Remove remaining usages of Registry.getKeyManager and Registry.getUntypedKeyManager in some tests.

Instead, to verify that the key manager is registered, try to create a key. Also, remove the initialization test. It doesn't really add any additional value. PiperOrigin-RevId: 549582726
author: juerg <juerg@google.com> 2023-07-20 03:36:22 -0700
committer: Copybara-Service <copybara-worker@google.com> 2023-07-20 03:38:47 -0700
commit: 7d1665c2c6d5479347b99938b661fd08994097ae (patch)
tree: 2f4569a6fd16f2c436f89aa0bcfb9c2e28feb672 /java_src
parent: 7ac3ceb9334b94bc8d327bd35f9b2c673211494e (diff)
download: tink-7d1665c2c6d5479347b99938b661fd08994097ae.tar.gz
6 files changed, 83 insertions, 152 deletions
diff --git a/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/BUILD.bazel b/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/BUILD.bazel
index 2441f4dc4..5ca1e21d1 100644
--- a/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/BUILD.bazel
+++ b/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/BUILD.bazel
@@ -146,10 +146,12 @@ java_test(
         "//proto:tink_java_proto",
         "//src/main/java/com/google/crypto/tink:hybrid_decrypt",
         "//src/main/java/com/google/crypto/tink:hybrid_encrypt",
-        "//src/main/java/com/google/crypto/tink:registry",
+        "//src/main/java/com/google/crypto/tink:key_templates",
+        "//src/main/java/com/google/crypto/tink:registry_cluster",
+        "//src/main/java/com/google/crypto/tink/hybrid:hybrid_decrypt_wrapper",
+        "//src/main/java/com/google/crypto/tink/hybrid:hybrid_encrypt_wrapper",
         "//src/main/java/com/google/crypto/tink/hybrid/internal:hpke_encrypt",
         "//src/main/java/com/google/crypto/tink/hybrid/internal:hpke_private_key_manager",
-        "//src/main/java/com/google/crypto/tink/hybrid/internal:hpke_public_key_manager",
         "//src/main/java/com/google/crypto/tink/internal:key_type_manager",
         "//src/main/java/com/google/crypto/tink/subtle:random",
         "//src/main/java/com/google/crypto/tink/testing:test_util",
diff --git a/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/HpkePrivateKeyManagerTest.java b/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/HpkePrivateKeyManagerTest.java
index 1e036ba2b..e92bb5d24 100644
--- a/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/HpkePrivateKeyManagerTest.java
+++ b/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/HpkePrivateKeyManagerTest.java
@@ -22,7 +22,10 @@ import static org.junit.Assert.assertThrows;
 
 import com.google.crypto.tink.HybridDecrypt;
 import com.google.crypto.tink.HybridEncrypt;
-import com.google.crypto.tink.Registry;
+import com.google.crypto.tink.KeyTemplates;
+import com.google.crypto.tink.KeysetHandle;
+import com.google.crypto.tink.hybrid.HybridDecryptWrapper;
+import com.google.crypto.tink.hybrid.HybridEncryptWrapper;
 import com.google.crypto.tink.internal.KeyTypeManager;
 import com.google.crypto.tink.proto.HpkeAead;
 import com.google.crypto.tink.proto.HpkeKdf;
@@ -237,19 +240,26 @@ public final class HpkePrivateKeyManagerTest {
 
   @Test
   public void registerPair() throws Exception {
-    String publicKeyUrl = new HpkePublicKeyManager().getKeyType();
-    String privateKeyUrl = new HpkePrivateKeyManager().getKeyType();
+    if (TestUtil.isTsan()) {
+      // key generation is too slow in Tsan.
+      return;
+    }
+    HybridDecryptWrapper.register();
+    HybridEncryptWrapper.register();
 
