1 // Copyright 2023 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ////////////////////////////////////////////////////////////////////////////////
16
17 #include "tink/aead/aes_gcm_proto_serialization.h"
18
19 #include <memory>
20 #include <string>
21
22 #include "gmock/gmock.h"
23 #include "gtest/gtest.h"
24 #include "tink/aead/aes_gcm_key.h"
25 #include "tink/aead/aes_gcm_parameters.h"
26 #include "tink/insecure_secret_key_access.h"
27 #include "tink/internal/mutable_serialization_registry.h"
28 #include "tink/internal/proto_key_serialization.h"
29 #include "tink/internal/proto_parameters_serialization.h"
30 #include "tink/partial_key_access.h"
31 #include "tink/restricted_data.h"
32 #include "tink/subtle/random.h"
33 #include "tink/util/test_matchers.h"
34 #include "proto/aes_gcm.pb.h"
35 #include "proto/tink.pb.h"
36
37 namespace crypto {
38 namespace tink {
39 namespace {
40
41 using ::crypto::tink::subtle::Random;
42 using ::crypto::tink::test::IsOk;
43 using ::crypto::tink::test::IsOkAndHolds;
44 using ::crypto::tink::test::StatusIs;
45 using ::google::crypto::tink::AesGcmKeyFormat;
46 using ::google::crypto::tink::KeyData;
47 using ::google::crypto::tink::OutputPrefixType;
48 using ::testing::Eq;
49 using ::testing::IsTrue;
50 using ::testing::NotNull;
51 using ::testing::TestWithParam;
52 using ::testing::Values;
53
54 struct TestCase {
55 AesGcmParameters::Variant variant;
56 OutputPrefixType output_prefix_type;
57 int key_size;
58 int iv_size;
59 int tag_size;
60 absl::optional<int> id;
61 std::string output_prefix;
62 };
63
64 class AesGcmProtoSerializationTest : public TestWithParam<TestCase> {
65 protected:
SetUp()66 void SetUp() override {
67 internal::MutableSerializationRegistry::GlobalInstance().Reset();
68 }
69 };
70
71 INSTANTIATE_TEST_SUITE_P(
72 AesGcmProtoSerializationTestSuite, AesGcmProtoSerializationTest,
73 Values(TestCase{AesGcmParameters::Variant::kTink, OutputPrefixType::TINK,
74 /*key_size=*/16, /*iv_size=*/12, /*tag_size=*/16,
75 /*id=*/0x02030400,
76 /*output_prefix=*/std::string("\x01\x02\x03\x04\x00", 5)},
77 TestCase{AesGcmParameters::Variant::kCrunchy,
78 OutputPrefixType::CRUNCHY, /*key_size=*/16, /*iv_size=*/12,
79 /*tag_size=*/16, /*id=*/0x01030005,
80 /*output_prefix=*/std::string("\x00\x01\x03\x00\x05", 5)},
81 TestCase{AesGcmParameters::Variant::kNoPrefix, OutputPrefixType::RAW,
82 /*key_size=*/32, /*iv_size=*/12, /*tag_size=*/16,
83 /*id=*/absl::nullopt, /*output_prefix=*/""}));
84
TEST_P(AesGcmProtoSerializationTest,ParseParameters)85 TEST_P(AesGcmProtoSerializationTest, ParseParameters) {
86 TestCase test_case = GetParam();
87 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
88
89 AesGcmKeyFormat key_format_proto;
90 key_format_proto.set_version(0);
91 key_format_proto.set_key_size(test_case.key_size);
92
93 util::StatusOr<internal::ProtoParametersSerialization> serialization =
94 internal::ProtoParametersSerialization::Create(
95 "type.googleapis.com/google.crypto.tink.AesGcmKey",
96 test_case.output_prefix_type, key_format_proto.SerializeAsString());
97 ASSERT_THAT(serialization, IsOk());
98
99 util::StatusOr<std::unique_ptr<Parameters>> params =
100 internal::MutableSerializationRegistry::GlobalInstance().ParseParameters(
101 *serialization);
102 ASSERT_THAT(params, IsOk());
103 EXPECT_THAT((*params)->HasIdRequirement(), test_case.id.has_value());
104
105 const AesGcmParameters* gcm_params =
106 dynamic_cast<const AesGcmParameters*>(params->get());
107 ASSERT_THAT(gcm_params, NotNull());
108 EXPECT_THAT(gcm_params->GetVariant(), Eq(test_case.variant));
109 EXPECT_THAT(gcm_params->KeySizeInBytes(), Eq(test_case.key_size));
110 EXPECT_THAT(gcm_params->IvSizeInBytes(), Eq(test_case.iv_size));
