go/tink/keyset_manager_test.go - third_party/tink - Git at Google

 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 ////////////////////////////////////////////////////////////////////////////////

 package tink_test

 import (
 	"fmt"
 	"strings"
 	"testing"

 	"github.com/google/tink/go/aead"
 	"github.com/google/tink/go/mac"
 	"github.com/google/tink/go/testutil"
 	"github.com/google/tink/go/tink"
 	tinkpb "github.com/google/tink/proto/tink_go_proto"
 )

 func setupKeysetManagerTest() {
 	_, err := mac.RegisterStandardKeyTypes()
 	if err != nil {
 		panic(fmt.Sprintf("cannot register mac key types: %s", err))
 	}
 	_, err = aead.RegisterStandardKeyTypes()
 	if err != nil {
 		panic(fmt.Sprintf("cannot register aead key types: %s", err))
 	}
 }

 func TestKeysetManagerBasic(t *testing.T) {
 	setupKeysetManagerTest()

 	manager := tink.NewKeysetManager(nil, nil, nil)
 	err := manager.Rotate()
 	if err == nil || !strings.Contains(err.Error(), "need key template") {
 		t.Errorf("expect an error when key template is nil")
 	}
 	// Create a keyset that contains a single HmacKey.
 	template := mac.HmacSha256Tag128KeyTemplate()
 	manager = tink.NewKeysetManager(template, nil, nil)
 	err = manager.Rotate()
 	if err != nil {
 		t.Errorf("cannot rotate when key template is available: %s", err)
 	}
 	keyset := manager.Keyset()
 	if len(keyset.Key) != 1 {
 		t.Errorf("expect the number of keys in the keyset is 1")
 	}
 	if keyset.Key[0].KeyId != keyset.PrimaryKeyId ||
 		keyset.Key[0].KeyData.TypeUrl != mac.HmacTypeURL ||
 		keyset.Key[0].Status != tinkpb.KeyStatusType_ENABLED ||
 		keyset.Key[0].OutputPrefixType != tinkpb.OutputPrefixType_TINK {
 		t.Errorf("incorrect key information: %s", keyset.Key[0])
 	}
 }

 func TestEncryptedKeyset(t *testing.T) {
 	setupKeysetManagerTest()
 	macTemplate := mac.HmacSha256Tag128KeyTemplate()
 	aesTemplate := aead.Aes128GcmKeyTemplate()
 	keyData, err := tink.NewKeyData(aesTemplate)
 	if err != nil {
 		t.Errorf("cannot create new key data: %s", err)
 	}
 	p, err := tink.GetPrimitiveFromKeyData(keyData)
 	if p == nil || err != nil {
 		t.Errorf("cannot get primitive from key data: %s", err)
 	}
 	masterKey := p.(tink.Aead)
 	manager := tink.NewKeysetManager(macTemplate, masterKey, nil)
 	err = manager.Rotate()
 	if err != nil {
 		t.Errorf("cannot rotate when key template is available: %s", err)
 	}
 	handle, err := manager.GetKeysetHandle()
 	if handle == nil || err != nil {
 		t.Errorf("cannot get keyset handle: %s", err)
 	}
 	info, err := handle.KeysetInfo()
 	if info == nil || err != nil {
 		t.Errorf("cannot get keyset info: %s", err)
 	}
 	if len(info.KeyInfo) != 1 {
 		t.Errorf("incorrect number of keys: %v", len(info.KeyInfo))
 	}
 	if info.PrimaryKeyId != info.KeyInfo[0].KeyId {
 		t.Errorf("incorrect primary key id: %d >< %d", info.PrimaryKeyId, info.KeyInfo[0].KeyId)
 	}
 	if info.KeyInfo[0].TypeUrl != mac.HmacTypeURL ||
 		info.KeyInfo[0].Status != tinkpb.KeyStatusType_ENABLED ||
 		info.KeyInfo[0].OutputPrefixType != tinkpb.OutputPrefixType_TINK {
 		t.Errorf("incorrect key info: %s", info.KeyInfo[0])
 	}
 }

