cc/internal/registry_impl_test.cc

*e7b1675dSTing-Kang Chang// Copyright 2017 Google Inc.
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Licensed under the Apache License, Version 2.0 (the "License");
*e7b1675dSTing-Kang Chang// you may not use this file except in compliance with the License.
*e7b1675dSTing-Kang Chang// You may obtain a copy of the License at
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang//      http://www.apache.org/licenses/LICENSE-2.0
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Unless required by applicable law or agreed to in writing, software
*e7b1675dSTing-Kang Chang// distributed under the License is distributed on an "AS IS" BASIS,
*e7b1675dSTing-Kang Chang// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*e7b1675dSTing-Kang Chang// See the License for the specific language governing permissions and
*e7b1675dSTing-Kang Chang// limitations under the License.
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang////////////////////////////////////////////////////////////////////////////////
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include "tink/internal/registry_impl.h"
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include <stdint.h>
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include <memory>
*e7b1675dSTing-Kang Chang#include <sstream>
*e7b1675dSTing-Kang Chang#include <string>
*e7b1675dSTing-Kang Chang#include <thread>  // NOLINT(build/c++11)
*e7b1675dSTing-Kang Chang#include <typeinfo>
*e7b1675dSTing-Kang Chang#include <utility>
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include "gmock/gmock.h"
*e7b1675dSTing-Kang Chang#include "gtest/gtest.h"
*e7b1675dSTing-Kang Chang#include "absl/memory/memory.h"
*e7b1675dSTing-Kang Chang#include "absl/status/status.h"
*e7b1675dSTing-Kang Chang#include "absl/status/statusor.h"
*e7b1675dSTing-Kang Chang#include "absl/strings/string_view.h"
*e7b1675dSTing-Kang Chang#include "openssl/crypto.h"
*e7b1675dSTing-Kang Chang#include "tink/aead.h"
*e7b1675dSTing-Kang Chang#include "tink/aead/aead_wrapper.h"
*e7b1675dSTing-Kang Chang#include "tink/aead/aes_gcm_key_manager.h"
*e7b1675dSTing-Kang Chang#include "tink/core/key_manager_impl.h"
*e7b1675dSTing-Kang Chang#include "tink/core/key_type_manager.h"
*e7b1675dSTing-Kang Chang#include "tink/core/private_key_manager_impl.h"
*e7b1675dSTing-Kang Chang#include "tink/core/private_key_type_manager.h"
*e7b1675dSTing-Kang Chang#include "tink/core/template_util.h"
*e7b1675dSTing-Kang Chang#include "tink/hybrid/ecies_aead_hkdf_private_key_manager.h"
*e7b1675dSTing-Kang Chang#include "tink/hybrid/ecies_aead_hkdf_public_key_manager.h"
*e7b1675dSTing-Kang Chang#include "tink/hybrid_decrypt.h"
*e7b1675dSTing-Kang Chang#include "tink/input_stream.h"
*e7b1675dSTing-Kang Chang#include "tink/internal/fips_utils.h"
*e7b1675dSTing-Kang Chang#include "tink/key_manager.h"
*e7b1675dSTing-Kang Chang#include "tink/mac.h"
*e7b1675dSTing-Kang Chang#include "tink/monitoring/monitoring_client_mocks.h"
*e7b1675dSTing-Kang Chang#include "tink/primitive_set.h"
*e7b1675dSTing-Kang Chang#include "tink/primitive_wrapper.h"
*e7b1675dSTing-Kang Chang#include "tink/registry.h"
*e7b1675dSTing-Kang Chang#include "tink/subtle/aes_gcm_boringssl.h"
*e7b1675dSTing-Kang Chang#include "tink/subtle/random.h"
*e7b1675dSTing-Kang Chang#include "tink/util/input_stream_util.h"
*e7b1675dSTing-Kang Chang#include "tink/util/istream_input_stream.h"
*e7b1675dSTing-Kang Chang#include "tink/util/protobuf_helper.h"
*e7b1675dSTing-Kang Chang#include "tink/util/secret_data.h"
*e7b1675dSTing-Kang Chang#include "tink/util/status.h"
*e7b1675dSTing-Kang Chang#include "tink/util/statusor.h"
*e7b1675dSTing-Kang Chang#include "tink/util/test_matchers.h"
*e7b1675dSTing-Kang Chang#include "tink/util/test_util.h"
*e7b1675dSTing-Kang Chang#include "proto/aes_ctr_hmac_aead.pb.h"
*e7b1675dSTing-Kang Chang#include "proto/aes_gcm.pb.h"
*e7b1675dSTing-Kang Chang#include "proto/common.pb.h"
*e7b1675dSTing-Kang Chang#include "proto/ecdsa.pb.h"
*e7b1675dSTing-Kang Chang#include "proto/ecies_aead_hkdf.pb.h"
*e7b1675dSTing-Kang Chang#include "proto/tink.pb.h"
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changnamespace crypto {
*e7b1675dSTing-Kang Changnamespace tink {
*e7b1675dSTing-Kang Changnamespace internal {
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changnamespace {
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changusing ::crypto::tink::test::AddLegacyKey;
*e7b1675dSTing-Kang Changusing ::crypto::tink::test::AddRawKey;