111 EXPECT_THAT(gcm_params->TagSizeInBytes(), Eq(test_case.tag_size));
112 }
113
TEST_F(AesGcmProtoSerializationTest,ParseParametersWithInvalidSerialization)114 TEST_F(AesGcmProtoSerializationTest, ParseParametersWithInvalidSerialization) {
115 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
116
117 AesGcmKeyFormat key_format_proto;
118 key_format_proto.set_version(0);
119 key_format_proto.set_key_size(16);
120
121 util::StatusOr<internal::ProtoParametersSerialization> serialization =
122 internal::ProtoParametersSerialization::Create(
123 "type.googleapis.com/google.crypto.tink.AesGcmKey",
124 OutputPrefixType::RAW, "invalid_serialization");
125 ASSERT_THAT(serialization, IsOk());
126
127 util::StatusOr<std::unique_ptr<Parameters>> params =
128 internal::MutableSerializationRegistry::GlobalInstance().ParseParameters(
129 *serialization);
130 EXPECT_THAT(params.status(), StatusIs(absl::StatusCode::kInvalidArgument));
131 }
132
TEST_F(AesGcmProtoSerializationTest,ParseParametersWithUnkownOutputPrefix)133 TEST_F(AesGcmProtoSerializationTest, ParseParametersWithUnkownOutputPrefix) {
134 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
135
136 AesGcmKeyFormat key_format_proto;
137 key_format_proto.set_version(0);
138 key_format_proto.set_key_size(16);
139
140 util::StatusOr<internal::ProtoParametersSerialization> serialization =
141 internal::ProtoParametersSerialization::Create(
142 "type.googleapis.com/google.crypto.tink.AesGcmKey",
143 OutputPrefixType::UNKNOWN_PREFIX,
144 key_format_proto.SerializeAsString());
145 ASSERT_THAT(serialization, IsOk());
146
147 util::StatusOr<std::unique_ptr<Parameters>> params =
148 internal::MutableSerializationRegistry::GlobalInstance().ParseParameters(
149 *serialization);
150 EXPECT_THAT(params.status(), StatusIs(absl::StatusCode::kInvalidArgument));
151 }
152
TEST_F(AesGcmProtoSerializationTest,ParseParametersWithInvalidVersion)153 TEST_F(AesGcmProtoSerializationTest, ParseParametersWithInvalidVersion) {
154 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
155
156 AesGcmKeyFormat key_format_proto;
157 key_format_proto.set_version(1);
158 key_format_proto.set_key_size(16);
159
160 util::StatusOr<internal::ProtoParametersSerialization> serialization =
161 internal::ProtoParametersSerialization::Create(
162 "type.googleapis.com/google.crypto.tink.AesGcmKey",
163 OutputPrefixType::RAW,
164 key_format_proto.SerializeAsString());
165 ASSERT_THAT(serialization, IsOk());
166
167 util::StatusOr<std::unique_ptr<Parameters>> params =
168 internal::MutableSerializationRegistry::GlobalInstance().ParseParameters(
169 *serialization);
170 EXPECT_THAT(params.status(), StatusIs(absl::StatusCode::kInvalidArgument));
171 }
172
TEST_P(AesGcmProtoSerializationTest,SerializeParameters)173 TEST_P(AesGcmProtoSerializationTest, SerializeParameters) {
174 TestCase test_case = GetParam();
175 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
176
177 util::StatusOr<AesGcmParameters> parameters =
178 AesGcmParameters::Builder()
179 .SetVariant(test_case.variant)
180 .SetKeySizeInBytes(test_case.key_size)
181 .SetIvSizeInBytes(test_case.iv_size)
182 .SetTagSizeInBytes(test_case.tag_size)
183 .Build();
184 ASSERT_THAT(parameters, IsOk());
185
186 util::StatusOr<std::unique_ptr<Serialization>> serialization =
187 internal::MutableSerializationRegistry::GlobalInstance()
188 .SerializeParameters<internal::ProtoParametersSerialization>(
189 *parameters);
190 ASSERT_THAT(serialization, IsOk());
191 EXPECT_THAT((*serialization)->ObjectIdentifier(),
192 Eq("type.googleapis.com/google.crypto.tink.AesGcmKey"));
193
194 const internal::ProtoParametersSerialization* proto_serialization =
195 dynamic_cast<const internal::ProtoParametersSerialization*>(
