authorjuerg <juerg@google.com>2023-03-28 04:50:39 -0700
committerCopybara-Service <copybara-worker@google.com>2023-03-28 04:51:39 -0700
commit6a0f27a3466be70f3281ac8e914d7ac3a3b52fd0 (patch)
tree4e63be2e51851049d106716928268077b58d8bf2 /tools
parent09896be11894f88bb71194458600109ae6637b9b (diff)
downloadtink-6a0f27a3466be70f3281ac8e914d7ac3a3b52fd0.tar.gz
Remove KMS cross-language tests based on CLIs.
The KMS are tested cross-language in kms_aead_test.py, and so this is not needed anymore. PiperOrigin-RevId: 519992235
Diffstat (limited to 'tools')
-rw-r--r--tools/testing/cc/BUILD.bazel63
-rw-r--r--tools/testing/cc/aws_kms_aead_cli.cc125
-rwxr-xr-xtools/testing/cc/aws_kms_aead_test.sh73
-rw-r--r--tools/testing/cc/gcp_kms_aead_cli.cc118
-rwxr-xr-xtools/testing/cc/gcp_kms_aead_test.sh77
-rwxr-xr-xtools/testing/cross_language/test_util.sh40
6 files changed, 0 insertions, 496 deletions
diff --git a/tools/testing/cc/BUILD.bazel b/tools/testing/cc/BUILD.bazel
index ec071c029..9e6a26d93 100644
--- a/tools/testing/cc/BUILD.bazel
+++ b/tools/testing/cc/BUILD.bazel
@@ -30,30 +30,6 @@ cc_library(
)
cc_binary(
- name = "aws_kms_aead_cli",
- srcs = ["aws_kms_aead_cli.cc"],
- deps = [
- ":cli_util",
- "@aws_cpp_sdk//:aws_sdk_core",
- "@tink_cc",
- "@tink_cc_awskms//:aws_crypto",
- "@tink_cc_awskms//:aws_kms_aead",
- "@tink_cc_awskms//:aws_kms_client",
- ],
-)
-
-cc_binary(
- name = "gcp_kms_aead_cli",
- srcs = ["gcp_kms_aead_cli.cc"],
- deps = [
- ":cli_util",
- "@tink_cc",
- "@tink_cc_gcpkms//:gcp_kms_aead",
- "@tink_cc_gcpkms//:gcp_kms_client",
- ],
-)
-
-cc_binary(
name = "aead_cli_cc",
srcs = ["aead_cli.cc"],
deps = [
@@ -61,42 +37,3 @@ cc_binary(
"@tink_cc",
],
)
-
-sh_test(
- name = "aws_kms_aead_test",
- size = "medium",
- srcs = [
- "aws_kms_aead_test.sh",
- ],
- data = [
- ":aws_kms_aead_cli",
- "//testdata/aws:bad_credentials",
- "//testdata/aws:credentials",
- "//testing/cross_language:test_lib",
- ],
- tags = [
- "manual",
- "no_rbe",
- "requires-network",
- ],
-)
-
-sh_test(
- name = "gcp_kms_aead_test",
- size = "medium",
- srcs = [
- "gcp_kms_aead_test.sh",
- ],
- data = [
- ":gcp_kms_aead_cli",
- "//testdata/gcp:bad_credentials",
- "//testdata/gcp:credentials",
- "//testing/cross_language:test_lib",
- "@google_root_pem//file",
- ],
- tags = [
- "manual",
- "no_rbe",
- "requires-network",
- ],
-)
diff --git a/tools/testing/cc/aws_kms_aead_cli.cc b/tools/testing/cc/aws_kms_aead_cli.cc
deleted file mode 100644
index dcc40f82b..000000000
--- a/tools/testing/cc/aws_kms_aead_cli.cc
+++ /dev/null
@@ -1,125 +0,0 @@
-// Copyright 2018 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-////////////////////////////////////////////////////////////////////////////////
-
-
-#include <string>
-#include <vector>
-
-#include "absl/strings/ascii.h"
-#include "aws/core/Aws.h"
-#include "aws/core/utils/crypto/Factories.h"
-#include "aws/core/utils/memory/AWSMemory.h"
-#include "aws/kms/KMSClient.h"
-#include "tink/aead.h"
-#include "tink/integration/awskms/aws_crypto.h"
-#include "tink/integration/awskms/aws_kms_aead.h"
-#include "tink/integration/awskms/aws_kms_client.h"
-#include "tink/util/status.h"
-#include "tink/util/statusor.h"
-#include "testing/cc/cli_util.h"
-
-using crypto::tink::Aead;
-using crypto::tink::integration::awskms::AwsKmsAead;
-using crypto::tink::integration::awskms::AwsKmsClient;
-
-// A command-line utility for testing AwsKmsAead.