     assertThrows(
         GeneralSecurityException.class,
-        () -> Registry.getKeyManager(publicKeyUrl, HybridEncrypt.class));
-    assertThrows(
-        GeneralSecurityException.class,
-        () -> Registry.getKeyManager(privateKeyUrl, HybridDecrypt.class));
-
-    HpkePrivateKeyManager.registerPair(/*newKeyAllowed=*/ true);
-
-    assertNotNull(Registry.getKeyManager(publicKeyUrl, HybridEncrypt.class));
-    assertNotNull(Registry.getKeyManager(privateKeyUrl, HybridDecrypt.class));
+        () ->
+            KeysetHandle.generateNew(
+                KeyTemplates.get("DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM")));
+
+    HpkePrivateKeyManager.registerPair(/* newKeyAllowed= */ true);
+
+    KeysetHandle privateHandle =
+        KeysetHandle.generateNew(
+            KeyTemplates.get("DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM"));
+    KeysetHandle publicHandle = privateHandle.getPublicKeysetHandle();
+    assertNotNull(privateHandle.getPrimitive(HybridDecrypt.class));
+    assertNotNull(publicHandle.getPrimitive(HybridEncrypt.class));
   }
 }
diff --git a/java_src/src/test/java/com/google/crypto/tink/signature/BUILD.bazel b/java_src/src/test/java/com/google/crypto/tink/signature/BUILD.bazel
index f1ae31541..0fcede9bc 100644
--- a/java_src/src/test/java/com/google/crypto/tink/signature/BUILD.bazel
+++ b/java_src/src/test/java/com/google/crypto/tink/signature/BUILD.bazel
@@ -193,13 +193,14 @@ java_test(
     srcs = ["SignatureConfigTest.java"],
     tags = ["fips"],
     deps = [
-        "//src/main/java/com/google/crypto/tink:public_key_sign",
-        "//src/main/java/com/google/crypto/tink:public_key_verify",
-        "//src/main/java/com/google/crypto/tink:registry",
+        "//src/main/java/com/google/crypto/tink:registry_cluster",
         "//src/main/java/com/google/crypto/tink/config:tink_fips",
         "//src/main/java/com/google/crypto/tink/config/internal:tink_fips_util",
+        "//src/main/java/com/google/crypto/tink/signature:predefined_signature_parameters",
         "//src/main/java/com/google/crypto/tink/signature:signature_config",
+        "@maven//:com_google_truth_truth",
         "@maven//:junit_junit",
+        "@maven//:org_conscrypt_conscrypt_openjdk_uber",
     ],
 )
 
diff --git a/java_src/src/test/java/com/google/crypto/tink/signature/SignatureConfigTest.java b/java_src/src/test/java/com/google/crypto/tink/signature/SignatureConfigTest.java
index d7f4ff042..7f6bf28bb 100644
--- a/java_src/src/test/java/com/google/crypto/tink/signature/SignatureConfigTest.java
+++ b/java_src/src/test/java/com/google/crypto/tink/signature/SignatureConfigTest.java
@@ -16,123 +16,78 @@
 
 package com.google.crypto.tink.signature;
 
-import static org.junit.Assert.assertNotNull;
+import static com.google.common.truth.Truth.assertThat;
 import static org.junit.Assert.assertThrows;
 
-import com.google.crypto.tink.PublicKeySign;
-import com.google.crypto.tink.PublicKeyVerify;
-import com.google.crypto.tink.Registry;
+import com.google.crypto.tink.KeysetHandle;
 import com.google.crypto.tink.config.TinkFips;
 import com.google.crypto.tink.config.internal.TinkFipsUtil;
 import java.security.GeneralSecurityException;
+import java.security.Security;
+import org.conscrypt.Conscrypt;
 import org.junit.Assume;
-import org.junit.FixMethodOrder;
+import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
-import org.junit.runners.MethodSorters;
 
-/**
- * Tests for SignatureConfig. Using FixedMethodOrder to ensure that aaaTestInitialization runs
- * first, as it tests execution of a static block within SignatureConfig-class.
- */
+/** Tests for SignatureConfig. */
 @RunWith(JUnit4.class)
-@FixMethodOrder(MethodSorters.NAME_ASCENDING)
 public class SignatureConfigTest {
 
