diff options
author | ioannanedelcu <ioannanedelcu@google.com> | 2023-05-31 07:13:33 -0700 |
---|---|---|
committer | Copybara-Service <copybara-worker@google.com> | 2023-05-31 07:14:34 -0700 |
commit | 578e002be958f392d3295322a217975104b6414a (patch) | |
tree | d3f0260ae139b309b91f61be843f0e4862de95b0 | |
parent | 7c8b4e471704ca039c2c77814d315ff873b2cef8 (diff) | |
download | tink-578e002be958f392d3295322a217975104b6414a.tar.gz |
Make the SecretKeyAccessToken optional for the key parsers and serializers.
PiperOrigin-RevId: 536703561
-rw-r--r-- | cc/internal/BUILD.bazel | 2 | ||||
-rw-r--r-- | cc/internal/CMakeLists.txt | 2 | ||||
-rw-r--r-- | cc/internal/key_parser.h | 18 | ||||
-rw-r--r-- | cc/internal/key_parser_test.cc | 15 | ||||
-rw-r--r-- | cc/internal/key_serializer.h | 11 | ||||
-rw-r--r-- | cc/internal/key_serializer_test.cc | 12 | ||||
-rw-r--r-- | cc/internal/serialization_test_util.h | 14 | ||||
-rw-r--r-- | cc/mac/BUILD.bazel | 1 | ||||
-rw-r--r-- | cc/mac/CMakeLists.txt | 1 | ||||
-rw-r--r-- | cc/mac/aes_cmac_proto_serialization.cc | 25 |
10 files changed, 77 insertions, 24 deletions
diff --git a/cc/internal/BUILD.bazel b/cc/internal/BUILD.bazel index 3da0c8fea..6d2471e68 100644 --- a/cc/internal/BUILD.bazel +++ b/cc/internal/BUILD.bazel @@ -762,6 +762,7 @@ cc_library( "@com_google_absl//absl/log", "@com_google_absl//absl/status", "@com_google_absl//absl/strings", + "@com_google_absl//absl/types:optional", ], ) @@ -799,6 +800,7 @@ cc_library( "@com_google_absl//absl/functional:function_ref", "@com_google_absl//absl/log", "@com_google_absl//absl/status", + "@com_google_absl//absl/types:optional", ], ) diff --git a/cc/internal/CMakeLists.txt b/cc/internal/CMakeLists.txt index 5dc759b2d..62db0a976 100644 --- a/cc/internal/CMakeLists.txt +++ b/cc/internal/CMakeLists.txt @@ -717,6 +717,7 @@ tink_cc_library( absl::log absl::status absl::strings + absl::optional tink::core::key tink::core::secret_key_access_token tink::util::status @@ -753,6 +754,7 @@ tink_cc_library( absl::function_ref absl::log absl::status + absl::optional tink::core::key tink::core::secret_key_access_token tink::util::status diff --git a/cc/internal/key_parser.h b/cc/internal/key_parser.h index 74d4def0d..c73481484 100644 --- a/cc/internal/key_parser.h +++ b/cc/internal/key_parser.h @@ -27,6 +27,7 @@ #include "absl/log/log.h" #include "absl/status/status.h" #include "absl/strings/string_view.h" +#include "absl/types/optional.h" #include "tink/internal/parser_index.h" #include "tink/internal/serialization.h" #include "tink/key.h" @@ -47,7 +48,8 @@ class KeyParser { // value returned by `ObjectIdentifier()`. However, implementations should // check that this is the case. virtual util::StatusOr<std::unique_ptr<Key>> ParseKey( - const Serialization& serialization, SecretKeyAccessToken token) const = 0; + const Serialization& serialization, + absl::optional<SecretKeyAccessToken> token) const = 0; // Returns the object identifier for `SerializationT`, which is only valid // for the lifetime of this object. @@ -74,15 +76,16 @@ class KeyParserImpl : public KeyParser { public: // Creates a key parser with `object_identifier` and parsing `function`. The // referenced `function` should outlive the created key parser object. - explicit KeyParserImpl(absl::string_view object_identifier, - absl::FunctionRef<util::StatusOr<KeyT>( - SerializationT, SecretKeyAccessToken)> - function) + explicit