-// It requires 6 arguments:
-// key-arn-file: Amazon Resource Name of AWS KMS key for encryption
-// credentials-file: credentials file containing AWS access key
-// operation: the actual AEAD-operation, i.e. "encrypt" or "decrypt"
-// input-file: name of the file with input (plaintext for encryption, or
-// or ciphertext for decryption)
-// associated-data: a string to be used as associated data
-// output-file: name of the file for the resulting output
-int main(int argc, char** argv) {
- if (argc != 7) {
- std::clog << "Usage: " << argv[0]
- << " key-arn-file credentials-file"
- << " operation input-file associated-data output-file\n";
- exit(1);
- }
- std::string key_arn_filename(argv[1]);
- std::string credentials_filename(argv[2]);
- std::string operation(argv[3]);
- std::string input_filename(argv[4]);
- std::string associated_data(argv[5]);
- std::string output_filename(argv[6]);
- if (!(operation == "encrypt" || operation == "decrypt")) {
- std::clog << "Unknown operation '" << operation << "'.\n"
- << "Expected 'encrypt' or 'decrypt'.\n";
- exit(1);
- }
- std::clog << "Using key_arn from file " << key_arn_filename
- << " and AWS credentials from file " << credentials_filename
- << " to AEAD-" << operation
- << " file "<< input_filename
- << " with associated data '" << associated_data << "'.\n"
- << "The resulting output will be written to file "
- << output_filename << std::endl;
-
- std::string key_arn = CliUtil::Read(key_arn_filename);
- absl::StripAsciiWhitespace(&key_arn);
- std::clog << "Will use key ARN " << key_arn << std::endl;
-
- // Create AwsKmsClient.
- auto client_result = AwsKmsClient::New("", credentials_filename);
- if (!client_result.ok()) {
- std::clog << "Aead creation failed: "
- << client_result.status().message()
- << "\n";
- exit(1);
- }
- auto client = std::move(client_result.value());
-
- // Create Aead-primitive.
- auto aead_result = client->GetAead("aws-kms://" + key_arn);
- if (!aead_result.ok()) {
- std::clog << "Aead creation failed: "
- << aead_result.status().message()
- << "\n";
- exit(1);
- }
- std::unique_ptr<Aead> aead(std::move(aead_result.value()));
-
- // Read the input.
- std::string input = CliUtil::Read(input_filename);
-
- // Compute the output.
- std::clog << operation << "ing...\n";
- std::string output;
- if (operation == "encrypt") {
- auto encrypt_result = aead->Encrypt(input, associated_data);
- if (!encrypt_result.ok()) {
- std::clog << "Error while encrypting the input:"
- << encrypt_result.status().message() << std::endl;
- exit(1);
- }
- output = encrypt_result.value();
- } else { // operation == "decrypt"
- auto decrypt_result = aead->Decrypt(input, associated_data);
- if (!decrypt_result.ok()) {
- std::clog << "Error while decrypting the input:"
- << decrypt_result.status().message() << std::endl;
- exit(1);
- }
- output = decrypt_result.value();
- }
-
- // Write the output to the output file.
- CliUtil::Write(output, output_filename);
-
- std::clog << "All done.\n";
-}
diff --git a/tools/testing/cc/aws_kms_aead_test.sh b/tools/testing/cc/aws_kms_aead_test.sh
deleted file mode 100755
index 5c487b333..000000000
--- a/tools/testing/cc/aws_kms_aead_test.sh
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/bin/bash
-# Copyright 2018 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-################################################################################
-
-REPO_DIR="${TEST_SRCDIR}"
-TOOLS_DIR="${REPO_DIR}/tools"
-AWS_KMS_AEAD_CLI="${TOOLS_DIR}/testing/cc/aws_kms_aead_cli"
-TEST_UTIL="${TOOLS_DIR}/testing/cross_language/test_util.sh"
-AWS_KEY_ARN_FILE="${TOOLS_DIR}/testdata/aws/key_arn.txt"
-CREDENTIALS_AWS_CSV_FILE="${TOOLS_DIR}/testdata/aws/credentials.ini"
-BAD_AWS_KEY_ARN_FILE="${TOOLS_DIR}/testdata/aws/key_arn_bad.txt"
-BAD_CREDENTIALS_AWS_CSV_FILE="${TOOLS_DIR}/testdata/aws/credentials_bad.ini"
-associated_data="some associated data"
-
-source $TEST_UTIL || exit 1
-
-#############################################################################
-# Bad access key test.
