Tidy AEAD key to Hybrid primitive tests.

PiperOrigin-RevId: 555267492

4 files changed, 51 insertions, 130 deletions

diff --git a/go/hybrid/BUILD.bazel b/go/hybrid/BUILD.bazel
index 0e8c13ef1..dad79a90b 100644
--- a/go/hybrid/BUILD.bazel
+++ b/go/hybrid/BUILD.bazel
@@ -48,7 +48,6 @@ go_test(
         "ecies_aead_hkdf_hybrid_encrypt_test.go",
         "hpke_private_key_manager_test.go",
         "hpke_public_key_manager_test.go",
-        "hybrid_b243759652_test.go",
         "hybrid_factory_test.go",
         "hybrid_key_templates_test.go",
         "hybrid_test.go",
diff --git a/go/hybrid/hybrid_b243759652_test.go b/go/hybrid/hybrid_b243759652_test.go
deleted file mode 100644
index 329836cec..000000000
--- a/go/hybrid/hybrid_b243759652_test.go
+++ /dev/null
@@ -1,73 +0,0 @@
-// Copyright 2019 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-////////////////////////////////////////////////////////////////////////////////
-
-package hybrid_test
-
-import (
-	"testing"
-
-	"github.com/google/tink/go/aead"
-	"github.com/google/tink/go/hybrid"
-	"github.com/google/tink/go/keyset"
-)
-
-// TODO(b/243759652): Move to hybrid_factory_test.go.
-func TestBHybridDecrypt(t *testing.T) {
-	manager := keyset.NewManager()
-	id, err := manager.Add(aead.AES256GCMKeyTemplate())
-	if err != nil {
-		t.Fatalf("manager.Add gives err = '%v', want nil", err)
-	}
-	err = manager.SetPrimary(id)
-	if err != nil {
-		t.Fatalf("manager.SetPrimary gives err = '%v', want nil", err)
-	}
-	_, err = manager.Add(hybrid.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM_Key_Template())
-	if err != nil {
-		t.Fatalf("manager.Add gives err = '%v', want nil", err)
-	}
-	handle, err := manager.Handle()
-	if err != nil {
-		t.Fatalf("manager.Handle gives err = '%v', want nil", err)
-	}
-
-	if _, err := hybrid.NewHybridDecrypt(handle); err == nil {
-		t.Error("hybrid.NewHybridDecrypt err = nil, want err")
-	}
-}
-
-func TestBHybridEncrypt(t *testing.T) {
-	handle, err := keyset.NewHandle(hybrid.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM_Key_Template())
-	if err != nil {
-		t.Fatalf("keyset.NewHandle gives err = '%v', want nil", err)
-	}
-	pub, err := handle.Public()
-	if err != nil {
-		t.Fatalf("handle.Public gives err = '%v', want nil", err)
-	}
-	manager := keyset.NewManagerFromHandle(pub)
-	_, err = manager.Add(aead.AES128GCMKeyTemplate())
-	if err != nil {
-		t.Fatalf("manager.Add gives err = '%v', want nil", err)
-	}
-	mixedHandle, err := manager.Handle()
-	if err != nil {
-		t.Fatalf("manager.Handle gives err = '%v', want nil", err)
-	}
-	if _, err := hybrid.NewHybridEncrypt(mixedHandle); err == nil {
-		t.Error("hybrid.NewHybridDecrypt err = nil, want err")
-	}
-}
diff --git a/go/hybrid/hybrid_factory_test.go b/go/hybrid/hybrid_factory_test.go
index 941b5182e..60ded7974 100644
--- a/go/hybrid/hybrid_factory_test.go
+++ b/go/hybrid/hybrid_factory_test.go
@@ -683,3 +683,54 @@ func TestPrimitiveFactoryEncryptDecryptWithoutAnnotationsDoesNotMonitor(t *testi
 		t.Errorf("len(client.Failures()) = %d, want 0", len(client.Failures()))
 	}
 }
+
+// Since the HybridEncrypt interface is a subset of the AEAD interface, verify
+// that a HybridEncrypt primitive cannot be obtained from a keyset handle
+// containing an AEAD key.
+func TestEncryptFactoryFailsOnAEADHandle(t *testing.T) {
+	handle, err := keyset.NewHandle(hybrid.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM_Key_Template())
+	if err != nil {
+		t.Fatalf("keyset.NewHandle gives err = '%v', want nil", err)
+	}
+	pub, err := handle.Public()
+	if err != nil {
+		t.Fatalf("handle.Public gives err = '%v', want nil", err)
+	}
+	manager := keyset.NewManagerFromHandle(pub)
+	_, err = manager.Add(aead.AES128GCMKeyTemplate())
+	if err != nil {
+		t.Fatalf("manager.Add gives err = '%v', want nil", err)
+	}
+	mixedHandle, err := manager.Handle()
+	if err != nil {
+		t.Fatalf("manager.Handle gives err = '%v', want nil", err)
+	}
+	if _, err := hybrid.NewHybridEncrypt(mixedHandle); err == nil {
+		t.Error("hybrid.NewHybridDecrypt err = nil, want err")
+	}
+}
+
+// Similar to the above but for HybridDecrypt.
+func TestDecryptFactoryFailsOnAEADHandle(t *testing.T) {
+	manager := keyset.NewManager()
+	id, err := manager.Add(aead.AES256GCMKeyTemplate())
+	if err != nil {
+		t.Fatalf("manager.Add gives err = '%v', want nil", err)
+	}
+	err = manager.SetPrimary(id)
+	if err != nil {
+		t.Fatalf("manager.SetPrimary gives err = '%v', want nil", err)
+	}
+	_, err = manager.Add(hybrid.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM_Key_Template())
+	if err != nil {
+		t.Fatalf("manager.Add gives err = '%v', want nil", err)
+	}
+	handle, err := manager.Handle()
+	if err != nil {
+		t.Fatalf("manager.Handle gives err = '%v', want nil", err)
+	}
+
+	if _, err := hybrid.NewHybridDecrypt(handle); err == nil {
+		t.Error("hybrid.NewHybridDecrypt err = nil, want err")
+	}
+}
diff --git a/testing/cross_language/primitive_creation_test.py b/testing/cross_language/primitive_creation_test.py
index 45b9b974b..34b8f645f 100644
--- a/testing/cross_language/primitive_creation_test.py
+++ b/testing/cross_language/primitive_creation_test.py
@@ -84,47 +84,6 @@ def named_testcases():
         case_num += 1
 
