Make the SecretKeyAccessToken optional for the key parsers and serializers.

PiperOrigin-RevId: 536830719
author: ioannanedelcu <ioannanedelcu@google.com> 2023-05-31 14:52:59 -0700
committer: Copybara-Service <copybara-worker@google.com> 2023-05-31 14:53:58 -0700
commit: 8b9be40f3c6d2ff5c220a33afcb997f39ef90b91 (patch)
tree: 6ba9e7d9a00312556395e217954266e4943555aa
parent: 4b641ad520a5b6ab64913b6bb0617f85faf9eef8 (diff)
download: tink-8b9be40f3c6d2ff5c220a33afcb997f39ef90b91.tar.gz
14 files changed, 155 insertions, 59 deletions
diff --git a/cc/core/keyset_handle.cc b/cc/core/keyset_handle.cc
index bab5bfe99..94d67232f 100644
--- a/cc/core/keyset_handle.cc
+++ b/cc/core/keyset_handle.cc
@@ -218,7 +218,8 @@ util::StatusOr<KeysetHandle::Entry> KeysetHandle::CreateEntry(
 
   util::StatusOr<std::shared_ptr<const Key>> key =
       internal::MutableSerializationRegistry::GlobalInstance()
-          .ParseKeyWithLegacyFallback(*serialization);
+          .ParseKeyWithLegacyFallback(*serialization,
+                                      InsecureSecretKeyAccess::Get());
   if (!key.ok()) {
     return key.status();
   }
diff --git a/cc/internal/BUILD.bazel b/cc/internal/BUILD.bazel
index 6d2471e68..be74b932a 100644
--- a/cc/internal/BUILD.bazel
+++ b/cc/internal/BUILD.bazel
@@ -926,7 +926,6 @@ cc_library(
         ":parser_index",
         ":serialization",
         ":serializer_index",
-        "//:insecure_secret_key_access",
         "//:key",
         "//:parameters",
         "//util:status",
@@ -934,6 +933,7 @@ cc_library(
         "@com_google_absl//absl/container:flat_hash_map",
         "@com_google_absl//absl/status",
         "@com_google_absl//absl/strings:str_format",
+        "@com_google_absl//absl/types:optional",
     ],
 )
 
@@ -948,6 +948,7 @@ cc_test(
         ":serialization",
         ":serialization_registry",
         ":serialization_test_util",
+        "//:insecure_secret_key_access",
         "//:key",
         "//:parameters",
         "//:secret_key_access_token",
@@ -983,6 +984,7 @@ cc_library(
         "@com_google_absl//absl/memory",
         "@com_google_absl//absl/status",
         "@com_google_absl//absl/synchronization",
+        "@com_google_absl//absl/types:optional",
     ],
 )
 
@@ -1008,6 +1010,7 @@ cc_test(
         "//util:statusor",
         "//util:test_matchers",
         "@com_google_absl//absl/status",
+        "@com_google_absl//absl/types:optional",
         "@com_google_googletest//:gtest_main",
     ],
 )
diff --git a/cc/internal/CMakeLists.txt b/cc/internal/CMakeLists.txt
index 62db0a976..45bad4bbf 100644
--- a/cc/internal/CMakeLists.txt
+++ b/cc/internal/CMakeLists.txt
@@ -884,7 +884,7 @@ tink_cc_library(
     absl::flat_hash_map
     absl::status
     absl::str_format
-    tink::core::insecure_secret_key_access
+    absl::optional
     tink::core::key
     tink::core::parameters
     tink::util::status
@@ -905,6 +905,7 @@ tink_cc_test(
     tink::internal::serialization_test_util
     gmock
     absl::status
+    tink::core::insecure_secret_key_access
     tink::core::key
     tink::core::parameters
     tink::core::secret_key_access_token
@@ -931,6 +932,7 @@ tink_cc_library(
     absl::memory
     absl::status
     absl::synchronization
+    absl::optional
     tink::core::insecure_secret_key_access
     tink::core::key
     tink::core::parameters
@@ -954,6 +956,7 @@ tink_cc_test(
     tink::internal::serialization_test_util
     gmock
     absl::status
+    absl::optional
     tink::core::insecure_secret_key_access
     tink::core::key
     tink::core::parameters
diff --git a/cc/internal/keyset_handle_builder_entry.cc b/cc/internal/keyset_handle_builder_entry.cc
index 2fd78ffdc..d407cc992 100644
--- a/cc/internal/keyset_handle_builder_entry.cc
+++ b/cc/internal/keyset_handle_builder_entry.cc
@@ -95,7 +95,8 @@ util::StatusOr<ProtoParametersSerialization> SerializeLegacyParameters(
 util::StatusOr<ProtoKeySerialization> SerializeKey(const Key& key) {
   util::StatusOr<std::unique_ptr<Serialization>> serialization =
       MutableSerializationRegistry::GlobalInstance()
-          .SerializeKey<ProtoKeySerialization>(key);
+          .SerializeKey<ProtoKeySerialization>(key,
+                                               InsecureSecretKeyAccess::Get());
   if (!serialization.ok()) return serialization.status();
 
