associated_data) for p2 in supported_aeads: output = p2.decrypt(ciphertext, associated_data) self.assertEqual(output, plaintext) for p2 in unsupported_aeads: with self.assertRaises(tink.TinkError): p2.decrypt(ciphertext, associated_data) for p in unsupported_aeads: with self.assertRaises(tink.TinkError): p.encrypt(b'plaintext', b'associated_data')
def test_jwt_public_key_sign_verify(self, lang): key_format = jwt_ecdsa_pb2.JwtEcdsaKeyFormat( algorithm=jwt_ecdsa_pb2.ES256) key_template = tink_pb2.KeyTemplate( type_url='type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey', value=key_format.SerializeToString(), output_prefix_type=tink_pb2.RAW) private_keyset = testing_servers.new_keyset(lang, key_template) public_keyset = testing_servers.public_keyset(lang, private_keyset) signer = testing_servers.jwt_public_key_sign(lang, private_keyset) verifier = testing_servers.jwt_public_key_verify(lang, public_keyset) now = datetime.datetime.now(tz=datetime.timezone.utc) token = jwt.new_raw_jwt( issuer='issuer', subject='subject', audiences=['audience1', 'audience2'], jwt_id='jwt_id', expiration=now + datetime.timedelta(seconds=10), custom_claims={'switch': True, 'pi': 3.14159}) compact = signer.sign_and_encode(token) validator = jwt.new_validator(audience='audience1', fixed_now=now) verified_jwt = verifier.verify_and_decode(compact, validator) self.assertEqual(verified_jwt.issuer(), 'issuer') self.assertEqual(verified_jwt.subject(), 'subject') self.assertEqual(verified_jwt.jwt_id(), 'jwt_id') self.assertEqual(verified_jwt.custom_claim('switch'), True) self.assertEqual(verified_jwt.custom_claim('pi'), 3.14159) validator2 = jwt.new_validator(audience='wrong_audience', fixed_now=now) with self.assertRaises(tink.TinkError): verifier.verify_and_decode(compact, validator2)
def test_jwt_mac(self, lang): key_format = jwt_hmac_pb2.JwtHmacKeyFormat( hash_type=common_pb2.SHA256, key_size=32) key_template = tink_pb2.KeyTemplate( type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey', value=key_format.SerializeToString(), output_prefix_type=tink_pb2.RAW) keyset = testing_servers.new_keyset(lang, key_template) jwt_mac_primitive = testing_servers.jwt_mac(lang, keyset) now = datetime.datetime.now(tz=datetime.timezone.utc) token = jwt.new_raw_jwt( issuer='issuer', subject='subject', audiences=['audience1', 'audience2'], jwt_id='jwt_id', expiration=now + datetime.timedelta(seconds=10), custom_claims={'switch': True, 'pi': 3.14159}) compact = jwt_mac_primitive.compute_mac_and_encode(token) validator = jwt.new_validator(audience='audience1', fixed_now=now) verified_jwt = jwt_mac_primitive.verify_mac_and_decode(compact, validator) self.assertEqual(verified_jwt.issuer(), 'issuer') self.assertEqual(verified_jwt.subject(), 'subject') self.assertEqual(verified_jwt.jwt_id(), 'jwt_id') self.assertEqual(verified_jwt.custom_claim('switch'), True) self.assertEqual(verified_jwt.custom_claim('pi'), 3.14159) validator2 = jwt.new_validator(audience='wrong_audience', fixed_now=now) with self.assertRaises(tink.TinkError): jwt_mac_primitive.verify_mac_and_decode(compact, validator2)
def test_encrypt_decrypt(self, key_template_name, supported_langs): key_template = supported_key_types.KEY_TEMPLATE[key_template_name] private_keyset = testing_servers.new_keyset('java', key_template) supported_signers = [ testing_servers.public_key_sign(lang, private_keyset) for lang in supported_langs ] unsupported_signers = [ testing_servers.public_key_sign(lang, private_keyset) for lang in SUPPORTED_LANGUAGES if lang not in supported_langs ] public_keyset = testing_servers.public_keyset('java', private_keyset) supported_verifiers = [ testing_servers.public_key_verify(lang, public_keyset) for lang in supported_langs ] unsupported_verifiers = [ testing_servers.public_key_verify(lang, public_keyset) for lang in testing_servers.LANGUAGES if lang not in supported_langs ] for signer in supported_signers: message = ( b'A message to be signed using key_template %s in %s.' % (key_template_name.encode('utf8'), signer.lang.encode('utf8'))) sign = signer.sign(message) for verifier in supported_verifiers: self.assertIsNone(verifier.verify(sign, message)) for verifier in unsupported_verifiers: with self.assertRaises(tink.TinkError): verifier.verify(sign, message) for signer in unsupported_signers: with self.assertRaises(tink.TinkError): _ = signer.sign(message)