*e7b1675dSTing-Kang Changusing ::crypto::tink::test::AddTinkKey;
*e7b1675dSTing-Kang Changusing ::crypto::tink::test::DummyAead;
*e7b1675dSTing-Kang Changusing ::crypto::tink::test::IsOk;
*e7b1675dSTing-Kang Changusing ::crypto::tink::test::StatusIs;
*e7b1675dSTing-Kang Changusing ::crypto::tink::util::Status;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::AesCtrHmacAeadKey;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::AesGcmKey;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::AesGcmKeyFormat;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::EcdsaKeyFormat;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::EcdsaPrivateKey;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::EcdsaPublicKey;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::EcdsaSignatureEncoding;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::EcPointFormat;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::EllipticCurveType;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::HashType;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::KeyData;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::Keyset;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::KeysetInfo;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::KeyStatusType;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::KeyTemplate;
*e7b1675dSTing-Kang Changusing ::google::crypto::tink::OutputPrefixType;
*e7b1675dSTing-Kang Changusing ::portable_proto::MessageLite;
*e7b1675dSTing-Kang Changusing ::testing::Eq;
*e7b1675dSTing-Kang Changusing ::testing::HasSubstr;
*e7b1675dSTing-Kang Changusing ::testing::IsNull;
*e7b1675dSTing-Kang Changusing ::testing::Not;
*e7b1675dSTing-Kang Changusing ::testing::SizeIs;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changclass RegistryTest : public ::testing::Test {
*e7b1675dSTing-Kang Chang protected:
*e7b1675dSTing-Kang Chang  void SetUp() override { Registry::Reset(); }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  void TearDown() override {
*e7b1675dSTing-Kang Chang    // Reset is needed here to ensure Mock objects get deleted and do not leak.
*e7b1675dSTing-Kang Chang    Registry::Reset();
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changclass TestKeyFactory : public KeyFactory {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  explicit TestKeyFactory(const std::string& key_type) : key_type_(key_type) {}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  util::StatusOr<std::unique_ptr<portable_proto::MessageLite>> NewKey(
*e7b1675dSTing-Kang Chang      const MessageLite& key_format) const override {
*e7b1675dSTing-Kang Chang    return util::Status(absl::StatusCode::kUnknown,
*e7b1675dSTing-Kang Chang                        "TestKeyFactory cannot produce a key");
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  util::StatusOr<std::unique_ptr<portable_proto::MessageLite>> NewKey(
*e7b1675dSTing-Kang Chang      absl::string_view serialized_key_format) const override {
*e7b1675dSTing-Kang Chang    return util::Status(absl::StatusCode::kUnknown,
*e7b1675dSTing-Kang Chang                        "TestKeyFactory cannot produce a key");
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  util::StatusOr<std::unique_ptr<KeyData>> NewKeyData(
*e7b1675dSTing-Kang Chang      absl::string_view serialized_key_format) const override {
*e7b1675dSTing-Kang Chang    auto key_data = absl::make_unique<KeyData>();
*e7b1675dSTing-Kang Chang    key_data->set_type_url(key_type_);
*e7b1675dSTing-Kang Chang    key_data->set_value(std::string(serialized_key_format));
*e7b1675dSTing-Kang Chang    return std::move(key_data);
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang private:
*e7b1675dSTing-Kang Chang  std::string key_type_;
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changclass TestAeadKeyManager : public KeyManager<Aead> {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  explicit TestAeadKeyManager(const std::string& key_type)
*e7b1675dSTing-Kang Chang      : key_type_(key_type), key_factory_(key_type) {}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  util::StatusOr<std::unique_ptr<Aead>> GetPrimitive(
*e7b1675dSTing-Kang Chang      const KeyData& key) const override {
*e7b1675dSTing-Kang Chang    std::unique_ptr<Aead> aead(new DummyAead(key_type_));
*e7b1675dSTing-Kang Chang    return std::move(aead);
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  util::StatusOr<std::unique_ptr<Aead>> GetPrimitive(
*e7b1675dSTing-Kang Chang      const MessageLite& key) const override {
