author | juerg <juerg@google.com> | 2023-03-28 04:50:39 -0700 |
---|---|---|
committer | Copybara-Service <copybara-worker@google.com> | 2023-03-28 04:51:39 -0700 |
commit | 6a0f27a3466be70f3281ac8e914d7ac3a3b52fd0 (patch) | |
tree | 4e63be2e51851049d106716928268077b58d8bf2 /tools | |
parent | 09896be11894f88bb71194458600109ae6637b9b (diff) | |
download | tink-6a0f27a3466be70f3281ac8e914d7ac3a3b52fd0.tar.gz |
Remove KMS cross-language tests based on CLIs.
The KMS are tested cross-language in kms_aead_test.py, and so this is not needed anymore.
PiperOrigin-RevId: 519992235
Diffstat (limited to 'tools')
-rw-r--r-- | tools/testing/cc/BUILD.bazel | 63 | ||||
-rw-r--r-- | tools/testing/cc/aws_kms_aead_cli.cc | 125 | ||||
-rwxr-xr-x | tools/testing/cc/aws_kms_aead_test.sh | 73 | ||||
-rw-r--r-- | tools/testing/cc/gcp_kms_aead_cli.cc | 118 | ||||
-rwxr-xr-x | tools/testing/cc/gcp_kms_aead_test.sh | 77 | ||||
-rwxr-xr-x | tools/testing/cross_language/test_util.sh | 40 |
6 files changed, 0 insertions, 496 deletions
diff --git a/tools/testing/cc/BUILD.bazel b/tools/testing/cc/BUILD.bazel index ec071c029..9e6a26d93 100644 --- a/tools/testing/cc/BUILD.bazel +++ b/tools/testing/cc/BUILD.bazel @@ -30,30 +30,6 @@ cc_library( ) cc_binary( - name = "aws_kms_aead_cli", - srcs = ["aws_kms_aead_cli.cc"], - deps = [ - ":cli_util", - "@aws_cpp_sdk//:aws_sdk_core", - "@tink_cc", - "@tink_cc_awskms//:aws_crypto", - "@tink_cc_awskms//:aws_kms_aead", - "@tink_cc_awskms//:aws_kms_client", - ], -) - -cc_binary( - name = "gcp_kms_aead_cli", - srcs = ["gcp_kms_aead_cli.cc"], - deps = [ - ":cli_util", - "@tink_cc", - "@tink_cc_gcpkms//:gcp_kms_aead", - "@tink_cc_gcpkms//:gcp_kms_client", - ], -) - -cc_binary( name = "aead_cli_cc", srcs = ["aead_cli.cc"], deps = [ @@ -61,42 +37,3 @@ cc_binary( "@tink_cc", ], ) - -sh_test( - name = "aws_kms_aead_test", - size = "medium", - srcs = [ - "aws_kms_aead_test.sh", - ], - data = [ - ":aws_kms_aead_cli", - "//testdata/aws:bad_credentials", - "//testdata/aws:credentials", - "//testing/cross_language:test_lib", - ], - tags = [ - "manual", - "no_rbe", - "requires-network", - ], -) - -sh_test( - name = "gcp_kms_aead_test", - size = "medium", - srcs = [ - "gcp_kms_aead_test.sh", - ], - data = [ - ":gcp_kms_aead_cli", - "//testdata/gcp:bad_credentials", - "//testdata/gcp:credentials", - "//testing/cross_language:test_lib", - "@google_root_pem//file", - ], - tags = [ - "manual", - "no_rbe", - "requires-network", - ], -) diff --git a/tools/testing/cc/aws_kms_aead_cli.cc b/tools/testing/cc/aws_kms_aead_cli.cc deleted file mode 100644 index dcc40f82b..000000000 --- a/tools/testing/cc/aws_kms_aead_cli.cc +++ /dev/null 
@@ -1,125 +0,0 @@
-// Copyright 2018 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-////////////////////////////////////////////////////////////////////////////////
-
-
-#include <string>
-#include <vector>
-
-#include "absl/strings/ascii.h"
-#include "aws/core/Aws.h"
-#include "aws/core/utils/crypto/Factories.h"
-#include "aws/core/utils/memory/AWSMemory.h"
-#include "aws/kms/KMSClient.h"
-#include "tink/aead.h"
-#include "tink/integration/awskms/aws_crypto.h"
-#include "tink/integration/awskms/aws_kms_aead.h"
-#include "tink/integration/awskms/aws_kms_client.h"
-#include "tink/util/status.h"
-#include "tink/util/statusor.h"
-#include "testing/cc/cli_util.h"
-
-using crypto::tink::Aead;
-using crypto::tink::integration::awskms::AwsKmsAead;
-using crypto::tink::integration::awskms::AwsKmsClient;
-
-// A command-line utility for testing AwsKmsAead.