def test_jwt_public_key_sign_verify(self, lang): private_keyset = testing_servers.new_keyset(lang, jwt.jwt_es256_template()) public_keyset = testing_servers.public_keyset(lang, private_keyset) signer = testing_servers.jwt_public_key_sign(lang, private_keyset) verifier = testing_servers.jwt_public_key_verify(lang, public_keyset) now = datetime.datetime.now(tz=datetime.timezone.utc) token = jwt.new_raw_jwt( issuer='issuer', subject='subject', audiences=['audience1', 'audience2'], jwt_id='jwt_id', expiration=now + datetime.timedelta(seconds=10), custom_claims={'switch': True, 'pi': 3.14159}) compact = signer.sign_and_encode(token) validator = jwt.new_validator( expected_issuer='issuer', expected_audience='audience1', fixed_now=now) verified_jwt = verifier.verify_and_decode(compact, validator) self.assertEqual(verified_jwt.issuer(), 'issuer') self.assertEqual(verified_jwt.subject(), 'subject') self.assertEqual(verified_jwt.jwt_id(), 'jwt_id') self.assertEqual(verified_jwt.custom_claim('switch'), True) self.assertEqual(verified_jwt.custom_claim('pi'), 3.14159) validator2 = jwt.new_validator( expected_audience='wrong_audience', fixed_now=now) with self.assertRaises(tink.TinkError): verifier.verify_and_decode(compact, validator2)
def test_read_encrypted_ignores_keyset_info_json(self, lang): # Use an arbitrary AEAD template that's supported in all languages, # and use an arbitrary language to generate the keyset_encryption_keyset. keyset_encryption_keyset = testing_servers.new_keyset( 'cc', aead.aead_key_templates.AES128_GCM) # Also, generate an arbitrary keyset. keyset = testing_servers.new_keyset('cc', aead.aead_key_templates.AES128_GCM) associated_data = b'associated_data' encrypted_keyset = testing_servers.keyset_write_encrypted( lang, keyset, keyset_encryption_keyset, associated_data, 'KEYSET_WRITER_JSON') # encrypted_keyset is a JSON serialized tink_pb2.EncryptedKeyset parsed_encrypted_keyset = json_format.Parse(encrypted_keyset, tink_pb2.EncryptedKeyset()) # Note that some implementations (currently C++) do not set keyset_info. # But we require that values are correct when they are set. if parsed_encrypted_keyset.HasField('keyset_info'): self.assertLen(parsed_encrypted_keyset.keyset_info.key_info, 1) self.assertEqual( parsed_encrypted_keyset.keyset_info.primary_key_id, parsed_encrypted_keyset.keyset_info.key_info[0].key_id) # keyset_info should be ignored when reading a keyset. # To test this, we add something invalid and check that read still works. # Some languages (C++ and Java) however do check that the fields of # keyset_info are present. So we have to set all required fields here. parsed_encrypted_keyset.keyset_info.key_info.append( tink_pb2.KeysetInfo.KeyInfo(type_url='invalid', status=tink_pb2.ENABLED, key_id=123, output_prefix_type=tink_pb2.LEGACY)) parsed_encrypted_keyset.keyset_info.primary_key_id = 123 modified_encrypted_keyset = json_format.MessageToJson( parsed_encrypted_keyset).encode('utf8') decrypted_keyset = testing_servers.keyset_read_encrypted( lang, modified_encrypted_keyset, keyset_encryption_keyset, associated_data, 'KEYSET_READER_JSON') # Both keyset and decrypted_keyset are serialized tink_pb2.Keyset. key_util.assert_tink_proto_equal( self, tink_pb2.Keyset.FromString(keyset), tink_pb2.Keyset.FromString(decrypted_keyset))
def test_jwt_mac_does_not_sets_kid_for_raw_templates(self, template_name): key_template = supported_key_types.KEY_TEMPLATE[template_name] keyset = testing_servers.new_keyset('cc', key_template) raw_jwt = jwt.new_raw_jwt(without_expiration=True) for lang in SUPPORTED_LANGUAGES: jwt_mac = testing_servers.jwt_mac(lang, keyset) compact = jwt_mac.compute_mac_and_encode(raw_jwt) self.assertIsNone(decode_kid(compact))
