1# Copyright 2019 Google LLC 2# 3# Licensed under the Apache License, Version 2.0 (the "License"); 4# you may not use this file except in compliance with the License. 5# You may obtain a copy of the License at 6# 7# http://www.apache.org/licenses/LICENSE-2.0 8# 9# Unless required by applicable law or agreed to in writing, software 10# distributed under the License is distributed on an "AS IS" BASIS, 11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12# See the License for the specific language governing permissions and 13# limitations under the License. 14 15"""Tests for tink.python.tink.public_key_sign_wrapper.""" 16 17from absl.testing import absltest 18from absl.testing import parameterized 19 20import tink 21from tink import signature 22from tink.testing import keyset_builder 23 24 25TEMPLATE = signature.signature_key_templates.ECDSA_P256 26LEGACY_TEMPLATE = keyset_builder.legacy_template(TEMPLATE) 27RAW_TEMPLATE = keyset_builder.raw_template(TEMPLATE) 28 29 30def setUpModule(): 31 signature.register() 32 33 34class SignatureWrapperTest(parameterized.TestCase): 35 36 @parameterized.parameters([TEMPLATE, LEGACY_TEMPLATE, RAW_TEMPLATE]) 37 def test_sign_verify(self, template): 38 private_handle = tink.new_keyset_handle(template) 39 public_handle = private_handle.public_keyset_handle() 40 sign_primitive = private_handle.primitive(signature.PublicKeySign) 41 verify_primitive = public_handle.primitive(signature.PublicKeyVerify) 42 43 data_signature = sign_primitive.sign(b'data') 44 verify_primitive.verify(data_signature, b'data') 45 46 @parameterized.parameters([TEMPLATE, LEGACY_TEMPLATE, RAW_TEMPLATE]) 47 def test_verify_fails_on_wrong_data(self, template): 48 private_handle = tink.new_keyset_handle(template) 49 public_handle = private_handle.public_keyset_handle() 50 sign_primitive = private_handle.primitive(signature.PublicKeySign) 51 verify_primitive = public_handle.primitive(signature.PublicKeyVerify) 52 53 data_signature = sign_primitive.sign(b'data') 54 with self.assertRaises(tink.TinkError): 55 verify_primitive.verify(data_signature, b'invalid data') 56 57 @parameterized.parameters([TEMPLATE, LEGACY_TEMPLATE, RAW_TEMPLATE]) 58 def test_verify_fails_on_unknown_signature(self, template): 59 unknown_handle = tink.new_keyset_handle(template) 60 unknown_sign_primitive = unknown_handle.primitive(signature.PublicKeySign) 61 unknown_data_signature = unknown_sign_primitive.sign(b'data') 62 63 private_handle = tink.new_keyset_handle(template) 64 public_handle = private_handle.public_keyset_handle() 65 verify_primitive = public_handle.primitive(signature.PublicKeyVerify) 66 with self.assertRaises(tink.TinkError): 67 verify_primitive.verify(unknown_data_signature, b'data') 68 69 @parameterized.parameters([(TEMPLATE, TEMPLATE), 70 (TEMPLATE, LEGACY_TEMPLATE), 71 (TEMPLATE, RAW_TEMPLATE), 72 (LEGACY_TEMPLATE, TEMPLATE), 73 (LEGACY_TEMPLATE, LEGACY_TEMPLATE), 74 (LEGACY_TEMPLATE, RAW_TEMPLATE), 75 (RAW_TEMPLATE, TEMPLATE), 76 (RAW_TEMPLATE, LEGACY_TEMPLATE), 77 (RAW_TEMPLATE, RAW_TEMPLATE)]) 78 def test_sign_verify_with_key_rotation(self, old_template, new_template): 79 builder = keyset_builder.new_keyset_builder() 80 older_key_id = builder.add_new_key(old_template) 81 builder.set_primary_key(older_key_id) 82 private_handle1 = builder.keyset_handle() 83 sign1 = private_handle1.primitive(signature.PublicKeySign) 84 verify1 = private_handle1.public_keyset_handle().primitive( 85 signature.PublicKeyVerify) 86 87 newer_key_id = builder.add_new_key(new_template) 88 private_handle2 = builder.keyset_handle() 89 sign2 = private_handle2.primitive(signature.PublicKeySign) 90 verify2 = private_handle2.public_keyset_handle().primitive( 91 signature.PublicKeyVerify) 92 93 builder.set_primary_key(newer_key_id) 94 private_handle3 = builder.keyset_handle() 95 sign3 = private_handle3.primitive(signature.PublicKeySign) 96 verify3 = private_handle3.public_keyset_handle().primitive( 97 signature.PublicKeyVerify) 98 99 builder.disable_key(older_key_id) 100 private_handle4 = builder.keyset_handle() 101 sign4 = private_handle4.primitive(signature.PublicKeySign) 102 verify4 = private_handle4.public_keyset_handle().primitive( 103 signature.PublicKeyVerify) 104 self.assertNotEqual(older_key_id, newer_key_id) 105 106 # 1 signs with the older key. So 1, 2 and 3 can verify it, but not 4. 107 data_signature1 = sign1.sign(b'data') 108 verify1.verify(data_signature1, b'data') 109 verify2.verify(data_signature1, b'data') 110 verify3.verify(data_signature1, b'data') 111 with self.assertRaises(tink.TinkError): 112 verify4.verify(data_signature1, b'data') 113 114 # 2 signs with the older key. So 1, 2 and 3 can verify it, but not 4. 115 data_signature2 = sign2.sign(b'data') 116 verify1.verify(data_signature2, b'data') 117 verify2.verify(data_signature2, b'data') 118 verify3.verify(data_signature2, b'data') 119 with self.assertRaises(tink.TinkError): 120 verify4.verify(data_signature2, b'data') 121 122 # 3 signs with the newer key. So 2, 3 and 4 can verify it, but not 1. 123 data_signature3 = sign3.sign(b'data') 124 with self.assertRaises(tink.TinkError): 125 verify1.verify(data_signature3, b'data') 126 verify2.verify(data_signature3, b'data') 127 verify3.verify(data_signature3, b'data') 128 verify4.verify(data_signature3, b'data') 129 130 # 4 signs with the newer key. So 2, 3 and 4 can verify it, but not 1. 131 data_signature4 = sign4.sign(b'data') 132 with self.assertRaises(tink.TinkError): 133 verify1.verify(data_signature4, b'data') 134 verify2.verify(data_signature4, b'data') 135 verify3.verify(data_signature4, b'data') 136 verify4.verify(data_signature4, b'data') 137 138 139if __name__ == '__main__': 140 absltest.main() 141