go/mac/aes_cmac_key_manager_test.go - third_party/tink - Git at Google

 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 ////////////////////////////////////////////////////////////////////////////////

 package mac_test

 import (
 	"encoding/hex"
 	"fmt"
 	"testing"

 	"github.com/golang/protobuf/proto"
 	"github.com/google/tink/go/core/registry"
 	"github.com/google/tink/go/mac/subtle"
 	subtleMac "github.com/google/tink/go/mac/subtle"
 	"github.com/google/tink/go/subtle/random"
 	"github.com/google/tink/go/testutil"
 	cmacpb "github.com/google/tink/go/proto/aes_cmac_go_proto"
 	tinkpb "github.com/google/tink/go/proto/tink_go_proto"
 )

 func TestGetPrimitiveCMACBasic(t *testing.T) {
 	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
 	if err != nil {
 		t.Errorf("AESCMAC key manager not found: %s", err)
 	}
 	testKeys := genValidCMACKeys()
 	for i := 0; i < len(testKeys); i++ {
 		serializedKey, _ := proto.Marshal(testKeys[i])
 		p, err := km.Primitive(serializedKey)
 		if err != nil {
 			t.Errorf("unexpected error in test case %d: %s", i, err)
 		}
 		if err := validateCMACPrimitive(p, testKeys[i]); err != nil {
 			t.Errorf("%s", err)
 		}
 	}
 }

 func TestGetPrimitiveCMACWithInvalidInput(t *testing.T) {
 	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
 	if err != nil {
 		t.Errorf("cannot obtain AESCMAC key manager: %s", err)
 	}
 	// invalid key
 	testKeys := genInvalidCMACKeys()
 	for i := 0; i < len(testKeys); i++ {
 		serializedKey, _ := proto.Marshal(testKeys[i])
 		if _, err := km.Primitive(serializedKey); err == nil {
 			t.Errorf("expect an error in test case %d", i)
 		}
 	}
 	if _, err := km.Primitive(nil); err == nil {
 		t.Errorf("expect an error when input is nil")
 	}
 	// empty input
 	if _, err := km.Primitive([]byte{}); err == nil {
 		t.Errorf("expect an error when input is empty")
 	}
 }

 func TestNewKeyCMACMultipleTimes(t *testing.T) {
 	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
 	if err != nil {
 		t.Errorf("cannot obtain AESCMAC key manager: %s", err)
 	}
 	serializedFormat, _ := proto.Marshal(testutil.NewAESCMACKeyFormat(16))
 	keys := make(map[string]bool)
 	nTest := 26
 	for i := 0; i < nTest; i++ {
 		key, _ := km.NewKey(serializedFormat)
 		serializedKey, _ := proto.Marshal(key)
 		keys[string(serializedKey)] = true

 		keyData, _ := km.NewKeyData(serializedFormat)
 		serializedKey = keyData.Value
 		keys[string(serializedKey)] = true
 	}
 	if len(keys) != nTest*2 {
 		t.Errorf("key is repeated")
 	}
 }

 func TestNewKeyCMACBasic(t *testing.T) {
 	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
 	if err != nil {
 		t.Errorf("cannot obtain AESCMAC key manager: %s", err)
 	}
 	testFormats := genValidCMACKeyFormats()
 	for i := 0; i < len(testFormats); i++ {
 		serializedFormat, _ := proto.Marshal(testFormats[i])
 		key, err := km.NewKey(serializedFormat)
 		if err != nil {
 			t.Errorf("unexpected error in test case %d: %s", i, err)
 		}
 		if err := validateCMACKey(testFormats[i], key.(*cmacpb.AesCmacKey)); err != nil {
 			t.Errorf("%s", err)
 		}
 	}
 }

 func TestNewKeyCMACWithInvalidInput(t *testing.T) {
 	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
 	if err != nil {
 		t.Errorf("cannot obtain AESCMAC key manager: %s", err)
 	}
 	// invalid key formats
 	testFormats := genInvalidCMACKeyFormats()
 	for i := 0; i < len(testFormats); i++ {
 		serializedFormat, err := proto.Marshal(testFormats[i])
 		if err != nil {
 			fmt.Println("Error!")
 		}
 		if _, err := km.NewKey(serializedFormat); err == nil {
 			t.Errorf("expect an error in test case %d: %s", i, err)
 		}
 	}
 	if _, err := km.NewKey(nil); err == nil {
 		t.Errorf("expect an error when input is nil")
 	}
 	// empty input
 	if _, err := km.NewKey([]byte{}); err == nil {
 		t.Errorf("expect an error when input is empty")
 	}
 }