-  // This test must run first.
-  @Test
-  public void aaaTestInitialization() throws Exception {
-    Assume.assumeFalse(TinkFips.useOnlyFips());
-    String typeUrl = "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey";
-
-    // Initialize the config.
-    SignatureConfig.register();
-
-    // After registration the key manager should be present.
-    assertNotNull(Registry.getKeyManager(typeUrl, PublicKeySign.class));
-
-    // Running init() manually again should succeed.
-    SignatureConfig.register();
+  @BeforeClass
+  public static void setup() {
+    try {
+      Conscrypt.checkAvailability();
+      Security.addProvider(Conscrypt.newProvider());
+    } catch (Throwable cause) {
+      // This test may be run without onlyFips turned on, in which case it is fine that installing
+      // conscrypt fails.
+    }
   }
 
   @Test
-  public void testNoFipsRegister() throws Exception {
+  public void notOnlyFips_shouldRegisterAllKeyTypes() throws Exception {
     Assume.assumeFalse(TinkFips.useOnlyFips());
 
-    // Register signature key manager
     SignatureConfig.register();
 
-    // Check if all key types are registered when not using FIPS mode.
-    String[] keyTypeUrlsSign = {
-      "type.googleapis.com/google.crypto.tink.RsaSsaPkcs1PrivateKey",
-      "type.googleapis.com/google.crypto.tink.RsaSsaPssPrivateKey",
-      "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey",
-      "type.googleapis.com/google.crypto.tink.Ed25519PrivateKey"
-    };
-
-    for (String typeUrl : keyTypeUrlsSign) {
-      assertNotNull(Registry.getKeyManager(typeUrl, PublicKeySign.class));
-    }
-
-    String[] keyTypeUrlsVerify = {
-      "type.googleapis.com/google.crypto.tink.RsaSsaPkcs1PublicKey",
-      "type.googleapis.com/google.crypto.tink.RsaSsaPssPublicKey",
-      "type.googleapis.com/google.crypto.tink.EcdsaPublicKey",
-      "type.googleapis.com/google.crypto.tink.Ed25519PublicKey"
-    };
-
-    for (String typeUrl : keyTypeUrlsVerify) {
-      assertNotNull(Registry.getKeyManager(typeUrl, PublicKeyVerify.class));
-    }
+    assertThat(KeysetHandle.generateNew(PredefinedSignatureParameters.RSA_SSA_PKCS1_3072_SHA256_F4))
+        .isNotNull();
+    assertThat(
+            KeysetHandle.generateNew(
+                PredefinedSignatureParameters.RSA_SSA_PSS_3072_SHA256_SHA256_32_F4))
+        .isNotNull();
+    assertThat(KeysetHandle.generateNew(PredefinedSignatureParameters.ECDSA_P256)).isNotNull();
+    assertThat(KeysetHandle.generateNew(PredefinedSignatureParameters.ED25519)).isNotNull();
   }
 
   @Test
-  public void testFipsRegisterFipsKeys() throws Exception {
+  public void onlyFips_shouldRegisterFipsKeyTypes() throws Exception {
     Assume.assumeTrue(TinkFips.useOnlyFips());
     Assume.assumeTrue(TinkFipsUtil.fipsModuleAvailable());
 
-    // Register AEAD key manager
     SignatureConfig.register();
 
-    // Check if all FIPS-compliant key types are registered when using FIPS mode.
-    String[] keyTypeUrlsSign = {
-      "type.googleapis.com/google.crypto.tink.RsaSsaPkcs1PrivateKey",
-      "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey",
-    };
-
-    for (String typeUrl : keyTypeUrlsSign) {
-      assertNotNull(Registry.getKeyManager(typeUrl, PublicKeySign.class));
-    }
-
-    String[] keyTypeUrlsVerify = {
-      "type.googleapis.com/google.crypto.tink.RsaSsaPkcs1PublicKey",
-      "type.googleapis.com/google.crypto.tink.EcdsaPublicKey",
-    };
-
-    for (String typeUrl : keyTypeUrlsVerify) {
-      assertNotNull(Registry.getKeyManager(typeUrl, PublicKeyVerify.class));
-    }
+    assertThat(KeysetHandle.generateNew(PredefinedSignatureParameters.RSA_SSA_PKCS1_3072_SHA256_F4))
+        .isNotNull();
+    assertThat(KeysetHandle.generateNew(PredefinedSignatureParameters.ECDSA_P256)).isNotNull();
   }
 
