Test that parsing and serializing keys fails without secret key access token.

PiperOrigin-RevId: 536953071
author: ioannanedelcu <ioannanedelcu@google.com> 2023-06-01 01:48:36 -0700
committer: Copybara-Service <copybara-worker@google.com> 2023-06-01 01:49:45 -0700
commit: c5b5a456895e65d6520dc6a7abbc740a60405c7d (patch)
tree: 7c7e7810af302593dfc38a86166b3f35b421a975
parent: 20dfc3f5f7a461e332b7690b4869fa6120545bd4 (diff)
download: tink-c5b5a456895e65d6520dc6a7abbc740a60405c7d.tar.gz
2 files changed, 44 insertions, 5 deletions
diff --git a/cc/mac/aes_cmac_proto_serialization.cc b/cc/mac/aes_cmac_proto_serialization.cc
index 4a12ae280..907ace6e9 100644
--- a/cc/mac/aes_cmac_proto_serialization.cc
+++ b/cc/mac/aes_cmac_proto_serialization.cc
@@ -139,7 +139,6 @@ util::StatusOr<AesCmacKey> ParseKey(
     return util::Status(absl::StatusCode::kInvalidArgument,
                         "Wrong type URL when parsing AesCmacKey.");
   }
-  // TODO(ioannanedelcu): Add a test for this behaviour.
   if (!token.has_value()) {
     return util::Status(absl::StatusCode::kInvalidArgument,
                         "SecretKeyAccess is required");
@@ -178,7 +177,6 @@ util::StatusOr<internal::ProtoKeySerialization> SerializeKey(
   util::StatusOr<RestrictedData> restricted_input =
       key.GetKeyBytes(GetPartialKeyAccess());
   if (!restricted_input.ok()) return restricted_input.status();
-    // TODO(ioannanedelcu): Add a test for this behaviour.
   if (!token.has_value()) {
     return util::Status(absl::StatusCode::kInvalidArgument,
                         "SecretKeyAccess is required");
diff --git a/cc/mac/aes_cmac_proto_serialization_test.cc b/cc/mac/aes_cmac_proto_serialization_test.cc
index ed80538cd..cda10935d 100644
--- a/cc/mac/aes_cmac_proto_serialization_test.cc
+++ b/cc/mac/aes_cmac_proto_serialization_test.cc
@@ -238,13 +238,32 @@ TEST_P(AesCmacProtoSerializationTest, ParseKey) {
 TEST_F(AesCmacProtoSerializationTest, ParseKeyWithInvalidSerialization) {
   ASSERT_THAT(RegisterAesCmacProtoSerialization(), IsOk());
 
+  RestrictedData serialized_key =
+      RestrictedData("invalid_serialization", InsecureSecretKeyAccess::Get());
+
+  util::StatusOr<internal::ProtoKeySerialization> serialization =
+      internal::ProtoKeySerialization::Create(
+          "type.googleapis.com/google.crypto.tink.AesCmacKey", serialized_key,
+          KeyData::SYMMETRIC, OutputPrefixType::TINK,
+          /*id_requirement=*/0x23456789);
+  ASSERT_THAT(serialization, IsOk());
+
+  util::StatusOr<std::unique_ptr<Key>> key =
+      internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
+          *serialization, InsecureSecretKeyAccess::Get());
+  ASSERT_THAT(key.status(), StatusIs(absl::StatusCode::kInvalidArgument));
+}
+
+TEST_F(AesCmacProtoSerializationTest, ParseKeyNoSecretKeyAccess) {
+  ASSERT_THAT(RegisterAesCmacProtoSerialization(), IsOk());
+
   std::string raw_key_bytes = Random::GetRandomBytes(16);
   google::crypto::tink::AesCmacKey key_proto;
   key_proto.set_version(0);
   key_proto.set_key_value(raw_key_bytes);
   key_proto.mutable_params()->set_tag_size(10);
-  RestrictedData serialized_key =
-      RestrictedData("invalid_serialization", InsecureSecretKeyAccess::Get());
+  RestrictedData serialized_key = RestrictedData(
+      key_proto.SerializeAsString(), InsecureSecretKeyAccess::Get());
 
   util::StatusOr<internal::ProtoKeySerialization> serialization =
       internal::ProtoKeySerialization::Create(
@@ -255,7 +274,7 @@ TEST_F(AesCmacProtoSerializationTest, ParseKeyWithInvalidSerialization) {
 
   util::StatusOr<std::unique_ptr<Key>> key =
       internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
-          *serialization, InsecureSecretKeyAccess::Get());
+          *serialization, absl::nullopt);
   ASSERT_THAT(key.status(), StatusIs(absl::StatusCode::kInvalidArgument));
 }
 
@@ -327,6 +346,28 @@ TEST_P(AesCmacProtoSerializationTest, SerializeKey) {
   EXPECT_THAT(proto_key.params().tag_size(), Eq(test_case.tag_size));
 }
 
+TEST_F(AesCmacProtoSerializationTest, SerializeKeyNoSecretKeyAccess) {
+  ASSERT_THAT(RegisterAesCmacProtoSerialization(), IsOk());
+
+  util::StatusOr<AesCmacParameters> parameters = AesCmacParameters::Create(
+      /*key_size_in_bytes=*/16, /*cryptographic_tag_size_in_bytes=*/10,
+      AesCmacParameters::Variant::kNoPrefix);
+  ASSERT_THAT(parameters, IsOk());
+
+  std::string raw_key_bytes = Random::GetRandomBytes(16);
+  util::StatusOr<AesCmacKey> key = AesCmacKey::Create(
+      *parameters,
+      RestrictedData(raw_key_bytes, InsecureSecretKeyAccess::Get()),
+      /*id_requirement=*/absl::nullopt, GetPartialKeyAccess());
+  ASSERT_THAT(key, IsOk());
+
+  util::StatusOr<std::unique_ptr<Serialization>> serialization =
+      internal::MutableSerializationRegistry::GlobalInstance()
+          .SerializeKey<internal::ProtoKeySerialization>(*key, absl::nullopt);
+  ASSERT_THAT(serialization.status(),
+              StatusIs(absl::StatusCode::kInvalidArgument));
+}
+
 }  // namespace
 }  // namespace tink
 }  // namespace crypto
author	ioannanedelcu <ioannanedelcu@google.com>	2023-06-01 01:48:36 -0700
committer	Copybara-Service <copybara-worker@google.com>	2023-06-01 01:49:45 -0700
commit	c5b5a456895e65d6520dc6a7abbc740a60405c7d (patch)
tree	7c7e7810af302593dfc38a86166b3f35b421a975
parent	20dfc3f5f7a461e332b7690b4869fa6120545bd4 (diff)
download	tink-c5b5a456895e65d6520dc6a7abbc740a60405c7d.tar.gz