196 serialization->get());
197 ASSERT_THAT(proto_serialization, NotNull());
198 EXPECT_THAT(proto_serialization->GetKeyTemplate().type_url(),
199 Eq("type.googleapis.com/google.crypto.tink.AesGcmKey"));
200 EXPECT_THAT(proto_serialization->GetKeyTemplate().output_prefix_type(),
201 Eq(test_case.output_prefix_type));
202
203 AesGcmKeyFormat key_format;
204 ASSERT_THAT(
205 key_format.ParseFromString(proto_serialization->GetKeyTemplate().value()),
206 IsTrue());
207 EXPECT_THAT(key_format.key_size(), Eq(test_case.key_size));
208 }
209
TEST_F(AesGcmProtoSerializationTest,SerializeParametersWithDisallowedIvSize)210 TEST_F(AesGcmProtoSerializationTest, SerializeParametersWithDisallowedIvSize) {
211 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
212
213 util::StatusOr<AesGcmParameters> parameters =
214 AesGcmParameters::Builder()
215 .SetVariant(AesGcmParameters::Variant::kNoPrefix)
216 .SetKeySizeInBytes(16)
217 .SetIvSizeInBytes(14)
218 .SetTagSizeInBytes(16)
219 .Build();
220 ASSERT_THAT(parameters, IsOk());
221
222 util::StatusOr<std::unique_ptr<Serialization>> serialization =
223 internal::MutableSerializationRegistry::GlobalInstance()
224 .SerializeParameters<internal::ProtoParametersSerialization>(
225 *parameters);
226 EXPECT_THAT(serialization.status(),
227 StatusIs(absl::StatusCode::kInvalidArgument));
228 }
229
TEST_F(AesGcmProtoSerializationTest,SerializeParametersWithDisallowedTagSize)230 TEST_F(AesGcmProtoSerializationTest, SerializeParametersWithDisallowedTagSize) {
231 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
232
233 util::StatusOr<AesGcmParameters> parameters =
234 AesGcmParameters::Builder()
235 .SetVariant(AesGcmParameters::Variant::kNoPrefix)
236 .SetKeySizeInBytes(16)
237 .SetIvSizeInBytes(12)
238 .SetTagSizeInBytes(14)
239 .Build();
240 ASSERT_THAT(parameters, IsOk());
241
242 util::StatusOr<std::unique_ptr<Serialization>> serialization =
243 internal::MutableSerializationRegistry::GlobalInstance()
244 .SerializeParameters<internal::ProtoParametersSerialization>(
245 *parameters);
246 EXPECT_THAT(serialization.status(),
247 StatusIs(absl::StatusCode::kInvalidArgument));
248 }
249
TEST_P(AesGcmProtoSerializationTest,ParseKey)250 TEST_P(AesGcmProtoSerializationTest, ParseKey) {
251 TestCase test_case = GetParam();
252 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
253
254 std::string raw_key_bytes = Random::GetRandomBytes(test_case.key_size);
255 google::crypto::tink::AesGcmKey key_proto;
256 key_proto.set_version(0);
257 key_proto.set_key_value(raw_key_bytes);
258 RestrictedData serialized_key = RestrictedData(
259 key_proto.SerializeAsString(), InsecureSecretKeyAccess::Get());
260
261 util::StatusOr<internal::ProtoKeySerialization> serialization =
262 internal::ProtoKeySerialization::Create(
263 "type.googleapis.com/google.crypto.tink.AesGcmKey", serialized_key,
264 KeyData::SYMMETRIC, test_case.output_prefix_type, test_case.id);
265 ASSERT_THAT(serialization, IsOk());
266
267 util::StatusOr<std::unique_ptr<Key>> key =
268 internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
269 *serialization, InsecureSecretKeyAccess::Get());
270 ASSERT_THAT(key, IsOk());
271 EXPECT_THAT((*key)->GetIdRequirement(), Eq(test_case.id));
272 EXPECT_THAT((*key)->GetParameters().HasIdRequirement(),
273 test_case.id.has_value());
274
275 util::StatusOr<AesGcmParameters> expected_parameters =
276 AesGcmParameters::Builder()
277 .SetVariant(test_case.variant)
278 .SetKeySizeInBytes(test_case.key_size)
279 .SetIvSizeInBytes(test_case.iv_size)
280 .SetTagSizeInBytes(test_case.tag_size)
281 .Build();
282 ASSERT_THAT(expected_parameters, IsOk());
283
284 util::StatusOr<AesGcmKey> expected_key = AesGcmKey::Create(
285 *expected_parameters,