   const ProtoKeySerialization* serialized_proto_key =
diff --git a/cc/internal/mutable_serialization_registry.cc b/cc/internal/mutable_serialization_registry.cc
index 08f839cc7..250d026a7 100644
--- a/cc/internal/mutable_serialization_registry.cc
+++ b/cc/internal/mutable_serialization_registry.cc
@@ -94,15 +94,16 @@ MutableSerializationRegistry::ParseParameters(
 }
 
 util::StatusOr<std::unique_ptr<Key>> MutableSerializationRegistry::ParseKey(
-    const Serialization& serialization) {
+    const Serialization& serialization,
+    absl::optional<SecretKeyAccessToken> token) {
   absl::MutexLock lock(&registry_mutex_);
-  return registry_.ParseKey(serialization);
+  return registry_.ParseKey(serialization, token);
 }
 
 util::StatusOr<std::unique_ptr<Key>>
 MutableSerializationRegistry::ParseKeyWithLegacyFallback(
-    const Serialization& serialization) {
-  util::StatusOr<std::unique_ptr<Key>> key = ParseKey(serialization);
+    const Serialization& serialization, SecretKeyAccessToken token) {
+  util::StatusOr<std::unique_ptr<Key>> key = ParseKey(serialization, token);
   if (key.status().code() == absl::StatusCode::kNotFound) {
     const ProtoKeySerialization* proto_serialization =
         dynamic_cast<const ProtoKeySerialization*>(&serialization);
@@ -118,4 +119,3 @@ MutableSerializationRegistry::ParseKeyWithLegacyFallback(
 }  // namespace internal
 }  // namespace tink
 }  // namespace crypto
-
diff --git a/cc/internal/mutable_serialization_registry.h b/cc/internal/mutable_serialization_registry.h
index 34610d103..a9914dda5 100644
--- a/cc/internal/mutable_serialization_registry.h
+++ b/cc/internal/mutable_serialization_registry.h
@@ -21,6 +21,7 @@
 
 #include "absl/base/thread_annotations.h"
 #include "absl/synchronization/mutex.h"
+#include "absl/types/optional.h"
 #include "tink/internal/key_parser.h"
 #include "tink/internal/key_serializer.h"
 #include "tink/internal/parameters_parser.h"
@@ -29,6 +30,7 @@
 #include "tink/internal/serialization_registry.h"
 #include "tink/key.h"
 #include "tink/parameters.h"
+#include "tink/secret_key_access_token.h"
 #include "tink/util/status.h"
 #include "tink/util/statusor.h"
 
@@ -79,19 +81,22 @@ class MutableSerializationRegistry {
 
   // Parses `serialization` into a `Key` instance.
   util::StatusOr<std::unique_ptr<Key>> ParseKey(
-      const Serialization& serialization) ABSL_LOCKS_EXCLUDED(registry_mutex_);
+      const Serialization& serialization,
+      absl::optional<SecretKeyAccessToken> token)
+      ABSL_LOCKS_EXCLUDED(registry_mutex_);
 
   // Similar to `ParseKey` but falls back to legacy proto key serialization if
   // the corresponding key parser is not found.
   util::StatusOr<std::unique_ptr<Key>> ParseKeyWithLegacyFallback(
-      const Serialization& serialization);
+      const Serialization& serialization, SecretKeyAccessToken token);
 
   // Serializes `parameters` into a `Serialization` instance.
   template <typename SerializationT>
-  util::StatusOr<std::unique_ptr<Serialization>> SerializeKey(const Key& key)
+  util::StatusOr<std::unique_ptr<Serialization>> SerializeKey(
+      const Key& key, absl::optional<SecretKeyAccessToken> token)
       ABSL_LOCKS_EXCLUDED(registry_mutex_) {
     absl::MutexLock lock(&registry_mutex_);
-    return registry_.SerializeKey<SerializationT>(key);
+    return registry_.SerializeKey<SerializationT>(key, token);
   }
 
