diff options
author | tholenst <tholenst@google.com> | 2019-11-12 06:31:28 -0800 |
---|---|---|
committer | Copybara-Service <copybara-worker@google.com> | 2019-11-12 06:32:13 -0800 |
commit | 14523c6b15eb1eba860760f7ab6f81df7ef6ee85 (patch) | |
tree | 3527ed1e3cee399b71a7305b560f5f7c267c9b4b /cc/prf | |
parent | 5f1203f316b052d8cf6ffc371aecf7f10c929b17 (diff) | |
download | tink-14523c6b15eb1eba860760f7ab6f81df7ef6ee85.tar.gz |
Add a HkdfPrfKeyManager for Java.
PiperOrigin-RevId: 279952563
Diffstat (limited to 'cc/prf')
-rw-r--r-- | cc/prf/hkdf_prf_key_manager.h | 7 | ||||
-rw-r--r-- | cc/prf/hkdf_prf_key_manager_test.cc | 52 |
2 files changed, 35 insertions, 24 deletions
diff --git a/cc/prf/hkdf_prf_key_manager.h b/cc/prf/hkdf_prf_key_manager.h index 9339f0f9c..c2fbc27f5 100644 --- a/cc/prf/hkdf_prf_key_manager.h +++ b/cc/prf/hkdf_prf_key_manager.h @@ -108,8 +108,11 @@ class HkdfPrfKeyManager return crypto::tink::util::Status::OK; } - // Tink specific minimum key size. - const int kMinKeySizeBytes = 16; + // We use a somewhat larger minimum key size than usual, because PRFs might be + // used by many users, in which case the security can degrade by a factor + // depending on the number of users. (Discussed for example in + // https://eprint.iacr.org/2012/159) + const int kMinKeySizeBytes = 32; const std::string key_type_ = absl::StrCat( kTypeGoogleapisCom, google::crypto::tink::HkdfPrfKey().GetTypeName()); }; diff --git a/cc/prf/hkdf_prf_key_manager_test.cc b/cc/prf/hkdf_prf_key_manager_test.cc index 90f9b8662..3978bfc75 100644 --- a/cc/prf/hkdf_prf_key_manager_test.cc +++ b/cc/prf/hkdf_prf_key_manager_test.cc @@ -49,10 +49,10 @@ TEST(HkdfPrfKeyManagerTest, ValidateEmptyKey) { StatusIs(util::error::INVALID_ARGUMENT)); } -TEST(HkdfPrfKeyManagerTest, ValidateValid16ByteKey) { +TEST(HkdfPrfKeyManagerTest, ValidateValid32ByteKey) { HkdfPrfKey key; key.set_version(0); - key.set_key_value("0123456789abcdef"); + key.set_key_value("01234567890123456789012345678901"); key.mutable_params()->set_hash(::google::crypto::tink::SHA256); EXPECT_THAT(HkdfPrfKeyManager().ValidateKey(key), IsOk()); } @@ -60,15 +60,15 @@ TEST(HkdfPrfKeyManagerTest, ValidateValid16ByteKey) { TEST(HkdfPrfKeyManagerTest, ValidateValidSha512Key) { HkdfPrfKey key; key.set_version(0); - key.set_key_value("0123456789abcdef"); + key.set_key_value("01234567890123456789012345678901"); key.mutable_params()->set_hash(::google::crypto::tink::SHA512); EXPECT_THAT(HkdfPrfKeyManager().ValidateKey(key), IsOk()); } -TEST(HkdfPrfKeyManagerTest, ValidateValid17ByteKey) { +TEST(HkdfPrfKeyManagerTest, ValidateValid33ByteKey) { HkdfPrfKey key; key.set_version(0); - key.set_key_value("0123456789abcdefg"); + key.set_key_value("012345678901234567890123456789012"); key.mutable_params()->set_hash(::google::crypto::tink::SHA256); EXPECT_THAT(HkdfPrfKeyManager().ValidateKey(key), IsOk()); } @@ -76,16 +76,16 @@ TEST(HkdfPrfKeyManagerTest, ValidateValid17ByteKey) { TEST(HkdfPrfKeyManagerTest, ValidateValidKeyWithSalt) { HkdfPrfKey key; key.set_version(0); - key.set_key_value("0123456789abcdefg"); + key.set_key_value("01234567890123456789012345678901"); key.mutable_params()->set_hash(::google::crypto::tink::SHA256); key.mutable_params()->set_salt("12345"); EXPECT_THAT(HkdfPrfKeyManager().ValidateKey(key), IsOk()); } -TEST(HkdfPrfKeyManagerTest, InvalidKeySizes15Bytes) { +TEST(HkdfPrfKeyManagerTest, InvalidKeySizes31Bytes) { HkdfPrfKey key; key.set_version(0); - key.set_key_value("0123456789abcde"); + key.set_key_value("0123456789012345678901234567890"); EXPECT_THAT(HkdfPrfKeyManager().ValidateKey(key), StatusIs(util::error::INVALID_ARGUMENT)); } @@ -93,7 +93,7 @@ TEST(HkdfPrfKeyManagerTest, InvalidKeySizes15Bytes) { TEST(HkdfPrfKeyManagerTest, InvalidKeySha1) { HkdfPrfKey key; key.set_version(0); - key.set_key_value("0123456789abcdef"); + key.set_key_value("01234567890123456789012345678901"); key.mutable_params()->set_hash(::google::crypto::tink::SHA1); EXPECT_THAT(HkdfPrfKeyManager().ValidateKey(key), StatusIs(util::error::INVALID_ARGUMENT)); @@ -102,7 +102,7 @@ TEST(HkdfPrfKeyManagerTest, InvalidKeySha1) { TEST(HkdfPrfKeyManagerTest, InvalidKeyVersion) { HkdfPrfKey