Google Git
Sign in
fuchsia / third_party / tink / 77ea5026740aaedda87a23e0254bd8a1639674b4 / . / python / tink / cc / pybind / cc_key_manager_test.py
blob: 0bd5c3cad4f70499c483410661fe316ed39cd74e [file] [log] [blame]
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Tests for tink.python.tink.cc.pybind.py_key_manager."""
from typing import cast
from absl.testing import absltest
from absl.testing import parameterized
from tink.proto import aes_eax_pb2
from tink.proto import aes_siv_pb2
from tink.proto import common_pb2
from tink.proto import ecdsa_pb2
from tink.proto import ecies_aead_hkdf_pb2
from tink.proto import hmac_pb2
from tink.proto import hmac_prf_pb2
from tink.proto import hpke_pb2
from tink.proto import jwt_ecdsa_pb2
from tink.proto import jwt_hmac_pb2
from tink.proto import tink_pb2
from tink import aead
from tink import hybrid
from tink.cc.pybind import tink_bindings
def setUpModule():
tink_bindings.register()
tink_bindings.register_jwt()
tink_bindings.register_hpke()
class AeadKeyManagerTest(absltest.TestCase):
def setUp(self):
super().setUp()
self.key_manager = tink_bindings.AeadKeyManager.from_cc_registry(
'type.googleapis.com/google.crypto.tink.AesEaxKey')
def new_aes_eax_key_template(self, iv_size, key_size):
key_format = aes_eax_pb2.AesEaxKeyFormat()
key_format.params.iv_size = iv_size
key_format.key_size = key_size
key_template = tink_pb2.KeyTemplate()
key_template.type_url = 'type.googleapis.com/google.crypto.tink.AesEaxKey'
key_template.value = key_format.SerializeToString()
return key_template.SerializeToString()
def test_key_type(self):
self.assertEqual(self.key_manager.key_type(),
'type.googleapis.com/google.crypto.tink.AesEaxKey')
def test_new_key_data(self):
key_template = self.new_aes_eax_key_template(12, 16)
serialized_key_data = self.key_manager.new_key_data(key_template)
key_data = tink_pb2.KeyData.FromString(serialized_key_data)
self.assertEqual(key_data.type_url, self.key_manager.key_type())
self.assertEqual(key_data.key_material_type, tink_pb2.KeyData.SYMMETRIC)
key = aes_eax_pb2.AesEaxKey.FromString(key_data.value)
self.assertEqual(key.version, 0)
self.assertEqual(key.params.iv_size, 12)
self.assertLen(key.key_value, 16)
def test_invalid_params_raise_exception(self):
key_template = self.new_aes_eax_key_template(9, 16)
with self.assertRaises(tink_bindings.PythonTinkException):
self.key_manager.new_key_data(key_template)
def test_encrypt_decrypt(self):
key_template = self.new_aes_eax_key_template(12, 16)
key_data = self.key_manager.new_key_data(key_template)
primitive = self.key_manager.primitive(key_data)
plaintext = b'plaintext'
associated_data = b'associated_data'
ciphertext = primitive.encrypt(plaintext, associated_data)
self.assertEqual(primitive.decrypt(ciphertext, associated_data), plaintext)
class DeterministicAeadKeyManagerTest(absltest.TestCase):
def setUp(self):
super().setUp()
daead_key_manager = tink_bindings.DeterministicAeadKeyManager
self.key_manager = daead_key_manager.from_cc_registry(
'type.googleapis.com/google.crypto.tink.AesSivKey')
def new_aes_siv_key_template(self, key_size):
key_format = aes_siv_pb2.AesSivKeyFormat()
key_format.key_size = key_size
key_template = tink_pb2.KeyTemplate()
key_template.type_url = 'type.googleapis.com/google.crypto.tink.AesSivKey'
key_template.value = key_format.SerializeToString()
return key_template.SerializeToString()
def test_key_type(self):
self.assertEqual(self.key_manager.key_type(),
'type.googleapis.com/google.crypto.tink.AesSivKey')
def test_new_key_data(self):
key_template = self.new_aes_siv_key_template(64)
key_data = tink_pb2.KeyData.FromString(
self.key_manager.new_key_data(key_template))
self.assertEqual(key_data.type_url, self.key_manager.key_type())
