xref: /aosp_15_r20/external/tink/python/examples/envelope_aead/envelope_test.sh (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5)
1#!/bin/bash
2# Copyright 2021 Google LLC
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8#      http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15################################################################################
16
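set -euo pipefail

#############################################################################
# Tests for envelope encryption AEAD example.
#
# Usage: envelope_test.sh <cli> <kek_uri> <gcp_credential_file>
#   $1  example CLI under test
#   $2  key-encryption-key URI, passed to the CLI as --kek_uri
#   $3  credential file, passed to the CLI as --gcp_credential_path
# Environment: TEST_SRCDIR (root certificates), TEST_TMPDIR (scratch files).
#############################################################################

# Fail with a usage line instead of bash's bare "unbound variable" error.
if (( $# < 3 )); then
  echo "Usage: ${0##*/} <cli> <kek_uri> <gcp_credential_file>" >&2
  exit 1
fi

CLI="$1"
KEY_URI="$2"
# Only the path is handled here; this script never reads the credential file.
CRED_FILE="$3"

# Root certificates for GRPC.
# Reference:
#   https://github.com/grpc/grpc/blob/master/doc/environment_variables.md
export GRPC_DEFAULT_SSL_ROOTS_FILE_PATH="${TEST_SRCDIR:?TEST_SRCDIR must be set}/google_root_pem/file/downloaded"

# `:?` rejects an empty TEST_TMPDIR, which would otherwise place the plaintext
# fixture and every derived file directly under "/".
DATA_FILE="${TEST_TMPDIR:?TEST_TMPDIR must be set}/example_data.txt"

# Plaintext fixture that every test below encrypts and compares against.
echo "This is some plaintext to be encrypted." > "${DATA_FILE}"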
35
36#############################################################################
37
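#######################################
# Runs a command that is allowed to fail and records its exit status.
# errexit is switched off for the duration of the command so that a non-zero
# status does not abort the script, then switched back on unconditionally.
# Globals:   TEST_STATUS (written) - exit status of the command
# Arguments: the command to run, followed by its arguments
# Usage:
#   test_command somecommand some args
#   echo "${TEST_STATUS}"
#######################################
test_command() {
  set +e
  "$@"
  TEST_STATUS=$?
  set -e
}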
49
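#######################################
# Prints a banner marking the start of a test case.
# Arguments: $1 - name of the test
# Outputs:   one line on stdout
#######################################
print_test() {
  # printf with a fixed format prints the name literally, whatever it contains.
  printf '+++ Starting test %s...\n' "$1"
}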
53
54#############################################################################
55
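print_test "encrypt"

# Run encryption. test_command stores the CLI's exit status in TEST_STATUS
# rather than letting `set -e` end the script, so the failure can be reported.
# "${CLI}" is quoted so a path containing spaces or glob characters is still
# executed as a single word.
test_command "${CLI}" --mode encrypt --kek_uri "${KEY_URI}" \
  --gcp_credential_path "${CRED_FILE}" \
  --input_path "${DATA_FILE}" --output_path "${DATA_FILE}.encrypted"

# Status 0 only shows that the CLI reported success; the ciphertext itself is
# exercised by the "decrypt" test, which reads ${DATA_FILE}.encrypted.
if (( TEST_STATUS == 0 )); then
  echo "+++ Success: file was encrypted."
else
  echo "--- Failure: could not encrypt file."
  exit 1
fi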
69
70#############################################################################
71
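print_test "decrypt"

# Run decryption of the ciphertext written by the "encrypt" test.
# "${CLI}" is quoted so a path containing spaces or glob characters is still
# executed as a single word.
test_command "${CLI}" --mode decrypt --kek_uri "${KEY_URI}" \
  --gcp_credential_path "${CRED_FILE}" \
  --input_path "${DATA_FILE}.encrypted" --output_path "${DATA_FILE}.decrypted"

if (( TEST_STATUS == 0 )); then
  echo "+++ Success: file was successfully decrypted."
else
  echo "--- Failure: could not decrypt file."
  exit 1
fi

# Round-trip check: the recovered bytes must equal the original plaintext.
# cmp -s prints nothing and reports the comparison through its exit status.
if cmp -s "${DATA_FILE}" "${DATA_FILE}.decrypted"; then
  echo "+++ Success: file content is the same after decryption."
else
  echo "--- Failure: file content is not the same after decryption."
  exit 1
fi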
92
93#############################################################################
94
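print_test "test_encrypt_decrypt_succeeds_with_associated_data"

# The earlier tests leave ${DATA_FILE}.encrypted and ${DATA_FILE}.decrypted
# behind, and the stale .decrypted file already equals the plaintext. Remove
# both so the comparison at the end can only pass on output from this run.
rm -f -- "${DATA_FILE}.encrypted" "${DATA_FILE}.decrypted"

# Run encryption
ASSOCIATED_DATA="header information"
test_command "${CLI}" --mode encrypt --kek_uri "${KEY_URI}" \
  --gcp_credential_path "${CRED_FILE}" \
  --input_path "${DATA_FILE}" --output_path "${DATA_FILE}.encrypted" \
  --associated_data "${ASSOCIATED_DATA}"

if (( TEST_STATUS == 0 )); then
  echo "+++ Encryption successful."
else
  echo "--- Encryption failed."
  exit 1
fi

# Run decryption with the same associated data that was used to encrypt.
test_command "${CLI}" --mode decrypt --kek_uri "${KEY_URI}" \
  --gcp_credential_path "${CRED_FILE}" \
  --input_path "${DATA_FILE}.encrypted" --output_path "${DATA_FILE}.decrypted" \
  --associated_data "${ASSOCIATED_DATA}"

if (( TEST_STATUS == 0 )); then
  echo "+++ Decryption successful."
else
  echo "--- Decryption failed."
  exit 1
fi

# Round-trip check. Reported explicitly, like the "decrypt" test does: a bare
# `cmp` under `set -e` would end the script without saying which check failed.
if cmp -s "${DATA_FILE}" "${DATA_FILE}.decrypted"; then
  echo "+++ Success: file content is the same after decryption."
else
  echo "--- Failure: file content is not the same after decryption."
  exit 1
fi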
125
126#############################################################################
127
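print_test "test_encrypt_decrypt_fails_with_modified_associated_data"

# Start from a clean slate: the previous test leaves a .decrypted file that
# equals the plaintext, which would make the no-plaintext check at the end of
# this test meaningless.
rm -f -- "${DATA_FILE}.encrypted" "${DATA_FILE}.decrypted"

# Run encryption
ASSOCIATED_DATA="header information"
test_command "${CLI}" --mode encrypt --kek_uri "${KEY_URI}" \
  --gcp_credential_path "${CRED_FILE}" \
  --input_path "${DATA_FILE}" --output_path "${DATA_FILE}.encrypted" \
  --associated_data "${ASSOCIATED_DATA}"

if (( TEST_STATUS == 0 )); then
  echo "+++ Encryption successful."
else
  echo "--- Encryption failed."
  exit 1
fi

# Run decryption with associated data that differs from what was used to
# encrypt. Associated data is authenticated, so decryption must be rejected.
MODIFIED_ASSOCIATED_DATA="modified header information"
test_command "${CLI}" --mode decrypt --kek_uri "${KEY_URI}" \
  --gcp_credential_path "${CRED_FILE}" \
  --input_path "${DATA_FILE}.encrypted" --output_path "${DATA_FILE}.decrypted" \
  --associated_data "${MODIFIED_ASSOCIATED_DATA}"

# Exactly 1 is required, not just any non-zero status.
# NOTE(review): presumably 1 is the CLI's own error exit, so a launch failure
# such as 126/127 is not mistaken for a rejected decryption; confirm against
# the CLI source.
if (( TEST_STATUS == 1 )); then
  echo "+++ Decryption failed as expected."
else
  echo "--- Decryption succeeded but expected to fail."
  exit 1
fi

# A rejected decryption must not release the plaintext. cmp -s also returns
# non-zero when the output file does not exist, which is the passing case.
if cmp -s "${DATA_FILE}" "${DATA_FILE}.decrypted"; then
  echo "--- Failure: plaintext was written despite the associated data mismatch."
  exit 1
fi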
157