   // Resets to a new empty registry.
diff --git a/cc/internal/mutable_serialization_registry_test.cc b/cc/internal/mutable_serialization_registry_test.cc
index 9f3cf53be..7bea8b8fa 100644
--- a/cc/internal/mutable_serialization_registry_test.cc
+++ b/cc/internal/mutable_serialization_registry_test.cc
@@ -23,6 +23,7 @@
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 #include "absl/status/status.h"
+#include "absl/types/optional.h"
 #include "tink/insecure_secret_key_access.h"
 #include "tink/internal/key_parser.h"
 #include "tink/internal/key_serializer.h"
@@ -163,19 +164,31 @@ TEST(MutableSerializationRegistryTest, ParseKey) {
   ASSERT_THAT(registry.RegisterKeyParser(&parser2), IsOk());
 
   util::StatusOr<std::unique_ptr<Key>> no_id_key =
-      registry.ParseKey(NoIdSerialization());
+      registry.ParseKey(NoIdSerialization(), InsecureSecretKeyAccess::Get());
   ASSERT_THAT(no_id_key, IsOk());
   EXPECT_THAT(std::type_index(typeid(**no_id_key)),
               std::type_index(typeid(NoIdKey)));
 
-  util::StatusOr<std::unique_ptr<Key>> id_key =
-      registry.ParseKey(IdKeySerialization(/*id=*/123));
+  util::StatusOr<std::unique_ptr<Key>> id_key = registry.ParseKey(
+      IdKeySerialization(/*id=*/123), InsecureSecretKeyAccess::Get());
   ASSERT_THAT(id_key, IsOk());
   EXPECT_THAT(std::type_index(typeid(**id_key)),
               std::type_index(typeid(IdKey)));
   EXPECT_THAT((*id_key)->GetIdRequirement(), Eq(123));
 }
 
+TEST(MutableSerializationRegistryTest, ParseKeyNoSecretAccess) {
+  MutableSerializationRegistry registry;
+  KeyParserImpl<NoIdSerialization, NoIdKey> parser(kNoIdTypeUrl, ParseNoIdKey);
+  ASSERT_THAT(registry.RegisterKeyParser(&parser), IsOk());
+
+  util::StatusOr<std::unique_ptr<Key>> no_id_public_key =
+      registry.ParseKey(NoIdSerialization(), absl::nullopt);
+  ASSERT_THAT(no_id_public_key, IsOk());
+  EXPECT_THAT(std::type_index(typeid(**no_id_public_key)),
+              std::type_index(typeid(NoIdKey)));
+}
+
 TEST(MutableSerializationRegistryTest, ParseKeyWithLegacyFallback) {
   MutableSerializationRegistry registry;
   KeyParserImpl<IdKeySerialization, IdKey> parser(kIdTypeUrl, ParseIdKey);
@@ -183,7 +196,8 @@ TEST(MutableSerializationRegistryTest, ParseKeyWithLegacyFallback) {
 
   // Parse key with registered key parser.
   util::StatusOr<std::unique_ptr<Key>> id_key =
-      registry.ParseKeyWithLegacyFallback(IdKeySerialization(/*id=*/123));
+      registry.ParseKeyWithLegacyFallback(IdKeySerialization(/*id=*/123),
+                                          InsecureSecretKeyAccess::Get());
   ASSERT_THAT(id_key, IsOk());
   EXPECT_THAT(std::type_index(typeid(**id_key)),
               std::type_index(typeid(IdKey)));
@@ -199,7 +213,8 @@ TEST(MutableSerializationRegistryTest, ParseKeyWithLegacyFallback) {
 
   // Fall back to legacy proto key.
   util::StatusOr<std::unique_ptr<Key>> proto_key =
-      registry.ParseKeyWithLegacyFallback(*serialization);
+      registry.ParseKeyWithLegacyFallback(*serialization,
+                                          InsecureSecretKeyAccess::Get());
   ASSERT_THAT(proto_key, IsOk());
   EXPECT_THAT((*proto_key)->GetIdRequirement(), Eq(456));
 }
@@ -207,8 +222,10 @@ TEST(MutableSerializationRegistryTest, ParseKeyWithLegacyFallback) {
 TEST(MutableSerializationRegistryTest, ParseKeyWithoutRegistration) {
   MutableSerializationRegistry registry;
 
-  ASSERT_THAT(registry.ParseKey(NoIdSerialization()).status(),
-              StatusIs(absl::StatusCode::kNotFound));
+  ASSERT_THAT(
+      registry.ParseKey(NoIdSerialization(), InsecureSecretKeyAccess::Get())
+          .status(),
+      StatusIs(absl::StatusCode::kNotFound));
 }
 