self.assertEqual(key_data.key_material_type, tink_pb2.KeyData.SYMMETRIC)
key = aes_siv_pb2.AesSivKey.FromString(key_data.value)
self.assertEqual(key.version, 0)
self.assertLen(key.key_value, 64)
def test_invalid_params_raise_exception(self):
key_template = self.new_aes_siv_key_template(65)
with self.assertRaises(tink_bindings.PythonTinkException):
self.key_manager.new_key_data(key_template)
def test_encrypt_decrypt(self):
key_template = self.new_aes_siv_key_template(64)
key_data = self.key_manager.new_key_data(key_template)
primitive = self.key_manager.primitive(key_data)
plaintext = b'plaintext'
associated_data = b'associated_data'
ciphertext = primitive.encrypt_deterministically(plaintext, associated_data)
self.assertEqual(
primitive.decrypt_deterministically(ciphertext, associated_data),
plaintext)
class HybridKeyManagerTest(absltest.TestCase):
def hybrid_decrypt_key_manager(self):
return tink_bindings.HybridDecryptKeyManager.from_cc_registry(
'type.googleapis.com/google.crypto.tink.EciesAeadHkdfPrivateKey')
def hybrid_encrypt_key_manager(self):
return tink_bindings.HybridEncryptKeyManager.from_cc_registry(
'type.googleapis.com/google.crypto.tink.EciesAeadHkdfPublicKey')
def test_new_key_data(self):
key_manager = self.hybrid_decrypt_key_manager()
key_data = tink_pb2.KeyData.FromString(
key_manager.new_key_data(
hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM
.SerializeToString()))
self.assertEqual(key_data.type_url, key_manager.key_type())
self.assertEqual(key_data.key_material_type,
tink_pb2.KeyData.ASYMMETRIC_PRIVATE)
key = ecies_aead_hkdf_pb2.EciesAeadHkdfPrivateKey.FromString(key_data.value)
self.assertLen(key.key_value, 32)
self.assertEqual(key.public_key.params.kem_params.curve_type,
common_pb2.NIST_P256)
def test_new_key_data_invalid_params_raise_exception(self):
with self.assertRaisesRegex(tink_bindings.PythonTinkException,
'Unsupported elliptic curve'):
self.hybrid_decrypt_key_manager().new_key_data(
hybrid.hybrid_key_templates.create_ecies_aead_hkdf_key_template(
curve_type=cast(common_pb2.EllipticCurveType, 100), # invalid
ec_point_format=common_pb2.UNCOMPRESSED,
hash_type=common_pb2.SHA256,
dem_key_template=aead.aead_key_templates.AES128_GCM)
.SerializeToString())
def test_encrypt_decrypt(self):
decrypt_key_manager = self.hybrid_decrypt_key_manager()
encrypt_key_manager = self.hybrid_encrypt_key_manager()
key_data = decrypt_key_manager.new_key_data(
hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM
.SerializeToString())
public_key_data = decrypt_key_manager.public_key_data(key_data)
hybrid_encrypt = encrypt_key_manager.primitive(public_key_data)
ciphertext = hybrid_encrypt.encrypt(b'some plaintext', b'some context info')
hybrid_decrypt = decrypt_key_manager.primitive(key_data)
self.assertEqual(hybrid_decrypt.decrypt(ciphertext, b'some context info'),
b'some plaintext')
def test_decrypt_fails(self):
decrypt_key_manager = self.hybrid_decrypt_key_manager()
key_data = decrypt_key_manager.new_key_data(
hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM
.SerializeToString())
hybrid_decrypt = decrypt_key_manager.primitive(key_data)
with self.assertRaisesRegex(tink_bindings.PythonTinkException,
'ciphertext too short'):
hybrid_decrypt.decrypt(b'bad ciphertext', b'some context info')
class HpkeKeyManagerTest(parameterized.TestCase):
def hybrid_decrypt_key_manager(self):
return tink_bindings.HybridDecryptKeyManager.from_cc_registry(
'type.googleapis.com/google.crypto.tink.HpkePrivateKey')
def hybrid_encrypt_key_manager(self):
return tink_bindings.HybridEncryptKeyManager.from_cc_registry(
'type.googleapis.com/google.crypto.tink.HpkePublicKey')
def test_new_key_data(self):