-// It requires 6 arguments:
-// key-arn-file: Amazon Resource Name of AWS KMS key for encryption
-// credentials-file: credentials file containing AWS access key
-// operation: the actual AEAD-operation, i.e. "encrypt" or "decrypt"
-// input-file: name of the file with input (plaintext for encryption, or
-// or ciphertext for decryption)
-// associated-data: a string to be used as associated data
-// output-file: name of the file for the resulting output
-int main(int argc, char** argv) {
- if (argc != 7) {
- std::clog << "Usage: " << argv[0]
- << " key-arn-file credentials-file"
- << " operation input-file associated-data output-file\n";
- exit(1);
- }
- std::string key_arn_filename(argv[1]);
- std::string credentials_filename(argv[2]);
- std::string operation(argv[3]);
- std::string input_filename(argv[4]);
- std::string associated_data(argv[5]);
- std::string output_filename(argv[6]);
- if (!(operation == "encrypt" || operation == "decrypt")) {
- std::clog << "Unknown operation '" << operation << "'.\n"
- << "Expected 'encrypt' or 'decrypt'.\n";
- exit(1);
- }
- std::clog << "Using key_arn from file " << key_arn_filename
- << " and AWS credentials from file " << credentials_filename
- << " to AEAD-" << operation
- << " file "<< input_filename
- << " with associated data '" << associated_data << "'.\n"
- << "The resulting output will be written to file "
- << output_filename << std::endl;
-
- std::string key_arn = CliUtil::Read(key_arn_filename);
- absl::StripAsciiWhitespace(&key_arn);
- std::clog << "Will use key ARN " << key_arn << std::endl;
-
- // Create AwsKmsClient.
- auto client_result = AwsKmsClient::New("", credentials_filename);
- if (!client_result.ok()) {
- std::clog << "Aead creation failed: "
- << client_result.status().message()
- << "\n";
- exit(1);
- }
- auto client = std::move(client_result.value());
-
- // Create Aead-primitive.
- auto aead_result = client->GetAead("aws-kms://" + key_arn);
- if (!aead_result.ok()) {
- std::clog << "Aead creation failed: "
- << aead_result.status().message()
- << "\n";
- exit(1);
- }
- std::unique_ptr<Aead> aead(std::move(aead_result.value()));
-
- // Read the input.
- std::string input = CliUtil::Read(input_filename);
-
- // Compute the output.
- std::clog << operation << "ing...\n";
- std::string output;
- if (operation == "encrypt") {
- auto encrypt_result = aead->Encrypt(input, associated_data);
- if (!encrypt_result.ok()) {
- std::clog << "Error while encrypting the input:"
- << encrypt_result.status().message() << std::endl;
- exit(1);
- }
- output = encrypt_result.value();
- } else { // operation == "decrypt"
- auto decrypt_result = aead->Decrypt(input, associated_data);
- if (!decrypt_result.ok()) {
- std::clog << "Error while decrypting the input:"
- << decrypt_result.status().message() << std::endl;
- exit(1);
- }
- output = decrypt_result.value();
- }
-
- // Write the output to the output file.
- CliUtil::Write(output, output_filename);
-
- std::clog << "All done.\n";
-}
diff --git a/tools/testing/cc/aws_kms_aead_test.sh b/tools/testing/cc/aws_kms_aead_test.sh
deleted file mode 100755
index 5c487b333..000000000
--- a/tools/testing/cc/aws_kms_aead_test.sh
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/bin/bash
-# Copyright 2018 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-################################################################################
-
-REPO_DIR="${TEST_SRCDIR}"
-TOOLS_DIR="${REPO_DIR}/tools"
-AWS_KMS_AEAD_CLI="${TOOLS_DIR}/testing/cc/aws_kms_aead_cli"
-TEST_UTIL="${TOOLS_DIR}/testing/cross_language/test_util.sh"
-AWS_KEY_ARN_FILE="${TOOLS_DIR}/testdata/aws/key_arn.txt"
-CREDENTIALS_AWS_CSV_FILE="${TOOLS_DIR}/testdata/aws/credentials.ini"
-BAD_AWS_KEY_ARN_FILE="${TOOLS_DIR}/testdata/aws/key_arn_bad.txt"
-BAD_CREDENTIALS_AWS_CSV_FILE="${TOOLS_DIR}/testdata/aws/credentials_bad.ini"
-associated_data="some associated data"
-
-source $TEST_UTIL || exit 1
-
-#############################################################################
-# Bad access key test.
