def test_new_key_data_no_new_key_allowed(self):
self.reg.register_key_manager(
DummyKeyManager('dummy_type_url'), new_key_allowed=False)
key_template = tink_pb2.KeyTemplate(type_url='dummy_type_url')
with self.assertRaisesRegex(core.TinkError,
'does not allow for creation of new keys'):
self.reg.new_key_data(key_template)
def test_new_key_data_wrong_type_url(self):
self.reg.register_key_manager(DummyKeyManager('dummy_type_url'))
unknown_key_template = tink_pb2.KeyTemplate(
type_url='unknown_type_url')
with self.assertRaisesRegex(core.TinkError,
'No manager for type unknown_type_url'):
self.reg.new_key_data(unknown_key_template)
def new_aes_siv_key_template(self, key_size):
key_format = aes_siv_pb2.AesSivKeyFormat()
key_format.key_size = key_size
key_template = tink_pb2.KeyTemplate()
key_template.type_url = 'type.googleapis.com/google.crypto.tink.AesSivKey'
key_template.value = key_format.SerializeToString()
return key_template
def test_jwt_mac(self, lang):
key_format = jwt_hmac_pb2.JwtHmacKeyFormat(
hash_type=common_pb2.SHA256, key_size=32)
key_template = tink_pb2.KeyTemplate(
type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey',
value=key_format.SerializeToString(),
output_prefix_type=tink_pb2.RAW)
keyset = testing_servers.new_keyset(lang, key_template)
jwt_mac_primitive = testing_servers.jwt_mac(lang, keyset)
now = datetime.datetime.now(tz=datetime.timezone.utc)
token = jwt.new_raw_jwt(
issuer='issuer',
subject='subject',
audiences=['audience1', 'audience2'],
jwt_id='jwt_id',
expiration=now + datetime.timedelta(seconds=10),
custom_claims={'switch': True, 'pi': 3.14159})
compact = jwt_mac_primitive.compute_mac_and_encode(token)
validator = jwt.new_validator(audience='audience1', fixed_now=now)
verified_jwt = jwt_mac_primitive.verify_mac_and_decode(compact, validator)
self.assertEqual(verified_jwt.issuer(), 'issuer')
self.assertEqual(verified_jwt.subject(), 'subject')
self.assertEqual(verified_jwt.jwt_id(), 'jwt_id')
self.assertEqual(verified_jwt.custom_claim('switch'), True)
self.assertEqual(verified_jwt.custom_claim('pi'), 3.14159)
validator2 = jwt.new_validator(audience='wrong_audience', fixed_now=now)
with self.assertRaises(tink.TinkError):
jwt_mac_primitive.verify_mac_and_decode(compact, validator2)
def test_jwt_public_key_sign_verify(self, lang):
key_format = jwt_ecdsa_pb2.JwtEcdsaKeyFormat(
algorithm=jwt_ecdsa_pb2.ES256)
key_template = tink_pb2.KeyTemplate(
type_url='type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey',
value=key_format.SerializeToString(),
output_prefix_type=tink_pb2.RAW)
private_keyset = testing_servers.new_keyset(lang, key_template)
public_keyset = testing_servers.public_keyset(lang, private_keyset)
signer = testing_servers.jwt_public_key_sign(lang, private_keyset)
verifier = testing_servers.jwt_public_key_verify(lang, public_keyset)
now = datetime.datetime.now(tz=datetime.timezone.utc)
token = jwt.new_raw_jwt(
issuer='issuer',
subject='subject',
audiences=['audience1', 'audience2'],
jwt_id='jwt_id',
expiration=now + datetime.timedelta(seconds=10),
custom_claims={'switch': True, 'pi': 3.14159})
compact = signer.sign_and_encode(token)
validator = jwt.new_validator(audience='audience1', fixed_now=now)
verified_jwt = verifier.verify_and_decode(compact, validator)
self.assertEqual(verified_jwt.issuer(), 'issuer')
self.assertEqual(verified_jwt.subject(), 'subject')
self.assertEqual(verified_jwt.jwt_id(), 'jwt_id')
self.assertEqual(verified_jwt.custom_claim('switch'), True)
self.assertEqual(verified_jwt.custom_claim('pi'), 3.14159)
validator2 = jwt.new_validator(audience='wrong_audience', fixed_now=now)