-test_name="bad_aws_access_key"
-echo "+++ starting test $test_name ..."
-generate_plaintext $test_name
-encrypted_file="$TEST_TMPDIR/${test_name}_encrypted.bin"
-log_file="$TEST_TMPDIR/${test_name}.log"
-$AWS_KMS_AEAD_CLI $AWS_KEY_ARN_FILE $BAD_CREDENTIALS_AWS_CSV_FILE\
- encrypt $plaintext_file "$associated_data" $encrypted_file 2> $log_file
-
-assert_file_contains $log_file "UnrecognizedClientException"
-
-#############################################################################
-# Bad key arn test.
-test_name="bad_key_arn"
-echo "+++ starting test $test_name ..."
-generate_plaintext $test_name
-encrypted_file="$TEST_TMPDIR/${test_name}_encrypted.bin"
-log_file="$TEST_TMPDIR/${test_name}.log"
-$AWS_KMS_AEAD_CLI $BAD_AWS_KEY_ARN_FILE $CREDENTIALS_AWS_CSV_FILE\
- encrypt $plaintext_file "$associated_data" $encrypted_file 2> $log_file
-
-assert_file_contains $log_file "AccessDeniedException"
-
-#############################################################################
-# All good, encryption and decryption should work.
-test_name="good_key_arn_and_access_key"
-echo "+++ starting test $test_name ..."
-generate_plaintext $test_name
-encrypted_file="$TEST_TMPDIR/${test_name}_encrypted.bin"
-decrypted_file="$TEST_TMPDIR/${test_name}_decrypted.bin"
-log_file="$TEST_TMPDIR/${test_name}.log"
-echo " encrypting..."
-$AWS_KMS_AEAD_CLI $AWS_KEY_ARN_FILE $CREDENTIALS_AWS_CSV_FILE\
- encrypt $plaintext_file "$associated_data" $encrypted_file 2> $log_file
-assert_file_contains $log_file "All done"
-assert_files_different $plaintext_file $encrypted_file
-
-echo " decrypting..."
-$AWS_KMS_AEAD_CLI $AWS_KEY_ARN_FILE $CREDENTIALS_AWS_CSV_FILE\
- decrypt $encrypted_file "$associated_data" $decrypted_file 2> $log_file
-assert_file_contains $log_file "All done"
-
-echo " checking decryption result..."
-assert_files_equal $plaintext_file $decrypted_file
diff --git a/tools/testing/cc/gcp_kms_aead_cli.cc b/tools/testing/cc/gcp_kms_aead_cli.cc
deleted file mode 100644
index 3b32cde0a..000000000
--- a/tools/testing/cc/gcp_kms_aead_cli.cc
+++ /dev/null
@@ -1,118 +0,0 @@
-// Copyright 2019 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-////////////////////////////////////////////////////////////////////////////////
-
-
-#include <string>
-#include <vector>
-
-#include "absl/strings/ascii.h"
-#include "tink/aead.h"
-#include "tink/integration/gcpkms/gcp_kms_client.h"
-#include "tink/util/status.h"
-#include "tink/util/statusor.h"
-#include "testing/cc/cli_util.h"
-
-using crypto::tink::Aead;
-using crypto::tink::integration::gcpkms::GcpKmsClient;
-
-// A command-line utility for testing GcpKmsAead.