 TEST(MutableSerializationRegistryTest, RegisterSameKeyParser) {
@@ -238,20 +255,36 @@ TEST(MutableSerializationRegistryTest, SerializeKey) {
   ASSERT_THAT(registry.RegisterKeySerializer(&serializer2), IsOk());
 
   util::StatusOr<std::unique_ptr<Serialization>> serialization1 =
-      registry.SerializeKey<NoIdSerialization>(NoIdKey());
+      registry.SerializeKey<NoIdSerialization>(NoIdKey(),
+                                               InsecureSecretKeyAccess::Get());
   ASSERT_THAT(serialization1, IsOk());
   EXPECT_THAT((*serialization1)->ObjectIdentifier(), Eq(kNoIdTypeUrl));
 
   util::StatusOr<std::unique_ptr<Serialization>> serialization2 =
-      registry.SerializeKey<IdKeySerialization>(IdKey(123));
+      registry.SerializeKey<IdKeySerialization>(IdKey(123),
+                                                InsecureSecretKeyAccess::Get());
   ASSERT_THAT(serialization2, IsOk());
   EXPECT_THAT((*serialization2)->ObjectIdentifier(), Eq(kIdTypeUrl));
 }
 
+TEST(MutableSerializationRegistryTest, SerializeKeyNoSecretAccess) {
+  MutableSerializationRegistry registry;
+  KeySerializerImpl<NoIdKey, NoIdSerialization> serializer(SerializeNoIdKey);
+  ASSERT_THAT(registry.RegisterKeySerializer(&serializer), IsOk());
+
+  util::StatusOr<std::unique_ptr<Serialization>> serialization =
+      registry.SerializeKey<NoIdSerialization>(NoIdKey(), absl::nullopt);
+  ASSERT_THAT(serialization, IsOk());
+  EXPECT_THAT((*serialization)->ObjectIdentifier(), Eq(kNoIdTypeUrl));
+}
+
 TEST(MutableSerializationRegistryTest, SerializeKeyWithoutRegistration) {
   MutableSerializationRegistry registry;
 
-  ASSERT_THAT(registry.SerializeKey<NoIdSerialization>(NoIdKey()).status(),
+  ASSERT_THAT(registry
+                  .SerializeKey<NoIdSerialization>(
+                      NoIdKey(), InsecureSecretKeyAccess::Get())
+                  .status(),
               StatusIs(absl::StatusCode::kNotFound));
 }
 
@@ -298,10 +331,11 @@ TEST(MutableSerializationRegistryTest, Reset) {
       registry.SerializeParameters<NoIdSerialization>(NoIdParams());
   ASSERT_THAT(serialization1, IsOk());
   util::StatusOr<std::unique_ptr<Key>> key =
-      registry.ParseKey(NoIdSerialization());
+      registry.ParseKey(NoIdSerialization(), InsecureSecretKeyAccess::Get());
   ASSERT_THAT(key, IsOk());
   util::StatusOr<std::unique_ptr<Serialization>> serialization2 =
-      registry.SerializeKey<NoIdSerialization>(NoIdKey());
+      registry.SerializeKey<NoIdSerialization>(NoIdKey(),
+                                               InsecureSecretKeyAccess::Get());
   ASSERT_THAT(serialization2, IsOk());
 
   registry.Reset();
@@ -311,9 +345,14 @@ TEST(MutableSerializationRegistryTest, Reset) {
   ASSERT_THAT(
       registry.SerializeParameters<NoIdSerialization>(NoIdParams()).status(),
       StatusIs(absl::StatusCode::kNotFound));
-  ASSERT_THAT(registry.ParseKey(NoIdSerialization()).status(),
-              StatusIs(absl::StatusCode::kNotFound));
-  ASSERT_THAT(registry.SerializeKey<NoIdSerialization>(NoIdKey()).status(),
+  ASSERT_THAT(
+      registry.ParseKey(NoIdSerialization(), InsecureSecretKeyAccess::Get())
+          .status(),
+      StatusIs(absl::StatusCode::kNotFound));
+  ASSERT_THAT(registry
+                  .SerializeKey<NoIdSerialization>(
+                      NoIdKey(), InsecureSecretKeyAccess::Get())
+                  .status(),
               StatusIs(absl::StatusCode::kNotFound));
 }
 