 func TestNewKeyDataCMACBasic(t *testing.T) {
 	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
 	if err != nil {
 		t.Errorf("cannot obtain AESCMAC key manager: %s", err)
 	}
 	testFormats := genValidCMACKeyFormats()
 	for i := 0; i < len(testFormats); i++ {
 		serializedFormat, _ := proto.Marshal(testFormats[i])
 		keyData, err := km.NewKeyData(serializedFormat)
 		if err != nil {
 			t.Errorf("unexpected error in test case %d: %s", i, err)
 		}
 		if keyData.TypeUrl != testutil.AESCMACTypeURL {
 			t.Errorf("incorrect type url in test case %d", i)
 		}
 		if keyData.KeyMaterialType != tinkpb.KeyData_SYMMETRIC {
 			t.Errorf("incorrect key material type in test case %d", i)
 		}
 		key := new(cmacpb.AesCmacKey)
 		if err := proto.Unmarshal(keyData.Value, key); err != nil {
 			t.Errorf("invalid key value")
 		}
 		if err := validateCMACKey(testFormats[i], key); err != nil {
 			t.Errorf("invalid key")
 		}
 	}
 }

 func TestNewKeyDataCMACWithInvalidInput(t *testing.T) {
 	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
 	if err != nil {
 		t.Errorf("AESCMAC key manager not found: %s", err)
 	}
 	// invalid key formats
 	testFormats := genInvalidCMACKeyFormats()
 	for i := 0; i < len(testFormats); i++ {
 		serializedFormat, _ := proto.Marshal(testFormats[i])
 		if _, err := km.NewKeyData(serializedFormat); err == nil {
 			t.Errorf("expect an error in test case %d", i)
 		}
 	}
 	// nil input
 	if _, err := km.NewKeyData(nil); err == nil {
 		t.Errorf("expect an error when input is nil")
 	}
 }

 func TestDoesSupportCMAC(t *testing.T) {
 	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
 	if err != nil {
 		t.Errorf("AESCMAC key manager not found: %s", err)
 	}
 	if !km.DoesSupport(testutil.AESCMACTypeURL) {
 		t.Errorf("AESCMACKeyManager must support %s", testutil.AESCMACTypeURL)
 	}
 	if km.DoesSupport("some bad type") {
 		t.Errorf("AESCMACKeyManager must support only %s", testutil.AESCMACTypeURL)
 	}
 }

 func TestTypeURLCMAC(t *testing.T) {
 	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
 	if err != nil {
 		t.Errorf("AESCMAC key manager not found: %s", err)
 	}
 	if km.TypeURL() != testutil.AESCMACTypeURL {
 		t.Errorf("incorrect GetKeyType()")
 	}
 }

 func genInvalidCMACKeys() []proto.Message {
 	badVersionKey := testutil.NewAESCMACKey(16)
 	badVersionKey.Version++
 	shortKey := testutil.NewAESCMACKey(16)
 	shortKey.KeyValue = []byte{1, 1}
 	return []proto.Message{
 		// not a AESCMACKey
 		testutil.NewAESCMACParams(16),
 		// bad version
 		badVersionKey,
 		// tag size too big
 		testutil.NewAESCMACKey(17),
 		// tag size too small
 		testutil.NewAESCMACKey(1),
 		// key too short
 		shortKey,
 	}
 }

 func genInvalidCMACKeyFormats() []proto.Message {
 	shortKeyFormat := testutil.NewAESCMACKeyFormat(16)
 	shortKeyFormat.KeySize = 1
 	return []proto.Message{
 		// not a AESCMACKeyFormat
 		testutil.NewAESCMACParams(16),
 		// tag size too big
 		testutil.NewAESCMACKeyFormat(17),
 		// tag size too small
 		testutil.NewAESCMACKeyFormat(1),
 		// key too short
 		shortKeyFormat,
 	}
 }

 func genValidCMACKeyFormats() []*cmacpb.AesCmacKeyFormat {
 	return []*cmacpb.AesCmacKeyFormat{
 		testutil.NewAESCMACKeyFormat(10),
 		testutil.NewAESCMACKeyFormat(16),
 	}
 }

 func genValidCMACKeys() []*cmacpb.AesCmacKey {
 	return []*cmacpb.AesCmacKey{
 		testutil.NewAESCMACKey(10),
 		testutil.NewAESCMACKey(16),
 	}
 }

