author | juerg <juerg@google.com> | 2023-07-20 03:36:22 -0700 |
---|---|---|
committer | Copybara-Service <copybara-worker@google.com> | 2023-07-20 03:38:47 -0700 |
commit | 7d1665c2c6d5479347b99938b661fd08994097ae (patch) | |
tree | 2f4569a6fd16f2c436f89aa0bcfb9c2e28feb672 /java_src | |
parent | 7ac3ceb9334b94bc8d327bd35f9b2c673211494e (diff) | |
Remove remaining usages of Registry.getKeyManager and Registry.getUntypedKeyManager in some tests.
Instead, to verify that the key manager is registered, try to create a key.
Also, remove the initialization test. It doesn't really add any additional value.
PiperOrigin-RevId: 549582726
Diffstat (limited to 'java_src')
6 files changed, 83 insertions, 152 deletions
diff --git a/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/BUILD.bazel b/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/BUILD.bazel
index 2441f4dc4..5ca1e21d1 100644
--- a/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/BUILD.bazel
+++ b/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/BUILD.bazel
@@ -146,10 +146,12 @@ java_test(
 "//proto:tink_java_proto",
 "//src/main/java/com/google/crypto/tink:hybrid_decrypt",
 "//src/main/java/com/google/crypto/tink:hybrid_encrypt",
- "//src/main/java/com/google/crypto/tink:registry",
+ "//src/main/java/com/google/crypto/tink:key_templates",
+ "//src/main/java/com/google/crypto/tink:registry_cluster",
+ "//src/main/java/com/google/crypto/tink/hybrid:hybrid_decrypt_wrapper",
+ "//src/main/java/com/google/crypto/tink/hybrid:hybrid_encrypt_wrapper",
 "//src/main/java/com/google/crypto/tink/hybrid/internal:hpke_encrypt",
 "//src/main/java/com/google/crypto/tink/hybrid/internal:hpke_private_key_manager",
- "//src/main/java/com/google/crypto/tink/hybrid/internal:hpke_public_key_manager",
 "//src/main/java/com/google/crypto/tink/internal:key_type_manager",
 "//src/main/java/com/google/crypto/tink/subtle:random",
 "//src/main/java/com/google/crypto/tink/testing:test_util",
diff --git a/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/HpkePrivateKeyManagerTest.java b/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/HpkePrivateKeyManagerTest.java
index 1e036ba2b..e92bb5d24 100644
--- a/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/HpkePrivateKeyManagerTest.java
+++ b/java_src/src/test/java/com/google/crypto/tink/hybrid/internal/HpkePrivateKeyManagerTest.java
@@ -22,7 +22,10 @@ import static org.junit.Assert.assertThrows;
 import com.google.crypto.tink.HybridDecrypt;
 import com.google.crypto.tink.HybridEncrypt;
-import com.google.crypto.tink.Registry;
+import com.google.crypto.tink.KeyTemplates;
+import com.google.crypto.tink.KeysetHandle;
+import com.google.crypto.tink.hybrid.HybridDecryptWrapper;
+import com.google.crypto.tink.hybrid.HybridEncryptWrapper;
 import com.google.crypto.tink.internal.KeyTypeManager;
 import com.google.crypto.tink.proto.HpkeAead;
 import com.google.crypto.tink.proto.HpkeKdf;
@@ -237,19 +240,26 @@ public final class HpkePrivateKeyManagerTest {
 @Test
 public void registerPair() throws Exception {
- String publicKeyUrl = new HpkePublicKeyManager().getKeyType();
- String privateKeyUrl = new HpkePrivateKeyManager().getKeyType();
+ if (TestUtil.isTsan()) {
+ // key generation is too slow in Tsan.
+ return;
+ }
+ HybridDecryptWrapper.register();
+ HybridEncryptWrapper.register();
 assertThrows(
 GeneralSecurityException.class,
- () -> Registry.getKeyManager(publicKeyUrl, HybridEncrypt.class));
- assertThrows(
- GeneralSecurityException.class,
- () -> Registry.getKeyManager(privateKeyUrl, HybridDecrypt.class));
-
- HpkePrivateKeyManager.registerPair(/*newKeyAllowed=*/ true);
-
- assertNotNull(Registry.getKeyManager(publicKeyUrl, HybridEncrypt.class));
- assertNotNull(Registry.getKeyManager(privateKeyUrl, HybridDecrypt.class));
+ () ->
+ KeysetHandle.generateNew(
+ KeyTemplates.get("DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM")));
+
+ HpkePrivateKeyManager.registerPair(/* newKeyAllowed= */ true);
+
+ KeysetHandle privateHandle =
+ KeysetHandle.generateNew(
+ KeyTemplates.get("DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM"));
+ KeysetHandle publicHandle = privateHandle.getPublicKeysetHandle();
+ assertNotNull(privateHandle.getPrimitive(HybridDecrypt.class));
+ assertNotNull(publicHandle.getPrimitive(HybridEncrypt.class));
 }
 }
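Review bot: The pre-registration `assertThrows(GeneralSecurityException.class, ...)` in registerPair wraps both `KeyTemplates.get(...)` and `KeysetHandle.generateNew(...)`, so it passes on any GeneralSecurityException, including a failed template lookup or a misspelled template name, and no longer shows that the key manager itself was absent. The same broad assertion is used in onlyFips_shouldNotRegisterNonFipsKeyTypes in SignatureConfigTest and StreamingAeadConfigTest, where it is the only evidence that non-FIPS algorithms are rejected. Consider capturing the exception and checking its cause, as the removed StreamingAead test did with `assertThat(e3.toString()).contains("No key manager found")`; the exact message on the new code path is not visible here and should be confirmed. Separately, `if (TestUtil.isTsan()) { return; }` reports the test as passed, whereas `Assume.assumeFalse(TestUtil.isTsan());` would report it as skipped (it needs the `org.junit.Assume` import if the file does not already have it).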
diff --git a/java_src/src/test/java/com/google/crypto/tink/signature/BUILD.bazel b/java_src/src/test/java/com/google/crypto/tink/signature/BUILD.bazel
index f1ae31541..0fcede9bc 100644
--- a/java_src/src/test/java/com/google/crypto/tink/signature/BUILD.bazel
+++ b/java_src/src/test/java/com/google/crypto/tink/signature/BUILD.bazel
@@ -193,13 +193,14 @@ java_test(
 srcs = ["SignatureConfigTest.java"],
 tags = ["fips"],
 deps = [
- "//src/main/java/com/google/crypto/tink:public_key_sign",
- "//src/main/java/com/google/crypto/tink:public_key_verify",
- "//src/main/java/com/google/crypto/tink:registry",
+ "//src/main/java/com/google/crypto/tink:registry_cluster",
 "//src/main/java/com/google/crypto/tink/config:tink_fips",
 "//src/main/java/com/google/crypto/tink/config/internal:tink_fips_util",
+ "//src/main/java/com/google/crypto/tink/signature:predefined_signature_parameters",
 "//src/main/java/com/google/crypto/tink/signature:signature_config",
+ "@maven//:com_google_truth_truth",
 "@maven//:junit_junit",
+ "@maven//:org_conscrypt_conscrypt_openjdk_uber",
 ],
 )
diff --git a/java_src/src/test/java/com/google/crypto/tink/signature/SignatureConfigTest.java b/java_src/src/test/java/com/google/crypto/tink/signature/SignatureConfigTest.java
index d7f4ff042..7f6bf28bb 100644
--- a/java_src/src/test/java/com/google/crypto/tink/signature/SignatureConfigTest.java
+++ b/java_src/src/test/java/com/google/crypto/tink/signature/SignatureConfigTest.java
@@ -16,123 +16,78 @@ package com.google.crypto.tink.signature;
-import static org.junit.Assert.assertNotNull;
+import static com.google.common.truth.Truth.assertThat;
 import static org.junit.Assert.assertThrows;
-import com.google.crypto.tink.PublicKeySign;
-import com.google.crypto.tink.PublicKeyVerify;
-import com.google.crypto.tink.Registry;
+import com.google.crypto.tink.KeysetHandle;
 import com.google.crypto.tink.config.TinkFips;
 import com.google.crypto.tink.config.internal.TinkFipsUtil;
 import java.security.GeneralSecurityException;
+import java.security.Security;
+import org.conscrypt.Conscrypt;
 import org.junit.Assume;
-import org.junit.FixMethodOrder;
+import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
-import org.junit.runners.MethodSorters;
-/**
- * Tests for SignatureConfig. Using FixedMethodOrder to ensure that aaaTestInitialization runs
- * first, as it tests execution of a static block within SignatureConfig-class.
- */
+/** Tests for SignatureConfig. */
 @RunWith(JUnit4.class)
-@FixMethodOrder(MethodSorters.NAME_ASCENDING)
 public class SignatureConfigTest {
- // This test must run first.
- @Test
- public void aaaTestInitialization() throws Exception {
- Assume.assumeFalse(TinkFips.useOnlyFips());
- String typeUrl = "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey";
-
- // Initialize the config.
- SignatureConfig.register();
-
- // After registration the key manager should be present.
- assertNotNull(Registry.getKeyManager(typeUrl, PublicKeySign.class));
-
- // Running init() manually again should succeed.
- SignatureConfig.register();
+ @BeforeClass
+ public static void setup() {
+ try {
+ Conscrypt.checkAvailability();
+ Security.addProvider(Conscrypt.newProvider());
+ } catch (Throwable cause) {
+ // This test may be run without onlyFips turned on, in which case it is fine that installing
+ // conscrypt fails.
+ }
 }
 @Test
- public void testNoFipsRegister() throws Exception {
+ public void notOnlyFips_shouldRegisterAllKeyTypes() throws Exception {
 Assume.assumeFalse(TinkFips.useOnlyFips());
- // Register signature key manager
 SignatureConfig.register();
- // Check if all key types are registered when not using FIPS mode.
- String[] keyTypeUrlsSign = {
- "type.googleapis.com/google.crypto.tink.RsaSsaPkcs1PrivateKey",
- "type.googleapis.com/google.crypto.tink.RsaSsaPssPrivateKey",
- "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey",
- "type.googleapis.com/google.crypto.tink.Ed25519PrivateKey"
- };
-
- for (String typeUrl : keyTypeUrlsSign) {
- assertNotNull(Registry.getKeyManager(typeUrl, PublicKeySign.class));
- }
-
- String[] keyTypeUrlsVerify = {
- "type.googleapis.com/google.crypto.tink.RsaSsaPkcs1PublicKey",
- "type.googleapis.com/google.crypto.tink.RsaSsaPssPublicKey",
- "type.googleapis.com/google.crypto.tink.EcdsaPublicKey",
- "type.googleapis.com/google.crypto.tink.Ed25519PublicKey"
- };
-
- for (String typeUrl : keyTypeUrlsVerify) {
- assertNotNull(Registry.getKeyManager(typeUrl, PublicKeyVerify.class));
- }
+ assertThat(KeysetHandle.generateNew(PredefinedSignatureParameters.RSA_SSA_PKCS1_3072_SHA256_F4))
+ .isNotNull();
+ assertThat(
+ KeysetHandle.generateNew(
+ PredefinedSignatureParameters.RSA_SSA_PSS_3072_SHA256_SHA256_32_F4))
+ .isNotNull();
+ assertThat(KeysetHandle.generateNew(PredefinedSignatureParameters.ECDSA_P256)).isNotNull();
+ assertThat(KeysetHandle.generateNew(PredefinedSignatureParameters.ED25519)).isNotNull();
 }
 @Test
- public void testFipsRegisterFipsKeys() throws Exception {
+ public void onlyFips_shouldRegisterFipsKeyTypes() throws Exception {
 Assume.assumeTrue(TinkFips.useOnlyFips());
 Assume.assumeTrue(TinkFipsUtil.fipsModuleAvailable());
- // Register AEAD key manager
 SignatureConfig.register();
- // Check if all FIPS-compliant key types are registered when using FIPS mode.
- String[] keyTypeUrlsSign = {
- "type.googleapis.com/google.crypto.tink.RsaSsaPkcs1PrivateKey",
- "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey",
- };
-
- for (String typeUrl : keyTypeUrlsSign) {
- assertNotNull(Registry.getKeyManager(typeUrl, PublicKeySign.class));
- }
-
- String[] keyTypeUrlsVerify = {
- "type.googleapis.com/google.crypto.tink.RsaSsaPkcs1PublicKey",
- "type.googleapis.com/google.crypto.tink.EcdsaPublicKey",
- };
-
- for (String typeUrl : keyTypeUrlsVerify) {
- assertNotNull(Registry.getKeyManager(typeUrl, PublicKeyVerify.class));
- }
+ assertThat(KeysetHandle.generateNew(PredefinedSignatureParameters.RSA_SSA_PKCS1_3072_SHA256_F4))
+ .isNotNull();
+ assertThat(KeysetHandle.generateNew(PredefinedSignatureParameters.ECDSA_P256)).isNotNull();
 }
 @Test
- public void testFipsRegisterNonFipsKeys() throws Exception {
+ public void onlyFips_shouldNotRegisterNonFipsKeyTypes() throws Exception {
 Assume.assumeTrue(TinkFips.useOnlyFips());
 Assume.assumeTrue(TinkFipsUtil.fipsModuleAvailable());
- // Register signature key manager
 SignatureConfig.register();
- // List of algorithms which are not part of FIPS and should not be registered.
- String[] keyTypeUrls = {
- "type.googleapis.com/google.crypto.tink.Ed25519PrivateKey",
- "type.googleapis.com/google.crypto.tink.Ed25519PublicKey",
- "type.googleapis.com/google.crypto.tink.RsaSsaPssPrivateKey",
- "type.googleapis.com/google.crypto.tink.RsaSsaPssPublicKey",
- };
-
- for (String typeUrl : keyTypeUrls) {
- assertThrows(GeneralSecurityException.class, () -> Registry.getUntypedKeyManager(typeUrl));
- }
+ assertThrows(
+ GeneralSecurityException.class,
+ () ->
+ KeysetHandle.generateNew(
+ PredefinedSignatureParameters.RSA_SSA_PSS_3072_SHA256_SHA256_32_F4));
+ assertThrows(
+ GeneralSecurityException.class,
+ () -> KeysetHandle.generateNew(PredefinedSignatureParameters.ED25519));
 }
 }
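Review bot: The empty `catch (Throwable cause)` in the new `setup()` also hides a failed Conscrypt install when FIPS-only mode is on. If that failure leaves `TinkFipsUtil.fipsModuleAvailable()` false (presumably, the hunk does not show it), both onlyFips_* tests are skipped by their `Assume.assumeTrue(...)` and a FIPS run goes green without executing a single assertion. Rethrowing in that mode keeps the failure visible: `if (TinkFips.useOnlyFips()) { throw new IllegalStateException("Conscrypt is required in FIPS-only mode", cause); }`. The removed negative test also covered `Ed25519PublicKey` and `RsaSsaPssPublicKey`; the new one only attempts private-key generation, so a verify-side key manager registered in FIPS mode would no longer be caught.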
diff --git a/java_src/src/test/java/com/google/crypto/tink/streamingaead/BUILD.bazel b/java_src/src/test/java/com/google/crypto/tink/streamingaead/BUILD.bazel
index 4af6735b7..b7738d01b 100644
--- a/java_src/src/test/java/com/google/crypto/tink/streamingaead/BUILD.bazel
+++ b/java_src/src/test/java/com/google/crypto/tink/streamingaead/BUILD.bazel
@@ -144,8 +144,8 @@ java_test(
 srcs = ["StreamingAeadConfigTest.java"],
 tags = ["fips"],
 deps = [
- "//src/main/java/com/google/crypto/tink:registry",
- "//src/main/java/com/google/crypto/tink:streaming_aead",
+ "//src/main/java/com/google/crypto/tink:key_templates",
+ "//src/main/java/com/google/crypto/tink:registry_cluster",
 "//src/main/java/com/google/crypto/tink/config:tink_fips",
 "//src/main/java/com/google/crypto/tink/streamingaead:streaming_aead_config",
 "@maven//:com_google_truth_truth",
diff --git a/java_src/src/test/java/com/google/crypto/tink/streamingaead/StreamingAeadConfigTest.java b/java_src/src/test/java/com/google/crypto/tink/streamingaead/StreamingAeadConfigTest.java
index e11421c68..fdfd961a1 100644
--- a/java_src/src/test/java/com/google/crypto/tink/streamingaead/StreamingAeadConfigTest.java
+++ b/java_src/src/test/java/com/google/crypto/tink/streamingaead/StreamingAeadConfigTest.java
@@ -17,80 +17,43 @@ package com.google.crypto.tink.streamingaead;
 import static com.google.common.truth.Truth.assertThat;
-import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertThrows;
-import com.google.crypto.tink.Registry;
-import com.google.crypto.tink.StreamingAead;
+import com.google.crypto.tink.KeyTemplates;
+import com.google.crypto.tink.KeysetHandle;
 import com.google.crypto.tink.config.TinkFips;
 import java.security.GeneralSecurityException;
 import org.junit.Assume;
-import org.junit.FixMethodOrder;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
-import org.junit.runners.MethodSorters;
-/**
- * Tests for StreamingAeadConfig. Using FixedMethodOrder to ensure that aaaTestInitialization runs
- * first, as it tests execution of a static block within StreamingAeadConfig-class.
- */
+/** Tests for StreamingAeadConfig. */
 @RunWith(JUnit4.class)
-@FixMethodOrder(MethodSorters.NAME_ASCENDING)
 public class StreamingAeadConfigTest {
- // This test must run first.
 @Test
- public void aaaTestInitialization() throws Exception {
+ public void notOnlyFips_shouldRegisterAllKeyTypes() throws Exception {
 Assume.assumeFalse(TinkFips.useOnlyFips());
- String typeUrl = "type.googleapis.com/google.crypto.tink.AesCtrHmacStreamingKey";
- GeneralSecurityException e3 =
- assertThrows(GeneralSecurityException.class, () -> Registry.getUntypedKeyManager(typeUrl));
- assertThat(e3.toString()).contains("No key manager found");
- // Initialize the config.
 StreamingAeadConfig.register();
- // After registration the key manager should be present.
- assertNotNull(Registry.getKeyManager(typeUrl, StreamingAead.class));
-
- // Running init() manually again should succeed.
- StreamingAeadConfig.register();
+ assertThat(KeysetHandle.generateNew(KeyTemplates.get("AES128_GCM_HKDF_4KB"))).isNotNull();
+ assertThat(KeysetHandle.generateNew(KeyTemplates.get("AES128_CTR_HMAC_SHA256_4KB")))
+ .isNotNull();
 }
 @Test
- public void testNoFipsRegister() throws Exception {
- Assume.assumeFalse(TinkFips.useOnlyFips());
-
- // Register streaming AEAD key manager
- StreamingAeadConfig.register();
-
- // Check if all key types are registered when not using FIPS mode.
- String[] keyTypeUrls = {
- "type.googleapis.com/google.crypto.tink.AesCtrHmacStreamingKey",
- "type.googleapis.com/google.crypto.tink.AesGcmHkdfStreamingKey",
- };
-
- for (String typeUrl : keyTypeUrls) {
- assertNotNull(Registry.getKeyManager(typeUrl, StreamingAead.class));
- }
- }
-
- @Test
- public void testFipsRegisterNonFipsKeys() throws Exception {
+ public void onlyFips_shouldNotRegisterNonFipsKeyTypes() throws Exception {
 Assume.assumeTrue(TinkFips.useOnlyFips());
- // Register streaming AEAD key manager
 StreamingAeadConfig.register();
- // List of algorithms which are not part of FIPS and should not be registered.
- String[] keyTypeUrls = {
- "type.googleapis.com/google.crypto.tink.AesCtrHmacStreamingKey",
- "type.googleapis.com/google.crypto.tink.AesGcmHkdfStreamingKey",
- };
-
- for (String typeUrl : keyTypeUrls) {
- assertThrows(GeneralSecurityException.class, () -> Registry.getUntypedKeyManager(typeUrl));
- }
+ assertThrows(
+ GeneralSecurityException.class,
+ () -> KeysetHandle.generateNew(KeyTemplates.get("AES128_GCM_HKDF_4KB")));
+ assertThrows(
+ GeneralSecurityException.class,
+ () -> KeysetHandle.generateNew(KeyTemplates.get("AES128_CTR_HMAC_SHA256_4KB")));
 }
 } |
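Review bot: `assertThat(KeysetHandle.generateNew(...)).isNotNull()` in notOnlyFips_shouldRegisterAllKeyTypes only shows that key generation did not throw. The removed checks asked the registry for a manager bound to `StreamingAead.class`, and nothing in the new test shows that a StreamingAead primitive can actually be obtained from the generated keyset. Calling `getPrimitive(StreamingAead.class)` on each generated handle, as registerPair in HpkePrivateKeyManagerTest does for its primitives, would restore that coverage; it needs the `com.google.crypto.tink.StreamingAead` import that this hunk removes. The positive tests in SignatureConfigTest have the same gap.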