*e7b1675dSTing-Kang Chang    return util::Status(absl::StatusCode::kUnknown,
*e7b1675dSTing-Kang Chang                        "TestKeyFactory cannot construct an aead");
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  uint32_t get_version() const override { return 0; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  const std::string& get_key_type() const override { return key_type_; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  const KeyFactory& get_key_factory() const override { return key_factory_; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang private:
*e7b1675dSTing-Kang Chang  std::string key_type_;
*e7b1675dSTing-Kang Chang  TestKeyFactory key_factory_;
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// A class for testing. We will construct objects from an aead key, so that we
*e7b1675dSTing-Kang Chang// can check that a keymanager can handle multiple primitives. It is really
*e7b1675dSTing-Kang Chang// insecure, as it does nothing except provide access to the key.
*e7b1675dSTing-Kang Changclass AeadVariant {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  explicit AeadVariant(std::string s) : s_(s) {}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  std::string get() { return s_; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang private:
*e7b1675dSTing-Kang Chang  std::string s_;
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changclass ExampleKeyTypeManager : public KeyTypeManager<AesGcmKey, AesGcmKeyFormat,
*e7b1675dSTing-Kang Chang                                                    List<Aead, AeadVariant>> {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  class AeadFactory : public PrimitiveFactory<Aead> {
*e7b1675dSTing-Kang Chang   public:
*e7b1675dSTing-Kang Chang    crypto::tink::util::StatusOr<std::unique_ptr<Aead>> Create(
*e7b1675dSTing-Kang Chang        const AesGcmKey& key) const override {
*e7b1675dSTing-Kang Chang      // Ignore the key and returned one with a fixed size for this test.
*e7b1675dSTing-Kang Chang      return {subtle::AesGcmBoringSsl::New(
*e7b1675dSTing-Kang Chang          util::SecretDataFromStringView(key.key_value()))};
*e7b1675dSTing-Kang Chang    }
*e7b1675dSTing-Kang Chang  };
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  class AeadVariantFactory : public PrimitiveFactory<AeadVariant> {
*e7b1675dSTing-Kang Chang   public:
*e7b1675dSTing-Kang Chang    crypto::tink::util::StatusOr<std::unique_ptr<AeadVariant>> Create(
*e7b1675dSTing-Kang Chang        const AesGcmKey& key) const override {
*e7b1675dSTing-Kang Chang      return absl::make_unique<AeadVariant>(key.key_value());
*e7b1675dSTing-Kang Chang    }
*e7b1675dSTing-Kang Chang  };
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ExampleKeyTypeManager()
*e7b1675dSTing-Kang Chang      : KeyTypeManager(absl::make_unique<AeadFactory>(),
*e7b1675dSTing-Kang Chang                       absl::make_unique<AeadVariantFactory>()) {}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  google::crypto::tink::KeyData::KeyMaterialType key_material_type()
*e7b1675dSTing-Kang Chang      const override {
*e7b1675dSTing-Kang Chang    return google::crypto::tink::KeyData::SYMMETRIC;
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  uint32_t get_version() const override { return kVersion; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  const std::string& get_key_type() const override { return kKeyType; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::Status ValidateKey(const AesGcmKey& key) const override {
*e7b1675dSTing-Kang Chang    return util::OkStatus();
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::Status ValidateKeyFormat(
*e7b1675dSTing-Kang Chang      const AesGcmKeyFormat& key_format) const override {
*e7b1675dSTing-Kang Chang    return util::OkStatus();
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<AesGcmKey> CreateKey(
*e7b1675dSTing-Kang Chang      const AesGcmKeyFormat& key_format) const override {
*e7b1675dSTing-Kang Chang    AesGcmKey result;
*e7b1675dSTing-Kang Chang    result.set_key_value(subtle::Random::GetRandomBytes(key_format.key_size()));
*e7b1675dSTing-Kang Chang    return result;
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<AesGcmKey> DeriveKey(
*e7b1675dSTing-Kang Chang      const AesGcmKeyFormat& key_format,
*e7b1675dSTing-Kang Chang      InputStream* input_stream) const override {
*e7b1675dSTing-Kang Chang    // Note: in an actual key type manager we need to do more work, e.g., test
*e7b1675dSTing-Kang Chang    // that the generated key is long enough.