-test_name="bad_aws_access_key"
-echo "+++ starting test $test_name ..."
-generate_plaintext $test_name
-encrypted_file="$TEST_TMPDIR/${test_name}_encrypted.bin"
-log_file="$TEST_TMPDIR/${test_name}.log"
-$AWS_KMS_AEAD_CLI $AWS_KEY_ARN_FILE $BAD_CREDENTIALS_AWS_CSV_FILE\
- encrypt $plaintext_file "$associated_data" $encrypted_file 2> $log_file
-
-assert_file_contains $log_file "UnrecognizedClientException"
-
-#############################################################################
-# Bad key arn test.
-test_name="bad_key_arn"
-echo "+++ starting test $test_name ..."
-generate_plaintext $test_name
-encrypted_file="$TEST_TMPDIR/${test_name}_encrypted.bin"
-log_file="$TEST_TMPDIR/${test_name}.log"
-$AWS_KMS_AEAD_CLI $BAD_AWS_KEY_ARN_FILE $CREDENTIALS_AWS_CSV_FILE\
- encrypt $plaintext_file "$associated_data" $encrypted_file 2> $log_file
-
-assert_file_contains $log_file "AccessDeniedException"
-
-#############################################################################
-# All good, encryption and decryption should work.
-test_name="good_key_arn_and_access_key"
-echo "+++ starting test $test_name ..."
-generate_plaintext $test_name
-encrypted_file="$TEST_TMPDIR/${test_name}_encrypted.bin"
-decrypted_file="$TEST_TMPDIR/${test_name}_decrypted.bin"
-log_file="$TEST_TMPDIR/${test_name}.log"
-echo " encrypting..."
-$AWS_KMS_AEAD_CLI $AWS_KEY_ARN_FILE $CREDENTIALS_AWS_CSV_FILE\
- encrypt $plaintext_file "$associated_data" $encrypted_file 2> $log_file
-assert_file_contains $log_file "All done"
-assert_files_different $plaintext_file $encrypted_file
-
-echo " decrypting..."
-$AWS_KMS_AEAD_CLI $AWS_KEY_ARN_FILE $CREDENTIALS_AWS_CSV_FILE\
- decrypt $encrypted_file "$associated_data" $decrypted_file 2> $log_file
-assert_file_contains $log_file "All done"
-
-echo " checking decryption result..."
-assert_files_equal $plaintext_file $decrypted_file
diff --git a/tools/testing/cc/gcp_kms_aead_cli.cc b/tools/testing/cc/gcp_kms_aead_cli.cc
deleted file mode 100644
index 3b32cde0a..000000000
--- a/tools/testing/cc/gcp_kms_aead_cli.cc
+++ /dev/null
@@ -1,118 +0,0 @@
-// Copyright 2019 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-////////////////////////////////////////////////////////////////////////////////
-
-
-#include <string>
-#include <vector>
-
-#include "absl/strings/ascii.h"
-#include "tink/aead.h"
-#include "tink/integration/gcpkms/gcp_kms_client.h"
-#include "tink/util/status.h"
-#include "tink/util/statusor.h"
-#include "testing/cc/cli_util.h"
-
-using crypto::tink::Aead;
-using crypto::tink::integration::gcpkms::GcpKmsClient;
-
-// A command-line utility for testing GcpKmsAead.