 // Checks whether the given AESCMACKey matches the given key AESCMACKeyFormat
 func validateCMACKey(format *cmacpb.AesCmacKeyFormat, key *cmacpb.AesCmacKey) error {
 	if format.KeySize != uint32(len(key.KeyValue)) ||
 		key.Params.TagSize != format.Params.TagSize {
 		return fmt.Errorf("key format and generated key do not match")
 	}
 	p, err := subtleMac.NewAESCMAC(key.KeyValue, key.Params.TagSize)
 	if err != nil {
 		return fmt.Errorf("cannot create primitive from key: %s", err)
 	}
 	return validateCMACPrimitive(p, key)
 }

 // validateCMACPrimitive checks whether the given primitive matches the given AESCMACKey
 func validateCMACPrimitive(p interface{}, key *cmacpb.AesCmacKey) error {
 	cmacPrimitive := p.(*subtleMac.AESCMAC)
 	keyPrimitive, err := subtle.NewAESCMAC(key.KeyValue, key.Params.TagSize)
 	if err != nil {
 		return fmt.Errorf("Could not create AES CMAC with key material %q and tag size %d: %s", hex.EncodeToString(key.KeyValue), key.Params.TagSize, err)
 	}
 	data := random.GetRandomBytes(20)
 	mac, err := cmacPrimitive.ComputeMAC(data)
 	if err != nil {
 		return fmt.Errorf("mac computation failed: %s", err)
 	}
 	keyMac, err := keyPrimitive.ComputeMAC(data)
 	if err != nil {
 		return fmt.Errorf("mac computation with provided key failed: %s", err)
 	}
 	if err = cmacPrimitive.VerifyMAC(mac, data); err != nil {
 		return fmt.Errorf("mac self verification failed: %s", err)
 	}
 	if err = cmacPrimitive.VerifyMAC(keyMac, data); err != nil {
 		return fmt.Errorf("mac computed with the provided key could not be verified: %s", err)
 	}
 	if err = keyPrimitive.VerifyMAC(mac, data); err != nil {
 		return fmt.Errorf("mac could not be verified by primitive using the provided key: %s", err)
 	}
 	if err = keyPrimitive.VerifyMAC(keyMac, data); err != nil {
 		return fmt.Errorf("mac self verification of mac created with the provided key failed: %s", err)
 	}
 	return nil
 }
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	//
	////////////////////////////////////////////////////////////////////////////////

	package mac_test

	import (
	"encoding/hex"
	"fmt"
	"testing"

	"github.com/golang/protobuf/proto"
	"github.com/google/tink/go/core/registry"
	"github.com/google/tink/go/mac/subtle"
	subtleMac "github.com/google/tink/go/mac/subtle"
	"github.com/google/tink/go/subtle/random"
	"github.com/google/tink/go/testutil"
	cmacpb "github.com/google/tink/go/proto/aes_cmac_go_proto"
	tinkpb "github.com/google/tink/go/proto/tink_go_proto"
	)

	func TestGetPrimitiveCMACBasic(t *testing.T) {
	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
	if err != nil {
	t.Errorf("AESCMAC key manager not found: %s", err)
	}
	testKeys := genValidCMACKeys()
	for i := 0; i < len(testKeys); i++ {
	serializedKey, _ := proto.Marshal(testKeys[i])
	p, err := km.Primitive(serializedKey)
	if err != nil {
	t.Errorf("unexpected error in test case %d: %s", i, err)
	}
	if err := validateCMACPrimitive(p, testKeys[i]); err != nil {
	t.Errorf("%s", err)
	}
	}
	}

	func TestGetPrimitiveCMACWithInvalidInput(t *testing.T) {
	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
	if err != nil {
	t.Errorf("cannot obtain AESCMAC key manager: %s", err)
	}
	// invalid key
	testKeys := genInvalidCMACKeys()
	for i := 0; i < len(testKeys); i++ {
	serializedKey, _ := proto.Marshal(testKeys[i])
	if _, err := km.Primitive(serializedKey); err == nil {
	t.Errorf("expect an error in test case %d", i)
	}
	}
	if _, err := km.Primitive(nil); err == nil {
	t.Errorf("expect an error when input is nil")
	}
	// empty input
	if _, err := km.Primitive([]byte{}); err == nil {
	t.Errorf("expect an error when input is empty")
	}
	}