   @Test
-  public void testFipsRegisterNonFipsKeys() throws Exception {
+  public void onlyFips_shouldNotRegisterNonFipsKeyTypes() throws Exception {
     Assume.assumeTrue(TinkFips.useOnlyFips());
     Assume.assumeTrue(TinkFipsUtil.fipsModuleAvailable());
 
-    // Register signature key manager
     SignatureConfig.register();
 
-    // List of algorithms which are not part of FIPS and should not be registered.
-    String[] keyTypeUrls = {
-      "type.googleapis.com/google.crypto.tink.Ed25519PrivateKey",
-      "type.googleapis.com/google.crypto.tink.Ed25519PublicKey",
-      "type.googleapis.com/google.crypto.tink.RsaSsaPssPrivateKey",
-      "type.googleapis.com/google.crypto.tink.RsaSsaPssPublicKey",
-    };
-
-    for (String typeUrl : keyTypeUrls) {
-      assertThrows(GeneralSecurityException.class, () -> Registry.getUntypedKeyManager(typeUrl));
-    }
+    assertThrows(
+        GeneralSecurityException.class,
+        () ->
+            KeysetHandle.generateNew(
+                PredefinedSignatureParameters.RSA_SSA_PSS_3072_SHA256_SHA256_32_F4));
+    assertThrows(
+        GeneralSecurityException.class,
+        () -> KeysetHandle.generateNew(PredefinedSignatureParameters.ED25519));
   }
 }
diff --git a/java_src/src/test/java/com/google/crypto/tink/streamingaead/BUILD.bazel b/java_src/src/test/java/com/google/crypto/tink/streamingaead/BUILD.bazel
index 4af6735b7..b7738d01b 100644
--- a/java_src/src/test/java/com/google/crypto/tink/streamingaead/BUILD.bazel
+++ b/java_src/src/test/java/com/google/crypto/tink/streamingaead/BUILD.bazel
@@ -144,8 +144,8 @@ java_test(
     srcs = ["StreamingAeadConfigTest.java"],
     tags = ["fips"],
     deps = [
-        "//src/main/java/com/google/crypto/tink:registry",
-        "//src/main/java/com/google/crypto/tink:streaming_aead",
+        "//src/main/java/com/google/crypto/tink:key_templates",
+        "//src/main/java/com/google/crypto/tink:registry_cluster",
         "//src/main/java/com/google/crypto/tink/config:tink_fips",
         "//src/main/java/com/google/crypto/tink/streamingaead:streaming_aead_config",
         "@maven//:com_google_truth_truth",
diff --git a/java_src/src/test/java/com/google/crypto/tink/streamingaead/StreamingAeadConfigTest.java b/java_src/src/test/java/com/google/crypto/tink/streamingaead/StreamingAeadConfigTest.java
index e11421c68..fdfd961a1 100644
--- a/java_src/src/test/java/com/google/crypto/tink/streamingaead/StreamingAeadConfigTest.java
+++ b/java_src/src/test/java/com/google/crypto/tink/streamingaead/StreamingAeadConfigTest.java
@@ -17,80 +17,43 @@
 package com.google.crypto.tink.streamingaead;
 
 import static com.google.common.truth.Truth.assertThat;
-import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertThrows;
 
-import com.google.crypto.tink.Registry;
-import com.google.crypto.tink.StreamingAead;
+import com.google.crypto.tink.KeyTemplates;
+import com.google.crypto.tink.KeysetHandle;
 import com.google.crypto.tink.config.TinkFips;
 import java.security.GeneralSecurityException;
 import org.junit.Assume;
-import org.junit.FixMethodOrder;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
-import org.junit.runners.MethodSorters;
 