-// It requires 6 arguments:
-// key-name-file: Google Cloud KMS key to be used for encryption
-// credentials-file: credentials file containing GCP credentials
-// operation: the actual AEAD-operation, i.e. "encrypt" or "decrypt"
-// input-file: name of the file with input (plaintext for encryption, or
-// or ciphertext for decryption)
-// associated-data: a string to be used as associated data
-// output-file: name of the file for the resulting output
-int main(int argc, char** argv) {
- if (argc != 7) {
- std::clog << "Usage: " << argv[0]
- << " key-name-file credentials-file"
- << " operation input-file associated-data output-file\n";
- exit(1);
- }
- std::string key_name_filename(argv[1]);
- std::string credentials_filename(argv[2]);
- std::string operation(argv[3]);
- std::string input_filename(argv[4]);
- std::string associated_data(argv[5]);
- std::string output_filename(argv[6]);
- if (!(operation == "encrypt" || operation == "decrypt")) {
- std::clog << "Unknown operation '" << operation << "'.\n"
- << "Expected 'encrypt' or 'decrypt'.\n";
- exit(1);
- }
- std::clog << "Using key_name from file " << key_name_filename
- << " and GCP credentials from file " << credentials_filename
- << " to AEAD-" << operation
- << " file "<< input_filename
- << " with associated data '" << associated_data << "'.\n"
- << "The resulting output will be written to file "
- << output_filename << std::endl;
-
- std::string key_name = CliUtil::Read(key_name_filename);
- absl::StripAsciiWhitespace(&key_name);
- std::clog << "Will use key name " << key_name << std::endl;
-
- // Create GcpKmsClient.
- auto client_result = GcpKmsClient::New("", credentials_filename);
- if (!client_result.ok()) {
- std::clog << "Aead creation failed: "
- << client_result.status().message()
- << "\n";
- exit(1);
- }
- auto client = std::move(client_result.value());
-
- // Create Aead-primitive.
- auto aead_result = client->GetAead("gcp-kms://" + key_name);
- if (!aead_result.ok()) {
- std::clog << "Aead creation failed: "
- << aead_result.status().message()
- << "\n";
- exit(1);
- }
- std::unique_ptr<Aead> aead(std::move(aead_result.value()));
-
- // Read the input.
- std::string input = CliUtil::Read(input_filename);
-
- // Compute the output.
- std::clog << operation << "ing...\n";
- std::string output;
- if (operation == "encrypt") {
- auto encrypt_result = aead->Encrypt(input, associated_data);
- if (!encrypt_result.ok()) {
- std::clog << "Error while encrypting the input:"
- << encrypt_result.status().message() << std::endl;
- exit(1);
- }
- output = encrypt_result.value();
- } else { // operation == "decrypt"
- auto decrypt_result = aead->Decrypt(input, associated_data);
- if (!decrypt_result.ok()) {
- std::clog << "Error while decrypting the input:"
- << decrypt_result.status().message() << std::endl;
- exit(1);
- }
- output = decrypt_result.value();
- }
-
- // Write the output to the output file.
- CliUtil::Write(output, output_filename);
-
- std::clog << "All done.\n";
-}
diff --git a/tools/testing/cc/gcp_kms_aead_test.sh b/tools/testing/cc/gcp_kms_aead_test.sh
deleted file mode 100755
index ccc1771e1..000000000
--- a/tools/testing/cc/gcp_kms_aead_test.sh
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/bin/bash
-# Copyright 2019 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-################################################################################
-
-REPO_DIR="${TEST_SRCDIR}"
-TOOLS_DIR="${REPO_DIR}/tools"
-GCP_KMS_AEAD_CLI="${TOOLS_DIR}/testing/cc/gcp_kms_aead_cli"
-TEST_UTIL="${TOOLS_DIR}/testing/cross_language/test_util.sh"
-GCP_KEY_NAME_FILE="${TOOLS_DIR}/testdata/gcp/key_name.txt"
-CREDENTIALS_GCP_JSON_FILE="${TOOLS_DIR}/testdata/gcp/credential.json"
-BAD_GCP_KEY_NAME_FILE="${TOOLS_DIR}/testdata/gcp/key_name_bad.txt"
-BAD_CREDENTIALS_GCP_JSON_FILE="${TOOLS_DIR}/testdata/gcp/credential_bad.json"
-associated_data="some associated data"
-
-# Roots for GRPC
-# (https://github.com/grpc/grpc/blob/master/doc/environment_variables.md)
-export GRPC_DEFAULT_SSL_ROOTS_FILE_PATH="$TEST_SRCDIR/google_root_pem/file/downloaded"
-
-source $TEST_UTIL || exit 1
-
-#############################################################################
-# All good, encryption and decryption should work.
-test_name="good_key_name_and_credentials"
-echo "+++ starting test $test_name ..."
-generate_plaintext $test_name
-encrypted_file="$TEST_TMPDIR/${test_name}_encrypted.bin"
-decrypted_file="$TEST_TMPDIR/${test_name}_decrypted.bin"
-log_file="$TEST_TMPDIR/${test_name}.log"
-echo " encrypting..."
