1// Copyright 2023 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14// 15//////////////////////////////////////////////////////////////////////////////// 16 17package kmsaead_test 18 19import ( 20 "bytes" 21 "testing" 22 23 "github.com/google/tink/go/aead" 24 "github.com/google/tink/go/aead/internal/testing/kmsaead" 25 "github.com/google/tink/go/core/registry" 26 "github.com/google/tink/go/keyset" 27 "github.com/google/tink/go/testing/fakekms" 28) 29 30// The fake KMS should only be used in tests. It is not secure. 
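// keyURI names the key that the in-memory fake KMS serves in this test.
//
// The fake KMS should only be used in tests. It is not secure.
// NOTE(review): the part after the scheme looks like an encoded keyset, i.e.
// the key material travels inside the URI itself. Confirm against fakekms, and
// never use such a URI in place of a real KMS key reference.
const keyURI = "fake-kms://CM2b3_MDElQKSAowdHlwZS5nb29nbGVhcGlzLmNvbS9nb29nbGUuY3J5cHRvLnRpbmsuQWVzR2NtS2V5EhIaEIK75t5L-adlUwVhWvRuWUwYARABGM2b3_MDIAE"

// TestCreateEncryptDecrypt registers the KMS AEAD key manager and a fake KMS
// client, builds an AEAD primitive from a KMS AEAD key template, and checks:
//
//   - encrypt followed by decrypt returns the original plaintext,
//   - decryption is rejected when the associated data differs,
//   - decryption is rejected when the ciphertext has been modified,
//   - the AEAD obtained directly from the KMS client decrypts the same
//     ciphertext.
func TestCreateEncryptDecrypt(t *testing.T) {
	// Both registrations mutate process-wide registry state. The result of
	// RegisterKeyManager is left unchecked, as in the original test.
	// NOTE(review): presumably it reports an error when the key type is already
	// registered (for example on a repeated run in one process); confirm before
	// asserting on it.
	registry.RegisterKeyManager(kmsaead.NewKeyManager())

	client, err := fakekms.NewClient(keyURI)
	if err != nil {
		t.Fatalf("fakekms.NewClient(keyURI) err = %q, want nil", err)
	}
	registry.RegisterKMSClient(client)

	template, err := kmsaead.CreateKeyTemplate(keyURI)
	if err != nil {
		t.Fatalf("kmsaead.CreateKeyTemplate(keyURI) err = %q, want nil", err)
	}
	handle, err := keyset.NewHandle(template)
	if err != nil {
		t.Fatalf("keyset.NewHandle(template) err = %q, want nil", err)
	}
	primitive, err := aead.New(handle)
	if err != nil {
		t.Fatalf("aead.New(handle) err = %q, want nil", err)
	}

	plaintext := []byte("plaintext")
	associatedData := []byte("associatedData")

	ciphertext, err := primitive.Encrypt(plaintext, associatedData)
	if err != nil {
		t.Fatalf("primitive.Encrypt(plaintext, associatedData) err = %q, want nil", err)
	}

	gotPlaintext, err := primitive.Decrypt(ciphertext, associatedData)
	if err != nil {
		t.Fatalf("primitive.Decrypt(ciphertext, associatedData) err = %q, want nil", err)
	}
	if !bytes.Equal(gotPlaintext, plaintext) {
		t.Fatalf("gotPlaintext = %q, want %q", gotPlaintext, plaintext)
	}

	// The associated data is authenticated: a mismatch must fail decryption.
	_, err = primitive.Decrypt(ciphertext, []byte("invalidAssociatedData"))
	if err == nil {
		t.Fatalf("primitive.Decrypt(ciphertext, []byte(\"invalidAssociatedData\")) err = nil, want error")
	}

	// The ciphertext is authenticated as well: flipping one bit must fail
	// decryption. Work on a copy so the checks below still see the original.
	tamperedCiphertext := append([]byte(nil), ciphertext...)
	tamperedCiphertext[len(tamperedCiphertext)-1] ^= 0x01
	if _, err := primitive.Decrypt(tamperedCiphertext, associatedData); err == nil {
		t.Fatalf("primitive.Decrypt(tamperedCiphertext, associatedData) err = nil, want error")
	}

	// Verify that the AEAD primitive returned by client is also able to decrypt.
	primitive2, err := client.GetAEAD(keyURI)
	if err != nil {
		t.Fatalf("client.GetAEAD(keyURI) err = %q, want nil", err)
	}
	gotPlaintext2, err := primitive2.Decrypt(ciphertext, associatedData)
	if err != nil {
		t.Fatalf("primitive2.Decrypt(ciphertext, associatedData) err = %q, want nil", err)
	}
	if !bytes.Equal(gotPlaintext2, plaintext) {
		// Report the value that was actually compared (gotPlaintext2), not the
		// result of the earlier decryption.
		t.Fatalf("gotPlaintext2 = %q, want %q", gotPlaintext2, plaintext)
	}
}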