with self.assertRaises(tink.TinkError):
verifier.verify_and_decode(compact, validator2)
def _create_jwt_hmac_template(
algorithm: jwt_hmac_pb2.JwtHmacAlgorithm) -> tink_pb2.KeyTemplate:
key_format = jwt_hmac_pb2.JwtHmacKeyFormat(algorithm=algorithm, key_size=32)
return tink_pb2.KeyTemplate(
type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey',
value=key_format.SerializeToString(),
output_prefix_type=tink_pb2.RAW)
def _create_es_template(
algorithm: jwt_ecdsa_pb2.JwtEcdsaAlgorithm) -> tink_pb2.KeyTemplate:
key_format = jwt_ecdsa_pb2.JwtEcdsaKeyFormat(algorithm=algorithm)
return tink_pb2.KeyTemplate(
type_url='type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey',
value=key_format.SerializeToString(),
output_prefix_type=tink_pb2.RAW)
def new_jwt_hmac_key_template(self, algorithm, key_size): key_format = jwt_hmac_pb2.JwtHmacKeyFormat() key_format.algorithm = algorithm key_format.key_size = key_size key_template = tink_pb2.KeyTemplate() key_template.type_url = 'type.googleapis.com/google.crypto.tink.JwtHmacKey' key_template.value = key_format.SerializeToString() return key_template.SerializeToString()
def test_new_key_data_verify_fails(self):
key_format = jwt_ecdsa_pb2.JwtEcdsaKeyFormat(algorithm=jwt_ecdsa_pb2.ES256)
key_template = tink_pb2.KeyTemplate()
key_template.type_url = (
'type.googleapis.com/google.crypto.tink.JwtEcdsaPublicKey')
key_template.value = key_format.SerializeToString()
with self.assertRaisesRegex(tink_bindings.StatusNotOk, 'not supported'):
self.key_manager_verify.new_key_data(key_template.SerializeToString())
def _create_hs_template(
hash_type: common_pb2.HashType) -> tink_pb2.KeyTemplate:
key_format = jwt_hmac_pb2.JwtHmacKeyFormat(hash_type=hash_type,
key_size=32)
return tink_pb2.KeyTemplate(
type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey',
value=key_format.SerializeToString(),
output_prefix_type=tink_pb2.RAW)
def new_aes_eax_key_template(self, iv_size, key_size):
key_format = aes_eax_pb2.AesEaxKeyFormat()
key_format.params.iv_size = iv_size
key_format.key_size = key_size
key_template = tink_pb2.KeyTemplate()
key_template.type_url = ('type.googleapis.com/google.crypto.tink.AesEaxKey')
key_template.value = key_format.SerializeToString()
return key_template
def _create_kms_aead_key_template(key_uri: Text) -> tink_pb2.KeyTemplate: """Creates a KMS Envelope AEAD KeyTemplate, and fills in its values.""" key_format = kms_aead_pb2.KmsAeadKeyFormat() key_format.key_uri = key_uri key_template = tink_pb2.KeyTemplate() key_template.value = key_format.SerializeToString() key_template.type_url = 'type.googleapis.com/google.crypto.tink.KmsAeadKey' key_template.output_prefix_type = tink_pb2.RAW return key_template
def new_hmac_key_template(self, hash_type, tag_size, key_size):
key_format = hmac_pb2.HmacKeyFormat()
key_format.params.hash = hash_type
key_format.params.tag_size = tag_size
key_format.key_size = key_size
key_template = tink_pb2.KeyTemplate()
key_template.type_url = 'type.googleapis.com/google.crypto.tink.HmacKey'
key_template.value = key_format.SerializeToString()
return key_template
def test_new_keyset_handle_on_public_key_fails(self):
key_format = ecies_aead_hkdf_pb2.EciesAeadHkdfKeyFormat()
key_template = tink_pb2.KeyTemplate()
key_template.type_url = (
'type.googleapis.com/google.crypto.tink.EciesAeadHkdfPublicKey')
key_template.value = key_format.SerializeToString()
key_template.output_prefix_type = tink_pb2.TINK
with self.assertRaises(core.TinkError):
tink.new_keyset_handle(key_template)
def create_aes_siv_key_template(key_size: int) -> tink_pb2.KeyTemplate:
"""Creates an AES EAX KeyTemplate, and fills in its values."""