key_manager = self.hybrid_decrypt_key_manager()
key_data = tink_pb2.KeyData.FromString(
key_manager.new_key_data(
hybrid.hybrid_key_templates
.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM.SerializeToString(
)))
self.assertEqual(key_data.type_url, key_manager.key_type())
self.assertEqual(key_data.key_material_type,
tink_pb2.KeyData.ASYMMETRIC_PRIVATE)
key = hpke_pb2.HpkePrivateKey.FromString(key_data.value)
self.assertLen(key.private_key, 32) # HPKE 'Nsk' parameter length = 32
self.assertEqual(key.public_key.params.kem,
hpke_pb2.DHKEM_X25519_HKDF_SHA256)
self.assertEqual(key.public_key.params.kdf, hpke_pb2.HKDF_SHA256)
self.assertEqual(key.public_key.params.aead, hpke_pb2.AES_128_GCM)
def test_new_key_data_invalid_kem_raise_exception(self):
with self.assertRaisesRegex(tink_bindings.PythonTinkException,
'Invalid KEM param.'):
self.hybrid_decrypt_key_manager().new_key_data(
hybrid.hybrid_key_templates._create_hpke_key_template(
hpke_kem=hpke_pb2.KEM_UNKNOWN,
hpke_kdf=hpke_pb2.HKDF_SHA256,
hpke_aead=hpke_pb2.AES_128_GCM,
output_prefix_type=tink_pb2.TINK).SerializeToString())
def test_new_key_data_invalid_kdf_raise_exception(self):
with self.assertRaisesRegex(tink_bindings.PythonTinkException,
'Invalid KDF param.'):
self.hybrid_decrypt_key_manager().new_key_data(
hybrid.hybrid_key_templates._create_hpke_key_template(
hpke_kem=hpke_pb2.DHKEM_X25519_HKDF_SHA256,
hpke_kdf=hpke_pb2.KDF_UNKNOWN,
hpke_aead=hpke_pb2.AES_128_GCM,
output_prefix_type=tink_pb2.TINK).SerializeToString())
def test_new_key_data_invalid_aead_raise_exception(self):
with self.assertRaisesRegex(tink_bindings.PythonTinkException,
'Invalid AEAD param.'):
self.hybrid_decrypt_key_manager().new_key_data(
hybrid.hybrid_key_templates._create_hpke_key_template(
hpke_kem=hpke_pb2.DHKEM_X25519_HKDF_SHA256,
hpke_kdf=hpke_pb2.HKDF_SHA256,
hpke_aead=hpke_pb2.AEAD_UNKNOWN,
output_prefix_type=tink_pb2.TINK).SerializeToString())
def test_encrypt_decrypt(self):
decrypt_key_manager = self.hybrid_decrypt_key_manager()
encrypt_key_manager = self.hybrid_encrypt_key_manager()
key_data = decrypt_key_manager.new_key_data(
hybrid.hybrid_key_templates
.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM.SerializeToString())
public_key_data = decrypt_key_manager.public_key_data(key_data)
hybrid_encrypt = encrypt_key_manager.primitive(public_key_data)
ciphertext = hybrid_encrypt.encrypt(b'some plaintext', b'some context info')
hybrid_decrypt = decrypt_key_manager.primitive(key_data)
self.assertEqual(
hybrid_decrypt.decrypt(ciphertext, b'some context info'),
b'some plaintext')
@parameterized.parameters(
[tink_pb2.TINK, tink_pb2.RAW, tink_pb2.CRUNCHY, tink_pb2.LEGACY])
def test_encrypt_decrypt_by_prefix(self, prefix):
decrypt_key_manager = self.hybrid_decrypt_key_manager()
encrypt_key_manager = self.hybrid_encrypt_key_manager()
key_data = decrypt_key_manager.new_key_data(
hybrid.hybrid_key_templates._create_hpke_key_template(
hpke_kem=hpke_pb2.DHKEM_X25519_HKDF_SHA256,
hpke_kdf=hpke_pb2.HKDF_SHA256,
hpke_aead=hpke_pb2.AES_128_GCM,
output_prefix_type=prefix).SerializeToString())
public_key_data = decrypt_key_manager.public_key_data(key_data)
hybrid_encrypt = encrypt_key_manager.primitive(public_key_data)
ciphertext = hybrid_encrypt.encrypt(b'some plaintext', b'some context info')
hybrid_decrypt = decrypt_key_manager.primitive(key_data)
self.assertEqual(
hybrid_decrypt.decrypt(ciphertext, b'some context info'),
b'some plaintext')
def test_decrypt_fails(self):
decrypt_key_manager = self.hybrid_decrypt_key_manager()
key_data = decrypt_key_manager.new_key_data(
hybrid.hybrid_key_templates
.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM.SerializeToString())