diff --git a/cc/internal/serialization_registry.cc b/cc/internal/serialization_registry.cc
index 93271b5e6..4d3447380 100644
--- a/cc/internal/serialization_registry.cc
+++ b/cc/internal/serialization_registry.cc
@@ -23,7 +23,6 @@
 #include "absl/container/flat_hash_map.h"
 #include "absl/status/status.h"
 #include "absl/strings/str_format.h"
-#include "tink/insecure_secret_key_access.h"
 #include "tink/internal/key_parser.h"
 #include "tink/internal/key_serializer.h"
 #include "tink/internal/parameters_parser.h"
@@ -122,7 +121,8 @@ SerializationRegistry::ParseParameters(
 }
 
 util::StatusOr<std::unique_ptr<Key>> SerializationRegistry::ParseKey(
-    const Serialization& serialization) const {
+    const Serialization& serialization,
+    absl::optional<SecretKeyAccessToken> token) const {
   ParserIndex index = ParserIndex::Create(serialization);
   auto it = key_parsers_.find(index);
   if (it == key_parsers_.end()) {
@@ -132,8 +132,7 @@ util::StatusOr<std::unique_ptr<Key>> SerializationRegistry::ParseKey(
                         typeid(serialization).name()));
   }
 
-  return key_parsers_.at(index)->ParseKey(serialization,
-                                          InsecureSecretKeyAccess::Get());
+  return key_parsers_.at(index)->ParseKey(serialization, token);
 }
 
 }  // namespace internal
diff --git a/cc/internal/serialization_registry.h b/cc/internal/serialization_registry.h
index 709775f6c..ac90e759f 100644
--- a/cc/internal/serialization_registry.h
+++ b/cc/internal/serialization_registry.h
@@ -26,7 +26,7 @@
 #include "absl/container/flat_hash_map.h"
 #include "absl/status/status.h"
 #include "absl/strings/str_format.h"
-#include "tink/insecure_secret_key_access.h"
+#include "absl/types/optional.h"
 #include "tink/internal/key_parser.h"
 #include "tink/internal/key_serializer.h"
 #include "tink/internal/parameters_parser.h"
@@ -129,12 +129,13 @@ class SerializationRegistry {
 
   // Parses `serialization` into a `Key` instance.
   util::StatusOr<std::unique_ptr<Key>> ParseKey(
-      const Serialization& serialization) const;
+      const Serialization& serialization,
+      absl::optional<SecretKeyAccessToken> token) const;
 
   // Serializes `parameters` into a `Serialization` instance.
   template <typename SerializationT>
   util::StatusOr<std::unique_ptr<Serialization>> SerializeKey(
-      const Key& key) const {
+      const Key& key, absl::optional<SecretKeyAccessToken> token) const {
     SerializerIndex index = SerializerIndex::Create<SerializationT>(key);
     auto it = key_serializers_.find(index);
     if (it == key_serializers_.end()) {
@@ -144,8 +145,7 @@ class SerializationRegistry {
                           typeid(key).name()));
     }
 
-    return key_serializers_.at(index)->SerializeKey(
-        key, InsecureSecretKeyAccess::Get());
+    return key_serializers_.at(index)->SerializeKey(key, token);
   }
 
  private:
diff --git a/cc/internal/serialization_registry_test.cc b/cc/internal/serialization_registry_test.cc
index 4f2d14766..0e0872b4c 100644
--- a/cc/internal/serialization_registry_test.cc
+++ b/cc/internal/serialization_registry_test.cc
@@ -24,6 +24,7 @@
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
 #include "absl/status/status.h"
+#include "tink/insecure_secret_key_access.h"
 #include "tink/internal/key_parser.h"
 #include "tink/internal/key_serializer.h"
 #include "tink/internal/parameters_parser.h"
@@ -166,25 +167,41 @@ TEST(SerializationRegistryTest, ParseKey) {
   SerializationRegistry registry = builder.Build();
 
   util::StatusOr<std::unique_ptr<Key>> no_id_key =
-      registry.ParseKey(NoIdSerialization());
+      registry.ParseKey(NoIdSerialization(), InsecureSecretKeyAccess::Get());
   ASSERT_THAT(no_id_key, IsOk());
   EXPECT_THAT(std::type_index(typeid(**no_id_key)),
               std::type_index(typeid(NoIdKey)));
 
-  util::StatusOr<std::unique_ptr<Key>> id_key =
-      registry.ParseKey(IdKeySerialization(/*id=*/123));
+  util::StatusOr<std::unique_ptr<Key>> id_key = registry.ParseKey(
+      IdKeySerialization(/*id=*/123), InsecureSecretKeyAccess::Get());
   ASSERT_THAT(id_key, IsOk());
   EXPECT_THAT(std::type_index(typeid(**id_key)),
               std::type_index(typeid(IdKey)));
   EXPECT_THAT((*id_key)->GetIdRequirement(), Eq(123));
 }
 