 
-# Delete.
-def _is_b243759652_test_case(lang: str, keyset: bytes, primitive: Any) -> bool:
-  """Returns whether the test case falls under b/243759652.
-
-  When calling hybrid.NewHybridDecrypt or hybrid.NewHybridEncrypt, Tink asks
-  each key manager to create a primitive (whose type is fixed for each key
-  manager). Because of duck-typing, if the key manager returns an Aead, Tink
-  happily carries on in case it wants a HybridEncrypt/HybridDecrypt.
-
-  Args:
-    lang: A string describing the language.
-    keyset: A serialized keyset
-    primitive: One of the primitives
-
-  Returns:
-    True iff this test case falls under b/243759652.
-  """
-  # The bug only exists in go.
-  if lang != 'go':
-    return False
-  # The bug only happens if we create a HybridEncrypt or a HybridDecrypt
-  if primitive not in [tink.hybrid.HybridDecrypt, tink.hybrid.HybridEncrypt]:
-    return False
-
-  keytypes = utilities.key_types_in_keyset(keyset)
-  primitives = [tink_config.primitive_for_keytype(k) for k in keytypes]
-  # For the bug to occur, we must only at least one AEAD keytype (as it only
-  # happens if at least one key type should *not* work).
-  if not any(p == aead.Aead for p in primitives):
-    return False
-  # For the bug to occur, all key types must be either for 'primitive' or
-  # for Aead (otherwise primitive creation fails).
-  if not all(p == aead.Aead or p == primitive for p in primitives):
-    return False
-  # For the bug to occur, we must not have an AesEaxKey: these are unsupported
-  # in go, and so if we have them, primitive creation fails.
-  if any(k == 'AesEaxKey' for k in keytypes):
-    return False
-  return True
-
-
 class SupportedKeyTypesTest(parameterized.TestCase):
   """Tests if creation of primitives succeeds as described in tink_config.
 
@@ -150,11 +109,6 @@ class SupportedKeyTypesTest(parameterized.TestCase):
     keytypes = utilities.key_types_in_keyset(keyset)
     keytype = keytypes[0]
 
-    if _is_b243759652_test_case(lang, keyset, primitive):
-      with self.assertRaises(tink.TinkError):
-        _ = testing_servers.remote_primitive(lang, keyset, primitive)
-      return
-
     if (lang in tink_config.supported_languages_for_key_type(keytype) and
         primitive == tink_config.primitive_for_keytype(keytype)):
       _ = testing_servers.remote_primitive(lang, keyset, primitive)
@@ -184,11 +138,6 @@ class SupportedKeyTypesTest(parameterized.TestCase):
     self.assertLen(keytypes, 1)
     keytype = keytypes[0]
 
-    if _is_b243759652_test_case(lang, public_keyset, primitive):
-      with self.assertRaises(tink.TinkError):
-        _ = testing_servers.remote_primitive(lang, public_keyset, primitive)
-      return
-
     if (lang in tink_config.supported_languages_for_key_type(keytype) and
         primitive == tink_config.primitive_for_keytype(keytype)):
       _ = testing_servers.remote_primitive(lang, public_keyset, primitive)
@@ -215,11 +164,6 @@ class SupportedKeyTypesTest(parameterized.TestCase):
     keytypes = utilities.key_types_in_keyset(keyset)
     keytype = keytypes[0]
 
-    if _is_b243759652_test_case(lang, modified_keyset, primitive):
-      with self.assertRaises(tink.TinkError):
-        _ = testing_servers.remote_primitive(lang, modified_keyset, primitive)
-      return
-
     if (lang in tink_config.supported_languages_for_key_type(keytype) and
         primitive == tink_config.primitive_for_keytype(keytype)):
       _ = testing_servers.remote_primitive(lang, modified_keyset, primitive)