def test_new_key_data_no_new_key_allowed(self): self.reg.register_key_manager( DummyKeyManager('dummy_type_url'), new_key_allowed=False) key_template = tink_pb2.KeyTemplate(type_url='dummy_type_url') with self.assertRaisesRegex(core.TinkError, 'does not allow for creation of new keys'): self.reg.new_key_data(key_template)
def test_new_key_data_wrong_type_url(self): self.reg.register_key_manager(DummyKeyManager('dummy_type_url')) unknown_key_template = tink_pb2.KeyTemplate( type_url='unknown_type_url') with self.assertRaisesRegex(core.TinkError, 'No manager for type unknown_type_url'): self.reg.new_key_data(unknown_key_template)
def new_aes_siv_key_template(self, key_size): key_format = aes_siv_pb2.AesSivKeyFormat() key_format.key_size = key_size key_template = tink_pb2.KeyTemplate() key_template.type_url = 'type.googleapis.com/google.crypto.tink.AesSivKey' key_template.value = key_format.SerializeToString() return key_template
def test_jwt_mac(self, lang): key_format = jwt_hmac_pb2.JwtHmacKeyFormat( hash_type=common_pb2.SHA256, key_size=32) key_template = tink_pb2.KeyTemplate( type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey', value=key_format.SerializeToString(), output_prefix_type=tink_pb2.RAW) keyset = testing_servers.new_keyset(lang, key_template) jwt_mac_primitive = testing_servers.jwt_mac(lang, keyset) now = datetime.datetime.now(tz=datetime.timezone.utc) token = jwt.new_raw_jwt( issuer='issuer', subject='subject', audiences=['audience1', 'audience2'], jwt_id='jwt_id', expiration=now + datetime.timedelta(seconds=10), custom_claims={'switch': True, 'pi': 3.14159}) compact = jwt_mac_primitive.compute_mac_and_encode(token) validator = jwt.new_validator(audience='audience1', fixed_now=now) verified_jwt = jwt_mac_primitive.verify_mac_and_decode(compact, validator) self.assertEqual(verified_jwt.issuer(), 'issuer') self.assertEqual(verified_jwt.subject(), 'subject') self.assertEqual(verified_jwt.jwt_id(), 'jwt_id') self.assertEqual(verified_jwt.custom_claim('switch'), True) self.assertEqual(verified_jwt.custom_claim('pi'), 3.14159) validator2 = jwt.new_validator(audience='wrong_audience', fixed_now=now) with self.assertRaises(tink.TinkError): jwt_mac_primitive.verify_mac_and_decode(compact, validator2)
def test_jwt_public_key_sign_verify(self, lang): key_format = jwt_ecdsa_pb2.JwtEcdsaKeyFormat( algorithm=jwt_ecdsa_pb2.ES256) key_template = tink_pb2.KeyTemplate( type_url='type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey', value=key_format.SerializeToString(), output_prefix_type=tink_pb2.RAW) private_keyset = testing_servers.new_keyset(lang, key_template) public_keyset = testing_servers.public_keyset(lang, private_keyset) signer = testing_servers.jwt_public_key_sign(lang, private_keyset) verifier = testing_servers.jwt_public_key_verify(lang, public_keyset) now = datetime.datetime.now(tz=datetime.timezone.utc) token = jwt.new_raw_jwt( issuer='issuer', subject='subject', audiences=['audience1', 'audience2'], jwt_id='jwt_id', expiration=now + datetime.timedelta(seconds=10), custom_claims={'switch': True, 'pi': 3.14159}) compact = signer.sign_and_encode(token) validator = jwt.new_validator(audience='audience1', fixed_now=now) verified_jwt = verifier.verify_and_decode(compact, validator) self.assertEqual(verified_jwt.issuer(), 'issuer') self.assertEqual(verified_jwt.subject(), 'subject') self.assertEqual(verified_jwt.jwt_id(), 'jwt_id') self.assertEqual(verified_jwt.custom_claim('switch'), True) self.assertEqual(verified_jwt.custom_claim('pi'), 3.14159) validator2 = jwt.new_validator(audience='wrong_audience', fixed_now=now) with self.assertRaises(tink.TinkError): verifier.verify_and_decode(compact, validator2)
