Google Git
Sign in
android / platform / external / tink / 3d025c6568b892514bdebde87102405ab5c79369 / . / cc / examples / walkthrough / load_encrypted_keyset_test.cc
blob: 4a1c42abdd296f5c848f4a61319094af505b9d5d [file] [log] [blame]
// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
///////////////////////////////////////////////////////////////////////////////
#include "walkthrough/load_encrypted_keyset.h"
#include <memory>
#include <ostream>
#include <sstream>
#include <string>
#include <utility>
#include "gmock/gmock.h"
#include "absl/memory/memory.h"
#include "absl/status/status.h"
#include "absl/strings/string_view.h"
#include "tink/aead.h"
#include "tink/aead/aead_config.h"
#include "walkthrough/load_cleartext_keyset.h"
#include "walkthrough/test_util.h"
#include "tink/kms_clients.h"
#include "tink/registry.h"
#include "tink/util/statusor.h"
#include "tink/util/test_matchers.h"
namespace tink_walkthrough {
namespace {
constexpr absl::string_view kSerializedMasterKeyKeyset = R"json({
"key": [
{
"keyData": {
"keyMaterialType": "SYMMETRIC",
"typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
"value": "GiBWyUfGgYk3RTRhj/LIUzSudIWlyjCftCOypTr0jCNSLg=="
},
"keyId": 294406504,
"outputPrefixType": "TINK",
"status": "ENABLED"
}
],
"primaryKeyId": 294406504
})json";
constexpr absl::string_view kSerializedKeysetToEncrypt = R"json({
"key": [
{
"keyData": {
"keyMaterialType": "SYMMETRIC",
"typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
"value": "GhD+9l0RANZjzZEZ8PDp7LRW"
},
"keyId": 1931667682,
"outputPrefixType": "TINK",
"status": "ENABLED"
}
],
"primaryKeyId": 1931667682
})json";
// Encryption of kSerializedKeysetToEncrypt using kSerializedMasterKeyKeyset.
constexpr absl::string_view kEncryptedKeyset = R"json({
"encryptedKeyset": "ARGMSWi6YHyZ/Oqxl00XSq631a0q2UPmf+rCvCIAggSZrwCmxFF797MpY0dqgaXu1fz2eQ8zFNhlyTXv9kwg1kY6COpyhY/68zNBUkyKX4CharLYfpg1LgRl+6rMzIQa0XDHh7ZDmp1CevzecZIKnG83uDRHxxSv3h8c/Kc="
})json";
constexpr absl::string_view kFakeKmsKeyUri = "fake://some_key";
using ::crypto::tink::Aead;
using ::crypto::tink::KeysetHandle;
using ::crypto::tink::Registry;
using ::crypto::tink::test::IsOk;
using ::crypto::tink::test::IsOkAndHolds;
using ::crypto::tink::test::StatusIs;
using ::crypto::tink::util::Status;
using ::crypto::tink::util::StatusOr;
using ::testing::Environment;
// Test environment used to register KMS clients only once for the whole test.
class LoadKeysetTestEnvironment : public Environment {
public:
~LoadKeysetTestEnvironment() override = default;
// Register FakeKmsClient and AlwaysFailingFakeKmsClient.
void SetUp() override {
auto fake_kms =
absl::make_unique<FakeKmsClient>(kSerializedMasterKeyKeyset);
ASSERT_THAT(crypto::tink::KmsClients::Add(std::move(fake_kms)), IsOk());
auto failing_kms = absl::make_unique<AlwaysFailingFakeKmsClient>();
ASSERT_THAT(crypto::tink::KmsClients::Add(std::move(failing_kms)), IsOk());
}
};
// Unused.
Environment *const test_env =
testing::AddGlobalTestEnvironment(new LoadKeysetTestEnvironment());
class LoadKeysetTest : public ::testing::Test {
public:
void TearDown() override { Registry::Reset(); }
};
TEST_F(LoadKeysetTest, LoadKeysetFailsWhenNoKmsRegistered) {
StatusOr<std::unique_ptr<KeysetHandle>> expected_keyset =
LoadKeyset(kEncryptedKeyset, /*master_key_uri=*/"other_kms://some_key");
EXPECT_THAT(expected_keyset.status(), StatusIs(absl::StatusCode::kNotFound));
}
TEST_F(LoadKeysetTest, LoadKeysetFailsWhenKmsClientFails) {
StatusOr<std::unique_ptr<KeysetHandle>> expected_keyset =
LoadKeyset(kEncryptedKeyset, /*master_key_uri=*/"failing://some_key");
EXPECT_THAT(expected_keyset.status(),
StatusIs(absl::StatusCode::kUnimplemented));
}
TEST_F(LoadKeysetTest, LoadKeysetFailsWhenAeadNotRegistered) {
StatusOr<std::unique_ptr<KeysetHandle>> expected_keyset =
LoadKeyset(kEncryptedKeyset, kFakeKmsKeyUri);
EXPECT_THAT(expected_keyset.status(), StatusIs(absl::StatusCode::kNotFound));
}
TEST_F(LoadKeysetTest, LoadKeysetFailsWhenInvalidKeyset) {
ASSERT_THAT(crypto::tink::AeadConfig::Register(), IsOk());
StatusOr<std::unique_ptr<KeysetHandle>> expected_keyset =
LoadKeyset("invalid", kFakeKmsKeyUri);
EXPECT_THAT(expected_keyset.status(),
StatusIs(absl::StatusCode::kInvalidArgument));
Registry::Reset();
}
TEST_F(LoadKeysetTest, LoadKeysetSucceeds) {
ASSERT_THAT(crypto::tink::AeadConfig::Register(), IsOk());
StatusOr<std::unique_ptr<KeysetHandle>> handle =
LoadKeyset(kEncryptedKeyset, kFakeKmsKeyUri);
ASSERT_THAT(handle, IsOk());
StatusOr<std::unique_ptr<Aead>> aead = (*handle)->GetPrimitive<Aead>();
ASSERT_THAT(aead, IsOk());
StatusOr<std::unique_ptr<KeysetHandle>> expected_keyset =
LoadKeyset(kSerializedKeysetToEncrypt);
ASSERT_THAT(expected_keyset, IsOk());
StatusOr<std::unique_ptr<Aead>> expected_aead =
(*expected_keyset)->GetPrimitive<Aead>();
ASSERT_THAT(expected_aead, IsOk());
std::string associated_data = "Some associated data";
std::string plaintext = "Some plaintext";
StatusOr<std::string> ciphertext =
(*aead)->Encrypt(plaintext, associated_data);
ASSERT_THAT(ciphertext, IsOk());
EXPECT_THAT((*expected_aead)->Decrypt(*ciphertext, associated_data),
IsOkAndHolds(plaintext));
}
} // namespace
} // namespace tink_walkthrough