	func TestNewKeyCMACMultipleTimes(t *testing.T) {
	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
	if err != nil {
	t.Errorf("cannot obtain AESCMAC key manager: %s", err)
	}
	serializedFormat, _ := proto.Marshal(testutil.NewAESCMACKeyFormat(16))
	keys := make(map[string]bool)
	nTest := 26
	for i := 0; i < nTest; i++ {
	key, _ := km.NewKey(serializedFormat)
	serializedKey, _ := proto.Marshal(key)
	keys[string(serializedKey)] = true

	keyData, _ := km.NewKeyData(serializedFormat)
	serializedKey = keyData.Value
	keys[string(serializedKey)] = true
	}
	if len(keys) != nTest*2 {
	t.Errorf("key is repeated")
	}
	}

	func TestNewKeyCMACBasic(t *testing.T) {
	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
	if err != nil {
	t.Errorf("cannot obtain AESCMAC key manager: %s", err)
	}
	testFormats := genValidCMACKeyFormats()
	for i := 0; i < len(testFormats); i++ {
	serializedFormat, _ := proto.Marshal(testFormats[i])
	key, err := km.NewKey(serializedFormat)
	if err != nil {
	t.Errorf("unexpected error in test case %d: %s", i, err)
	}
	if err := validateCMACKey(testFormats[i], key.(*cmacpb.AesCmacKey)); err != nil {
	t.Errorf("%s", err)
	}
	}
	}

	func TestNewKeyCMACWithInvalidInput(t *testing.T) {
	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
	if err != nil {
	t.Errorf("cannot obtain AESCMAC key manager: %s", err)
	}
	// invalid key formats
	testFormats := genInvalidCMACKeyFormats()
	for i := 0; i < len(testFormats); i++ {
	serializedFormat, err := proto.Marshal(testFormats[i])
	if err != nil {
	fmt.Println("Error!")
	}
	if _, err := km.NewKey(serializedFormat); err == nil {
	t.Errorf("expect an error in test case %d: %s", i, err)
	}
	}
	if _, err := km.NewKey(nil); err == nil {
	t.Errorf("expect an error when input is nil")
	}
	// empty input
	if _, err := km.NewKey([]byte{}); err == nil {
	t.Errorf("expect an error when input is empty")
	}
	}

	func TestNewKeyDataCMACBasic(t *testing.T) {
	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
	if err != nil {
	t.Errorf("cannot obtain AESCMAC key manager: %s", err)
	}
	testFormats := genValidCMACKeyFormats()
	for i := 0; i < len(testFormats); i++ {
	serializedFormat, _ := proto.Marshal(testFormats[i])
	keyData, err := km.NewKeyData(serializedFormat)
	if err != nil {
	t.Errorf("unexpected error in test case %d: %s", i, err)
	}
	if keyData.TypeUrl != testutil.AESCMACTypeURL {
	t.Errorf("incorrect type url in test case %d", i)
	}
	if keyData.KeyMaterialType != tinkpb.KeyData_SYMMETRIC {
	t.Errorf("incorrect key material type in test case %d", i)
	}
	key := new(cmacpb.AesCmacKey)
	if err := proto.Unmarshal(keyData.Value, key); err != nil {
	t.Errorf("invalid key value")
	}
	if err := validateCMACKey(testFormats[i], key); err != nil {
	t.Errorf("invalid key")
	}
	}
	}

	func TestNewKeyDataCMACWithInvalidInput(t *testing.T) {
	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
	if err != nil {
	t.Errorf("AESCMAC key manager not found: %s", err)
	}
	// invalid key formats
	testFormats := genInvalidCMACKeyFormats()
	for i := 0; i < len(testFormats); i++ {
	serializedFormat, _ := proto.Marshal(testFormats[i])
	if _, err := km.NewKeyData(serializedFormat); err == nil {
	t.Errorf("expect an error in test case %d", i)
	}
	}
	// nil input
	if _, err := km.NewKeyData(nil); err == nil {
	t.Errorf("expect an error when input is nil")
	}
	}

	func TestDoesSupportCMAC(t *testing.T) {
	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
	if err != nil {
	t.Errorf("AESCMAC key manager not found: %s", err)
	}
	if !km.DoesSupport(testutil.AESCMACTypeURL) {
	t.Errorf("AESCMACKeyManager must support %s", testutil.AESCMACTypeURL)
	}
	if km.DoesSupport("some bad type") {
	t.Errorf("AESCMACKeyManager must support only %s", testutil.AESCMACTypeURL)
	}
	}