+TEST(SerializationRegistryTest, ParseKeyNoSecretAccess) {
+  SerializationRegistry::Builder builder;
+  KeyParserImpl<NoIdSerialization, NoIdKey> parser(kNoIdTypeUrl, ParseNoIdKey);
+  ASSERT_THAT(builder.RegisterKeyParser(&parser), IsOk());
+
+  SerializationRegistry registry = builder.Build();
+
+  util::StatusOr<std::unique_ptr<Key>> no_id_public_key =
+      registry.ParseKey(NoIdSerialization(), absl::nullopt);
+  ASSERT_THAT(no_id_public_key, IsOk());
+  EXPECT_THAT(std::type_index(typeid(**no_id_public_key)),
+              std::type_index(typeid(NoIdKey)));
+}
+
 TEST(SerializationRegistryTest, ParseKeyWithoutRegistration) {
   SerializationRegistry::Builder builder;
   SerializationRegistry registry = builder.Build();
 
-  ASSERT_THAT(registry.ParseKey(NoIdSerialization()).status(),
-              StatusIs(absl::StatusCode::kNotFound));
+  ASSERT_THAT(
+      registry.ParseKey(NoIdSerialization(), InsecureSecretKeyAccess::Get())
+          .status(),
+      StatusIs(absl::StatusCode::kNotFound));
 }
 
 TEST(SerializationRegistryTest, RegisterSameKeyParser) {
@@ -215,21 +232,40 @@ TEST(SerializationRegistryTest, SerializeKey) {
   SerializationRegistry registry = builder.Build();
 
   util::StatusOr<std::unique_ptr<Serialization>> serialization1 =
-      registry.SerializeKey<NoIdSerialization>(NoIdKey());
+      registry.SerializeKey<NoIdSerialization>(NoIdKey(),
+                                               InsecureSecretKeyAccess::Get());
   ASSERT_THAT(serialization1, IsOk());
   EXPECT_THAT((*serialization1)->ObjectIdentifier(), Eq(kNoIdTypeUrl));
 
   util::StatusOr<std::unique_ptr<Serialization>> serialization2 =
-      registry.SerializeKey<IdKeySerialization>(IdKey(123));
+      registry.SerializeKey<IdKeySerialization>(IdKey(123),
+                                                InsecureSecretKeyAccess::Get());
   ASSERT_THAT(serialization2, IsOk());
   EXPECT_THAT((*serialization2)->ObjectIdentifier(), Eq(kIdTypeUrl));
 }
 
+TEST(SerializationRegistryTest, SerializeKeyNoSecretAccess) {
+  SerializationRegistry::Builder builder;
+  KeySerializerImpl<NoIdKey, NoIdSerialization> serializer(SerializeNoIdKey);
+  ASSERT_THAT(builder.RegisterKeySerializer(&serializer), IsOk());
+
+  SerializationRegistry registry = builder.Build();
+
+  util::StatusOr<std::unique_ptr<Serialization>> serialization =
+      registry.SerializeKey<NoIdSerialization>(NoIdKey(),
+                                               absl::nullopt);
+  ASSERT_THAT(serialization, IsOk());
+  EXPECT_THAT((*serialization)->ObjectIdentifier(), Eq(kNoIdTypeUrl));
+}
+
 TEST(SerializationRegistryTest, SerializeKeyWithoutRegistration) {
   SerializationRegistry::Builder builder;
   SerializationRegistry registry = builder.Build();
 
-  ASSERT_THAT(registry.SerializeKey<NoIdSerialization>(NoIdKey()).status(),
+  ASSERT_THAT(registry
+                  .SerializeKey<NoIdSerialization>(
+                      NoIdKey(), InsecureSecretKeyAccess::Get())
+                  .status(),
               StatusIs(absl::StatusCode::kNotFound));
 }
 
