Google Git
Sign in
fuchsia / third_party / tink / 837cb690988e5ce1b929bfdf6fb4cafdb44a2531 / . / python / tink / signature / _signature_wrapper_test.py
blob: 8bc3ae8fc528a1dc6e924c25999493fa9fe5a34b [file] [log] [blame]
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Tests for tink.python.tink.public_key_sign_wrapper."""
from __future__ import absolute_import
from __future__ import division
from __future__ import print_function
from absl.testing import absltest
from absl.testing import parameterized
import tink
from tink import signature
from tink.testing import keyset_builder
TEMPLATE = signature.signature_key_templates.ECDSA_P256
LEGACY_TEMPLATE = keyset_builder.legacy_template(TEMPLATE)
RAW_TEMPLATE = keyset_builder.raw_template(TEMPLATE)
def setUpModule():
signature.register()
class SignatureWrapperTest(parameterized.TestCase):
@parameterized.parameters([TEMPLATE, LEGACY_TEMPLATE, RAW_TEMPLATE])
def test_sign_verify(self, template):
private_handle = tink.new_keyset_handle(template)
public_handle = private_handle.public_keyset_handle()
sign_primitive = private_handle.primitive(signature.PublicKeySign)
verify_primitive = public_handle.primitive(signature.PublicKeyVerify)
data_signature = sign_primitive.sign(b'data')
verify_primitive.verify(data_signature, b'data')
@parameterized.parameters([TEMPLATE, LEGACY_TEMPLATE, RAW_TEMPLATE])
def test_verify_fails_on_wrong_data(self, template):
private_handle = tink.new_keyset_handle(template)
public_handle = private_handle.public_keyset_handle()
sign_primitive = private_handle.primitive(signature.PublicKeySign)
verify_primitive = public_handle.primitive(signature.PublicKeyVerify)
data_signature = sign_primitive.sign(b'data')
with self.assertRaises(tink.TinkError):
verify_primitive.verify(data_signature, b'invalid data')
@parameterized.parameters([TEMPLATE, LEGACY_TEMPLATE, RAW_TEMPLATE])
def test_verify_fails_on_unknown_signature(self, template):
unknown_handle = tink.new_keyset_handle(template)
unknown_sign_primitive = unknown_handle.primitive(signature.PublicKeySign)
unknown_data_signature = unknown_sign_primitive.sign(b'data')
private_handle = tink.new_keyset_handle(template)
public_handle = private_handle.public_keyset_handle()
verify_primitive = public_handle.primitive(signature.PublicKeyVerify)
with self.assertRaises(tink.TinkError):
verify_primitive.verify(unknown_data_signature, b'data')
@parameterized.parameters([(TEMPLATE, TEMPLATE),
(TEMPLATE, LEGACY_TEMPLATE),
(TEMPLATE, RAW_TEMPLATE),
(LEGACY_TEMPLATE, TEMPLATE),
(LEGACY_TEMPLATE, LEGACY_TEMPLATE),
(LEGACY_TEMPLATE, RAW_TEMPLATE),
(RAW_TEMPLATE, TEMPLATE),
(RAW_TEMPLATE, LEGACY_TEMPLATE),
(RAW_TEMPLATE, RAW_TEMPLATE)])
def test_sign_verify_with_key_rotation(self, old_template, new_template):
builder = keyset_builder.new_keyset_builder()
older_key_id = builder.add_new_key(old_template)
builder.set_primary_key(older_key_id)
private_handle1 = builder.keyset_handle()
sign1 = private_handle1.primitive(signature.PublicKeySign)
verify1 = private_handle1.public_keyset_handle().primitive(
signature.PublicKeyVerify)
newer_key_id = builder.add_new_key(new_template)
private_handle2 = builder.keyset_handle()
sign2 = private_handle2.primitive(signature.PublicKeySign)
verify2 = private_handle2.public_keyset_handle().primitive(
signature.PublicKeyVerify)
builder.set_primary_key(newer_key_id)
private_handle3 = builder.keyset_handle()
sign3 = private_handle3.primitive(signature.PublicKeySign)
verify3 = private_handle3.public_keyset_handle().primitive(
signature.PublicKeyVerify)
builder.disable_key(older_key_id)
private_handle4 = builder.keyset_handle()
sign4 = private_handle4.primitive(signature.PublicKeySign)
verify4 = private_handle4.public_keyset_handle().primitive(
signature.PublicKeyVerify)
self.assertNotEqual(older_key_id, newer_key_id)
# 1 signs with the older key. So 1, 2 and 3 can verify it, but not 4.
data_signature1 = sign1.sign(b'data')
verify1.verify(data_signature1, b'data')
verify2.verify(data_signature1, b'data')
verify3.verify(data_signature1, b'data')
with self.assertRaises(tink.TinkError):
verify4.verify(data_signature1, b'data')
# 2 signs with the older key. So 1, 2 and 3 can verify it, but not 4.
data_signature2 = sign2.sign(b'data')
verify1.verify(data_signature2, b'data')
verify2.verify(data_signature2, b'data')
verify3.verify(data_signature2, b'data')
with self.assertRaises(tink.TinkError):
verify4.verify(data_signature2, b'data')
# 3 signs with the newer key. So 2, 3 and 4 can verify it, but not 1.
data_signature3 = sign3.sign(b'data')
with self.assertRaises(tink.TinkError):
verify1.verify(data_signature3, b'data')
verify2.verify(data_signature3, b'data')
verify3.verify(data_signature3, b'data')
verify4.verify(data_signature3, b'data')
# 4 signs with the newer key. So 2, 3 and 4 can verify it, but not 1.
data_signature4 = sign4.sign(b'data')
with self.assertRaises(tink.TinkError):
verify1.verify(data_signature4, b'data')
verify2.verify(data_signature4, b'data')
verify3.verify(data_signature4, b'data')
verify4.verify(data_signature4, b'data')
if __name__ == '__main__':
absltest.main()