def _create_jwt_hmac_template( algorithm: jwt_hmac_pb2.JwtHmacAlgorithm) -> tink_pb2.KeyTemplate: key_format = jwt_hmac_pb2.JwtHmacKeyFormat(algorithm=algorithm, key_size=32) return tink_pb2.KeyTemplate( type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey', value=key_format.SerializeToString(), output_prefix_type=tink_pb2.RAW)
def _create_es_template( algorithm: jwt_ecdsa_pb2.JwtEcdsaAlgorithm) -> tink_pb2.KeyTemplate: key_format = jwt_ecdsa_pb2.JwtEcdsaKeyFormat(algorithm=algorithm) return tink_pb2.KeyTemplate( type_url='type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey', value=key_format.SerializeToString(), output_prefix_type=tink_pb2.RAW)
def new_jwt_hmac_key_template(self, algorithm, key_size): key_format = jwt_hmac_pb2.JwtHmacKeyFormat() key_format.algorithm = algorithm key_format.key_size = key_size key_template = tink_pb2.KeyTemplate() key_template.type_url = 'type.googleapis.com/google.crypto.tink.JwtHmacKey' key_template.value = key_format.SerializeToString() return key_template.SerializeToString()
def test_new_key_data_verify_fails(self): key_format = jwt_ecdsa_pb2.JwtEcdsaKeyFormat(algorithm=jwt_ecdsa_pb2.ES256) key_template = tink_pb2.KeyTemplate() key_template.type_url = ( 'type.googleapis.com/google.crypto.tink.JwtEcdsaPublicKey') key_template.value = key_format.SerializeToString() with self.assertRaisesRegex(tink_bindings.StatusNotOk, 'not supported'): self.key_manager_verify.new_key_data(key_template.SerializeToString())
def _create_hs_template( hash_type: common_pb2.HashType) -> tink_pb2.KeyTemplate: key_format = jwt_hmac_pb2.JwtHmacKeyFormat(hash_type=hash_type, key_size=32) return tink_pb2.KeyTemplate( type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey', value=key_format.SerializeToString(), output_prefix_type=tink_pb2.RAW)
def new_aes_eax_key_template(self, iv_size, key_size): key_format = aes_eax_pb2.AesEaxKeyFormat() key_format.params.iv_size = iv_size key_format.key_size = key_size key_template = tink_pb2.KeyTemplate() key_template.type_url = ('type.googleapis.com/google.crypto.tink.AesEaxKey') key_template.value = key_format.SerializeToString() return key_template
def _create_kms_aead_key_template(key_uri: Text) -> tink_pb2.KeyTemplate: """Creates a KMS Envelope AEAD KeyTemplate, and fills in its values.""" key_format = kms_aead_pb2.KmsAeadKeyFormat() key_format.key_uri = key_uri key_template = tink_pb2.KeyTemplate() key_template.value = key_format.SerializeToString() key_template.type_url = 'type.googleapis.com/google.crypto.tink.KmsAeadKey' key_template.output_prefix_type = tink_pb2.RAW return key_template
def new_hmac_key_template(self, hash_type, tag_size, key_size): key_format = hmac_pb2.HmacKeyFormat() key_format.params.hash = hash_type key_format.params.tag_size = tag_size key_format.key_size = key_size key_template = tink_pb2.KeyTemplate() key_template.type_url = 'type.googleapis.com/google.crypto.tink.HmacKey' key_template.value = key_format.SerializeToString() return key_template
def test_new_keyset_handle_on_public_key_fails(self): key_format = ecies_aead_hkdf_pb2.EciesAeadHkdfKeyFormat() key_template = tink_pb2.KeyTemplate() key_template.type_url = ( 'type.googleapis.com/google.crypto.tink.EciesAeadHkdfPublicKey') key_template.value = key_format.SerializeToString() key_template.output_prefix_type = tink_pb2.TINK with self.assertRaises(core.TinkError): tink.new_keyset_handle(key_template)
def create_aes_siv_key_template(key_size: int) -> tink_pb2.KeyTemplate: """Creates an AES EAX KeyTemplate, and fills in its values.""" key_format = aes_siv_pb2.AesSivKeyFormat() key_format.key_size = key_size key_template = tink_pb2.KeyTemplate() key_template.type_url = _AES_SIV_KEY_TYPE_URL key_template.output_prefix_type = tink_pb2.TINK key_template.value = key_format.SerializeToString() return key_template