286 RestrictedData(raw_key_bytes, InsecureSecretKeyAccess::Get()),
287 test_case.id, GetPartialKeyAccess());
288 ASSERT_THAT(expected_key, IsOk());
289
290 EXPECT_THAT(**key, Eq(*expected_key));
291 }
292
TEST_F(AesGcmProtoSerializationTest,ParseLegacyKeyAsCrunchy)293 TEST_F(AesGcmProtoSerializationTest, ParseLegacyKeyAsCrunchy) {
294 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
295
296 std::string raw_key_bytes = Random::GetRandomBytes(32);
297 google::crypto::tink::AesGcmKey key_proto;
298 key_proto.set_version(0);
299 key_proto.set_key_value(raw_key_bytes);
300 RestrictedData serialized_key = RestrictedData(
301 key_proto.SerializeAsString(), InsecureSecretKeyAccess::Get());
302
303 util::StatusOr<internal::ProtoKeySerialization> serialization =
304 internal::ProtoKeySerialization::Create(
305 "type.googleapis.com/google.crypto.tink.AesGcmKey", serialized_key,
306 KeyData::SYMMETRIC, OutputPrefixType::LEGACY, /*id_requirement=*/123);
307 ASSERT_THAT(serialization, IsOk());
308
309 util::StatusOr<std::unique_ptr<Key>> key =
310 internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
311 *serialization, InsecureSecretKeyAccess::Get());
312 ASSERT_THAT(key, IsOk());
313
314 const AesGcmKey* aes_gcm_key = dynamic_cast<const AesGcmKey*>(key->get());
315 ASSERT_THAT(aes_gcm_key, NotNull());
316 EXPECT_THAT(aes_gcm_key->GetParameters().GetVariant(),
317 Eq(AesGcmParameters::Variant::kCrunchy));
318 }
319
TEST_F(AesGcmProtoSerializationTest,ParseKeyWithInvalidSerialization)320 TEST_F(AesGcmProtoSerializationTest, ParseKeyWithInvalidSerialization) {
321 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
322
323 RestrictedData serialized_key =
324 RestrictedData("invalid_serialization", InsecureSecretKeyAccess::Get());
325
326 util::StatusOr<internal::ProtoKeySerialization> serialization =
327 internal::ProtoKeySerialization::Create(
328 "type.googleapis.com/google.crypto.tink.AesGcmKey", serialized_key,
329 KeyData::SYMMETRIC, OutputPrefixType::TINK,
330 /*id_requirement=*/0x23456789);
331 ASSERT_THAT(serialization, IsOk());
332
333 util::StatusOr<std::unique_ptr<Key>> key =
334 internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
335 *serialization, InsecureSecretKeyAccess::Get());
336 EXPECT_THAT(key.status(), StatusIs(absl::StatusCode::kInvalidArgument));
337 }
338
TEST_F(AesGcmProtoSerializationTest,ParseKeyNoSecretKeyAccess)339 TEST_F(AesGcmProtoSerializationTest, ParseKeyNoSecretKeyAccess) {
340 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
341
342 std::string raw_key_bytes = Random::GetRandomBytes(16);
343 google::crypto::tink::AesGcmKey key_proto;
344 key_proto.set_version(0);
345 key_proto.set_key_value(raw_key_bytes);
346 RestrictedData serialized_key = RestrictedData(
347 key_proto.SerializeAsString(), InsecureSecretKeyAccess::Get());
348
349 util::StatusOr<internal::ProtoKeySerialization> serialization =
350 internal::ProtoKeySerialization::Create(
351 "type.googleapis.com/google.crypto.tink.AesGcmKey", serialized_key,
352 KeyData::SYMMETRIC, OutputPrefixType::TINK,
353 /*id_requirement=*/0x23456789);
354 ASSERT_THAT(serialization, IsOk());
355
356 util::StatusOr<std::unique_ptr<Key>> key =
357 internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
358 *serialization, /*token=*/absl::nullopt);
359 EXPECT_THAT(key.status(), StatusIs(absl::StatusCode::kInvalidArgument));
360 }
361
TEST_F(AesGcmProtoSerializationTest,ParseKeyWithInvalidVersion)362 TEST_F(AesGcmProtoSerializationTest, ParseKeyWithInvalidVersion) {
363 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
364
365 std::string raw_key_bytes = Random::GetRandomBytes(16);
366 google::crypto::tink::AesGcmKey key_proto;
367 key_proto.set_version(1); // Invalid version number.