key; key.set_version(1); - key.set_key_value("0123456789abcdef"); + key.set_key_value("01234567890123456789012345678901"); key.mutable_params()->set_hash(::google::crypto::tink::SHA256); EXPECT_THAT(HkdfPrfKeyManager().ValidateKey(key), StatusIs(util::error::INVALID_ARGUMENT)); @@ -113,30 +113,30 @@ TEST(HkdfPrfKeyManagerTest, ValidateEmptyKeyFormat) { StatusIs(util::error::INVALID_ARGUMENT)); } -TEST(HkdfPrfKeyManagerTest, ValidateValid16ByteKeyFormat) { +TEST(HkdfPrfKeyManagerTest, ValidateValid32ByteKeyFormat) { HkdfPrfKeyFormat key_format; - key_format.set_key_size(16); + key_format.set_key_size(32); key_format.mutable_params()->set_hash(::google::crypto::tink::SHA256); EXPECT_THAT(HkdfPrfKeyManager().ValidateKeyFormat(key_format), IsOk()); } TEST(HkdfPrfKeyManagerTest, ValidateValidSha512KeyFormat) { HkdfPrfKeyFormat key_format; - key_format.set_key_size(16); + key_format.set_key_size(32); key_format.mutable_params()->set_hash(::google::crypto::tink::SHA512); EXPECT_THAT(HkdfPrfKeyManager().ValidateKeyFormat(key_format), IsOk()); } -TEST(HkdfPrfKeyManagerTest, ValidateValid17ByteKeyFormat) { +TEST(HkdfPrfKeyManagerTest, ValidateValid33ByteKeyFormat) { HkdfPrfKeyFormat key_format; - key_format.set_key_size(16); + key_format.set_key_size(33); key_format.mutable_params()->set_hash(::google::crypto::tink::SHA256); EXPECT_THAT(HkdfPrfKeyManager().ValidateKeyFormat(key_format), IsOk()); } TEST(HkdfPrfKeyManagerTest, ValidateValidKeyFormatWithSalt) { HkdfPrfKeyFormat key_format; - key_format.set_key_size(16); + key_format.set_key_size(32); key_format.mutable_params()->set_hash(::google::crypto::tink::SHA256); key_format.mutable_params()->set_salt("abcdef"); EXPECT_THAT(HkdfPrfKeyManager().ValidateKeyFormat(key_format), IsOk()); @@ -144,19 +144,27 @@ TEST(HkdfPrfKeyManagerTest, ValidateValidKeyFormatWithSalt) { TEST(HkdfPrfKeyManagerTest, InvalidKeyFormatSha1) { HkdfPrfKeyFormat key_format; - key_format.set_key_size(16); + key_format.set_key_size(32); key_format.mutable_params()->set_hash(::google::crypto::tink::SHA1); EXPECT_THAT(HkdfPrfKeyManager().ValidateKeyFormat(key_format), StatusIs(util::error::INVALID_ARGUMENT)); } +TEST(HkdfPrfKeyManagerTest, ValidateInvalid31ByteKeyFormat) { + HkdfPrfKeyFormat key_format; + key_format.set_key_size(31); + key_format.mutable_params()->set_hash(::google::crypto::tink::SHA256); + EXPECT_THAT(HkdfPrfKeyManager().ValidateKeyFormat(key_format), + StatusIs(util::error::INVALID_ARGUMENT)); +} + TEST(HkdfPrfKeyManagerTest, CreateKey) { HkdfPrfKeyFormat key_format; - key_format.set_key_size(16); + key_format.set_key_size(32); key_format.mutable_params()->set_hash(::google::crypto::tink::SHA256); auto key_or = HkdfPrfKeyManager().CreateKey(key_format); ASSERT_THAT(key_or.status(), IsOk()); - EXPECT_THAT(key_or.ValueOrDie().key_value(), SizeIs(16)); + EXPECT_THAT(key_or.ValueOrDie().key_value(), SizeIs(32)); EXPECT_THAT(key_or.ValueOrDie().params().hash(), Eq(::google::crypto::tink::SHA256)); EXPECT_THAT(key_or.ValueOrDie().params().salt(), Eq("")); @@ -174,7 +182,7 @@ TEST(HkdfPrfKeyManagerTest, CreateKeyDifferetSize) { TEST(HkdfPrfKeyManagerTest, CreateKeyDifferetHash) { HkdfPrfKeyFormat key_format; - key_format.set_key_size(16); + key_format.set_key_size(32); key_format.mutable_params()->set_hash(::google::crypto::tink::SHA512); auto key_or = HkdfPrfKeyManager().CreateKey(key_format); ASSERT_THAT(key_or.status(), IsOk()); @@ -184,7 +192,7 @@ TEST(HkdfPrfKeyManagerTest, CreateKeyDifferetHash) { TEST(HkdfPrfKeyManagerTest, CreateKeyDifferetSalt) { HkdfPrfKeyFormat key_format; - key_format.set_key_size(16); + key_format.set_key_size(32); key_format.mutable_params()->set_hash(::google::crypto::tink::SHA512); key_format.mutable_params()->set_salt("saltstring"); auto key_or = HkdfPrfKeyManager().CreateKey(key_format); @@ -194,7 +202,7 @@ TEST(HkdfPrfKeyManagerTest, CreateKeyDifferetSalt) { TEST(HkdfPrfKeyManagerTest, CreatePrf) { HkdfPrfKeyFormat key_format; - key_format.set_key_size(16); + key_format.set_key_size(32); key_format.mutable_params()->set_hash(::google::crypto::tink::SHA256); key_format.mutable_params()->set_salt("salt string"); auto key_or = HkdfPrfKeyManager().CreateKey(key_format); |