def test_generate_new_key_id_is_randomized(self):
handle1 = core.new_keyset_handle(
mac.mac_key_templates.HMAC_SHA256_128BITTAG)
handle2 = core.new_keyset_handle(
mac.mac_key_templates.HMAC_SHA256_128BITTAG)
self.assertNotEqual(handle1.keyset_info().key_info[0].key_id,
handle2.keyset_info().key_info[0].key_id)
def test_write_raises_error_when_decrypt_not_possible(self):
handle = core.new_keyset_handle(
mac.mac_key_templates.HMAC_SHA256_128BITTAG)
writer = core.BinaryKeysetWriter(io.BytesIO())
with self.assertRaisesRegex(core.TinkError,
'invalid keyset, corrupted key material'):
handle.write(writer, BadAead1())
def test_generate_new(self):
keyset_info = core.new_keyset_handle(
mac.mac_key_templates.HMAC_SHA256_128BITTAG).keyset_info()
self.assertLen(keyset_info.key_info, 1)
key_info = keyset_info.key_info[0]
self.assertEqual(key_info.status, tink_pb2.ENABLED)
self.assertEqual(
key_info.output_prefix_type,
mac.mac_key_templates.HMAC_SHA256_128BITTAG.output_prefix_type)
self.assertEqual(keyset_info.primary_key_id, key_info.key_id)
def test_write_encrypted(self):
handle = core.new_keyset_handle(mac.mac_key_templates.HMAC_SHA256_128BITTAG)
# Encrypt the keyset with Aead.
master_key_aead = _master_key_aead()
output_stream = io.BytesIO()
writer = core.BinaryKeysetWriter(output_stream)
handle.write(writer, master_key_aead)
reader = core.BinaryKeysetReader(output_stream.getvalue())
handle2 = core.read_keyset_handle(reader, master_key_aead)
# Check that handle2 has the same primitive as handle.
handle2.primitive(mac.Mac).verify_mac(
handle.primitive(mac.Mac).compute_mac(b'data'), b'data')
def test_write_no_secret(self):
private_handle = core.new_keyset_handle(
hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM)
public_handle = private_handle.public_keyset_handle()
output_stream = io.BytesIO()
writer = core.BinaryKeysetWriter(output_stream)
public_handle.write_no_secret(writer)
with self.assertRaisesRegex(core.TinkError,
'keyset contains secret key material'):
private_handle.write_no_secret(writer)
def test_public_keyset_handle(self):
private_handle = core.new_keyset_handle(
hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM)
public_handle = private_handle.public_keyset_handle()
hybrid_dec = private_handle.primitive(hybrid.HybridDecrypt)
hybrid_enc = public_handle.primitive(hybrid.HybridEncrypt)
self.assertEqual(public_handle.keyset_info().primary_key_id,
private_handle.keyset_info().primary_key_id)
self.assertLen(public_handle.keyset_info().key_info, 1)
self.assertEqual(
public_handle.keyset_info().key_info[0].type_url,
'type.googleapis.com/google.crypto.tink.EciesAeadHkdfPublicKey')
ciphertext = hybrid_enc.encrypt(b'some plaintext', b'some context info')
self.assertEqual(
hybrid_dec.decrypt(ciphertext, b'some context info'), b'some plaintext')
def test_read_no_secret(self):
private_handle = core.new_keyset_handle(
hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM)
public_handle = private_handle.public_keyset_handle()
output_stream_pub = io.BytesIO()
writer = core.BinaryKeysetWriter(output_stream_pub)
writer.write(public_handle._keyset)
output_stream_priv = io.BytesIO()
writer = core.BinaryKeysetWriter(output_stream_priv)
writer.write(private_handle._keyset)
reader = core.BinaryKeysetReader(output_stream_pub.getvalue())
core.read_no_secret_keyset_handle(reader)
with self.assertRaisesRegex(core.TinkError,
'keyset contains secret key material'):
reader = core.BinaryKeysetReader(output_stream_priv.getvalue())
core.read_no_secret_keyset_handle(reader)
def test_write_raises_error_when_decrypt_to_wrong_keyset(self):
handle = core.new_keyset_handle(
mac.mac_key_templates.HMAC_SHA256_128BITTAG)
writer = core.BinaryKeysetWriter(io.BytesIO())
with self.assertRaisesRegex(core.TinkError, 'cannot encrypt keyset:'):
handle.write(writer, BadAead2())
def test_write_raises_error_when_encrypt_failed(self):
handle = core.new_keyset_handle(
mac.mac_key_templates.HMAC_SHA256_128BITTAG)
writer = core.BinaryKeysetWriter(io.BytesIO())
with self.assertRaisesRegex(core.TinkError, 'encrypt failed'):
handle.write(writer, FaultyAead())