use of com.google.crypto.tink.proto.Keyset in project tink by google.
the class KeysetManagerTest method testPromote_shouldPromote.
// Same tests as for setPrimary() for the deprecated promote(), which should be equivalent.
@Test
public void testPromote_shouldPromote() throws Exception {
int primaryKeyId = 42;
int newPrimaryKeyId = 43;
KeysetHandle handle = KeysetHandle.fromKeyset(TestUtil.createKeyset(createEnabledKey(primaryKeyId), createEnabledKey(newPrimaryKeyId)));
Keyset keyset = KeysetManager.withKeysetHandle(handle).promote(newPrimaryKeyId).getKeysetHandle().getKeyset();
assertThat(keyset.getKeyCount()).isEqualTo(2);
assertThat(keyset.getPrimaryKeyId()).isEqualTo(newPrimaryKeyId);
}
use of com.google.crypto.tink.proto.Keyset in project tink by google.
the class KeysetManagerTest method testAdd_shouldAddNewKey.
@Test
public void testAdd_shouldAddNewKey() throws Exception {
KeyTemplate kt = KeyTemplates.get("AES128_GCM");
Keyset keyset = KeysetManager.withEmptyKeyset().add(kt).getKeysetHandle().getKeyset();
assertThat(keyset.getKeyCount()).isEqualTo(1);
// No primary key because add doesn't automatically promote the new key to primary.
assertThat(keyset.getPrimaryKeyId()).isEqualTo(0);
Keyset.Key key = keyset.getKey(0);
assertThat(key.getStatus()).isEqualTo(KeyStatusType.ENABLED);
assertThat(key.getOutputPrefixType()).isEqualTo(OutputPrefixType.TINK);
assertThat(key.hasKeyData()).isTrue();
assertThat(key.getKeyData().getTypeUrl()).isEqualTo(kt.getTypeUrl());
AesGcmKeyFormat aesGcmKeyFormat = AesGcmKeyFormat.parseFrom(kt.getValue(), ExtensionRegistryLite.getEmptyRegistry());
AesGcmKey aesGcmKey = AesGcmKey.parseFrom(key.getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
assertThat(aesGcmKey.getKeyValue().size()).isEqualTo(aesGcmKeyFormat.getKeySize());
}
use of com.google.crypto.tink.proto.Keyset in project tink by google.
the class KeysetManagerTest method addKeyHandle_existingKeyset_shouldAddKey.
@Test
public void addKeyHandle_existingKeyset_shouldAddKey() throws Exception {
KeyTemplate keyTemplate1 = KeyTemplates.get("AES128_GCM_RAW");
KeyHandle keyHandle1 = KeyHandle.generateNew(keyTemplate1);
KeysetManager keysetManager = KeysetManager.withEmptyKeyset().add(keyHandle1);
keysetManager.setPrimary(keyHandle1.getId());
KeyTemplate keyTemplate2 = KeyTemplates.get("AES256_GCM_RAW");
KeyHandle keyHandle2 = KeyHandle.generateNew(keyTemplate2);
keysetManager = keysetManager.add(keyHandle2);
Keyset keyset = keysetManager.getKeysetHandle().getKeyset();
expect.that(keyset.getKeyCount()).isEqualTo(2);
expect.that(keyset.getPrimaryKeyId()).isEqualTo(keyHandle1.getId());
Keyset.Key key1 = keyset.getKey(0);
expect.that(key1.getKeyId()).isEqualTo(keyHandle1.getId());
expect.that(key1.getStatus()).isEqualTo(KeyStatusType.ENABLED);
expect.that(key1.getOutputPrefixType()).isEqualTo(OutputPrefixType.RAW);
expect.that(key1.hasKeyData()).isTrue();
expect.that(key1.getKeyData().getTypeUrl()).isEqualTo(keyTemplate1.getTypeUrl());
AesGcmKeyFormat aesGcmKeyFormat1 = AesGcmKeyFormat.parseFrom(keyTemplate1.getValue(), ExtensionRegistryLite.getEmptyRegistry());
AesGcmKey aesGcmKey1 = AesGcmKey.parseFrom(key1.getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
expect.that(aesGcmKey1.getKeyValue().size()).isEqualTo(aesGcmKeyFormat1.getKeySize());
Keyset.Key key2 = keyset.getKey(1);
expect.that(key2.getKeyId()).isEqualTo(keyHandle2.getId());
expect.that(key2.getStatus()).isEqualTo(KeyStatusType.ENABLED);
expect.that(key2.getOutputPrefixType()).isEqualTo(OutputPrefixType.RAW);
expect.that(key2.hasKeyData()).isTrue();
expect.that(key2.getKeyData().getTypeUrl()).isEqualTo(keyTemplate2.getTypeUrl());
AesGcmKeyFormat aesGcmKeyFormat2 = AesGcmKeyFormat.parseFrom(keyTemplate2.getValue(), ExtensionRegistryLite.getEmptyRegistry());
AesGcmKey aesGcmKey2 = AesGcmKey.parseFrom(key2.getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
expect.that(aesGcmKey2.getKeyValue().size()).isEqualTo(aesGcmKeyFormat2.getKeySize());
}
use of com.google.crypto.tink.proto.Keyset in project tink by google.