def test_encrypt_decrypt(self, key_template_name): if key_template_name in _ADDITIONAL_KEY_TEMPLATES: key_template, supported_langs = _ADDITIONAL_KEY_TEMPLATES[ key_template_name] else: key_template = supported_key_types.KEY_TEMPLATE[key_template_name] supported_langs = ( supported_key_types. SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[key_template_name]) self.assertNotEmpty(supported_langs) # Take the first supported language to generate the private keyset. private_keyset = testing_servers.new_keyset(supported_langs[0], key_template) supported_decs = [ testing_servers.hybrid_decrypt(lang, private_keyset) for lang in supported_langs ] unsupported_decs = [ testing_servers.hybrid_decrypt(lang, private_keyset) for lang in SUPPORTED_LANGUAGES if lang not in supported_langs ] public_keyset = testing_servers.public_keyset(supported_langs[0], private_keyset) supported_encs = [ testing_servers.hybrid_encrypt(lang, public_keyset) for lang in supported_langs ] unsupported_encs = [ testing_servers.hybrid_encrypt(lang, public_keyset) for lang in testing_servers.LANGUAGES if lang not in supported_langs ] for enc in supported_encs: plaintext = ( b'This is some plaintext message to be encrypted using key_template ' b'%s in %s.' % (key_template_name.encode('utf8'), enc.lang.encode('utf8'))) context_info = ( b'Some context info for %s using %s for encryption.' % (key_template_name.encode('utf8'), enc.lang.encode('utf8'))) ciphertext = enc.encrypt(plaintext, context_info) for dec in supported_decs: output = dec.decrypt(ciphertext, context_info) self.assertEqual(output, plaintext) for dec in unsupported_decs: with self.assertRaises( tink.TinkError, msg= 'Language %s supports hybrid decrypt with %s unexpectedly' % (dec.lang, key_template_name)): dec.decrypt(ciphertext, context_info) for enc in unsupported_encs: with self.assertRaises( tink.TinkError, msg= 'Language %s supports hybrid encrypt with %s unexpectedly' % (enc.lang, key_template_name)): enc.encrypt(b'plaintext', b'context_info')
def test_inc_version_aead_aes_ctr_hmac_subkeys(self): """Increments the subkey versions by one and check they can't be used.""" template = supported_key_types.KEY_TEMPLATE['AES128_CTR_HMAC_SHA256'] for lang in TYPE_URL_TO_SUPPORTED_LANGUAGES[template.type_url]: keyset = testing_servers.new_keyset(lang, template) for keyset1 in gen_keys_for_aes_ctr_hmac_aead(keyset): aead_primitive = testing_servers.aead(lang, keyset1) with self.assertRaises(tink.TinkError): _ = aead_primitive.encrypt(b'foo', b'bar')
def test_inc_version_aead(self, key_template_name, lang): """Increments the key version by one and checks they can't be used.""" template = supported_key_types.KEY_TEMPLATE[key_template_name] keyset = testing_servers.new_keyset(lang, template) _ = testing_servers.aead(lang, keyset).encrypt(b'foo', b'bar') for keyset1 in gen_inc_versions(keyset): aead_primitive = testing_servers.aead(lang, keyset1) with self.assertRaises(tink.TinkError): _ = aead_primitive.encrypt(b'foo', b'bar')
def test_prf_without_primary(self, key_template_name, lang): """Unsets the primary key and tries to use a PRF set primitive.""" template = supported_key_types.KEY_TEMPLATE[key_template_name] keyset = testing_servers.new_keyset(lang, template) _ = testing_servers.prf_set(lang, keyset).primary().compute(b'foo', 16) prf_set_without_primary = testing_servers.prf_set( lang, unset_primary(keyset)) with self.assertRaises(tink.TinkError): _ = prf_set_without_primary.primary().compute(b'foo', 16)
def test_inc_version_prf(self, key_template_name, lang): """Increments the key version by one and checks they can't be used.""" template = supported_key_types.KEY_TEMPLATE[key_template_name] keyset = testing_servers.new_keyset(lang, template) _ = testing_servers.prf_set(lang, keyset).primary().compute(b'foo', 16) for keyset1 in gen_inc_versions(keyset): prf_set_primitive = testing_servers.prf_set(lang, keyset1) with self.assertRaises(tink.TinkError): _ = prf_set_primitive.primary().compute(b'foo', 16)
def test_inc_version_aead(self, name, key_class): """Increments the key version by one and checks they can't be used.""" template = supported_key_types.KEY_TEMPLATE[name] for lang in TYPE_URL_TO_SUPPORTED_LANGUAGES[template.type_url]: keyset = testing_servers.new_keyset(lang, template) keyset1 = inc_version(keyset, key_class) aead_primitive = testing_servers.aead(lang, keyset1) with self.assertRaises(tink.TinkError): _ = aead_primitive.encrypt(b'foo', b'bar')
def test_to_from_json(self, key_template_name, supported_langs): key_template = supported_key_types.KEY_TEMPLATE[key_template_name] keyset = testing_servers.new_keyset('java', key_template) for to_lang in supported_langs: json_keyset = testing_servers.keyset_to_json(to_lang, keyset) for from_lang in supported_langs: keyset2 = testing_servers.keyset_from_json( from_lang, json_keyset) self.assertEqualKeyset(keyset, keyset2)