-// It requires 6 arguments:
-// key-name-file: Google Cloud KMS key to be used for encryption
-// credentials-file: credentials file containing GCP credentials
-// operation: the actual AEAD-operation, i.e. "encrypt" or "decrypt"
-// input-file: name of the file with input (plaintext for encryption, or
-// or ciphertext for decryption)
-// associated-data: a string to be used as associated data
-// output-file: name of the file for the resulting output
-int main(int argc, char** argv) {
- if (argc != 7) {
- std::clog << "Usage: " << argv[0]
- << " key-name-file credentials-file"
- << " operation input-file associated-data output-file\n";
- exit(1);
- }
- std::string key_name_filename(argv[1]);
- std::string credentials_filename(argv[2]);
- std::string operation(argv[3]);
- std::string input_filename(argv[4]);
- std::string associated_data(argv[5]);
- std::string output_filename(argv[6]);
- if (!(operation == "encrypt" || operation == "decrypt")) {
- std::clog << "Unknown operation '" << operation << "'.\n"
- << "Expected 'encrypt' or 'decrypt'.\n";
- exit(1);
- }
- std::clog << "Using key_name from file " << key_name_filename
- << " and GCP credentials from file " << credentials_filename
- << " to AEAD-" << operation
- << " file "<< input_filename
- << " with associated data '" << associated_data << "'.\n"
- << "The resulting output will be written to file "
- << output_filename << std::endl;
-
- std::string key_name = CliUtil::Read(key_name_filename);
- absl::StripAsciiWhitespace(&key_name);
- std::clog << "Will use key name " << key_name << std::endl;
-
- // Create GcpKmsClient.
- auto client_result = GcpKmsClient::New("", credentials_filename);
- if (!client_result.ok()) {
- std::clog << "Aead creation failed: "
- << client_result.status().message()
- << "\n";
- exit(1);
- }
- auto client = std::move(client_result.value());
-
- // Create Aead-primitive.
- auto aead_result = client->GetAead("gcp-kms://" + key_name);
- if (!aead_result.ok()) {
- std::clog << "Aead creation failed: "
- << aead_result.status().message()
- << "\n";
- exit(1);
- }
- std::unique_ptr<Aead> aead(std::move(aead_result.value()));
-
- // Read the input.
- std::string input = CliUtil::Read(input_filename);
-
- // Compute the output.
- std::clog << operation << "ing...\n";
- std::string output;
- if (operation == "encrypt") {
- auto encrypt_result = aead->Encrypt(input, associated_data);
- if (!encrypt_result.ok()) {
- std::clog << "Error while encrypting the input:"
- << encrypt_result.status().message() << std::endl;
- exit(1);
- }
- output = encrypt_result.value();
- } else { // operation == "decrypt"
- auto decrypt_result = aead->Decrypt(input, associated_data);
- if (!decrypt_result.ok()) {
- std::clog << "Error while decrypting the input:"
- << decrypt_result.status().message() << std::endl;
- exit(1);
- }
- output = decrypt_result.value();
- }
-
- // Write the output to the output file.
- CliUtil::Write(output, output_filename);
-
- std::clog << "All done.\n";
-}
diff --git a/tools/testing/cc/gcp_kms_aead_test.sh b/tools/testing/cc/gcp_kms_aead_test.sh
deleted file mode 100755
index ccc1771e1..000000000
--- a/tools/testing/cc/gcp_kms_aead_test.sh
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/bin/bash
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-################################################################################
-
-REPO_DIR="${TEST_SRCDIR}"
-TOOLS_DIR="${REPO_DIR}/tools"
-GCP_KMS_AEAD_CLI="${TOOLS_DIR}/testing/cc/gcp_kms_aead_cli"
-TEST_UTIL="${TOOLS_DIR}/testing/cross_language/test_util.sh"
-GCP_KEY_NAME_FILE="${TOOLS_DIR}/testdata/gcp/key_name.txt"
-CREDENTIALS_GCP_JSON_FILE="${TOOLS_DIR}/testdata/gcp/credential.json"
-BAD_GCP_KEY_NAME_FILE="${TOOLS_DIR}/testdata/gcp/key_name_bad.txt"
-BAD_CREDENTIALS_GCP_JSON_FILE="${TOOLS_DIR}/testdata/gcp/credential_bad.json"
-associated_data="some associated data"
-
-# Roots for GRPC
-# (https://github.com/grpc/grpc/blob/master/doc/environment_variables.md)
-export GRPC_DEFAULT_SSL_ROOTS_FILE_PATH="$TEST_SRCDIR/google_root_pem/file/downloaded"
-
-source $TEST_UTIL || exit 1
-
-#############################################################################
-# All good, encryption and decryption should work.
-test_name="good_key_name_and_credentials"
-echo "+++ starting test $test_name ..."
-generate_plaintext $test_name
-encrypted_file="$TEST_TMPDIR/${test_name}_encrypted.bin"
-decrypted_file="$TEST_TMPDIR/${test_name}_decrypted.bin"
-log_file="$TEST_TMPDIR/${test_name}.log"
-echo " encrypting..."