@@ -283,12 +319,13 @@ TEST(SerializationRegistryTest, BuiltFromAnotherRegistry) {
   EXPECT_THAT((*params_serialization)->ObjectIdentifier(), Eq(kNoIdTypeUrl));
 
   util::StatusOr<std::unique_ptr<Key>> key =
-      registry2.ParseKey(NoIdSerialization());
+      registry2.ParseKey(NoIdSerialization(), InsecureSecretKeyAccess::Get());
   ASSERT_THAT(key, IsOk());
   EXPECT_THAT(std::type_index(typeid(**key)), std::type_index(typeid(NoIdKey)));
 
   util::StatusOr<std::unique_ptr<Serialization>> key_serialization =
-      registry2.SerializeKey<NoIdSerialization>(NoIdKey());
+      registry2.SerializeKey<NoIdSerialization>(NoIdKey(),
+                                                InsecureSecretKeyAccess::Get());
   ASSERT_THAT(key_serialization, IsOk());
   EXPECT_THAT((*key_serialization)->ObjectIdentifier(), Eq(kNoIdTypeUrl));
 }
@@ -322,12 +359,13 @@ TEST(SerializationRegistryTest, RegistryCopy) {
   EXPECT_THAT((*params_serialization)->ObjectIdentifier(), Eq(kNoIdTypeUrl));
 
   util::StatusOr<std::unique_ptr<Key>> key =
-      registry2.ParseKey(NoIdSerialization());
+      registry2.ParseKey(NoIdSerialization(), InsecureSecretKeyAccess::Get());
   ASSERT_THAT(key, IsOk());
   EXPECT_THAT(std::type_index(typeid(**key)), std::type_index(typeid(NoIdKey)));
 
   util::StatusOr<std::unique_ptr<Serialization>> key_serialization =
-      registry2.SerializeKey<NoIdSerialization>(NoIdKey());
+      registry2.SerializeKey<NoIdSerialization>(NoIdKey(),
+                                                InsecureSecretKeyAccess::Get());
   ASSERT_THAT(key_serialization, IsOk());
   EXPECT_THAT((*key_serialization)->ObjectIdentifier(), Eq(kNoIdTypeUrl));
 }
@@ -361,12 +399,13 @@ TEST(SerializationRegistryTest, RegistryMove) {
   EXPECT_THAT((*params_serialization)->ObjectIdentifier(), Eq(kNoIdTypeUrl));
 
   util::StatusOr<std::unique_ptr<Key>> key =
-      registry2.ParseKey(NoIdSerialization());
+      registry2.ParseKey(NoIdSerialization(), InsecureSecretKeyAccess::Get());
   ASSERT_THAT(key, IsOk());
   EXPECT_THAT(std::type_index(typeid(**key)), std::type_index(typeid(NoIdKey)));
 
   util::StatusOr<std::unique_ptr<Serialization>> key_serialization =
-      registry2.SerializeKey<NoIdSerialization>(NoIdKey());
+      registry2.SerializeKey<NoIdSerialization>(NoIdKey(),
+                                                InsecureSecretKeyAccess::Get());
   ASSERT_THAT(key_serialization, IsOk());
   EXPECT_THAT((*key_serialization)->ObjectIdentifier(), Eq(kNoIdTypeUrl));
 }
diff --git a/cc/mac/BUILD.bazel b/cc/mac/BUILD.bazel
index b0400ecb9..e5d344397 100644
--- a/cc/mac/BUILD.bazel
+++ b/cc/mac/BUILD.bazel
@@ -300,6 +300,7 @@ cc_test(
         ":mac_config",
         ":mac_key_templates",
         "//:chunked_mac",
+        "//:insecure_secret_key_access",
         "//:keyset_handle",
         "//:mac",
         "//:partial_key_access",
diff --git a/cc/mac/CMakeLists.txt b/cc/mac/CMakeLists.txt
index 82f00d067..c7dbe23ca 100644
--- a/cc/mac/CMakeLists.txt
+++ b/cc/mac/CMakeLists.txt
@@ -286,6 +286,7 @@ tink_cc_test(
     absl::status
     crypto
     tink::core::chunked_mac
+    tink::core::insecure_secret_key_access
     tink::core::keyset_handle
     tink::core::mac
     tink::core::partial_key_access
diff --git a/cc/mac/aes_cmac_proto_serialization_test.cc b/cc/mac/aes_cmac_proto_serialization_test.cc
index 0edd1fc76..ed80538cd 100644
--- a/cc/mac/aes_cmac_proto_serialization_test.cc
+++ b/cc/mac/aes_cmac_proto_serialization_test.cc
@@ -210,7 +210,7 @@ TEST_P(AesCmacProtoSerializationTest, ParseKey) {
 
   util::StatusOr<std::unique_ptr<Key>> key =
       internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
-          *serialization);
+          *serialization, InsecureSecretKeyAccess::Get());
   ASSERT_THAT(key, IsOk());
   EXPECT_THAT((*key)->GetIdRequirement(), Eq(test_case.id));
   EXPECT_THAT((*key)->GetParameters().HasIdRequirement(),
@@ -255,7 +255,7 @@ TEST_F(AesCmacProtoSerializationTest, ParseKeyWithInvalidSerialization) {
 
   util::StatusOr<std::unique_ptr<Key>> key =
       internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
-          *serialization);
+          *serialization, InsecureSecretKeyAccess::Get());
   ASSERT_THAT(key.status(), StatusIs(absl::StatusCode::kInvalidArgument));
 }
 