368 key_proto.set_key_value(raw_key_bytes);
369 RestrictedData serialized_key = RestrictedData(
370 key_proto.SerializeAsString(), InsecureSecretKeyAccess::Get());
371
372 util::StatusOr<internal::ProtoKeySerialization> serialization =
373 internal::ProtoKeySerialization::Create(
374 "type.googleapis.com/google.crypto.tink.AesGcmKey", serialized_key,
375 KeyData::SYMMETRIC, OutputPrefixType::TINK,
376 /*id_requirement=*/0x23456789);
377 ASSERT_THAT(serialization, IsOk());
378
379 util::StatusOr<std::unique_ptr<Key>> key =
380 internal::MutableSerializationRegistry::GlobalInstance().ParseKey(
381 *serialization, InsecureSecretKeyAccess::Get());
382 EXPECT_THAT(key.status(), StatusIs(absl::StatusCode::kInvalidArgument));
383 }
384
TEST_P(AesGcmProtoSerializationTest,SerializeKey)385 TEST_P(AesGcmProtoSerializationTest, SerializeKey) {
386 TestCase test_case = GetParam();
387 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
388
389 util::StatusOr<AesGcmParameters> parameters =
390 AesGcmParameters::Builder()
391 .SetVariant(test_case.variant)
392 .SetKeySizeInBytes(test_case.key_size)
393 .SetIvSizeInBytes(test_case.iv_size)
394 .SetTagSizeInBytes(test_case.tag_size)
395 .Build();
396 ASSERT_THAT(parameters, IsOk());
397
398 std::string raw_key_bytes = Random::GetRandomBytes(test_case.key_size);
399 util::StatusOr<AesGcmKey> key = AesGcmKey::Create(
400 *parameters,
401 RestrictedData(raw_key_bytes, InsecureSecretKeyAccess::Get()),
402 test_case.id, GetPartialKeyAccess());
403 ASSERT_THAT(key, IsOk());
404
405 util::StatusOr<std::unique_ptr<Serialization>> serialization =
406 internal::MutableSerializationRegistry::GlobalInstance()
407 .SerializeKey<internal::ProtoKeySerialization>(
408 *key, InsecureSecretKeyAccess::Get());
409 ASSERT_THAT(serialization, IsOk());
410 EXPECT_THAT((*serialization)->ObjectIdentifier(),
411 Eq("type.googleapis.com/google.crypto.tink.AesGcmKey"));
412
413 const internal::ProtoKeySerialization* proto_serialization =
414 dynamic_cast<const internal::ProtoKeySerialization*>(
415 serialization->get());
416 ASSERT_THAT(proto_serialization, NotNull());
417 EXPECT_THAT(proto_serialization->TypeUrl(),
418 Eq("type.googleapis.com/google.crypto.tink.AesGcmKey"));
419 EXPECT_THAT(proto_serialization->KeyMaterialType(), Eq(KeyData::SYMMETRIC));
420 EXPECT_THAT(proto_serialization->GetOutputPrefixType(),
421 Eq(test_case.output_prefix_type));
422 EXPECT_THAT(proto_serialization->IdRequirement(), Eq(test_case.id));
423
424 google::crypto::tink::AesGcmKey proto_key;
425 // OSS proto library complains if input is not converted to a string.
