def test_encrypt_decrypt(self, key_template_name, supported_langs):
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
private_keyset = testing_servers.new_keyset('java', key_template)
supported_signers = [
testing_servers.public_key_sign(lang, private_keyset)
for lang in supported_langs
]
unsupported_signers = [
testing_servers.public_key_sign(lang, private_keyset)
for lang in SUPPORTED_LANGUAGES if lang not in supported_langs
]
public_keyset = testing_servers.public_keyset('java', private_keyset)
supported_verifiers = [
testing_servers.public_key_verify(lang, public_keyset)
for lang in supported_langs
]
unsupported_verifiers = [
testing_servers.public_key_verify(lang, public_keyset)
for lang in testing_servers.LANGUAGES
if lang not in supported_langs
]
for signer in supported_signers:
message = (
b'A message to be signed using key_template %s in %s.' %
(key_template_name.encode('utf8'), signer.lang.encode('utf8')))
sign = signer.sign(message)
for verifier in supported_verifiers:
self.assertIsNone(verifier.verify(sign, message))
for verifier in unsupported_verifiers:
with self.assertRaises(tink.TinkError):
verifier.verify(sign, message)
for signer in unsupported_signers:
with self.assertRaises(tink.TinkError):
_ = signer.sign(message)
def test_key_rotation(self, enc_lang, dec_lang, old_key_tmpl,
new_key_tmpl):
# Do a key rotation from an old key generated from old_key_tmpl to a new
# key generated from new_key_tmpl. Encryption and decryption are done
# in languages enc_lang and dec_lang.
builder = keyset_builder.new_keyset_builder()
older_key_id = builder.add_new_key(old_key_tmpl)
builder.set_primary_key(older_key_id)
sign1 = testing_servers.public_key_sign(enc_lang, builder.keyset())
verify1 = testing_servers.public_key_verify(dec_lang,
builder.public_keyset())
newer_key_id = builder.add_new_key(new_key_tmpl)
sign2 = testing_servers.public_key_sign(enc_lang, builder.keyset())
verify2 = testing_servers.public_key_verify(dec_lang,
builder.public_keyset())
builder.set_primary_key(newer_key_id)
sign3 = testing_servers.public_key_sign(enc_lang, builder.keyset())
verify3 = testing_servers.public_key_verify(dec_lang,
builder.public_keyset())
builder.disable_key(older_key_id)
sign4 = testing_servers.public_key_sign(enc_lang, builder.keyset())
verify4 = testing_servers.public_key_verify(dec_lang,
builder.public_keyset())
self.assertNotEqual(older_key_id, newer_key_id)
# 1 signs with the older key. So 1, 2 and 3 can verify it, but not 4.
data_signature1 = sign1.sign(b'data')
verify1.verify(data_signature1, b'data')
verify2.verify(data_signature1, b'data')
verify3.verify(data_signature1, b'data')
with self.assertRaises(tink.TinkError):
verify4.verify(data_signature1, b'data')
# 2 signs with the older key. So 1, 2 and 3 can verify it, but not 4.
data_signature2 = sign2.sign(b'data')
verify1.verify(data_signature2, b'data')
verify2.verify(data_signature2, b'data')
verify3.verify(data_signature2, b'data')
with self.assertRaises(tink.TinkError):
verify4.verify(data_signature2, b'data')
# 3 signs with the newer key. So 2, 3 and 4 can verify it, but not 1.
data_signature3 = sign3.sign(b'data')
with self.assertRaises(tink.TinkError):
verify1.verify(data_signature3, b'data')
verify2.verify(data_signature3, b'data')
verify3.verify(data_signature3, b'data')
verify4.verify(data_signature3, b'data')
# 4 signs with the newer key. So 2, 3 and 4 can verify it, but not 1.
data_signature4 = sign4.sign(b'data')
with self.assertRaises(tink.TinkError):
verify1.verify(data_signature4, b'data')
verify2.verify(data_signature4, b'data')
verify3.verify(data_signature4, b'data')
verify4.verify(data_signature4, b'data')
def test_sign_verify(self, key_template_name):
supported_langs = supported_key_types.SUPPORTED_LANGUAGES_BY_TEMPLATE_NAME[
key_template_name]
self.assertNotEmpty(supported_langs)
key_template = supported_key_types.KEY_TEMPLATE[key_template_name]
# Take the first supported language to generate the private keyset.
private_keyset = testing_servers.new_keyset(supported_langs[0],
key_template)
supported_signers = [
testing_servers.public_key_sign(lang, private_keyset)
for lang in supported_langs
]
unsupported_signers = [
testing_servers.public_key_sign(lang, private_keyset)
for lang in SUPPORTED_LANGUAGES if lang not in supported_langs
]
public_keyset = testing_servers.public_keyset('java', private_keyset)
supported_verifiers = [
testing_servers.public_key_verify(lang, public_keyset)
for lang in supported_langs
]
unsupported_verifiers = [
testing_servers.public_key_verify(lang, public_keyset)
for lang in testing_servers.LANGUAGES
if lang not in supported_langs
]
for signer in supported_signers:
message = (
b'A message to be signed using key_template %s in %s.' %
(key_template_name.encode('utf8'), signer.lang.encode('utf8')))
sign = signer.sign(message)
for verifier in supported_verifiers:
self.assertIsNone(verifier.verify(sign, message))
for verifier in unsupported_verifiers:
with self.assertRaises(
tink.TinkError,
msg=
'Language %s supports signature verify with %s unexpectedly'
% (verifier.lang, key_template_name)):
verifier.verify(sign, message)
for signer in unsupported_signers:
with self.assertRaises(
tink.TinkError,
msg=
'Language %s supports signature sign with %s unexpectedly'
% (signer.lang, key_template_name)):
_ = signer.sign(message)
def test_signature(self, lang):
private_handle = testing_servers.new_keyset(
lang, signature.signature_key_templates.ED25519)
public_handle = testing_servers.public_keyset(lang, private_handle)
sign_primitive = testing_servers.public_key_sign(lang, private_handle)
data = b'The quick brown fox jumps over the lazy dog'
signature_value = sign_primitive.sign(data)
verify_primitive = testing_servers.public_key_verify(lang, public_handle)
verify_primitive.verify(signature_value, data)
with self.assertRaises(tink.TinkError):
verify_primitive.verify(b'foo', data)
def test_signature_without_primary(self, key_template_name, lang):
"""Unsets the primary key and tries to sign and verify signatures."""
template = supported_key_types.KEY_TEMPLATE[key_template_name]
private_keyset = testing_servers.new_keyset(lang, template)
public_keyset = testing_servers.public_keyset(lang, private_keyset)
sig = testing_servers.public_key_sign(lang,
private_keyset).sign(b'foo')
testing_servers.public_key_verify(lang,
public_keyset).verify(sig, b'foo')
signer_without_primary = testing_servers.public_key_sign(
lang, unset_primary(private_keyset))
verifier_without_primary = testing_servers.public_key_verify(
lang, unset_primary(public_keyset))
with self.assertRaises(tink.TinkError):
signer_without_primary.sign(b'foo')
if lang in ['java', 'python']:
# Java and Python currently allow this.
verifier_without_primary.verify(sig, b'foo')
else:
with self.assertRaises(tink.TinkError):
verifier_without_primary.verify(sig, b'foo')
