author | ioannanedelcu <ioannanedelcu@google.com> | 2023-06-01 01:48:36 -0700 |
---|---|---|
committer | Copybara-Service <copybara-worker@google.com> | 2023-06-01 01:49:45 -0700 |
commit | c5b5a456895e65d6520dc6a7abbc740a60405c7d (patch) | |
tree | 7c7e7810af302593dfc38a86166b3f35b421a975 | |
parent | 20dfc3f5f7a461e332b7690b4869fa6120545bd4 (diff) | |
download | tink-c5b5a456895e65d6520dc6a7abbc740a60405c7d.tar.gz |
Test that parsing and serializing keys fails without secret key access token.
PiperOrigin-RevId: 536953071
-rw-r--r-- | cc/mac/aes_cmac_proto_serialization.cc | 2 | ||||
-rw-r--r-- | cc/mac/aes_cmac_proto_serialization_test.cc | 47 |
2 files changed, 44 insertions, 5 deletions
diff --git a/cc/mac/aes_cmac_proto_serialization.cc b/cc/mac/aes_cmac_proto_serialization.cc
index 4a12ae280..907ace6e9 100644
--- a/cc/mac/aes_cmac_proto_serialization.cc
+++ b/cc/mac/aes_cmac_proto_serialization.cc
@@ -139,7 +139,6 @@ util::StatusOr<AesCmacKey> ParseKey(
 return util::Status(absl::StatusCode::kInvalidArgument,
 "Wrong type URL when parsing AesCmacKey.");
 }
- // TODO(ioannanedelcu): Add a test for this behaviour.
 if (!token.has_value()) {
 return util::Status(absl::StatusCode::kInvalidArgument,
 "SecretKeyAccess is required");
@@ -178,7 +177,6 @@ util::StatusOr<internal::ProtoKeySerialization> SerializeKey(
 util::StatusOr<RestrictedData> restricted_input =
 key.GetKeyBytes(GetPartialKeyAccess());
 if (!restricted_input.ok()) return restricted_input.status();
- // TODO(ioannanedelcu): Add a test for this behaviour.
 if (!token.has_value()) {
 return util::Status(absl::StatusCode::kInvalidArgument,
 "SecretKeyAccess is required");
diff --git a/cc/mac/aes_cmac_proto_serialization_test.cc b/cc/mac/aes_cmac_proto_serialization_test.cc
index ed80538cd..cda10935d 100644
--- a/cc/mac/aes_cmac_proto_serialization_test.cc
+++ b/cc/mac/aes_cmac_proto_serialization_test.cc
@@ -238,13 +238,32 @@ TEST_P(AesCmacProtoSerializationTest, ParseKey) {
 TEST_F(AesCmacProtoSerializationTest, ParseKeyWithInvalidSerialization) {
 ASSERT_THAT(RegisterAesCmacProtoSerialization(), IsOk());
+ RestrictedData serialized_key =
+ RestrictedData("invalid_serialization", InsecureSecretKeyAccess::Get());
+
+ util::StatusOr<internal::ProtoKeySerialization> serialization =
+ internal::ProtoKeySerialization::Create(
+ "type.googleapis.com/google.crypto.tink.AesCmacKey", serialized_key,
+ KeyData::SYMMETRIC, OutputPrefixType::TINK,
+ /*id_requirement=*/0x23456789);
+ ASSERT_THAT(serialization, IsOk());
+
+ util::StatusOr<std::unique_ptr<Key>> key =
+ internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
+ *serialization, InsecureSecretKeyAccess::Get());
+ ASSERT_THAT(key.status(), StatusIs(absl::StatusCode::kInvalidArgument));
+}
+
+TEST_F(AesCmacProtoSerializationTest, ParseKeyNoSecretKeyAccess) {
+ ASSERT_THAT(RegisterAesCmacProtoSerialization(), IsOk());
+
 std::string raw_key_bytes = Random::GetRandomBytes(16);
 google::crypto::tink::AesCmacKey key_proto;
 key_proto.set_version(0);
 key_proto.set_key_value(raw_key_bytes);
 key_proto.mutable_params()->set_tag_size(10);
- RestrictedData serialized_key =
- RestrictedData("invalid_serialization", InsecureSecretKeyAccess::Get());
+ RestrictedData serialized_key = RestrictedData(
+ key_proto.SerializeAsString(), InsecureSecretKeyAccess::Get());
 util::StatusOr<internal::ProtoKeySerialization> serialization =
 internal::ProtoKeySerialization::Create(
@@ -255,7 +274,7 @@ TEST_F(AesCmacProtoSerializationTest, ParseKeyWithInvalidSerialization) {
 util::StatusOr<std::unique_ptr<Key>> key =
 internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
- *serialization, InsecureSecretKeyAccess::Get());
+ *serialization, absl::nullopt);
 ASSERT_THAT(key.status(), StatusIs(absl::StatusCode::kInvalidArgument));
 }
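Review bot: The new `ParseKeyNoSecretKeyAccess` test (begun in the first hunk, with its final assertion in the second) checks only `StatusIs(absl::StatusCode::kInvalidArgument)`, which is the same code `ParseKeyWithInvalidSerialization` expects for a malformed payload and the same code the parser returns for a wrong type URL. If the fixture ever stops being a valid `AesCmacKey` serialization, the test would keep passing without reaching the missing-token check it is meant to guard. Pin the reason as well, for example `StatusIs(absl::StatusCode::kInvalidArgument, HasSubstr("SecretKeyAccess is required"))`, assuming the project's `StatusIs` has a message-matcher overload and `HasSubstr` is in scope in this file. The same applies to the `serialization.status()` assertion in `SerializeKeyNoSecretKeyAccess` in the third hunk.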
@@ -327,6 +346,28 @@ TEST_P(AesCmacProtoSerializationTest, SerializeKey) {
 EXPECT_THAT(proto_key.params().tag_size(), Eq(test_case.tag_size));
 }
+TEST_F(AesCmacProtoSerializationTest, SerializeKeyNoSecretKeyAccess) {
+ ASSERT_THAT(RegisterAesCmacProtoSerialization(), IsOk());
+
+ util::StatusOr<AesCmacParameters> parameters = AesCmacParameters::Create(
+ /*key_size_in_bytes=*/16, /*cryptographic_tag_size_in_bytes=*/10,
+ AesCmacParameters::Variant::kNoPrefix);
+ ASSERT_THAT(parameters, IsOk());
+
+ std::string raw_key_bytes = Random::GetRandomBytes(16);
+ util::StatusOr<AesCmacKey> key = AesCmacKey::Create(
+ *parameters,
+ RestrictedData(raw_key_bytes, InsecureSecretKeyAccess::Get()),
+ /*id_requirement=*/absl::nullopt, GetPartialKeyAccess());
+ ASSERT_THAT(key, IsOk());
+
+ util::StatusOr<std::unique_ptr<Serialization>> serialization =
+ internal::MutableSerializationRegistry::GlobalInstance()
+ .SerializeKey<internal::ProtoKeySerialization>(*key, absl::nullopt);
+ ASSERT_THAT(serialization.status(),
+ StatusIs(absl::StatusCode::kInvalidArgument));
+}
+
 } // namespace
 } // namespace tink
 } // namespace crypto |