 func TestExistingKeyset(t *testing.T) {
 	// Create a keyset that contains a single HmacKey.
 	macTemplate := mac.HmacSha256Tag128KeyTemplate()
 	manager1 := tink.NewKeysetManager(macTemplate, nil, nil)
 	err := manager1.Rotate()
 	if err != nil {
 		t.Errorf("cannot rotate when key template is available: %s", err)
 	}
 	handle1, err := manager1.GetKeysetHandle()
 	if err != nil {
 		t.Errorf("cannot get keyset handle: %s", err)
 	}
 	keyset1 := handle1.Keyset()

 	manager2 := tink.NewKeysetManager(nil, nil, keyset1)
 	manager2.RotateWithTemplate(macTemplate)
 	handle2, err := manager2.GetKeysetHandle()
 	if err != nil {
 		t.Errorf("cannot get keyset handle: %s", err)
 	}
 	keyset2 := handle2.Keyset()
 	if len(keyset2.Key) != 2 {
 		t.Errorf("expect the number of keys to be 2, got %d", len(keyset2.Key))
 	}
 	if keyset1.Key[0].String() != keyset2.Key[0].String() {
 		t.Errorf("expect the first key in two keysets to be the same")
 	}
 	if keyset2.Key[1].KeyId != keyset2.PrimaryKeyId {
 		t.Errorf("expect the second key to be primary")
 	}
 }

 /**
  * Tests that when encryption with KMS failed, an exception is thrown.
  */
 func TestFaultyKms(t *testing.T) {
 	var masterKey tink.Aead = new(testutil.DummyAead)
 	template := mac.HmacSha256Tag128KeyTemplate()
 	manager := tink.NewKeysetManager(template, masterKey, nil)
 	err := manager.Rotate()
 	if err != nil {
 		t.Errorf("cannot rotate when key template is available: %s", err)
 	}
 	_, err = manager.GetKeysetHandle()
 	if err == nil || !strings.Contains(err.Error(), "dummy") {
 		t.Errorf("expect an error with dummy aead: %s", err)
 	}
 }
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	//
	////////////////////////////////////////////////////////////////////////////////

	package tink_test

	import (
	"fmt"
	"strings"
	"testing"

	"github.com/google/tink/go/aead"
	"github.com/google/tink/go/mac"
	"github.com/google/tink/go/testutil"
	"github.com/google/tink/go/tink"
	tinkpb "github.com/google/tink/proto/tink_go_proto"
	)

	func setupKeysetManagerTest() {
	_, err := mac.RegisterStandardKeyTypes()
	if err != nil {
	panic(fmt.Sprintf("cannot register mac key types: %s", err))
	}
	_, err = aead.RegisterStandardKeyTypes()
	if err != nil {
	panic(fmt.Sprintf("cannot register aead key types: %s", err))
	}
	}

	func TestKeysetManagerBasic(t *testing.T) {
	setupKeysetManagerTest()

	manager := tink.NewKeysetManager(nil, nil, nil)
	err := manager.Rotate()
	if err == nil \|\| !strings.Contains(err.Error(), "need key template") {
	t.Errorf("expect an error when key template is nil")
	}
	// Create a keyset that contains a single HmacKey.
	template := mac.HmacSha256Tag128KeyTemplate()
	manager = tink.NewKeysetManager(template, nil, nil)
	err = manager.Rotate()
	if err != nil {
	t.Errorf("cannot rotate when key template is available: %s", err)
	}
	keyset := manager.Keyset()
	if len(keyset.Key) != 1 {
	t.Errorf("expect the number of keys in the keyset is 1")
	}
	if keyset.Key[0].KeyId != keyset.PrimaryKeyId \|\|
	keyset.Key[0].KeyData.TypeUrl != mac.HmacTypeURL \|\|
	keyset.Key[0].Status != tinkpb.KeyStatusType_ENABLED \|\|
	keyset.Key[0].OutputPrefixType != tinkpb.OutputPrefixType_TINK {
	t.Errorf("incorrect key information: %s", keyset.Key[0])
	}
	}