hybrid_decrypt = decrypt_key_manager.primitive(key_data)
with self.assertRaisesRegex(tink_bindings.PythonTinkException,
'Ciphertext is too short.'):
hybrid_decrypt.decrypt(b'bad ciphertext', b'some context info')
class MacKeyManagerTest(absltest.TestCase):
def setUp(self):
super().setUp()
self.key_manager = tink_bindings.MacKeyManager.from_cc_registry(
'type.googleapis.com/google.crypto.tink.HmacKey')
def new_hmac_key_template(self, hash_type, tag_size, key_size):
key_format = hmac_pb2.HmacKeyFormat()
key_format.params.hash = hash_type
key_format.params.tag_size = tag_size
key_format.key_size = key_size
key_template = tink_pb2.KeyTemplate()
key_template.type_url = 'type.googleapis.com/google.crypto.tink.HmacKey'
key_template.value = key_format.SerializeToString()
return key_template.SerializeToString()
def test_key_type(self):
self.assertEqual(self.key_manager.key_type(),
'type.googleapis.com/google.crypto.tink.HmacKey')
def test_new_key_data(self):
key_template = self.new_hmac_key_template(common_pb2.SHA256, 24, 16)
key_data = tink_pb2.KeyData.FromString(
self.key_manager.new_key_data(key_template))
self.assertEqual(key_data.type_url, self.key_manager.key_type())
key = hmac_pb2.HmacKey.FromString(key_data.value)
self.assertEqual(key.version, 0)
self.assertEqual(key.params.hash, common_pb2.SHA256)
self.assertEqual(key.params.tag_size, 24)
self.assertLen(key.key_value, 16)
def test_invalid_params_raise_exception(self):
key_template = self.new_hmac_key_template(common_pb2.SHA256, 9, 16)
with self.assertRaises(tink_bindings.PythonTinkException):
self.key_manager.new_key_data(key_template)
def test_mac_success(self):
mac = self.key_manager.primitive(
self.key_manager.new_key_data(
self.new_hmac_key_template(common_pb2.SHA256, 24, 16)))
data = b'data'
tag = mac.compute_mac(data)
self.assertLen(tag, 24)
# No exception raised.
mac.verify_mac(tag, data)
def test_mac_wrong(self):
mac = self.key_manager.primitive(
self.key_manager.new_key_data(
self.new_hmac_key_template(common_pb2.SHA256, 16, 16)))
with self.assertRaisesRegex(tink_bindings.PythonTinkException,
'verification failed'):
mac.verify_mac(b'0123456789ABCDEF', b'data')
class JwtMacKeyManagerTest(absltest.TestCase):
def setUp(self):
super().setUp()
self.key_manager = tink_bindings.MacKeyManager.from_cc_registry(
'type.googleapis.com/google.crypto.tink.JwtHmacKey')
def new_jwt_hmac_key_template(self, algorithm, key_size):
key_format = jwt_hmac_pb2.JwtHmacKeyFormat()
key_format.algorithm = algorithm
key_format.key_size = key_size
key_template = tink_pb2.KeyTemplate()
key_template.type_url = 'type.googleapis.com/google.crypto.tink.JwtHmacKey'
key_template.value = key_format.SerializeToString()
return key_template.SerializeToString()
def test_key_type(self):
self.assertEqual(self.key_manager.key_type(),
'type.googleapis.com/google.crypto.tink.JwtHmacKey')
def test_new_key_data(self):
key_template = self.new_jwt_hmac_key_template(jwt_hmac_pb2.HS256, 32)
key_data = tink_pb2.KeyData.FromString(
self.key_manager.new_key_data(key_template))
self.assertEqual(key_data.type_url, self.key_manager.key_type())
key = jwt_hmac_pb2.JwtHmacKey.FromString(key_data.value)
self.assertEqual(key.version, 0)
self.assertEqual(key.algorithm, jwt_hmac_pb2.HS256)
self.assertLen(key.key_value, 32)
def test_too_short_key_size_raises_exception(self):
key_template = self.new_jwt_hmac_key_template(jwt_hmac_pb2.HS256, 31)
with self.assertRaises(tink_bindings.PythonTinkException):
self.key_manager.new_key_data(key_template)
def test_mac_success(self):
mac = self.key_manager.primitive(
self.key_manager.new_key_data(
self.new_jwt_hmac_key_template(jwt_hmac_pb2.HS256, 32)))
data = b'data'
tag = mac.compute_mac(data)
self.assertLen(tag, 32)