def test_create_ecdsa_handle_with_invalid_algorithm_fails(self): key_format = jwt_ecdsa_pb2.JwtEcdsaKeyFormat( algorithm=jwt_ecdsa_pb2.ES_UNKNOWN) template = tink_pb2.KeyTemplate( type_url= 'type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey', value=key_format.SerializeToString(), output_prefix_type=tink_pb2.RAW) with self.assertRaises(tink.TinkError): tink.new_keyset_handle(template)
def test_text_format_symmetric_key_template(self): template = tink_pb2.KeyTemplate( type_url='type.googleapis.com/google.crypto.tink.AesEaxKey', value=b'\n\x02\x08\x10\x10\x10', output_prefix_type=tink_pb2.TINK) expected = r"""type_url: "type.googleapis.com/google.crypto.tink.AesEaxKey" # value: [type.googleapis.com/google.crypto.tink.AesEaxKeyFormat] { # params { # iv_size: 16 # } # key_size: 16 # } value: "\n\002\010\020\020\020" output_prefix_type: TINK""" output = key_util.text_format(template) self.assertEqual(output, expected) # the output should be in text format, and result in the original template. self.assertEqual( text_format.Parse(output, tink_pb2.KeyTemplate()), template)
def test_new_public_keyset_handle_fails(self): params = ecdsa_pb2.EcdsaParams(hash_type=common_pb2.SHA256, curve=common_pb2.NIST_P256, encoding=ecdsa_pb2.DER) key_format = ecdsa_pb2.EcdsaKeyFormat(params=params) template = tink_pb2.KeyTemplate() template.type_url = 'type.googleapis.com/google.crypto.tink.EcdsaPublicKey' template.value = key_format.SerializeToString() with self.assertRaises(core.TinkError): tink.new_keyset_handle(template)
def new_ecdsa_key_template(hash_type, curve_type, encoding): key_format = ecdsa_pb2.EcdsaKeyFormat() key_format.params.hash_type = hash_type key_format.params.curve = curve_type key_format.params.encoding = encoding key_template = tink_pb2.KeyTemplate() key_template.type_url = ( 'type.googleapis.com/google.crypto.tink.EcdsaPrivateKey') key_template.value = key_format.SerializeToString() return key_template
def _create_aes_cmac_key_template(key_size: int) -> tink_pb2.KeyTemplate: """Creates an AES CMAC PRF KeyTemplate, and fills in its values.""" key_format = aes_cmac_prf_pb2.AesCmacPrfKeyFormat() key_format.key_size = key_size key_format.version = 0 key_template = tink_pb2.KeyTemplate() key_template.value = key_format.SerializeToString() key_template.type_url = _AES_CMAC_PRF_KEY_TYPE_URL key_template.output_prefix_type = tink_pb2.RAW return key_template
def test_text_format_asymmetric_key_template(self): template = tink_pb2.KeyTemplate( type_url='type.googleapis.com/google.crypto.tink.EcdsaPrivateKey', value=b'\022\006\010\004\020\003\030\002', output_prefix_type=tink_pb2.TINK) expected = r"""type_url: "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey" # value: [type.googleapis.com/google.crypto.tink.EcdsaKeyFormat] { # params { # hash_type: SHA512 # curve: NIST_P384 # encoding: DER # } # } value: "\022\006\010\004\020\003\030\002" output_prefix_type: TINK""" output = key_util.text_format(template) self.assertEqual(output, expected) # the output should be in text format, and result in the original template. self.assertEqual( text_format.Parse(output, tink_pb2.KeyTemplate()), template)
def _create_aes_cmac_key_template(key_size: int, tag_size: int) -> tink_pb2.KeyTemplate: """"Creates an AES-CMAC KeyTemplate, and fills in its values.""" key_format = aes_cmac_pb2.AesCmacKeyFormat() key_format.key_size = key_size key_format.params.tag_size = tag_size key_template = tink_pb2.KeyTemplate() key_template.value = key_format.SerializeToString() key_template.type_url = 'type.googleapis.com/google.crypto.tink.AesCmacKey' key_template.output_prefix_type = tink_pb2.TINK return key_template