@@ -279,7 +279,7 @@ TEST_F(AesCmacProtoSerializationTest, ParseKeyWithInvalidVersion) {
 
   util::StatusOr<std::unique_ptr<Key>> key =
       internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
-          *serialization);
+          *serialization, InsecureSecretKeyAccess::Get());
   ASSERT_THAT(key.status(), StatusIs(absl::StatusCode::kInvalidArgument));
 }
 
@@ -300,7 +300,8 @@ TEST_P(AesCmacProtoSerializationTest, SerializeKey) {
 
   util::StatusOr<std::unique_ptr<Serialization>> serialization =
       internal::MutableSerializationRegistry::GlobalInstance()
-          .SerializeKey<internal::ProtoKeySerialization>(*key);
+          .SerializeKey<internal::ProtoKeySerialization>(
+              *key, InsecureSecretKeyAccess::Get());
   ASSERT_THAT(serialization, IsOk());
   EXPECT_THAT((*serialization)->ObjectIdentifier(),
               Eq("type.googleapis.com/google.crypto.tink.AesCmacKey"));
diff --git a/cc/mac/mac_config_test.cc b/cc/mac/mac_config_test.cc
index 44009c075..7243a9ac9 100644
--- a/cc/mac/mac_config_test.cc
+++ b/cc/mac/mac_config_test.cc
@@ -24,6 +24,7 @@
 #include "gtest/gtest.h"
 #include "absl/status/status.h"
 #include "tink/chunked_mac.h"
+#include "tink/insecure_secret_key_access.h"
 #include "tink/internal/fips_utils.h"
 #include "tink/internal/mutable_serialization_registry.h"
 #include "tink/internal/proto_key_serialization.h"
@@ -196,7 +197,7 @@ TEST_F(MacConfigTest, AesCmacProtoKeySerializationRegistered) {
 
   util::StatusOr<std::unique_ptr<Key>> parsed_key =
       internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
-          *proto_key_serialization);
+          *proto_key_serialization, InsecureSecretKeyAccess::Get());
   ASSERT_THAT(parsed_key.status(), StatusIs(absl::StatusCode::kNotFound));
 
   util::StatusOr<AesCmacParameters> params = AesCmacParameters::Create(
@@ -213,19 +214,21 @@ TEST_F(MacConfigTest, AesCmacProtoKeySerializationRegistered) {
 
   util::StatusOr<std::unique_ptr<Serialization>> serialized_key =
       internal::MutableSerializationRegistry::GlobalInstance()
-          .SerializeKey<internal::ProtoKeySerialization>(*key);
+          .SerializeKey<internal::ProtoKeySerialization>(
+              *key, InsecureSecretKeyAccess::Get());
   ASSERT_THAT(serialized_key.status(), StatusIs(absl::StatusCode::kNotFound));
 
   ASSERT_THAT(MacConfig::Register(), IsOk());
 
   util::StatusOr<std::unique_ptr<Key>> parsed_key2 =
       internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
-          *proto_key_serialization);
+          *proto_key_serialization, InsecureSecretKeyAccess::Get());
   ASSERT_THAT(parsed_key2, IsOk());
 
   util::StatusOr<std::unique_ptr<Serialization>> serialized_key2 =
       internal::MutableSerializationRegistry::GlobalInstance()
-          .SerializeKey<internal::ProtoKeySerialization>(*key);
+          .SerializeKey<internal::ProtoKeySerialization>(
+              *key, InsecureSecretKeyAccess::Get());
   ASSERT_THAT(serialized_key2, IsOk());
 }
author	ioannanedelcu <ioannanedelcu@google.com>	2023-05-31 14:52:59 -0700
committer	Copybara-Service <copybara-worker@google.com>	2023-05-31 14:53:58 -0700
commit	8b9be40f3c6d2ff5c220a33afcb997f39ef90b91 (patch)
tree	6ba9e7d9a00312556395e217954266e4943555aa
parent	4b641ad520a5b6ab64913b6bb0617f85faf9eef8 (diff)
download	tink-8b9be40f3c6d2ff5c220a33afcb997f39ef90b91.tar.gz