author | wconner <wconner@google.com> | 2023-07-10 05:43:25 -0700 |
---|---|---|
committer | Copybara-Service <copybara-worker@google.com> | 2023-07-10 05:44:26 -0700 |
commit | b53d160793b07c603f0abffee363f25184a9627f (patch) | |
tree | 0e52e611074de28021f170a7befa12f82fe7fafe /cc/aead | |
parent | 2995b1ecd7725bd4534e1acf21af0b038265b87d (diff) | |
download | tink-b53d160793b07c603f0abffee363f25184a9627f.tar.gz |
Register AES-GCM proto serialization.
PiperOrigin-RevId: 546845334
Diffstat (limited to 'cc/aead')
-rw-r--r-- | cc/aead/BUILD.bazel | 8 | ||||
-rw-r--r-- | cc/aead/CMakeLists.txt | 8 | ||||
-rw-r--r-- | cc/aead/aead_config.cc | 4 | ||||
-rw-r--r-- | cc/aead/aead_config_test.cc | 116 |
4 files changed, 135 insertions, 1 deletions
diff --git a/cc/aead/BUILD.bazel b/cc/aead/BUILD.bazel
index 803e1fc62..9360bbdbd 100644
--- a/cc/aead/BUILD.bazel
+++ b/cc/aead/BUILD.bazel
@@ -63,6 +63,7 @@ cc_library(
 ":aes_ctr_hmac_aead_key_manager",
 ":aes_eax_key_manager",
 ":aes_gcm_key_manager",
+ ":aes_gcm_proto_serialization",
 ":aes_gcm_siv_key_manager",
 ":kms_aead_key_manager",
 ":kms_envelope_aead_key_manager",
@@ -459,13 +460,20 @@ cc_test(
 deps = [
 ":aead_config",
 ":aead_key_templates",
+ ":aes_gcm_key",
 ":aes_gcm_key_manager",
+ ":aes_gcm_parameters",
 "//:aead",
+ "//:insecure_secret_key_access",
 "//:keyset_handle",
+ "//:partial_key_access",
 "//:primitive_set",
 "//:registry",
 "//config:tink_fips",
 "//internal:fips_utils",
+ "//internal:mutable_serialization_registry",
+ "//internal:proto_key_serialization",
+ "//internal:proto_parameters_serialization",
 "//proto:tink_cc_proto",
 "//util:status",
 "//util:statusor",
diff --git a/cc/aead/CMakeLists.txt b/cc/aead/CMakeLists.txt
index 5c1adf698..149eab064 100644
--- a/cc/aead/CMakeLists.txt
+++ b/cc/aead/CMakeLists.txt
@@ -58,6 +58,7 @@ tink_cc_library(
 tink::aead::aes_ctr_hmac_aead_key_manager
 tink::aead::aes_eax_key_manager
 tink::aead::aes_gcm_key_manager
+ tink::aead::aes_gcm_proto_serialization
 tink::aead::aes_gcm_siv_key_manager
 tink::aead::kms_aead_key_manager
 tink::aead::kms_envelope_aead_key_manager
@@ -430,16 +431,23 @@ tink_cc_test(
 DEPS
 tink::aead::aead_config
 tink::aead::aead_key_templates
+ tink::aead::aes_gcm_key
 tink::aead::aes_gcm_key_manager
+ tink::aead::aes_gcm_parameters
 gmock
 absl::memory
 absl::status
 tink::core::aead
+ tink::core::insecure_secret_key_access
 tink::core::keyset_handle
+ tink::core::partial_key_access
 tink::core::primitive_set
 tink::core::registry
 tink::config::tink_fips
 tink::internal::fips_utils
+ tink::internal::mutable_serialization_registry
+ tink::internal::proto_key_serialization
+ tink::internal::proto_parameters_serialization
 tink::util::status
 tink::util::statusor
 tink::util::test_matchers
diff --git a/cc/aead/aead_config.cc b/cc/aead/aead_config.cc
index b5a84cac8..b6ba99b07 100644
--- a/cc/aead/aead_config.cc
+++ b/cc/aead/aead_config.cc
@@ -22,6 +22,7 @@
 #include "tink/aead/aes_ctr_hmac_aead_key_manager.h"
 #include "tink/aead/aes_eax_key_manager.h"
 #include "tink/aead/aes_gcm_key_manager.h"
+#include "tink/aead/aes_gcm_proto_serialization.h"
 #include "tink/aead/aes_gcm_siv_key_manager.h"
 #include "tink/aead/kms_aead_key_manager.h"
 #include "tink/aead/kms_envelope_aead_key_manager.h"
@@ -52,6 +53,9 @@ util::Status AeadConfig::Register() {
 absl::make_unique<AesGcmKeyManager>(), true);
 if (!status.ok()) return status;
 
+ status = RegisterAesGcmProtoSerialization();
+ if (!status.ok()) return status;
+
 if (IsFipsModeEnabled()) {
 return util::OkStatus();
 }
diff --git a/cc/aead/aead_config_test.cc b/cc/aead/aead_config_test.cc
index 4a7945d3f..157902bc4 100644
--- a/cc/aead/aead_config_test.cc
+++ b/cc/aead/aead_config_test.cc
@@ -27,10 +27,17 @@
 #include "absl/status/status.h"
 #include "tink/aead.h"
 #include "tink/aead/aead_key_templates.h"
+#include "tink/aead/aes_gcm_key.h"
 #include "tink/aead/aes_gcm_key_manager.h"
+#include "tink/aead/aes_gcm_parameters.h"
 #include "tink/config/tink_fips.h"
+#include "tink/insecure_secret_key_access.h"
 #include "tink/internal/fips_utils.h"
+#include "tink/internal/mutable_serialization_registry.h"
+#include "tink/internal/proto_key_serialization.h"
+#include "tink/internal/proto_parameters_serialization.h"
 #include "tink/keyset_handle.h"
+#include "tink/partial_key_access.h"
 #include "tink/primitive_set.h"
 #include "tink/registry.h"
 #include "tink/util/status.h"
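Review bot: The new `status = RegisterAesGcmProtoSerialization();` call is placed before the `IsFipsModeEnabled()` early return, so the AES-GCM proto serialization is registered in FIPS-only mode as well, yet both tests added in aead_config_test.cc skip under FIPS, so that path has no coverage. The placement is presumably deliberate (AesGcmKeyManager is registered before the same gate, and AES-GCM is a FIPS-approved algorithm), but nothing says so; a one-line comment above the call, `// AES-GCM is FIPS-approved, so its proto serialization is registered in both modes.`, would keep a later reorder from silently moving it behind the gate. Consider narrowing the tests' skip to builds where BoringCrypto is unavailable rather than all FIPS builds. AeadConfig::Register() begins before this hunk and continues after it.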
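Review bot: The tests added further down in this file (hunk @@ -138,6 +150,108) call `subtle::Random::GetRandomBytes` and construct `RestrictedData`, but this include hunk adds neither `tink/subtle/random.h` nor `tink/restricted_data.h`, and the BUILD.bazel and CMakeLists.txt hunks add no corresponding dependency targets. If those headers are not already included above this hunk, the test currently compiles only through transitive includes, which tends to break when an intermediate header is trimmed; adding the two includes here and the matching deps in both build files would make the dependency explicit.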
@@ -45,14 +52,19 @@ namespace {
 using ::crypto::tink::test::IsOk;
 using ::crypto::tink::test::StatusIs;
 using ::crypto::tink::util::StatusOr;
+using ::google::crypto::tink::KeyData;
 using ::google::crypto::tink::KeyTemplate;
+using ::google::crypto::tink::OutputPrefixType;
 using ::testing::IsNull;
 using ::testing::Not;
 using ::testing::Test;
 
 class AeadConfigTest : public Test {
 protected:
- void SetUp() override { Registry::Reset(); }
+ void SetUp() override {
+ Registry::Reset();
+ internal::MutableSerializationRegistry::GlobalInstance().Reset();
+ }
 };
 
 TEST_F(AeadConfigTest, RegisterWorks) {
@@ -138,6 +150,108 @@ TEST_F(AeadConfigTest, RegisterFailsIfBoringCryptoNotAvailable) {
 EXPECT_THAT(AeadConfig::Register(), StatusIs(absl::StatusCode::kInternal));
 }
 
+TEST_F(AeadConfigTest, AesGcmProtoParamsSerializationRegistered) {
+ if (IsFipsModeEnabled()) {
+ GTEST_SKIP() << "Not supported in FIPS-only mode";
+ }
+
+ util::StatusOr<internal::ProtoParametersSerialization>
+ proto_params_serialization =
+ internal::ProtoParametersSerialization::Create(
+ AeadKeyTemplates::Aes256Gcm());
+ ASSERT_THAT(proto_params_serialization, IsOk());
+
+ util::StatusOr<std::unique_ptr<Parameters>> parsed_params =
+ internal::MutableSerializationRegistry::GlobalInstance().ParseParameters(
+ *proto_params_serialization);
+ ASSERT_THAT(parsed_params.status(), StatusIs(absl::StatusCode::kNotFound));
+
+ util::StatusOr<AesGcmParameters> params =
+ AesGcmParameters::Builder()
+ .SetVariant(AesGcmParameters::Variant::kTink)
+ .SetKeySizeInBytes(32)
+ .SetIvSizeInBytes(12)
+ .SetTagSizeInBytes(16)
+ .Build();
+ ASSERT_THAT(params, IsOk());
+
+ util::StatusOr<std::unique_ptr<Serialization>> serialized_params =
+ internal::MutableSerializationRegistry::GlobalInstance()
+ .SerializeParameters<internal::ProtoParametersSerialization>(*params);
+ ASSERT_THAT(serialized_params.status(),
+ StatusIs(absl::StatusCode::kNotFound));
+
+ ASSERT_THAT(AeadConfig::Register(), IsOk());
+
+ util::StatusOr<std::unique_ptr<Parameters>> parsed_params2 =
+ internal::MutableSerializationRegistry::GlobalInstance().ParseParameters(
+ *proto_params_serialization);
+ ASSERT_THAT(parsed_params2, IsOk());
+
+ util::StatusOr<std::unique_ptr<Serialization>> serialized_params2 =
+ internal::MutableSerializationRegistry::GlobalInstance()
+ .SerializeParameters<internal::ProtoParametersSerialization>(*params);
+ ASSERT_THAT(serialized_params2, IsOk());
+}
+
+TEST_F(AeadConfigTest, AesGcmProtoKeySerializationRegistered) {
+ if (IsFipsModeEnabled()) {
+ GTEST_SKIP() << "Not supported in FIPS-only mode";
+ }
+
+ google::crypto::tink::AesGcmKey key_proto;
+ key_proto.set_version(0);
+ key_proto.set_key_value(subtle::Random::GetRandomBytes(32));
+
+ util::StatusOr<internal::ProtoKeySerialization> proto_key_serialization =
+ internal::ProtoKeySerialization::Create(
+ "type.googleapis.com/google.crypto.tink.AesGcmKey",
+ RestrictedData(key_proto.SerializeAsString(),
+ InsecureSecretKeyAccess::Get()),
+ KeyData::SYMMETRIC, OutputPrefixType::TINK, /*id_requirement=*/123);
+ ASSERT_THAT(proto_key_serialization, IsOk());
+
+ util::StatusOr<std::unique_ptr<Key>> parsed_key =
+ internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
+ *proto_key_serialization, InsecureSecretKeyAccess::Get());
+ ASSERT_THAT(parsed_key.status(), StatusIs(absl::StatusCode::kNotFound));
+
+ util::StatusOr<AesGcmParameters> params =
+ AesGcmParameters::Builder()
+ .SetVariant(AesGcmParameters::Variant::kTink)
+ .SetKeySizeInBytes(32)
+ .SetIvSizeInBytes(12)
+ .SetTagSizeInBytes(16)
+ .Build();
+ ASSERT_THAT(params, IsOk());
+
+ util::StatusOr<AesGcmKey> key =
+ AesGcmKey::Create(*params,
+ RestrictedData(subtle::Random::GetRandomBytes(32),
+ InsecureSecretKeyAccess::Get()),
+ /*id_requirement=*/123, GetPartialKeyAccess());
+ ASSERT_THAT(key, IsOk());
+
+ util::StatusOr<std::unique_ptr<Serialization>> serialized_key =
+ internal::MutableSerializationRegistry::GlobalInstance()
+ .SerializeKey<internal::ProtoKeySerialization>(
+ *key, InsecureSecretKeyAccess::Get());
+ ASSERT_THAT(serialized_key.status(), StatusIs(absl::StatusCode::kNotFound));
+
+ ASSERT_THAT(AeadConfig::Register(), IsOk());
+
+ util::StatusOr<std::unique_ptr<Key>> parsed_key2 =
+ internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
+ *proto_key_serialization, InsecureSecretKeyAccess::Get());
+ ASSERT_THAT(parsed_key2, IsOk());
+
+ util::StatusOr<std::unique_ptr<Serialization>> serialized_key2 =
+ internal::MutableSerializationRegistry::GlobalInstance()
+ .SerializeKey<internal::ProtoKeySerialization>(
+ *key, InsecureSecretKeyAccess::Get());
+ ASSERT_THAT(serialized_key2, IsOk());
+}
+
 } // namespace
 } // namespace tink
 } // namespace crypto
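Review bot: In AesGcmProtoKeySerializationRegistered, `key_proto` and `key` are built from two independent `subtle::Random::GetRandomBytes(32)` calls, so after `AeadConfig::Register()` the test can only check that parsing and serializing now succeed, not that the registered parser and serializer agree on the key material. Building `key` from the proto's bytes, `RestrictedData(key_proto.key_value(), InsecureSecretKeyAccess::Get())`, and adding `EXPECT_THAT(**parsed_key2, Eq(*key));` (with `using ::testing::Eq;`, assuming `Key::operator==` is available here) would catch a registered parser that yields a well-formed but different key, which is the failure that matters for a key-serialization path; the same comparison applies to `**parsed_params2` against `*params` in the parameters test. As a registration-coverage test the rest of the hunk reads fine.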