def test_new_key_data_on_public_key_manager_fails(self): key_format = ecies_aead_hkdf_pb2.EciesAeadHkdfKeyFormat() key_template = tink_pb2.KeyTemplate() key_template.type_url = ( 'type.googleapis.com/google.crypto.tink.EciesAeadHkdfPublicKey') key_template.value = key_format.SerializeToString() key_template.output_prefix_type = tink_pb2.TINK with self.assertRaisesRegex(tink_error.TinkError, 'Operation not supported for public keys'): key_manager = _hybrid_encrypt_key_manager() key_manager.new_key_data(key_template)
def _create_ps_template(algorithm: jwt_rsa_ssa_pss_pb2.JwtRsaSsaPssAlgorithm, modulus_size: int) -> tink_pb2.KeyTemplate: key_format = jwt_rsa_ssa_pss_pb2.JwtRsaSsaPssKeyFormat( algorithm=algorithm, modulus_size_in_bits=modulus_size, public_exponent=_num_to_bytes(_F4)) return tink_pb2.KeyTemplate( type_url= 'type.googleapis.com/google.crypto.tink.JwtRsaSsaPssPrivateKey', value=key_format.SerializeToString(), output_prefix_type=tink_pb2.RAW)
def _create_hkdf_key_template( key_size: int, hash_type: common_pb2.HashType) -> tink_pb2.KeyTemplate: """Creates an HKDF PRF KeyTemplate, and fills in its values.""" key_format = hkdf_prf_pb2.HkdfPrfKeyFormat() key_format.params.hash = hash_type key_format.key_size = key_size key_format.version = 0 key_template = tink_pb2.KeyTemplate() key_template.value = key_format.SerializeToString() key_template.type_url = _HKDF_PRF_KEY_TYPE_URL key_template.output_prefix_type = tink_pb2.RAW return key_template
def template_from_testdata( template_name: Text, dir_name: Optional[Text] = None) -> tink_pb2.KeyTemplate: """Reads a template from the testdata.""" if dir_name: path = os.path.join(tink_root_path(), 'testdata/templates', dir_name, template_name) else: path = os.path.join(tink_root_path(), 'testdata/templates', template_name) with open(path, mode='rt') as f: data = f.read() return text_format.Parse(data, tink_pb2.KeyTemplate())
def _create_aes_gcm_siv_key_template( key_size: int, output_prefix_type: tink_pb2.OutputPrefixType = tink_pb2.TINK ) -> tink_pb2.KeyTemplate: """Creates an AES GCM SIV KeyTemplate, and fills in its values.""" key_format = aes_gcm_siv_pb2.AesGcmSivKeyFormat() key_format.key_size = key_size key_template = tink_pb2.KeyTemplate() key_template.value = key_format.SerializeToString() key_template.type_url = _AES_GCM_SIV_KEY_TYPE_URL key_template.output_prefix_type = output_prefix_type return key_template
def _test_case( algorithm: jwt_hmac_pb2.JwtHmacAlgorithm, key_size: int, output_prefix_type: tink_pb2.OutputPrefixType ) -> Tuple[str, tink_pb2.KeyTemplate]: key_format = jwt_hmac_pb2.JwtHmacKeyFormat( algorithm=algorithm, key_size=key_size) template = tink_pb2.KeyTemplate( type_url='type.googleapis.com/google.crypto.tink.JwtHmacKey', value=key_format.SerializeToString(), output_prefix_type=output_prefix_type) return ('JwtHmacKey(%d,%s,%s)' % (key_size, jwt_hmac_pb2.JwtHmacAlgorithm.Name(algorithm), tink_pb2.OutputPrefixType.Name(output_prefix_type)), template)
def _create_hmac_key_template( key_size: int, tag_size: int, hash_type: common_pb2.HashType) -> tink_pb2.KeyTemplate: """Creates a HMAC KeyTemplate, and fills in its values.""" key_format = hmac_pb2.HmacKeyFormat() key_format.params.hash = hash_type key_format.params.tag_size = tag_size key_format.key_size = key_size key_template = tink_pb2.KeyTemplate() key_template.value = key_format.SerializeToString() key_template.type_url = 'type.googleapis.com/google.crypto.tink.HmacKey' key_template.output_prefix_type = tink_pb2.TINK return key_template
def new_ecdsa_key_template(hash_type, curve_type, encoding, public=True): params = ecdsa_pb2.EcdsaParams( hash_type=hash_type, curve=curve_type, encoding=encoding) key_format = ecdsa_pb2.EcdsaKeyFormat(params=params) key_template = tink_pb2.KeyTemplate() if public: append = 'EcdsaPublicKey' else: append = 'EcdsaPrivateKey' key_template.type_url = 'type.googleapis.com/google.crypto.tink.' + append key_template.value = key_format.SerializeToString() return key_template