key_format = aes_siv_pb2.AesSivKeyFormat()
key_format.key_size = key_size
key_template = tink_pb2.KeyTemplate()
key_template.type_url = _AES_SIV_KEY_TYPE_URL
key_template.output_prefix_type = tink_pb2.TINK
key_template.value = key_format.SerializeToString()
return key_template
def test_create_ecdsa_handle_with_invalid_algorithm_fails(self):
key_format = jwt_ecdsa_pb2.JwtEcdsaKeyFormat(
algorithm=jwt_ecdsa_pb2.ES_UNKNOWN)
template = tink_pb2.KeyTemplate(
type_url=
'type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey',
value=key_format.SerializeToString(),
output_prefix_type=tink_pb2.RAW)
with self.assertRaises(tink.TinkError):
tink.new_keyset_handle(template)
def test_text_format_symmetric_key_template(self):
template = tink_pb2.KeyTemplate(
type_url='type.googleapis.com/google.crypto.tink.AesEaxKey',
value=b'\n\x02\x08\x10\x10\x10',
output_prefix_type=tink_pb2.TINK)
expected = r"""type_url: "type.googleapis.com/google.crypto.tink.AesEaxKey"
# value: [type.googleapis.com/google.crypto.tink.AesEaxKeyFormat] {
# params {
# iv_size: 16
# }
# key_size: 16
# }
value: "\n\002\010\020\020\020"
output_prefix_type: TINK"""
output = key_util.text_format(template)
self.assertEqual(output, expected)
# the output should be in text format, and result in the original template.
self.assertEqual(
text_format.Parse(output, tink_pb2.KeyTemplate()), template)
def test_new_public_keyset_handle_fails(self):
params = ecdsa_pb2.EcdsaParams(hash_type=common_pb2.SHA256,
curve=common_pb2.NIST_P256,
encoding=ecdsa_pb2.DER)
key_format = ecdsa_pb2.EcdsaKeyFormat(params=params)
template = tink_pb2.KeyTemplate()
template.type_url = 'type.googleapis.com/google.crypto.tink.EcdsaPublicKey'
template.value = key_format.SerializeToString()
with self.assertRaises(core.TinkError):
tink.new_keyset_handle(template)
def new_ecdsa_key_template(hash_type, curve_type, encoding):
key_format = ecdsa_pb2.EcdsaKeyFormat()
key_format.params.hash_type = hash_type
key_format.params.curve = curve_type
key_format.params.encoding = encoding
key_template = tink_pb2.KeyTemplate()
key_template.type_url = (
'type.googleapis.com/google.crypto.tink.EcdsaPrivateKey')
key_template.value = key_format.SerializeToString()
return key_template
def _create_aes_cmac_key_template(key_size: int) -> tink_pb2.KeyTemplate: """Creates an AES CMAC PRF KeyTemplate, and fills in its values.""" key_format = aes_cmac_prf_pb2.AesCmacPrfKeyFormat() key_format.key_size = key_size key_format.version = 0 key_template = tink_pb2.KeyTemplate() key_template.value = key_format.SerializeToString() key_template.type_url = _AES_CMAC_PRF_KEY_TYPE_URL key_template.output_prefix_type = tink_pb2.RAW return key_template
def test_text_format_asymmetric_key_template(self):
template = tink_pb2.KeyTemplate(
type_url='type.googleapis.com/google.crypto.tink.EcdsaPrivateKey',
value=b'\022\006\010\004\020\003\030\002',
output_prefix_type=tink_pb2.TINK)
expected = r"""type_url: "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey"
# value: [type.googleapis.com/google.crypto.tink.EcdsaKeyFormat] {
# params {
# hash_type: SHA512
# curve: NIST_P384
# encoding: DER
# }
# }
value: "\022\006\010\004\020\003\030\002"
output_prefix_type: TINK"""
output = key_util.text_format(template)
self.assertEqual(output, expected)
# the output should be in text format, and result in the original template.
self.assertEqual(
text_format.Parse(output, tink_pb2.KeyTemplate()), template)
def _create_aes_cmac_key_template(key_size: int,
tag_size: int) -> tink_pb2.KeyTemplate:
""""Creates an AES-CMAC KeyTemplate, and fills in its values."""