-$GCP_KMS_AEAD_CLI $GCP_KEY_NAME_FILE $CREDENTIALS_GCP_JSON_FILE\
- encrypt $plaintext_file "$associated_data" $encrypted_file 2> $log_file
-assert_file_contains $log_file "All done"
-assert_files_different $plaintext_file $encrypted_file
-
-echo " decrypting..."
-$GCP_KMS_AEAD_CLI $GCP_KEY_NAME_FILE $CREDENTIALS_GCP_JSON_FILE\
- decrypt $encrypted_file "$associated_data" $decrypted_file 2> $log_file
-assert_file_contains $log_file "All done"
-
-echo " checking decryption result..."
-assert_files_equal $plaintext_file $decrypted_file
-
-#############################################################################
-# Bad credentials test.
-test_name="bad_gcp_credentials"
-echo "+++ starting test $test_name ..."
-generate_plaintext $test_name
-encrypted_file="$TEST_TMPDIR/${test_name}_encrypted.bin"
-log_file="$TEST_TMPDIR/${test_name}.log"
-$GCP_KMS_AEAD_CLI $GCP_KEY_NAME_FILE $BAD_CREDENTIALS_GCP_JSON_FILE\
- encrypt $plaintext_file "$associated_data" $encrypted_file 2> $log_file
-
-assert_file_contains $log_file "invalid authentication credentials"
-
-#############################################################################
-# Bad key name test.
-test_name="bad_key_name"
-echo "+++ starting test $test_name ..."
-generate_plaintext $test_name
-encrypted_file="$TEST_TMPDIR/${test_name}_encrypted.bin"
-log_file="$TEST_TMPDIR/${test_name}.log"
-$GCP_KMS_AEAD_CLI $BAD_GCP_KEY_NAME_FILE $CREDENTIALS_GCP_JSON_FILE\
- encrypt $plaintext_file "$associated_data" $encrypted_file 2> $log_file
-
-assert_file_contains $log_file "Permission" "denied" "or it may not exist"
diff --git a/tools/testing/cross_language/test_util.sh b/tools/testing/cross_language/test_util.sh
index 92eb8963f..e466760c4 100755
--- a/tools/testing/cross_language/test_util.sh
+++ b/tools/testing/cross_language/test_util.sh
@@ -18,7 +18,6 @@ REPO_DIR="${TEST_SRCDIR}" TOOLS_DIR="${REPO_DIR}/tools" TINKEY_CLI="${TOOLS_DIR}/tinkey/tinkey" -ENVELOPE_CLI="${TOOLS_DIR}/testing/go/generate_envelope_keyset" ############################################################################# ##### Helper functions. @@ -70,45 +69,6 @@ generate_symmetric_key() { echo "Done generating a symmetric keyset." } -# Generates an AWS Envelope Encryption using $key_template, -# which should be supported by Tinkey. -# Stores the key in file $aws_keyset_file. -generate_aws_keyset() { - local key_name="$1" - local key_template="$2" - local output_format="$3" - if [ "$output_format" == "" ]; then - output_format="BINARY" - fi - aws_keyset_file="$TEST_TMPDIR/${key_name}_aws_keyset.bin" - echo "--- Using AWS KMS and template $key_template to generate keyset"\ - "to file $aws_keyset_file ..." - - $ENVELOPE_CLI $aws_keyset_file "AWS" $key_template || exit 1 - - echo "Done generating an AWS KMS generated keyset." -} - -# Generates an GCP Envelope Encryption using $key_template, -# which should be supported by Tinkey. -# Stores the key in file $gcp_keyset_file. -generate_gcp_keyset() { - local key_name="$1" - local key_template="$2" - local output_format="$3" - - if [ "$output_format" == "" ]; then - output_format="BINARY" - fi - gcp_keyset_file="$TEST_TMPDIR/${key_name}_gcp_keyset.bin" - echo "--- Using GCP KMS and template $key_template to generate keyset"\ - "to file $gcp_keyset_file ..." - $ENVELOPE_CLI $gcp_keyset_file "GCP" $key_template || exit 1 - - echo "Done generating an GCP KMS generated keyset." - -} - # Generates some example plaintext data, and stores it in $plaintext_file. generate_plaintext() { local plaintext_name="$1" |