# No exception raised.
mac.verify_mac(tag, data)
def test_mac_wrong(self):
mac = self.key_manager.primitive(
self.key_manager.new_key_data(
self.new_jwt_hmac_key_template(jwt_hmac_pb2.HS256, 32)))
with self.assertRaisesRegex(tink_bindings.PythonTinkException,
'verification failed'):
mac.verify_mac(b'0123456789ABCDEF0123456789ABCDEF', b'data')
class PrfKeyManagerTest(absltest.TestCase):
def setUp(self):
super().setUp()
self.key_manager = tink_bindings.PrfKeyManager.from_cc_registry(
'type.googleapis.com/google.crypto.tink.HmacPrfKey')
def new_hmac_prf_key_template(self, hash_type, key_size):
key_format = hmac_prf_pb2.HmacPrfKeyFormat()
key_format.params.hash = hash_type
key_format.key_size = key_size
key_format.version = 0
key_template = tink_pb2.KeyTemplate()
key_template.type_url = 'type.googleapis.com/google.crypto.tink.HmacPrfKey'
key_template.value = key_format.SerializeToString()
return key_template.SerializeToString()
def test_key_type(self):
self.assertEqual(self.key_manager.key_type(),
'type.googleapis.com/google.crypto.tink.HmacPrfKey')
def test_new_key_data(self):
key_template = self.new_hmac_prf_key_template(
hash_type=common_pb2.SHA256, key_size=16)
key_data = tink_pb2.KeyData.FromString(
self.key_manager.new_key_data(key_template))
self.assertEqual(key_data.type_url, self.key_manager.key_type())
key = hmac_pb2.HmacKey.FromString(key_data.value)
self.assertEqual(key.version, 0)
self.assertEqual(key.params.hash, common_pb2.SHA256)
self.assertLen(key.key_value, 16)
def test_invalid_params_raise_exception(self):
key_template = self.new_hmac_prf_key_template(
hash_type=common_pb2.SHA256, key_size=7)
with self.assertRaises(tink_bindings.PythonTinkException):
self.key_manager.new_key_data(key_template)
def test_prf_success(self):
prf = self.key_manager.primitive(
self.key_manager.new_key_data(
self.new_hmac_prf_key_template(
hash_type=common_pb2.SHA256, key_size=16)))
output = prf.compute(b'input_data', output_length=31)
self.assertLen(output, 31)
self.assertEqual(prf.compute(b'input_data', output_length=31), output)
def test_prf_bad_output_length(self):
prf = self.key_manager.primitive(
self.key_manager.new_key_data(
self.new_hmac_prf_key_template(
hash_type=common_pb2.SHA256, key_size=16)))
with self.assertRaises(tink_bindings.PythonTinkException):
_ = prf.compute(b'input_data', output_length=12345)
class PublicKeySignVerifyKeyManagerTest(absltest.TestCase):
def setUp(self):
super().setUp()
public_key_verify_manager = tink_bindings.PublicKeyVerifyKeyManager
self.key_manager_verify = public_key_verify_manager.from_cc_registry(
'type.googleapis.com/google.crypto.tink.EcdsaPublicKey')
public_key_sign_manager = tink_bindings.PublicKeySignKeyManager
self.key_manager_sign = public_key_sign_manager.from_cc_registry(
'type.googleapis.com/google.crypto.tink.EcdsaPrivateKey')
def new_ecdsa_key_template(self, hash_type, curve_type, encoding,
public=False):
params = ecdsa_pb2.EcdsaParams(
hash_type=hash_type, curve=curve_type, encoding=encoding)
key_format = ecdsa_pb2.EcdsaKeyFormat(params=params)
key_template = tink_pb2.KeyTemplate()
if public:
append = 'EcdsaPublicKey'
else:
append = 'EcdsaPrivateKey'
key_template.type_url = 'type.googleapis.com/google.crypto.tink.' + append
key_template.value = key_format.SerializeToString()
return key_template.SerializeToString()
def test_key_type_sign(self):
self.assertEqual(self.key_manager_sign.key_type(),
'type.googleapis.com/google.crypto.tink.EcdsaPrivateKey')
def test_key_type_verify(self):
self.assertEqual(self.key_manager_verify.key_type(),
'type.googleapis.com/google.crypto.tink.EcdsaPublicKey')
def test_new_key_data_sign(self):
key_template = self.new_ecdsa_key_template(
common_pb2.SHA256, common_pb2.NIST_P256, ecdsa_pb2.DER)
