aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorcinlin <cinlin@google.com>2023-08-09 13:59:34 -0700
committerCopybara-Service <copybara-worker@google.com>2023-08-09 14:01:29 -0700
commit4ca829d14be45a48c255031c314a469802495218 (patch)
treefdb82ec9fa4456c34b8f76e30da93e5dc6334ac5
parentbdaa251d7d3d41e786ea1ffb46bbe6a1dfa6dbc1 (diff)
downloadtink-4ca829d14be45a48c255031c314a469802495218.tar.gz
Tidy AEAD key to Hybrid primitive tests.
PiperOrigin-RevId: 555267492
-rw-r--r--go/hybrid/BUILD.bazel1
-rw-r--r--go/hybrid/hybrid_b243759652_test.go73
-rw-r--r--go/hybrid/hybrid_factory_test.go51
-rw-r--r--testing/cross_language/primitive_creation_test.py56
4 files changed, 51 insertions, 130 deletions
diff --git a/go/hybrid/BUILD.bazel b/go/hybrid/BUILD.bazel
index 0e8c13ef1..dad79a90b 100644
--- a/go/hybrid/BUILD.bazel
+++ b/go/hybrid/BUILD.bazel
@@ -48,7 +48,6 @@ go_test(
"ecies_aead_hkdf_hybrid_encrypt_test.go",
"hpke_private_key_manager_test.go",
"hpke_public_key_manager_test.go",
- "hybrid_b243759652_test.go",
"hybrid_factory_test.go",
"hybrid_key_templates_test.go",
"hybrid_test.go",
diff --git a/go/hybrid/hybrid_b243759652_test.go b/go/hybrid/hybrid_b243759652_test.go
deleted file mode 100644
index 329836cec..000000000
--- a/go/hybrid/hybrid_b243759652_test.go
+++ /dev/null
@@ -1,73 +0,0 @@
-// Copyright 2019 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-////////////////////////////////////////////////////////////////////////////////
-
-package hybrid_test
-
-import (
- "testing"
-
- "github.com/google/tink/go/aead"
- "github.com/google/tink/go/hybrid"
- "github.com/google/tink/go/keyset"
-)
-
-// TODO(b/243759652): Move to hybrid_factory_test.go.
-func TestBHybridDecrypt(t *testing.T) {
- manager := keyset.NewManager()
- id, err := manager.Add(aead.AES256GCMKeyTemplate())
- if err != nil {
- t.Fatalf("manager.Add gives err = '%v', want nil", err)
- }
- err = manager.SetPrimary(id)
- if err != nil {
- t.Fatalf("manager.SetPrimary gives err = '%v', want nil", err)
- }
- _, err = manager.Add(hybrid.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM_Key_Template())
- if err != nil {
- t.Fatalf("manager.Add gives err = '%v', want nil", err)
- }
- handle, err := manager.Handle()
- if err != nil {
- t.Fatalf("manager.Handle gives err = '%v', want nil", err)
- }
-
- if _, err := hybrid.NewHybridDecrypt(handle); err == nil {
- t.Error("hybrid.NewHybridDecrypt err = nil, want err")
- }
-}
-
-func TestBHybridEncrypt(t *testing.T) {
- handle, err := keyset.NewHandle(hybrid.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM_Key_Template())
- if err != nil {
- t.Fatalf("keyset.NewHandle gives err = '%v', want nil", err)
- }
- pub, err := handle.Public()
- if err != nil {
- t.Fatalf("handle.Public gives err = '%v', want nil", err)
- }
- manager := keyset.NewManagerFromHandle(pub)
- _, err = manager.Add(aead.AES128GCMKeyTemplate())
- if err != nil {
- t.Fatalf("manager.Add gives err = '%v', want nil", err)
- }
- mixedHandle, err := manager.Handle()
- if err != nil {
- t.Fatalf("manager.Handle gives err = '%v', want nil", err)
- }
- if _, err := hybrid.NewHybridEncrypt(mixedHandle); err == nil {
- t.Error("hybrid.NewHybridDecrypt err = nil, want err")
- }
-}
diff --git a/go/hybrid/hybrid_factory_test.go b/go/hybrid/hybrid_factory_test.go
index 941b5182e..60ded7974 100644
--- a/go/hybrid/hybrid_factory_test.go
+++ b/go/hybrid/hybrid_factory_test.go
@@ -683,3 +683,54 @@ func TestPrimitiveFactoryEncryptDecryptWithoutAnnotationsDoesNotMonitor(t *testi
t.Errorf("len(client.Failures()) = %d, want 0", len(client.Failures()))
}
}
+
+// Since the HybridEncrypt interface is a subset of the AEAD interface, verify
+// that a HybridEncrypt primitive cannot be obtained from a keyset handle
+// containing an AEAD key.
+func TestEncryptFactoryFailsOnAEADHandle(t *testing.T) {
+ handle, err := keyset.NewHandle(hybrid.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM_Key_Template())
+ if err != nil {
+ t.Fatalf("keyset.NewHandle gives err = '%v', want nil", err)
+ }
+ pub, err := handle.Public()
+ if err != nil {
+ t.Fatalf("handle.Public gives err = '%v', want nil", err)
+ }
+ manager := keyset.NewManagerFromHandle(pub)
+ _, err = manager.Add(aead.AES128GCMKeyTemplate())
+ if err != nil {
+ t.Fatalf("manager.Add gives err = '%v', want nil", err)
+ }
+ mixedHandle, err := manager.Handle()
+ if err != nil {
+ t.Fatalf("manager.Handle gives err = '%v', want nil", err)
+ }
+ if _, err := hybrid.NewHybridEncrypt(mixedHandle); err == nil {
+ t.Error("hybrid.NewHybridDecrypt err = nil, want err")
+ }
+}
+
+// Similar to the above but for HybridDecrypt.