426 ASSERT_THAT(proto_key.ParseFromString(std::string(
427 proto_serialization->SerializedKeyProto().GetSecret(
428 InsecureSecretKeyAccess::Get()))),
429 IsTrue());
430 EXPECT_THAT(proto_key.key_value().size(), Eq(test_case.key_size));
431 }
432
TEST_F(AesGcmProtoSerializationTest,SerializeKeyWithDisallowedIvSize)433 TEST_F(AesGcmProtoSerializationTest, SerializeKeyWithDisallowedIvSize) {
434 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
435
436 util::StatusOr<AesGcmParameters> parameters =
437 AesGcmParameters::Builder()
438 .SetVariant(AesGcmParameters::Variant::kNoPrefix)
439 .SetKeySizeInBytes(32)
440 .SetIvSizeInBytes(14)
441 .SetTagSizeInBytes(16)
442 .Build();
443 ASSERT_THAT(parameters, IsOk());
444
445 std::string raw_key_bytes = Random::GetRandomBytes(32);
446 util::StatusOr<AesGcmKey> key = AesGcmKey::Create(
447 *parameters,
448 RestrictedData(raw_key_bytes, InsecureSecretKeyAccess::Get()),
449 /*id_requirement=*/absl::nullopt, GetPartialKeyAccess());
450 ASSERT_THAT(key, IsOk());
451
452 util::StatusOr<std::unique_ptr<Serialization>> serialization =
453 internal::MutableSerializationRegistry::GlobalInstance()
454 .SerializeKey<internal::ProtoKeySerialization>(
455 *key, InsecureSecretKeyAccess::Get());
456 EXPECT_THAT(serialization.status(),
457 StatusIs(absl::StatusCode::kInvalidArgument));
458 }
459
TEST_F(AesGcmProtoSerializationTest,SerializeKeyWithDisallowedTagSize)460 TEST_F(AesGcmProtoSerializationTest, SerializeKeyWithDisallowedTagSize) {
461 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
462
463 util::StatusOr<AesGcmParameters> parameters =
464 AesGcmParameters::Builder()
465 .SetVariant(AesGcmParameters::Variant::kNoPrefix)
466 .SetKeySizeInBytes(32)
467 .SetIvSizeInBytes(12)
468 .SetTagSizeInBytes(14)
469 .Build();
470 ASSERT_THAT(parameters, IsOk());
471
472 std::string raw_key_bytes = Random::GetRandomBytes(32);
473 util::StatusOr<AesGcmKey> key = AesGcmKey::Create(
474 *parameters,
475 RestrictedData(raw_key_bytes, InsecureSecretKeyAccess::Get()),
476 /*id_requirement=*/absl::nullopt, GetPartialKeyAccess());
477 ASSERT_THAT(key, IsOk());
478
479 util::StatusOr<std::unique_ptr<Serialization>> serialization =
480 internal::MutableSerializationRegistry::GlobalInstance()
481 .SerializeKey<internal::ProtoKeySerialization>(
482 *key, InsecureSecretKeyAccess::Get());
483 EXPECT_THAT(serialization.status(),
484 StatusIs(absl::StatusCode::kInvalidArgument));
485 }
486
TEST_F(AesGcmProtoSerializationTest,SerializeKeyNoSecretKeyAccess)487 TEST_F(AesGcmProtoSerializationTest, SerializeKeyNoSecretKeyAccess) {
488 ASSERT_THAT(RegisterAesGcmProtoSerialization(), IsOk());
489
490 util::StatusOr<AesGcmParameters> parameters =
491 AesGcmParameters::Builder()
492 .SetVariant(AesGcmParameters::Variant::kNoPrefix)
493 .SetKeySizeInBytes(16)
494 .SetIvSizeInBytes(12)
495 .SetTagSizeInBytes(16)
496 .Build();
497 ASSERT_THAT(parameters, IsOk());
498
499 std::string raw_key_bytes = Random::GetRandomBytes(16);
500 util::StatusOr<AesGcmKey> key = AesGcmKey::Create(
501 *parameters,
502 RestrictedData(raw_key_bytes, InsecureSecretKeyAccess::Get()),
503 /*id_requirement=*/absl::nullopt, GetPartialKeyAccess());
504 ASSERT_THAT(key, IsOk());
505
506 util::StatusOr<std::unique_ptr<Serialization>> serialization =
507 internal::MutableSerializationRegistry::GlobalInstance()
508 .SerializeKey<internal::ProtoKeySerialization>(*key, absl::nullopt);
509 EXPECT_THAT(serialization.status(),
510 StatusIs(absl::StatusCode::kInvalidArgument));
511 }
512
513 } // namespace
514 } // namespace tink
515 } // namespace crypto
516