-$GCP_KMS_AEAD_CLI $GCP_KEY_NAME_FILE $CREDENTIALS_GCP_JSON_FILE\
- encrypt $plaintext_file "$associated_data" $encrypted_file 2> $log_file
-assert_file_contains $log_file "All done"
-assert_files_different $plaintext_file $encrypted_file
-
-echo " decrypting..."
-$GCP_KMS_AEAD_CLI $GCP_KEY_NAME_FILE $CREDENTIALS_GCP_JSON_FILE\
- decrypt $encrypted_file "$associated_data" $decrypted_file 2> $log_file
-assert_file_contains $log_file "All done"
-
-echo " checking decryption result..."
-assert_files_equal $plaintext_file $decrypted_file
-
-#############################################################################
-# Bad credentials test.
-test_name="bad_gcp_credentials"
-echo "+++ starting test $test_name ..."
-generate_plaintext $test_name
-encrypted_file="$TEST_TMPDIR/${test_name}_encrypted.bin"
-log_file="$TEST_TMPDIR/${test_name}.log"
-$GCP_KMS_AEAD_CLI $GCP_KEY_NAME_FILE $BAD_CREDENTIALS_GCP_JSON_FILE\
- encrypt $plaintext_file "$associated_data" $encrypted_file 2> $log_file
-
-assert_file_contains $log_file "invalid authentication credentials"
-
-#############################################################################
-# Bad key name test.
-test_name="bad_key_name"
-echo "+++ starting test $test_name ..."
-generate_plaintext $test_name
-encrypted_file="$TEST_TMPDIR/${test_name}_encrypted.bin"
-log_file="$TEST_TMPDIR/${test_name}.log"
-$GCP_KMS_AEAD_CLI $BAD_GCP_KEY_NAME_FILE $CREDENTIALS_GCP_JSON_FILE\
- encrypt $plaintext_file "$associated_data" $encrypted_file 2> $log_file
-
-assert_file_contains $log_file "Permission" "denied" "or it may not exist"
diff --git a/tools/testing/cross_language/test_util.sh b/tools/testing/cross_language/test_util.sh
index 92eb8963f..e466760c4 100755
--- a/tools/testing/cross_language/test_util.sh
+++ b/tools/testing/cross_language/test_util.sh
@@ -18,7 +18,6 @@
REPO_DIR="${TEST_SRCDIR}"
TOOLS_DIR="${REPO_DIR}/tools"
TINKEY_CLI="${TOOLS_DIR}/tinkey/tinkey"
-ENVELOPE_CLI="${TOOLS_DIR}/testing/go/generate_envelope_keyset"
#############################################################################
##### Helper functions.
@@ -70,45 +69,6 @@ generate_symmetric_key() {
echo "Done generating a symmetric keyset."
}
-# Generates an AWS Envelope Encryption using $key_template,
-# which should be supported by Tinkey.
-# Stores the key in file $aws_keyset_file.
-generate_aws_keyset() {
- local key_name="$1"
- local key_template="$2"
- local output_format="$3"
- if [ "$output_format" == "" ]; then
- output_format="BINARY"
- fi
- aws_keyset_file="$TEST_TMPDIR/${key_name}_aws_keyset.bin"
- echo "--- Using AWS KMS and template $key_template to generate keyset"\
- "to file $aws_keyset_file ..."
-
- $ENVELOPE_CLI $aws_keyset_file "AWS" $key_template || exit 1
-
- echo "Done generating an AWS KMS generated keyset."
-}
-
-# Generates an GCP Envelope Encryption using $key_template,
-# which should be supported by Tinkey.
-# Stores the key in file $gcp_keyset_file.
-generate_gcp_keyset() {
- local key_name="$1"
- local key_template="$2"
- local output_format="$3"
-
- if [ "$output_format" == "" ]; then
- output_format="BINARY"
- fi
- gcp_keyset_file="$TEST_TMPDIR/${key_name}_gcp_keyset.bin"
- echo "--- Using GCP KMS and template $key_template to generate keyset"\
- "to file $gcp_keyset_file ..."
- $ENVELOPE_CLI $gcp_keyset_file "GCP" $key_template || exit 1
-
- echo "Done generating an GCP KMS generated keyset."
-
-}
-
# Generates some example plaintext data, and stores it in $plaintext_file.
generate_plaintext() {
local plaintext_name="$1"