KeyParserImpl( + absl::string_view object_identifier, + absl::FunctionRef<util::StatusOr<KeyT>( + SerializationT, absl::optional<SecretKeyAccessToken>)> + function) : object_identifier_(object_identifier), function_(function) {} util::StatusOr<std::unique_ptr<Key>> ParseKey( const Serialization& serialization, - SecretKeyAccessToken token) const override { + absl::optional<SecretKeyAccessToken> token) const override { if (serialization.ObjectIdentifier() != object_identifier_) { return util::Status(absl::StatusCode::kInvalidArgument, "Invalid object identifier for this key parser."); @@ -108,7 +111,8 @@ class KeyParserImpl : public KeyParser { private: std::string object_identifier_; - std::function<util::StatusOr<KeyT>(SerializationT, SecretKeyAccessToken)> + std::function<util::StatusOr<KeyT>(SerializationT, + absl::optional<SecretKeyAccessToken>)> function_; }; diff --git a/cc/internal/key_parser_test.cc b/cc/internal/key_parser_test.cc index 56b2c6aba..c9dac8e77 100644 --- a/cc/internal/key_parser_test.cc +++ b/cc/internal/key_parser_test.cc @@ -17,6 +17,7 @@ #include "tink/internal/key_parser.h" #include <memory> +#include <optional> #include <string_view> #include "gmock/gmock.h" @@ -67,6 +68,20 @@ TEST(KeyParserTest, ParseKey) { EXPECT_THAT(**key, Eq(NoIdKey())); } +TEST(KeyParserTest, ParsePublicKeyNoAccessToken) { + std::unique_ptr<KeyParser> parser = + absl::make_unique<KeyParserImpl<NoIdSerialization, NoIdKey>>( + kNoIdTypeUrl, ParseNoIdKey); + + NoIdSerialization serialization; + util::StatusOr<std::unique_ptr<Key>> public_key = + parser->ParseKey(serialization, absl::nullopt); + ASSERT_THAT(public_key, IsOk()); + EXPECT_THAT((*public_key)->GetIdRequirement(), Eq(absl::nullopt)); + EXPECT_THAT((*public_key)->GetParameters(), Eq(NoIdParams())); + EXPECT_THAT(**public_key, Eq(NoIdKey())); +} + TEST(KeyParserTest, ParseKeyWithInvalidSerializationType) { std::unique_ptr<KeyParser> parser = absl::make_unique<KeyParserImpl<NoIdSerialization, NoIdKey>>( diff --git a/cc/internal/key_serializer.h b/cc/internal/key_serializer.h index 1799623dd..1d879a610 100644 --- a/cc/internal/key_serializer.h +++ b/cc/internal/key_serializer.h @@ -25,6 +25,7 @@ #include "absl/functional/function_ref.h" #include "absl/log/log.h" #include "absl/status/status.h" +#include "absl/types/optional.h" #include "tink/internal/serialization.h" #include "tink/internal/serializer_index.h" #include "tink/key.h" @@ -41,7 +42,7 @@ class KeySerializer { public: // Returns the serialization of `key`. virtual util::StatusOr<std::unique_ptr<Serialization>> SerializeKey( - const Key& key, SecretKeyAccessToken token) const = 0; + const Key& key, absl::optional<SecretKeyAccessToken> token) const = 0; // Returns an index that can be used to look up the `KeySerializer` // object registered for the `KeyT` type in a registry. @@ -57,12 +58,13 @@ class KeySerializerImpl : public KeySerializer { // Creates a key serializer with serialization `function`. The referenced // `function` should outlive the created key serializer object. explicit KeySerializerImpl(absl::FunctionRef<util::StatusOr<SerializationT>( - KeyT, SecretKeyAccessToken)> + KeyT, absl::optional<SecretKeyAccessToken>)> function) : function_(function) {} util::StatusOr<std::unique_ptr<Serialization>> SerializeKey( - const Key& key, SecretKeyAccessToken token) const override { + const Key& key, + absl::optional<SecretKeyAccessToken> token) const override { const KeyT* kt = dynamic_cast<const KeyT*>(&key); if (kt == nullptr) { return util::Status(absl::StatusCode::kInvalidArgument, @@ -78,7 +80,8 @@ class KeySerializerImpl : public KeySerializer { } private: - std::function<util::StatusOr<SerializationT>(KeyT, SecretKeyAccessToken)> + std::function<util::StatusOr<SerializationT>( + KeyT, absl::optional<SecretKeyAccessToken>)> function_; }; diff --git a/cc/internal/key_serializer_test.cc b/cc/internal/key_serializer_test.cc index 3aa0b5d36..e67257ef3 100644 --- a/cc/internal/key_serializer_test.cc +++ b/cc/internal/key_serializer_test.cc @@ -62,6 +62,18 @@ TEST(KeySerializerTest, SerializeKey) { EXPECT_THAT((*serialization)->ObjectIdentifier(), Eq(kNoIdTypeUrl)); } +TEST(KeySerializerTest, SerializePublicKeyNoAccessToken) { + std::unique_ptr<KeySerializer> serializer = + absl::make_unique<KeySerializerImpl<NoIdKey, NoIdSerialization>>( + SerializeNoIdKey); + + NoIdKey public_key; + util::StatusOr<std::unique_ptr<Serialization>> serialization = + serializer->SerializeKey(public_key, absl::nullopt); + ASSERT_THAT(serialization, IsOk()); + EXPECT_THAT((*serialization)->ObjectIdentifier(), Eq(kNoIdTypeUrl)); +} + TEST(KeySerializerTest, SerializeKeyWithInvalidKeyType) { std::unique_ptr<KeySerializer> serializer = absl::make_unique<KeySerializerImpl<NoIdKey, NoIdSerialization>>( diff --git a/cc/internal/serialization_test_util.h b/cc/internal/serialization_test_util.h index 263b9b376..b772a0a25 100644 --- a/cc/internal/serialization_test_util.h +++ b/cc/internal/serialization_test_util.h @@ -157,26 +157,28 @@ inline util::StatusOr<IdParamsSerialization> SerializeIdParams( } // Parse `serialization` into a key without an ID requirement. -inline util::StatusOr<NoIdKey> ParseNoIdKey(NoIdSerialization serialization, - SecretKeyAccessToken token) { +inline util::StatusOr<NoIdKey> ParseNoIdKey( + NoIdSerialization serialization, + absl::optional<SecretKeyAccessToken> token) { return NoIdKey(); } // Parse `serialization` into a key with an ID requirement. -inline util::StatusOr<IdKey> ParseIdKey(IdKeySerialization serialization, - SecretKeyAccessToken token) { +inline util::StatusOr<IdKey> ParseIdKey( + IdKeySerialization serialization, + absl::optional<SecretKeyAccessToken> token) { return IdKey(serialization.GetKeyId()); } // Serialize `key` without an ID requirement. inline util::StatusOr<NoIdSerialization> SerializeNoIdKey( - NoIdKey key, SecretKeyAccessToken token) { + NoIdKey key, absl::optional<SecretKeyAccessToken> token) { return NoIdSerialization(); } // Serialize `key` with an ID requirement. inline util::StatusOr<IdKeySerialization> SerializeIdKey( - IdKey key, SecretKeyAccessToken token) { + IdKey key, absl::optional<SecretKeyAccessToken> token) { return IdKeySerialization(key.GetIdRequirement().value()); } diff --git a/cc/mac/BUILD.bazel b/cc/mac/BUILD.bazel index 211aaebd1..b0400ecb9 100644 --- a/cc/mac/BUILD.bazel +++ b/cc/mac/BUILD.bazel @@ -224,6 +224,7 @@ cc_library( "//util:status", "//util:statusor", "@com_google_absl//absl/status", + "@com_google_absl//absl/types:optional", ], ) diff --git a/cc/mac/CMakeLists.txt b/cc/mac/CMakeLists.txt index 28489feca..82f00d067 100644 --- a/cc/mac/CMakeLists.txt +++ b/cc/mac/CMakeLists.txt @@ -198,6 +198,7 @@ tink_cc_library( tink::mac::aes_cmac_key tink::mac::aes_cmac_parameters absl::status + absl::optional tink::core::partial_key_access tink::core::restricted_data tink::core::secret_key_access_token