Add a test with two envelope AEAD keys in a keyset.

PiperOrigin-RevId: 549657384
author: juerg <juerg@google.com> 2023-07-20 09:41:06 -0700
committer: Copybara-Service <copybara-worker@google.com> 2023-07-20 09:42:16 -0700
commit: 63fe69f9576bce3aa23e2e11d906a0705540a66a (patch)
tree: edf670cb0ffc599b781abed6e04910daf3808755 /java_src
parent: 91f28af515a4e782466b4b5c02fd403f568e8aae (diff)
download: tink-63fe69f9576bce3aa23e2e11d906a0705540a66a.tar.gz
1 files changed, 30 insertions, 0 deletions
diff --git a/java_src/src/test/java/com/google/crypto/tink/aead/KmsEnvelopeAeadKeyManagerTest.java b/java_src/src/test/java/com/google/crypto/tink/aead/KmsEnvelopeAeadKeyManagerTest.java
index c2805855f..b1405992f 100644
--- a/java_src/src/test/java/com/google/crypto/tink/aead/KmsEnvelopeAeadKeyManagerTest.java
+++ b/java_src/src/test/java/com/google/crypto/tink/aead/KmsEnvelopeAeadKeyManagerTest.java
@@ -254,6 +254,36 @@ public class KmsEnvelopeAeadKeyManagerTest {
   }
 
   @Test
+  public void keysetsWithTwoKmsEnvelopeAeadKeys_canDecryptWithBoth() throws Exception {
+    KeyTemplate dekTemplate = AesCtrHmacAeadKeyManager.aes128CtrHmacSha256Template();
+    byte[] plaintext = Random.randBytes(20);
+    byte[] associatedData = Random.randBytes(20);
+
+    String kekUri1 = FakeKmsClient.createFakeKeyUri();
+    KeysetHandle handle1 =
+        KeysetHandle.generateNew(KmsEnvelopeAeadKeyManager.createKeyTemplate(kekUri1, dekTemplate));
+    Aead aead1 = handle1.getPrimitive(Aead.class);
+    byte[] ciphertext1 = aead1.encrypt(plaintext, associatedData);
+
+    String kekUri2 = FakeKmsClient.createFakeKeyUri();
+    KeysetHandle handle2 =
+        KeysetHandle.generateNew(KmsEnvelopeAeadKeyManager.createKeyTemplate(kekUri2, dekTemplate));
+    Aead aead2 = handle2.getPrimitive(Aead.class);
+    byte[] ciphertext2 = aead2.encrypt(plaintext, associatedData);
+
+    KeysetHandle handle =
+        KeysetHandle.newBuilder()
+            .addEntry(
+                KeysetHandle.importKey(handle1.getAt(0).getKey()).withRandomId().makePrimary())
+            .addEntry(KeysetHandle.importKey(handle2.getAt(0).getKey()).withRandomId())
+            .build();
+    Aead aead = handle.getPrimitive(Aead.class);
+
+    assertThat(aead.decrypt(ciphertext1, associatedData)).isEqualTo(plaintext);
+    assertThat(aead.decrypt(ciphertext2, associatedData)).isEqualTo(plaintext);
+  }
+
+  @Test
   public void multipleAeadsWithSameKekAndDifferentDekTemplateOfSameKeyType_canDecryptEachOther()
       throws Exception {
     String kekUri = FakeKmsClient.createFakeKeyUri();
author	juerg <juerg@google.com>	2023-07-20 09:41:06 -0700
committer	Copybara-Service <copybara-worker@google.com>	2023-07-20 09:42:16 -0700
commit	63fe69f9576bce3aa23e2e11d906a0705540a66a (patch)
tree	edf670cb0ffc599b781abed6e04910daf3808755 /java_src
parent	91f28af515a4e782466b4b5c02fd403f568e8aae (diff)
download	tink-63fe69f9576bce3aa23e2e11d906a0705540a66a.tar.gz