def test_mac_without_primary(self, key_template_name, lang): """Unsets the primary key and tries to use a MAC primitive.""" template = supported_key_types.KEY_TEMPLATE[key_template_name] keyset = testing_servers.new_keyset(lang, template) mac_value = testing_servers.mac(lang, keyset).compute_mac(b'foo') mac_without_primary = testing_servers.mac(lang, unset_primary(keyset)) with self.assertRaises(tink.TinkError): _ = mac_without_primary.compute_mac(b'foo') with self.assertRaises(tink.TinkError): mac_without_primary.verify_mac(mac_value, b'foo')
def test_mac(self, lang): keyset = testing_servers.new_keyset( lang, mac.mac_key_templates.HMAC_SHA256_128BITTAG) data = b'The quick brown fox jumps over the lazy dog' mac_primitive = testing_servers.mac(lang, keyset) mac_value = mac_primitive.compute_mac(data) mac_primitive.verify_mac(mac_value, data) with self.assertRaises(tink.TinkError): mac_primitive.verify_mac(b'foo', data)
def test_prf(self, lang): keyset = testing_servers.new_keyset(lang, prf.prf_key_templates.HMAC_SHA256) input_data = b'The quick brown fox jumps over the lazy dog' prf_set_primitive = testing_servers.prf_set(lang, keyset) output = prf_set_primitive.primary().compute(input_data, output_length=15) self.assertLen(output, 15) with self.assertRaises(tink.TinkError): prf_set_primitive.primary().compute(input_data, output_length=123456)
def test_to_from_json(self, key_template_name, supported_langs): self.assertNotEmpty(supported_langs) key_template = supported_key_types.KEY_TEMPLATE[key_template_name] # Take the first supported language to generate the keyset. keyset = testing_servers.new_keyset(supported_langs[0], key_template) for to_lang in supported_langs: json_keyset = testing_servers.keyset_to_json(to_lang, keyset) for from_lang in supported_langs: keyset2 = testing_servers.keyset_from_json( from_lang, json_keyset) self.assertEqualKeyset(keyset, keyset2)
def test_jwt_public_key_sign_does_not_sets_kid_for_raw_templates( self, template_name): key_template = supported_key_types.KEY_TEMPLATE[template_name] keyset = testing_servers.new_keyset('cc', key_template) raw_jwt = jwt.new_raw_jwt(without_expiration=True) supported_langs = supported_key_types.SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[ template_name] for lang in supported_langs: jwt_sign = testing_servers.jwt_public_key_sign(lang, keyset) compact = jwt_sign.sign_and_encode(raw_jwt) self.assertIsNone(decode_kid(compact))
def test_aead(self, lang): keyset = testing_servers.new_keyset(lang, aead.aead_key_templates.AES128_GCM) plaintext = b'The quick brown fox jumps over the lazy dog' associated_data = b'associated_data' aead_primitive = testing_servers.aead(lang, keyset) ciphertext = aead_primitive.encrypt(plaintext, associated_data) output = aead_primitive.decrypt(ciphertext, associated_data) self.assertEqual(output, plaintext) with self.assertRaises(tink.TinkError): aead_primitive.decrypt(b'foo', associated_data)
def test_aead_without_primary(self, key_template_name, lang): """Unsets the primary key and tries to use an AEAD primitive.""" template = supported_key_types.KEY_TEMPLATE[key_template_name] keyset = testing_servers.new_keyset(lang, template) ciphertext = testing_servers.aead(lang, keyset).encrypt(b'foo', b'bar') aead_without_primary = testing_servers.aead(lang, unset_primary(keyset)) with self.assertRaises(tink.TinkError): _ = aead_without_primary.encrypt(b'foo', b'bar') with self.assertRaises(tink.TinkError): _ = aead_without_primary.decrypt(ciphertext, b'bar')
def test_signature(self, lang): private_handle = testing_servers.new_keyset( lang, signature.signature_key_templates.ED25519) public_handle = testing_servers.public_keyset(lang, private_handle) sign_primitive = testing_servers.public_key_sign(lang, private_handle) data = b'The quick brown fox jumps over the lazy dog' signature_value = sign_primitive.sign(data) verify_primitive = testing_servers.public_key_verify(lang, public_handle) verify_primitive.verify(signature_value, data) with self.assertRaises(tink.TinkError): verify_primitive.verify(b'foo', data)