diff --git a/cc/mac/aes_cmac_proto_serialization.cc b/cc/mac/aes_cmac_proto_serialization.cc index 74bd7fd9a..4a12ae280 100644 --- a/cc/mac/aes_cmac_proto_serialization.cc +++ b/cc/mac/aes_cmac_proto_serialization.cc @@ -19,6 +19,7 @@ #include <string> #include "absl/status/status.h" +#include "absl/types/optional.h" #include "tink/internal/key_parser.h" #include "tink/internal/key_serializer.h" #include "tink/internal/mutable_serialization_registry.h" @@ -132,17 +133,22 @@ util::StatusOr<internal::ProtoParametersSerialization> SerializeParameters( } util::StatusOr<AesCmacKey> ParseKey( - internal::ProtoKeySerialization serialization, SecretKeyAccessToken token) { + internal::ProtoKeySerialization serialization, + absl::optional<SecretKeyAccessToken> token) { if (serialization.TypeUrl() != kTypeUrl) { return util::Status(absl::StatusCode::kInvalidArgument, "Wrong type URL when parsing AesCmacKey."); } - + // TODO(ioannanedelcu): Add a test for this behaviour. + if (!token.has_value()) { + return util::Status(absl::StatusCode::kInvalidArgument, + "SecretKeyAccess is required"); + } google::crypto::tink::AesCmacKey proto_key; RestrictedData restricted_data = serialization.SerializedKeyProto(); // OSS proto library complains if input is not converted to a string. if (!proto_key.ParseFromString( - std::string(restricted_data.GetSecret(token)))) { + std::string(restricted_data.GetSecret(*token)))) { return util::Status(absl::StatusCode::kInvalidArgument, "Failed to parse AesCmacKey proto"); } @@ -160,7 +166,7 @@ util::StatusOr<AesCmacKey> ParseKey( if (!parameters.ok()) return parameters.status(); util::StatusOr<AesCmacKey> key = AesCmacKey::Create( - *parameters, RestrictedData(proto_key.key_value(), token), + *parameters, RestrictedData(proto_key.key_value(), *token), serialization.IdRequirement(), GetPartialKeyAccess()); if (!key.ok()) return key.status(); @@ -168,10 +174,15 @@ util::StatusOr<AesCmacKey> ParseKey( } util::StatusOr<internal::ProtoKeySerialization> SerializeKey( - AesCmacKey key, SecretKeyAccessToken token) { + AesCmacKey key, absl::optional<SecretKeyAccessToken> token) { util::StatusOr<RestrictedData> restricted_input = key.GetKeyBytes(GetPartialKeyAccess()); if (!restricted_input.ok()) return restricted_input.status(); + // TODO(ioannanedelcu): Add a test for this behaviour. + if (!token.has_value()) { + return util::Status(absl::StatusCode::kInvalidArgument, + "SecretKeyAccess is required"); + } AesCmacParams proto_params; proto_params.set_tag_size(key.GetParameters().CryptographicTagSizeInBytes()); @@ -179,14 +190,14 @@ util::StatusOr<internal::ProtoKeySerialization> SerializeKey( *proto_key.mutable_params() = proto_params; proto_key.set_version(0); // OSS proto library complains if input is not converted to a string. - proto_key.set_key_value(std::string(restricted_input->GetSecret(token))); + proto_key.set_key_value(std::string(restricted_input->GetSecret(*token))); util::StatusOr<OutputPrefixType> output_prefix_type = ToOutputPrefixType(key.GetParameters().GetVariant()); if (!output_prefix_type.ok()) return output_prefix_type.status(); RestrictedData restricted_output = - RestrictedData(proto_key.SerializeAsString(), token); + RestrictedData(proto_key.SerializeAsString(), *token); return internal::ProtoKeySerialization::Create( kTypeUrl, restricted_output, google::crypto::tink::KeyData::SYMMETRIC, *output_prefix_type, key.GetIdRequirement()); |