+func TestDecryptFactoryFailsOnAEADHandle(t *testing.T) {
+ manager := keyset.NewManager()
+ id, err := manager.Add(aead.AES256GCMKeyTemplate())
+ if err != nil {
+ t.Fatalf("manager.Add gives err = '%v', want nil", err)
+ }
+ err = manager.SetPrimary(id)
+ if err != nil {
+ t.Fatalf("manager.SetPrimary gives err = '%v', want nil", err)
+ }
+ _, err = manager.Add(hybrid.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM_Key_Template())
+ if err != nil {
+ t.Fatalf("manager.Add gives err = '%v', want nil", err)
+ }
+ handle, err := manager.Handle()
+ if err != nil {
+ t.Fatalf("manager.Handle gives err = '%v', want nil", err)
+ }
+
+ if _, err := hybrid.NewHybridDecrypt(handle); err == nil {
+ t.Error("hybrid.NewHybridDecrypt err = nil, want err")
+ }
+}
diff --git a/testing/cross_language/primitive_creation_test.py b/testing/cross_language/primitive_creation_test.py
index 45b9b974b..34b8f645f 100644
--- a/testing/cross_language/primitive_creation_test.py
+++ b/testing/cross_language/primitive_creation_test.py
@@ -84,47 +84,6 @@ def named_testcases():
case_num += 1
-# Delete.
-def _is_b243759652_test_case(lang: str, keyset: bytes, primitive: Any) -> bool:
- """Returns whether the test case falls under b/243759652.
-
- When calling hybrid.NewHybridDecrypt or hybrid.NewHybridEncrypt, Tink asks
- each key manager to create a primitive (whose type is fixed for each key
- manager). Because of duck-typing, if the key manager returns an Aead, Tink
- happily carries on in case it wants a HybridEncrypt/HybridDecrypt.
-
- Args:
- lang: A string describing the language.
- keyset: A serialized keyset
- primitive: One of the primitives
-
- Returns:
- True iff this test case falls under b/243759652.
- """
- # The bug only exists in go.
- if lang != 'go':
- return False
- # The bug only happens if we create a HybridEncrypt or a HybridDecrypt
- if primitive not in [tink.hybrid.HybridDecrypt, tink.hybrid.HybridEncrypt]:
- return False
-
- keytypes = utilities.key_types_in_keyset(keyset)
- primitives = [tink_config.primitive_for_keytype(k) for k in keytypes]
- # For the bug to occur, we must only at least one AEAD keytype (as it only
- # happens if at least one key type should *not* work).
- if not any(p == aead.Aead for p in primitives):
- return False
- # For the bug to occur, all key types must be either for 'primitive' or
- # for Aead (otherwise primitive creation fails).
- if not all(p == aead.Aead or p == primitive for p in primitives):
- return False
- # For the bug to occur, we must not have an AesEaxKey: these are unsupported
- # in go, and so if we have them, primitive creation fails.
- if any(k == 'AesEaxKey' for k in keytypes):
- return False
- return True
-
-
class SupportedKeyTypesTest(parameterized.TestCase):
"""Tests if creation of primitives succeeds as described in tink_config.
@@ -150,11 +109,6 @@ class SupportedKeyTypesTest(parameterized.TestCase):
keytypes = utilities.key_types_in_keyset(keyset)
keytype = keytypes[0]
- if _is_b243759652_test_case(lang, keyset, primitive):
- with self.assertRaises(tink.TinkError):
- _ = testing_servers.remote_primitive(lang, keyset, primitive)
- return
-
if (lang in tink_config.supported_languages_for_key_type(keytype) and
primitive == tink_config.primitive_for_keytype(keytype)):
_ = testing_servers.remote_primitive(lang, keyset, primitive)
@@ -184,11 +138,6 @@ class SupportedKeyTypesTest(parameterized.TestCase):
self.assertLen(keytypes, 1)
keytype = keytypes[0]
- if _is_b243759652_test_case(lang, public_keyset, primitive):
- with self.assertRaises(tink.TinkError):
- _ = testing_servers.remote_primitive(lang, public_keyset, primitive)
- return
-
if (lang in tink_config.supported_languages_for_key_type(keytype) and
primitive == tink_config.primitive_for_keytype(keytype)):
_ = testing_servers.remote_primitive(lang, public_keyset, primitive)
@@ -215,11 +164,6 @@ class SupportedKeyTypesTest(parameterized.TestCase):
keytypes = utilities.key_types_in_keyset(keyset)
keytype = keytypes[0]
- if _is_b243759652_test_case(lang, modified_keyset, primitive):
- with self.assertRaises(tink.TinkError):
- _ = testing_servers.remote_primitive(lang, modified_keyset, primitive)
- return
-
if (lang in tink_config.supported_languages_for_key_type(keytype) and
primitive == tink_config.primitive_for_keytype(keytype)):
_ = testing_servers.remote_primitive(lang, modified_keyset, primitive)