	func TestEncryptedKeyset(t *testing.T) {
	setupKeysetManagerTest()
	macTemplate := mac.HmacSha256Tag128KeyTemplate()
	aesTemplate := aead.Aes128GcmKeyTemplate()
	keyData, err := tink.NewKeyData(aesTemplate)
	if err != nil {
	t.Errorf("cannot create new key data: %s", err)
	}
	p, err := tink.GetPrimitiveFromKeyData(keyData)
	if p == nil \|\| err != nil {
	t.Errorf("cannot get primitive from key data: %s", err)
	}
	masterKey := p.(tink.Aead)
	manager := tink.NewKeysetManager(macTemplate, masterKey, nil)
	err = manager.Rotate()
	if err != nil {
	t.Errorf("cannot rotate when key template is available: %s", err)
	}
	handle, err := manager.GetKeysetHandle()
	if handle == nil \|\| err != nil {
	t.Errorf("cannot get keyset handle: %s", err)
	}
	info, err := handle.KeysetInfo()
	if info == nil \|\| err != nil {
	t.Errorf("cannot get keyset info: %s", err)
	}
	if len(info.KeyInfo) != 1 {
	t.Errorf("incorrect number of keys: %v", len(info.KeyInfo))
	}
	if info.PrimaryKeyId != info.KeyInfo[0].KeyId {
	t.Errorf("incorrect primary key id: %d >< %d", info.PrimaryKeyId, info.KeyInfo[0].KeyId)
	}
	if info.KeyInfo[0].TypeUrl != mac.HmacTypeURL \|\|
	info.KeyInfo[0].Status != tinkpb.KeyStatusType_ENABLED \|\|
	info.KeyInfo[0].OutputPrefixType != tinkpb.OutputPrefixType_TINK {
	t.Errorf("incorrect key info: %s", info.KeyInfo[0])
	}
	}

	func TestExistingKeyset(t *testing.T) {
	// Create a keyset that contains a single HmacKey.
	macTemplate := mac.HmacSha256Tag128KeyTemplate()
	manager1 := tink.NewKeysetManager(macTemplate, nil, nil)
	err := manager1.Rotate()
	if err != nil {
	t.Errorf("cannot rotate when key template is available: %s", err)
	}
	handle1, err := manager1.GetKeysetHandle()
	if err != nil {
	t.Errorf("cannot get keyset handle: %s", err)
	}
	keyset1 := handle1.Keyset()

	manager2 := tink.NewKeysetManager(nil, nil, keyset1)
	manager2.RotateWithTemplate(macTemplate)
	handle2, err := manager2.GetKeysetHandle()
	if err != nil {
	t.Errorf("cannot get keyset handle: %s", err)
	}
	keyset2 := handle2.Keyset()
	if len(keyset2.Key) != 2 {
	t.Errorf("expect the number of keys to be 2, got %d", len(keyset2.Key))
	}
	if keyset1.Key[0].String() != keyset2.Key[0].String() {
	t.Errorf("expect the first key in two keysets to be the same")
	}
	if keyset2.Key[1].KeyId != keyset2.PrimaryKeyId {
	t.Errorf("expect the second key to be primary")
	}
	}

	/**
	* Tests that when encryption with KMS failed, an exception is thrown.
	*/
	func TestFaultyKms(t *testing.T) {
	var masterKey tink.Aead = new(testutil.DummyAead)
	template := mac.HmacSha256Tag128KeyTemplate()
	manager := tink.NewKeysetManager(template, masterKey, nil)
	err := manager.Rotate()
	if err != nil {
	t.Errorf("cannot rotate when key template is available: %s", err)
	}
	_, err = manager.GetKeysetHandle()
	if err == nil \|\| !strings.Contains(err.Error(), "dummy") {
	t.Errorf("expect an error with dummy aead: %s", err)
	}
	}