-/**
- * Tests for StreamingAeadConfig. Using FixedMethodOrder to ensure that aaaTestInitialization runs
- * first, as it tests execution of a static block within StreamingAeadConfig-class.
- */
+/** Tests for StreamingAeadConfig. */
 @RunWith(JUnit4.class)
-@FixMethodOrder(MethodSorters.NAME_ASCENDING)
 public class StreamingAeadConfigTest {
 
-  // This test must run first.
   @Test
-  public void aaaTestInitialization() throws Exception {
+  public void notOnlyFips_shouldRegisterAllKeyTypes() throws Exception {
     Assume.assumeFalse(TinkFips.useOnlyFips());
-    String typeUrl = "type.googleapis.com/google.crypto.tink.AesCtrHmacStreamingKey";
-    GeneralSecurityException e3 =
-        assertThrows(GeneralSecurityException.class, () -> Registry.getUntypedKeyManager(typeUrl));
-    assertThat(e3.toString()).contains("No key manager found");
 
-    // Initialize the config.
     StreamingAeadConfig.register();
 
-    // After registration the key manager should be present.
-    assertNotNull(Registry.getKeyManager(typeUrl, StreamingAead.class));
-
-    // Running init() manually again should succeed.
-    StreamingAeadConfig.register();
+    assertThat(KeysetHandle.generateNew(KeyTemplates.get("AES128_GCM_HKDF_4KB"))).isNotNull();
+    assertThat(KeysetHandle.generateNew(KeyTemplates.get("AES128_CTR_HMAC_SHA256_4KB")))
+        .isNotNull();
   }
 
   @Test
-  public void testNoFipsRegister() throws Exception {
-    Assume.assumeFalse(TinkFips.useOnlyFips());
-
-    // Register streaming AEAD key manager
-    StreamingAeadConfig.register();
-
-    // Check if all key types are registered when not using FIPS mode.
-    String[] keyTypeUrls = {
-      "type.googleapis.com/google.crypto.tink.AesCtrHmacStreamingKey",
-      "type.googleapis.com/google.crypto.tink.AesGcmHkdfStreamingKey",
-    };
-
-    for (String typeUrl : keyTypeUrls) {
-      assertNotNull(Registry.getKeyManager(typeUrl, StreamingAead.class));
-    }
-  }
-
-  @Test
-  public void testFipsRegisterNonFipsKeys() throws Exception {
+  public void onlyFips_shouldNotRegisterNonFipsKeyTypes() throws Exception {
     Assume.assumeTrue(TinkFips.useOnlyFips());
 
-    // Register streaming AEAD key manager
     StreamingAeadConfig.register();
 
-    // List of algorithms which are not part of FIPS and should not be registered.
-    String[] keyTypeUrls = {
-      "type.googleapis.com/google.crypto.tink.AesCtrHmacStreamingKey",
-      "type.googleapis.com/google.crypto.tink.AesGcmHkdfStreamingKey",
-    };
-
-    for (String typeUrl : keyTypeUrls) {
-      assertThrows(GeneralSecurityException.class, () -> Registry.getUntypedKeyManager(typeUrl));
-    }
+    assertThrows(
+        GeneralSecurityException.class,
+        () -> KeysetHandle.generateNew(KeyTemplates.get("AES128_GCM_HKDF_4KB")));
+    assertThrows(
+        GeneralSecurityException.class,
+        () -> KeysetHandle.generateNew(KeyTemplates.get("AES128_CTR_HMAC_SHA256_4KB")));
   }
 }
author	juerg <juerg@google.com>	2023-07-20 03:36:22 -0700
committer	Copybara-Service <copybara-worker@google.com>	2023-07-20 03:38:47 -0700
commit	7d1665c2c6d5479347b99938b661fd08994097ae (patch)
tree	2f4569a6fd16f2c436f89aa0bcfb9c2e28feb672 /java_src
parent	7ac3ceb9334b94bc8d327bd35f9b2c673211494e (diff)
download	tink-7d1665c2c6d5479347b99938b661fd08994097ae.tar.gz