key_format = aes_cmac_pb2.AesCmacKeyFormat()
key_format.key_size = key_size
key_format.params.tag_size = tag_size
key_template = tink_pb2.KeyTemplate()
key_template.value = key_format.SerializeToString()
key_template.type_url = 'type.googleapis.com/google.crypto.tink.AesCmacKey'
key_template.output_prefix_type = tink_pb2.TINK
return key_template
def test_new_key_data_on_public_key_manager_fails(self):
key_format = ecies_aead_hkdf_pb2.EciesAeadHkdfKeyFormat()
key_template = tink_pb2.KeyTemplate()
key_template.type_url = (
'type.googleapis.com/google.crypto.tink.EciesAeadHkdfPublicKey')
key_template.value = key_format.SerializeToString()
key_template.output_prefix_type = tink_pb2.TINK
with self.assertRaisesRegex(tink_error.TinkError,
'Operation not supported for public keys'):
key_manager = _hybrid_encrypt_key_manager()
key_manager.new_key_data(key_template)
def _create_ps_template(algorithm: jwt_rsa_ssa_pss_pb2.JwtRsaSsaPssAlgorithm,
modulus_size: int) -> tink_pb2.KeyTemplate:
key_format = jwt_rsa_ssa_pss_pb2.JwtRsaSsaPssKeyFormat(
algorithm=algorithm,
modulus_size_in_bits=modulus_size,
public_exponent=_num_to_bytes(_F4))
return tink_pb2.KeyTemplate(
type_url=
'type.googleapis.com/google.crypto.tink.JwtRsaSsaPssPrivateKey',
value=key_format.SerializeToString(),
output_prefix_type=tink_pb2.RAW)
def _create_hkdf_key_template(
key_size: int, hash_type: common_pb2.HashType) -> tink_pb2.KeyTemplate:
"""Creates an HKDF PRF KeyTemplate, and fills in its values."""
key_format = hkdf_prf_pb2.HkdfPrfKeyFormat()
key_format.params.hash = hash_type
key_format.key_size = key_size
key_format.version = 0
key_template = tink_pb2.KeyTemplate()
key_template.value = key_format.SerializeToString()
key_template.type_url = _HKDF_PRF_KEY_TYPE_URL
key_template.output_prefix_type = tink_pb2.RAW
return key_template
def template_from_testdata(
template_name: Text,
dir_name: Optional[Text] = None) -> tink_pb2.KeyTemplate:
"""Reads a template from the testdata."""
if dir_name:
path = os.path.join(tink_root_path(), 'testdata/templates', dir_name,
template_name)
else:
path = os.path.join(tink_root_path(), 'testdata/templates', template_name)
with open(path, mode='rt') as f:
data = f.read()
return text_format.Parse(data, tink_pb2.KeyTemplate())
def _create_aes_gcm_siv_key_template(
key_size: int,
output_prefix_type: tink_pb2.OutputPrefixType = tink_pb2.TINK
) -> tink_pb2.KeyTemplate:
"""Creates an AES GCM SIV KeyTemplate, and fills in its values."""
key_format = aes_gcm_siv_pb2.AesGcmSivKeyFormat()
key_format.key_size = key_size
key_template = tink_pb2.KeyTemplate()
key_template.value = key_format.SerializeToString()
key_template.type_url = _AES_GCM_SIV_KEY_TYPE_URL
key_template.output_prefix_type = output_prefix_type
return key_template
def _test_case(
algorithm: jwt_hmac_pb2.JwtHmacAlgorithm, key_size: int,
output_prefix_type: tink_pb2.OutputPrefixType
) -> Tuple[str, tink_pb2.KeyTemplate]:
key_format = jwt_hmac_pb2.JwtHmacKeyFormat(
algorithm=algorithm, key_size=key_size)
template = tink_pb2.KeyTemplate(
type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey',
value=key_format.SerializeToString(),
output_prefix_type=output_prefix_type)
return ('JwtHmacKey(%d,%s,%s)' %
(key_size, jwt_hmac_pb2.JwtHmacAlgorithm.Name(algorithm),
tink_pb2.OutputPrefixType.Name(output_prefix_type)), template)
def _create_hmac_key_template(
key_size: int, tag_size: int,
hash_type: common_pb2.HashType) -> tink_pb2.KeyTemplate:
"""Creates a HMAC KeyTemplate, and fills in its values."""
key_format = hmac_pb2.HmacKeyFormat()
key_format.params.hash = hash_type
key_format.params.tag_size = tag_size
key_format.key_size = key_size
key_template = tink_pb2.KeyTemplate()
key_template.value = key_format.SerializeToString()
key_template.type_url = 'type.googleapis.com/google.crypto.tink.HmacKey'
key_template.output_prefix_type = tink_pb2.TINK
return key_template
def new_ecdsa_key_template(hash_type, curve_type, encoding, public=True):
params = ecdsa_pb2.EcdsaParams(
hash_type=hash_type, curve=curve_type, encoding=encoding)
key_format = ecdsa_pb2.EcdsaKeyFormat(params=params)
key_template = tink_pb2.KeyTemplate()
if public:
append = 'EcdsaPublicKey'
else:
append = 'EcdsaPrivateKey'
key_template.type_url = 'type.googleapis.com/google.crypto.tink.' + append
key_template.value = key_format.SerializeToString()
return key_template
