def test_encrypt_decrypt(self, key_template_name, supported_langs): key_template = supported_key_types.KEY_TEMPLATE[key_template_name] private_keyset = testing_servers.new_keyset('java', key_template) supported_signers = [ testing_servers.public_key_sign(lang, private_keyset) for lang in supported_langs ] unsupported_signers = [ testing_servers.public_key_sign(lang, private_keyset) for lang in SUPPORTED_LANGUAGES if lang not in supported_langs ] public_keyset = testing_servers.public_keyset('java', private_keyset) supported_verifiers = [ testing_servers.public_key_verify(lang, public_keyset) for lang in supported_langs ] unsupported_verifiers = [ testing_servers.public_key_verify(lang, public_keyset) for lang in testing_servers.LANGUAGES if lang not in supported_langs ] for signer in supported_signers: message = ( b'A message to be signed using key_template %s in %s.' % (key_template_name.encode('utf8'), signer.lang.encode('utf8'))) sign = signer.sign(message) for verifier in supported_verifiers: self.assertIsNone(verifier.verify(sign, message)) for verifier in unsupported_verifiers: with self.assertRaises(tink.TinkError): verifier.verify(sign, message) for signer in unsupported_signers: with self.assertRaises(tink.TinkError): _ = signer.sign(message)
def test_key_rotation(self, enc_lang, dec_lang, old_key_tmpl, new_key_tmpl): # Do a key rotation from an old key generated from old_key_tmpl to a new # key generated from new_key_tmpl. Encryption and decryption are done # in languages enc_lang and dec_lang. builder = keyset_builder.new_keyset_builder() older_key_id = builder.add_new_key(old_key_tmpl) builder.set_primary_key(older_key_id) sign1 = testing_servers.public_key_sign(enc_lang, builder.keyset()) verify1 = testing_servers.public_key_verify(dec_lang, builder.public_keyset()) newer_key_id = builder.add_new_key(new_key_tmpl) sign2 = testing_servers.public_key_sign(enc_lang, builder.keyset()) verify2 = testing_servers.public_key_verify(dec_lang, builder.public_keyset()) builder.set_primary_key(newer_key_id) sign3 = testing_servers.public_key_sign(enc_lang, builder.keyset()) verify3 = testing_servers.public_key_verify(dec_lang, builder.public_keyset()) builder.disable_key(older_key_id) sign4 = testing_servers.public_key_sign(enc_lang, builder.keyset()) verify4 = testing_servers.public_key_verify(dec_lang, builder.public_keyset()) self.assertNotEqual(older_key_id, newer_key_id) # 1 signs with the older key. So 1, 2 and 3 can verify it, but not 4. data_signature1 = sign1.sign(b'data') verify1.verify(data_signature1, b'data') verify2.verify(data_signature1, b'data') verify3.verify(data_signature1, b'data') with self.assertRaises(tink.TinkError): verify4.verify(data_signature1, b'data') # 2 signs with the older key. So 1, 2 and 3 can verify it, but not 4. data_signature2 = sign2.sign(b'data') verify1.verify(data_signature2, b'data') verify2.verify(data_signature2, b'data') verify3.verify(data_signature2, b'data') with self.assertRaises(tink.TinkError): verify4.verify(data_signature2, b'data') # 3 signs with the newer key. So 2, 3 and 4 can verify it, but not 1. data_signature3 = sign3.sign(b'data') with self.assertRaises(tink.TinkError): verify1.verify(data_signature3, b'data') verify2.verify(data_signature3, b'data') verify3.verify(data_signature3, b'data') verify4.verify(data_signature3, b'data') # 4 signs with the newer key. So 2, 3 and 4 can verify it, but not 1. data_signature4 = sign4.sign(b'data') with self.assertRaises(tink.TinkError): verify1.verify(data_signature4, b'data') verify2.verify(data_signature4, b'data') verify3.verify(data_signature4, b'data') verify4.verify(data_signature4, b'data')
def test_sign_verify(self, key_template_name): supported_langs = supported_key_types.SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[ key_template_name] self.assertNotEmpty(supported_langs) key_template = supported_key_types.KEY_TEMPLATE[key_template_name] # Take the first supported language to generate the private keyset. private_keyset = testing_servers.new_keyset(supported_langs[0], key_template) supported_signers = [ testing_servers.public_key_sign(lang, private_keyset) for lang in supported_langs ] unsupported_signers = [ testing_servers.public_key_sign(lang, private_keyset) for lang in SUPPORTED_LANGUAGES if lang not in supported_langs ] public_keyset = testing_servers.public_keyset('java', private_keyset) supported_verifiers = [ testing_servers.public_key_verify(lang, public_keyset) for lang in supported_langs ] unsupported_verifiers = [ testing_servers.public_key_verify(lang, public_keyset) for lang in testing_servers.LANGUAGES if lang not in supported_langs ] for signer in supported_signers: message = ( b'A message to be signed using key_template %s in %s.' % (key_template_name.encode('utf8'), signer.lang.encode('utf8'))) sign = signer.sign(message) for verifier in supported_verifiers: self.assertIsNone(verifier.verify(sign, message)) for verifier in unsupported_verifiers: with self.assertRaises( tink.TinkError, msg= 'Language %s supports signature verify with %s unexpectedly' % (verifier.lang, key_template_name)): verifier.verify(sign, message) for signer in unsupported_signers: with self.assertRaises( tink.TinkError, msg= 'Language %s supports signature sign with %s unexpectedly' % (signer.lang, key_template_name)): _ = signer.sign(message)
def test_signature(self, lang): private_handle = testing_servers.new_keyset( lang, signature.signature_key_templates.ED25519) public_handle = testing_servers.public_keyset(lang, private_handle) sign_primitive = testing_servers.public_key_sign(lang, private_handle) data = b'The quick brown fox jumps over the lazy dog' signature_value = sign_primitive.sign(data) verify_primitive = testing_servers.public_key_verify(lang, public_handle) verify_primitive.verify(signature_value, data) with self.assertRaises(tink.TinkError): verify_primitive.verify(b'foo', data)
def test_signature_without_primary(self, key_template_name, lang): """Unsets the primary key and tries to sign and verify signatures.""" template = supported_key_types.KEY_TEMPLATE[key_template_name] private_keyset = testing_servers.new_keyset(lang, template) public_keyset = testing_servers.public_keyset(lang, private_keyset) sig = testing_servers.public_key_sign(lang, private_keyset).sign(b'foo') testing_servers.public_key_verify(lang, public_keyset).verify(sig, b'foo') signer_without_primary = testing_servers.public_key_sign( lang, unset_primary(private_keyset)) verifier_without_primary = testing_servers.public_key_verify( lang, unset_primary(public_keyset)) with self.assertRaises(tink.TinkError): signer_without_primary.sign(b'foo') if lang in ['java', 'python']: # Java and Python currently allow this. verifier_without_primary.verify(sig, b'foo') else: with self.assertRaises(tink.TinkError): verifier_without_primary.verify(sig, b'foo')