key_data = tink_pb2.KeyData.FromString(
self.key_manager_sign.new_key_data(key_template))
self.assertEqual(key_data.type_url, self.key_manager_sign.key_type())
key = ecdsa_pb2.EcdsaPrivateKey.FromString(key_data.value)
public_key = key.public_key
self.assertEqual(key.version, 0)
self.assertEqual(public_key.version, 0)
self.assertEqual(public_key.params.hash_type, common_pb2.SHA256)
self.assertEqual(public_key.params.curve, common_pb2.NIST_P256)
self.assertEqual(public_key.params.encoding, ecdsa_pb2.DER)
self.assertLen(key.key_value, 32)
def test_new_key_data_verify(self):
key_template = self.new_ecdsa_key_template(
common_pb2.SHA256, common_pb2.NIST_P256, ecdsa_pb2.DER, True)
with self.assertRaisesRegex(tink_bindings.PythonTinkException,
'not supported'):
self.key_manager_verify.new_key_data(key_template)
def test_signature_success(self):
priv_key = self.key_manager_sign.new_key_data(
self.new_ecdsa_key_template(common_pb2.SHA256, common_pb2.NIST_P256,
ecdsa_pb2.DER))
pub_key = self.key_manager_sign.public_key_data(priv_key)
verifier = self.key_manager_verify.primitive(pub_key)
signer = self.key_manager_sign.primitive(priv_key)
data = b'data'
signature = signer.sign(data)
# Starts with a DER sequence
self.assertEqual(bytearray(signature)[0], 0x30)
verifier.verify(signature, data)
def test_signature_fails(self):
key_template = self.new_ecdsa_key_template(
common_pb2.SHA256, common_pb2.NIST_P256, ecdsa_pb2.DER, False)
priv_key = self.key_manager_sign.new_key_data(key_template)
pub_key = self.key_manager_sign.public_key_data(priv_key)
signer = self.key_manager_sign.primitive(priv_key)
verifier = self.key_manager_verify.primitive(pub_key)
data = b'data'
signature = signer.sign(data)
with self.assertRaisesRegex(tink_bindings.PythonTinkException,
'Signature is not valid'):
verifier.verify(signature, b'wrongdata')
with self.assertRaisesRegex(tink_bindings.PythonTinkException,
'Signature is not valid'):
verifier.verify(b'wrongsignature', data)
class JwtPublicKeySignVerifyKeyManagerTest(absltest.TestCase):
def setUp(self):
super().setUp()
public_key_verify_manager = tink_bindings.PublicKeyVerifyKeyManager
self.key_manager_verify = public_key_verify_manager.from_cc_registry(
'type.googleapis.com/google.crypto.tink.JwtEcdsaPublicKey')
public_key_sign_manager = tink_bindings.PublicKeySignKeyManager
self.key_manager_sign = public_key_sign_manager.from_cc_registry(
'type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey')
def test_new_key_data_verify_fails(self):
key_format = jwt_ecdsa_pb2.JwtEcdsaKeyFormat(algorithm=jwt_ecdsa_pb2.ES256)
key_template = tink_pb2.KeyTemplate()
key_template.type_url = (
'type.googleapis.com/google.crypto.tink.JwtEcdsaPublicKey')
key_template.value = key_format.SerializeToString()
with self.assertRaisesRegex(tink_bindings.PythonTinkException,
'not supported'):
self.key_manager_verify.new_key_data(key_template.SerializeToString())
def test_signature_success(self):
key_format = jwt_ecdsa_pb2.JwtEcdsaKeyFormat(algorithm=jwt_ecdsa_pb2.ES256)
key_template = tink_pb2.KeyTemplate()
key_template.type_url = (
'type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey')
key_template.value = key_format.SerializeToString()
priv_key = self.key_manager_sign.new_key_data(
key_template.SerializeToString())
pub_key = self.key_manager_sign.public_key_data(priv_key)
verifier = self.key_manager_verify.primitive(pub_key)
signer = self.key_manager_sign.primitive(priv_key)
data = b'data'
signature = signer.sign(data)
verifier.verify(signature, data)
with self.assertRaises(tink_bindings.PythonTinkException):
verifier.verify(signature, b'wrongdata')
with self.assertRaises(tink_bindings.PythonTinkException):
verifier.verify(b'wrongsignature', data)
if __name__ == '__main__':
absltest.main()