the class JsonKeysetReaderTest method testReadKeyset_hugeKeyId_convertsIntoSignedInt32.
@Test
public void testReadKeyset_hugeKeyId_convertsIntoSignedInt32() throws Exception {
// 2^32 - 21
String jsonKeysetString = createJsonKeysetWithId("4294967275");
Keyset keyset = JsonKeysetReader.withString(jsonKeysetString).read();
assertThat(keyset.getPrimaryKeyId()).isEqualTo(-21);
}
use of com.google.crypto.tink.proto.Keyset in project tink by google.
the class JwtHmacKeyManagerTest method createSignVerifyTink_withDifferentHeaders.
@Test
public void createSignVerifyTink_withDifferentHeaders() throws Exception {
KeyTemplate template = KeyTemplates.get("JWT_HS256");
KeysetHandle handle = KeysetHandle.generateNew(template);
Keyset keyset = CleartextKeysetHandle.getKeyset(handle);
JwtHmacKey keyProto = JwtHmacKey.parseFrom(keyset.getKey(0).getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
byte[] keyValue = keyProto.getKeyValue().toByteArray();
SecretKeySpec keySpec = new SecretKeySpec(keyValue, "HMAC");
PrfHmacJce prf = new PrfHmacJce("HMACSHA256", keySpec);
PrfMac rawPrimitive = new PrfMac(prf, prf.getMaxOutputLength());
JwtMac primitive = handle.getPrimitive(JwtMac.class);
String kid = JwtFormat.getKid(keyset.getKey(0).getKeyId(), keyset.getKey(0).getOutputPrefixType()).get();
JsonObject payload = new JsonObject();
payload.addProperty("jti", "jwtId");
JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
// Normal, valid signed compact.
JsonObject normalHeader = new JsonObject();
normalHeader.addProperty("alg", "HS256");
normalHeader.addProperty("kid", kid);
String normalToken = generateSignedCompact(rawPrimitive, normalHeader, payload);
primitive.verifyMacAndDecode(normalToken, validator);
// valid token, with "typ" set in the header
JsonObject headerWithTyp = new JsonObject();
headerWithTyp.addProperty("alg", "HS256");
headerWithTyp.addProperty("typ", "typeHeader");
headerWithTyp.addProperty("kid", kid);
String tokenWithTyp = generateSignedCompact(rawPrimitive, headerWithTyp, payload);
primitive.verifyMacAndDecode(tokenWithTyp, JwtValidator.newBuilder().expectTypeHeader("typeHeader").allowMissingExpiration().build());
// invalid token without algorithm
JsonObject headerWithoutAlg = new JsonObject();
headerWithoutAlg.addProperty("kid", kid);
String tokenWithoutAlg = generateSignedCompact(rawPrimitive, headerWithoutAlg, payload);
assertThrows(GeneralSecurityException.class, () -> primitive.verifyMacAndDecode(tokenWithoutAlg, validator));
// invalid token with a valid but incorrect algorithm in the header
JsonObject headerWithBadAlg = new JsonObject();
headerWithBadAlg.addProperty("alg", "RS256");
headerWithBadAlg.addProperty("kid", kid);
String tokenWithBadAlg = generateSignedCompact(rawPrimitive, headerWithBadAlg, payload);
assertThrows(GeneralSecurityException.class, () -> primitive.verifyMacAndDecode(tokenWithBadAlg, validator));
// token with an unknown "kid" in the header is valid
JsonObject headerWithUnknownKid = new JsonObject();
headerWithUnknownKid.addProperty("alg", "HS256");
headerWithUnknownKid.addProperty("kid", "unknown");
String tokenWithUnknownKid = generateSignedCompact(rawPrimitive, headerWithUnknownKid, payload);
assertThrows(GeneralSecurityException.class, () -> primitive.verifyMacAndDecode(tokenWithUnknownKid, validator));
}
Aggregations