author | tholenst <tholenst@google.com> | 2023-05-26 06:19:49 -0700 |
---|---|---|
committer | Copybara-Service <copybara-worker@google.com> | 2023-05-26 06:21:18 -0700 |
commit | 457ee1a9bb06351431ce872d80d070eb2dc2e073 (patch) | |
tree | b75329bc427eb76cf206b29008726b70b7b4152a /tools | |
parent | 3fbac4047309ffd4b068c2b3b38bd37f0226864f (diff) | |
download | tink-457ee1a9bb06351431ce872d80d070eb2dc2e073.tar.gz |
Refactor the CreatePublicKeysetCommand test.
PiperOrigin-RevId: 535599924
Diffstat (limited to 'tools')
-rw-r--r-- | tools/tinkey/src/test/java/com/google/crypto/tink/tinkey/BUILD.bazel | 21 | ||||
-rw-r--r-- | tools/tinkey/src/test/java/com/google/crypto/tink/tinkey/CreatePublicKeysetCommandTest.java | 271 |
2 files changed, 153 insertions, 139 deletions
diff --git a/tools/tinkey/src/test/java/com/google/crypto/tink/tinkey/BUILD.bazel b/tools/tinkey/src/test/java/com/google/crypto/tink/tinkey/BUILD.bazel
index 956bd9d6c..5caef1319 100644
--- a/tools/tinkey/src/test/java/com/google/crypto/tink/tinkey/BUILD.bazel
+++ b/tools/tinkey/src/test/java/com/google/crypto/tink/tinkey/BUILD.bazel
@@ -11,23 +11,22 @@ java_test(
 "requires-network",
 ],
 deps = [
- "//tinkey/src/main/java/com/google/crypto/tink/tinkey:create_public_keyset_command",
+ "//tinkey/src/main/java/com/google/crypto/tink/tinkey",
 "//tinkey/src/main/java/com/google/crypto/tink/tinkey:tinkey_util",
 "@maven//:com_google_truth_truth",
 "@maven//:junit_junit",
- "@tink_java//proto:tink_java_proto",
+ "@tink_java//src/main/java/com/google/crypto/tink:aead",
 "@tink_java//src/main/java/com/google/crypto/tink:cleartext_keyset_handle",
- "@tink_java//src/main/java/com/google/crypto/tink:hybrid_decrypt",
- "@tink_java//src/main/java/com/google/crypto/tink:hybrid_encrypt",
- "@tink_java//src/main/java/com/google/crypto/tink:key_template",
- "@tink_java//src/main/java/com/google/crypto/tink:key_templates",
- "@tink_java//src/main/java/com/google/crypto/tink:keyset_reader",
- "@tink_java//src/main/java/com/google/crypto/tink:public_key_sign",
- "@tink_java//src/main/java/com/google/crypto/tink:public_key_verify",
+ "@tink_java//src/main/java/com/google/crypto/tink:insecure_secret_key_access",
+ "@tink_java//src/main/java/com/google/crypto/tink:key",
+ "@tink_java//src/main/java/com/google/crypto/tink:kms_clients",
+ "@tink_java//src/main/java/com/google/crypto/tink:private_key",
 "@tink_java//src/main/java/com/google/crypto/tink:registry_cluster",
+ "@tink_java//src/main/java/com/google/crypto/tink:tink_json_proto_keyset_format",
+ "@tink_java//src/main/java/com/google/crypto/tink:tink_proto_keyset_format",
 "@tink_java//src/main/java/com/google/crypto/tink/hybrid:hybrid_config",
+ "@tink_java//src/main/java/com/google/crypto/tink/signature:ed25519_parameters",
 "@tink_java//src/main/java/com/google/crypto/tink/signature:signature_config",
- "@tink_java//src/main/java/com/google/crypto/tink/subtle:random",
 "@tink_java//src/main/java/com/google/crypto/tink/testing:test_util",
 ],
 )
@@ -43,7 +42,7 @@ java_test(
 "requires-network",
 ],
 deps = [
- "//tinkey/src/main/java/com/google/crypto/tink/tinkey:tinkey",
+ "//tinkey/src/main/java/com/google/crypto/tink/tinkey",
 "@maven//:com_google_truth_truth",
 "@maven//:junit_junit",
 "@tink_java//src/main/java/com/google/crypto/tink:aead",
diff --git a/tools/tinkey/src/test/java/com/google/crypto/tink/tinkey/CreatePublicKeysetCommandTest.java b/tools/tinkey/src/test/java/com/google/crypto/tink/tinkey/CreatePublicKeysetCommandTest.java
index a95d64d8d..a21eaf79b 100644
--- a/tools/tinkey/src/test/java/com/google/crypto/tink/tinkey/CreatePublicKeysetCommandTest.java
+++ b/tools/tinkey/src/test/java/com/google/crypto/tink/tinkey/CreatePublicKeysetCommandTest.java
@@ -17,26 +17,24 @@
 package com.google.crypto.tink.tinkey;
 import static com.google.common.truth.Truth.assertThat;
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.junit.Assert.assertTrue;
-import com.google.crypto.tink.CleartextKeysetHandle;
-import com.google.crypto.tink.HybridDecrypt;
-import com.google.crypto.tink.HybridEncrypt;
-import com.google.crypto.tink.KeyTemplate;
-import com.google.crypto.tink.KeyTemplates;
+import com.google.crypto.tink.Aead;
+import com.google.crypto.tink.InsecureSecretKeyAccess;
+import com.google.crypto.tink.Key;
 import com.google.crypto.tink.KeysetHandle;
-import com.google.crypto.tink.KeysetReader;
-import com.google.crypto.tink.PublicKeySign;
-import com.google.crypto.tink.PublicKeyVerify;
+import com.google.crypto.tink.KmsClients;
+import com.google.crypto.tink.PrivateKey;
+import com.google.crypto.tink.TinkJsonProtoKeysetFormat;
+import com.google.crypto.tink.TinkProtoKeysetFormat;
 import com.google.crypto.tink.hybrid.HybridConfig;
-import com.google.crypto.tink.proto.EncryptedKeyset;
-import com.google.crypto.tink.proto.Keyset;
+import com.google.crypto.tink.signature.Ed25519Parameters;
 import com.google.crypto.tink.signature.SignatureConfig;
-import com.google.crypto.tink.subtle.Random;
 import com.google.crypto.tink.testing.TestUtil;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -62,127 +60,144 @@ public class CreatePublicKeysetCommandTest {
 }
 @Test
- public void testCreate_hybrid_cleartextPrivate_shouldCreateCleartextPublic()
- throws Exception {
- testCreate_cleartextPrivate_shouldCreateCleartextPublic(
- KeyTemplates.get("ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM"), KeyType.HYBRID);
+ public void testCreatePublicKeyset_ed25519Json_works() throws Exception {
+ Path path = Files.createTempDirectory(/* prefix= */ "");
+ Path privateKeyFile = Paths.get(path.toString(), "privateKeyFile");
+ Path publicKeyFile = Paths.get(path.toString(), "publicKeyFile");
+
+ KeysetHandle privateKeyset =
+ KeysetHandle.generateNew(Ed25519Parameters.create(Ed25519Parameters.Variant.TINK));
+ String serializedKeyset =
+ TinkJsonProtoKeysetFormat.serializeKeyset(privateKeyset, InsecureSecretKeyAccess.get());
+ Files.write(privateKeyFile, serializedKeyset.getBytes(UTF_8));
+
+ Tinkey.main(
+ new String[] {
+ "create-public-keyset",
+ "--in",
+ privateKeyFile.toString(),
+ "--out",
+ publicKeyFile.toString()
+ });
+
+ KeysetHandle publicKeyset =
+ TinkJsonProtoKeysetFormat.parseKeysetWithoutSecret(
+ new String(Files.readAllBytes(publicKeyFile), UTF_8));
+ assertThat(publicKeyset.size()).isEqualTo(1);
+ Key expectedPublicKey = ((PrivateKey) privateKeyset.getPrimary().getKey()).getPublicKey();
+ assertTrue(publicKeyset.getPrimary().getKey().equalsKey(expectedPublicKey));
 }
 @Test
- public void testCreate_hybrid_encryptedPrivate_shouldCreateCleartextPublic() throws Exception {
- testCreate_encryptedPrivate_shouldCreateCleartextPublic(
- KeyTemplates.get("ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM"), KeyType.HYBRID);
+ public void testCreatePublicKeyset_ed25519Binary_works() throws Exception {
+ Path path = Files.createTempDirectory(/* prefix= */ "");
+ Path privateKeyFile = Paths.get(path.toString(), "privateKeyFile");
+ Path publicKeyFile = Paths.get(path.toString(), "publicKeyFile");
+
+ KeysetHandle privateKeyset =
+ KeysetHandle.generateNew(Ed25519Parameters.create(Ed25519Parameters.Variant.TINK));
+ byte[] serializedKeyset =
+ TinkProtoKeysetFormat.serializeKeyset(privateKeyset, InsecureSecretKeyAccess.get());
+ Files.write(privateKeyFile, serializedKeyset);
+
+ Tinkey.main(
+ new String[] {
+ "create-public-keyset",
+ "--in",
+ privateKeyFile.toString(),
+ "--in-format",
+ "binary",
+ "--out",
+ publicKeyFile.toString(),
+ "--out-format",
+ "binary"
+ });
+
+ KeysetHandle publicKeyset =
+ TinkProtoKeysetFormat.parseKeysetWithoutSecret(Files.readAllBytes(publicKeyFile));
+ assertThat(publicKeyset.size()).isEqualTo(1);
+ Key expectedPublicKey = ((PrivateKey) privateKeyset.getPrimary().getKey()).getPublicKey();
+ assertTrue(publicKeyset.getPrimary().getKey().equalsKey(expectedPublicKey));
 }
 @Test
- public void testCreate_signature_cleartextPrivate_shouldCreateCleartextPublic()
- throws Exception {
- testCreate_cleartextPrivate_shouldCreateCleartextPublic(
- KeyTemplates.get("ECDSA_P256"), KeyType.SIGNATURE);
- testCreate_cleartextPrivate_shouldCreateCleartextPublic(
- KeyTemplates.get("ED25519"), KeyType.SIGNATURE);
+ public void testCreatePublicKeyset_ed25519_encrypted_json_works() throws Exception {
+ Path path = Files.createTempDirectory(/* prefix= */ "");
+ Path privateKeyFile = Paths.get(path.toString(), "privateKeyFile");
+ Path publicKeyFile = Paths.get(path.toString(), "publicKeyFile");
+
+ KeysetHandle privateKeyset =
+ KeysetHandle.generateNew(Ed25519Parameters.create(Ed25519Parameters.Variant.TINK));
+
+ Aead masterKeyAead =
+ KmsClients.getAutoLoaded(TestUtil.GCP_KMS_TEST_KEY_URI)
+ .withCredentials(TestUtil.SERVICE_ACCOUNT_FILE)
+ .getAead(TestUtil.GCP_KMS_TEST_KEY_URI);
+ String serializedKeyset =
+ TinkJsonProtoKeysetFormat.serializeEncryptedKeyset(
+ privateKeyset, masterKeyAead, new byte[] {});
+
+ Files.write(privateKeyFile, serializedKeyset.getBytes(UTF_8));
+
+ Tinkey.main(
+ new String[] {
+ "create-public-keyset",
+ "--in",
+ privateKeyFile.toString(),
+ "--out",
+ publicKeyFile.toString(),
+ "--master-key-uri",
+ TestUtil.GCP_KMS_TEST_KEY_URI,
+ "--credential",
+ TestUtil.SERVICE_ACCOUNT_FILE
+ });
+
+ KeysetHandle publicKeyset =
+ TinkJsonProtoKeysetFormat.parseKeysetWithoutSecret(
+ new String(Files.readAllBytes(publicKeyFile), UTF_8));
+ assertThat(publicKeyset.size()).isEqualTo(1);
+ Key expectedPublicKey = ((PrivateKey) privateKeyset.getPrimary().getKey()).getPublicKey();
+ assertTrue(publicKeyset.getPrimary().getKey().equalsKey(expectedPublicKey));
 }
 @Test
- public void testCreate_signature_encryptedPrivate_shouldCreateCleartextPublic() throws Exception {
- testCreate_encryptedPrivate_shouldCreateCleartextPublic(
- KeyTemplates.get("ECDSA_P256"), KeyType.SIGNATURE);
- testCreate_encryptedPrivate_shouldCreateCleartextPublic(
- KeyTemplates.get("ED25519"), KeyType.SIGNATURE);
- }
-
- private void testCreate_cleartextPrivate_shouldCreateCleartextPublic(
- KeyTemplate template, KeyType type) throws Exception {
- // Create a cleartext private keyset.
- String masterKeyUri = null;
- String credentialPath = null;
- InputStream inputStream1 = TinkeyUtil.createKeyset(
- template, INPUT_FORMAT, masterKeyUri, credentialPath);
- KeysetReader privateReader = TinkeyUtil
- .createKeysetReader(inputStream1, INPUT_FORMAT);
- // Create the public keyset.
- ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
- inputStream1.mark(inputStream1.available());
- CreatePublicKeysetCommand.create(
- outputStream, OUTPUT_FORMAT,
- inputStream1, INPUT_FORMAT,
- masterKeyUri, credentialPath);
- inputStream1.reset();
- InputStream inputStream2 = new ByteArrayInputStream(outputStream.toByteArray());
- KeysetReader publicReader = TinkeyUtil
- .createKeysetReader(inputStream2, OUTPUT_FORMAT);
-
- assertPublicKey(type, privateReader, publicReader);
- }
-
- private void testCreate_encryptedPrivate_shouldCreateCleartextPublic(
- KeyTemplate template, KeyType type) throws Exception {
- // Create an input stream containing a cleartext private keyset.
- String masterKeyUri = TestUtil.GCP_KMS_TEST_KEY_URI;
- String credentialPath = TestUtil.SERVICE_ACCOUNT_FILE;
- InputStream inputStream1 = TinkeyUtil.createKeyset(
- template, INPUT_FORMAT, masterKeyUri, credentialPath);
- inputStream1.mark(inputStream1.available());
- final KeysetHandle privateHandle = TinkeyUtil.getKeysetHandle(
- inputStream1, INPUT_FORMAT, masterKeyUri, credentialPath);
- inputStream1.reset();
- KeysetReader privateReader = new KeysetReader() {
- @Override
- public Keyset read() throws IOException {
- return TestUtil.getKeyset(privateHandle);
- }
- @Override
- public EncryptedKeyset readEncrypted() throws IOException {
- throw new IOException("Not Implemented");
- }
- };
- ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
- inputStream1.mark(inputStream1.available());
- CreatePublicKeysetCommand.create(
- outputStream, OUTPUT_FORMAT,
- inputStream1, INPUT_FORMAT,
- masterKeyUri, credentialPath);
- inputStream1.reset();
- InputStream inputStream2 = new ByteArrayInputStream(outputStream.toByteArray());
- KeysetReader publicReader = TinkeyUtil
- .createKeysetReader(inputStream2, OUTPUT_FORMAT);
-
- assertPublicKey(type, privateReader, publicReader);
- }
-
- private void assertHybrid(KeysetReader privateReader, KeysetReader publicReader)
- throws Exception {
- KeysetHandle privateHandle = CleartextKeysetHandle.read(privateReader);
- HybridDecrypt decrypter = privateHandle.getPrimitive(HybridDecrypt.class);
- KeysetHandle publicHandle = CleartextKeysetHandle.read(publicReader);
- HybridEncrypt encrypter = publicHandle.getPrimitive(HybridEncrypt.class);
- byte[] message = Random.randBytes(10);
- byte[] contextInfo = Random.randBytes(20);
-
- assertThat(decrypter.decrypt(encrypter.encrypt(message, contextInfo), contextInfo)).isEqualTo(
- message);
- }
-
- private void assertSignature(KeysetReader privateReader, KeysetReader publicReader)
- throws Exception {
- byte[] message = Random.randBytes(10);
- KeysetHandle privateHandle = CleartextKeysetHandle.read(privateReader);
- PublicKeySign signer = privateHandle.getPrimitive(PublicKeySign.class);
- KeysetHandle publicHandle = CleartextKeysetHandle.read(publicReader);
- PublicKeyVerify verifier = publicHandle.getPrimitive(PublicKeyVerify.class);
-
- verifier.verify(signer.sign(message), message);
- }
-
- private void assertPublicKey(KeyType type, KeysetReader privateReader,
- KeysetReader publicReader) throws Exception {
- switch (type) {
- case HYBRID:
- assertHybrid(privateReader, publicReader);
- break;
- case SIGNATURE:
- assertSignature(privateReader, publicReader);
- break;
- }
+ public void testCreatePublicKeyset_ed25519_encrypted_jsonBinaryMixed_works() throws Exception {
+ Path path = Files.createTempDirectory(/* prefix= */ "");
+ Path privateKeyFile = Paths.get(path.toString(), "privateKeyFile");
+ Path publicKeyFile = Paths.get(path.toString(), "publicKeyFile");
+
+ KeysetHandle privateKeyset =
+ KeysetHandle.generateNew(Ed25519Parameters.create(Ed25519Parameters.Variant.TINK));
+
+ Aead masterKeyAead =
+ KmsClients.getAutoLoaded(TestUtil.GCP_KMS_TEST_KEY_URI)
+ .withCredentials(TestUtil.SERVICE_ACCOUNT_FILE)
+ .getAead(TestUtil.GCP_KMS_TEST_KEY_URI);
+ byte[] serializedKeyset =
+ TinkProtoKeysetFormat.serializeEncryptedKeyset(privateKeyset, masterKeyAead, new byte[] {});
+
+ Files.write(privateKeyFile, serializedKeyset);
+
+ Tinkey.main(
+ new String[] {
+ "create-public-keyset",
+ "--in",
+ privateKeyFile.toString(),
+ "--in-format",
+ "binary",
+ "--out",
+ publicKeyFile.toString(),
+ "--master-key-uri",
+ TestUtil.GCP_KMS_TEST_KEY_URI,
+ "--credential",
+ TestUtil.SERVICE_ACCOUNT_FILE
+ });
+
+ KeysetHandle publicKeyset =
+ TinkJsonProtoKeysetFormat.parseKeysetWithoutSecret(
+ new String(Files.readAllBytes(publicKeyFile), UTF_8));
+ assertThat(publicKeyset.size()).isEqualTo(1);
+ Key expectedPublicKey = ((PrivateKey) privateKeyset.getPrimary().getKey()).getPublicKey();
+ assertTrue(publicKeyset.getPrimary().getKey().equalsKey(expectedPublicKey));
 }
 } |
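Review bot: Each of the four new tests writes keyset files under `Files.createTempDirectory(/* prefix= */ "")` and never deletes the directory; in `testCreatePublicKeyset_ed25519Json_works` and `testCreatePublicKeyset_ed25519Binary_works` that includes a private keyset serialized in cleartext via `InsecureSecretKeyAccess.get()`. The keys are freshly generated test keys, but leaving them on disk is avoidable: a JUnit rule such as `@Rule public TemporaryFolder tmp = new TemporaryFolder();` with `Path path = tmp.newFolder().toPath();` (plus the `org.junit.Rule` and `org.junit.rules.TemporaryFolder` imports) removes the directory after each test. Separately, the removed helpers exercised ECIES and ECDSA_P256 keysets with an encrypt/decrypt or sign/verify round trip, whereas the new tests cover only Ed25519, so hybrid keysets appear to be no longer covered by this class even though `HybridConfig` is still imported. The class declaration and its `@BeforeClass` setup lie outside the hunk.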