	func TestTypeURLCMAC(t *testing.T) {
	km, err := registry.GetKeyManager(testutil.AESCMACTypeURL)
	if err != nil {
	t.Errorf("AESCMAC key manager not found: %s", err)
	}
	if km.TypeURL() != testutil.AESCMACTypeURL {
	t.Errorf("incorrect GetKeyType()")
	}
	}

	func genInvalidCMACKeys() []proto.Message {
	badVersionKey := testutil.NewAESCMACKey(16)
	badVersionKey.Version++
	shortKey := testutil.NewAESCMACKey(16)
	shortKey.KeyValue = []byte{1, 1}
	return []proto.Message{
	// not a AESCMACKey
	testutil.NewAESCMACParams(16),
	// bad version
	badVersionKey,
	// tag size too big
	testutil.NewAESCMACKey(17),
	// tag size too small
	testutil.NewAESCMACKey(1),
	// key too short
	shortKey,
	}
	}

	func genInvalidCMACKeyFormats() []proto.Message {
	shortKeyFormat := testutil.NewAESCMACKeyFormat(16)
	shortKeyFormat.KeySize = 1
	return []proto.Message{
	// not a AESCMACKeyFormat
	testutil.NewAESCMACParams(16),
	// tag size too big
	testutil.NewAESCMACKeyFormat(17),
	// tag size too small
	testutil.NewAESCMACKeyFormat(1),
	// key too short
	shortKeyFormat,
	}
	}

	func genValidCMACKeyFormats() []*cmacpb.AesCmacKeyFormat {
	return []*cmacpb.AesCmacKeyFormat{
	testutil.NewAESCMACKeyFormat(10),
	testutil.NewAESCMACKeyFormat(16),
	}
	}

	func genValidCMACKeys() []*cmacpb.AesCmacKey {
	return []*cmacpb.AesCmacKey{
	testutil.NewAESCMACKey(10),
	testutil.NewAESCMACKey(16),
	}
	}

	// Checks whether the given AESCMACKey matches the given key AESCMACKeyFormat
	func validateCMACKey(format cmacpb.AesCmacKeyFormat, key cmacpb.AesCmacKey) error {
	if format.KeySize != uint32(len(key.KeyValue)) \|\|
	key.Params.TagSize != format.Params.TagSize {
	return fmt.Errorf("key format and generated key do not match")
	}
	p, err := subtleMac.NewAESCMAC(key.KeyValue, key.Params.TagSize)
	if err != nil {
	return fmt.Errorf("cannot create primitive from key: %s", err)
	}
	return validateCMACPrimitive(p, key)
	}

	// validateCMACPrimitive checks whether the given primitive matches the given AESCMACKey
	func validateCMACPrimitive(p interface{}, key *cmacpb.AesCmacKey) error {
	cmacPrimitive := p.(*subtleMac.AESCMAC)
	keyPrimitive, err := subtle.NewAESCMAC(key.KeyValue, key.Params.TagSize)
	if err != nil {
	return fmt.Errorf("Could not create AES CMAC with key material %q and tag size %d: %s", hex.EncodeToString(key.KeyValue), key.Params.TagSize, err)
	}
	data := random.GetRandomBytes(20)
	mac, err := cmacPrimitive.ComputeMAC(data)
	if err != nil {
	return fmt.Errorf("mac computation failed: %s", err)
	}
	keyMac, err := keyPrimitive.ComputeMAC(data)
	if err != nil {
	return fmt.Errorf("mac computation with provided key failed: %s", err)
	}
	if err = cmacPrimitive.VerifyMAC(mac, data); err != nil {
	return fmt.Errorf("mac self verification failed: %s", err)
	}
	if err = cmacPrimitive.VerifyMAC(keyMac, data); err != nil {
	return fmt.Errorf("mac computed with the provided key could not be verified: %s", err)
	}
	if err = keyPrimitive.VerifyMAC(mac, data); err != nil {
	return fmt.Errorf("mac could not be verified by primitive using the provided key: %s", err)
	}
	if err = keyPrimitive.VerifyMAC(keyMac, data); err != nil {
	return fmt.Errorf("mac self verification of mac created with the provided key failed: %s", err)
	}
	return nil
	}