*e7b1675dSTing-Kang Chang    crypto::tink::util::StatusOr<std::string> randomness =
*e7b1675dSTing-Kang Chang        ReadBytesFromStream(key_format.key_size(), input_stream);
*e7b1675dSTing-Kang Chang    if (!randomness.status().ok()) {
*e7b1675dSTing-Kang Chang      return randomness.status();
*e7b1675dSTing-Kang Chang    }
*e7b1675dSTing-Kang Chang    AesGcmKey key;
*e7b1675dSTing-Kang Chang    key.set_key_value(randomness.value());
*e7b1675dSTing-Kang Chang    return key;
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  MOCK_METHOD(FipsCompatibility, FipsStatus, (), (const, override));
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang private:
*e7b1675dSTing-Kang Chang  static constexpr int kVersion = 0;
*e7b1675dSTing-Kang Chang  const std::string kKeyType =
*e7b1675dSTing-Kang Chang      "type.googleapis.com/google.crypto.tink.AesGcmKey";
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changtemplate <typename P, typename Q = P>
*e7b1675dSTing-Kang Changclass TestWrapper : public PrimitiveWrapper<P, Q> {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  TestWrapper() = default;
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<std::unique_ptr<Q>> Wrap(
*e7b1675dSTing-Kang Chang      std::unique_ptr<PrimitiveSet<P>> primitive_set) const override {
*e7b1675dSTing-Kang Chang    return util::Status(absl::StatusCode::kUnimplemented,
*e7b1675dSTing-Kang Chang                        "This is a test wrapper.");
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changclass AeadVariantWrapper : public PrimitiveWrapper<AeadVariant, AeadVariant> {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<std::unique_ptr<AeadVariant>> Wrap(
*e7b1675dSTing-Kang Chang      std::unique_ptr<PrimitiveSet<AeadVariant>> primitive_set) const override {
*e7b1675dSTing-Kang Chang    return absl::make_unique<AeadVariant>(
*e7b1675dSTing-Kang Chang        primitive_set->get_primary()->get_primitive().get());
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changclass AeadVariantToStringWrapper
*e7b1675dSTing-Kang Chang    : public PrimitiveWrapper<AeadVariant, std::string> {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<std::unique_ptr<std::string>> Wrap(
*e7b1675dSTing-Kang Chang      std::unique_ptr<PrimitiveSet<AeadVariant>> primitive_set) const override {
*e7b1675dSTing-Kang Chang    return absl::make_unique<std::string>(
*e7b1675dSTing-Kang Chang        primitive_set->get_primary()->get_primitive().get());
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changvoid register_test_managers(const std::string& key_type_prefix,
*e7b1675dSTing-Kang Chang                            int manager_count) {
*e7b1675dSTing-Kang Chang  for (int i = 0; i < manager_count; i++) {
*e7b1675dSTing-Kang Chang    std::string key_type = key_type_prefix + std::to_string(i);
*e7b1675dSTing-Kang Chang    util::Status status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang        absl::make_unique<TestAeadKeyManager>(key_type),
*e7b1675dSTing-Kang Chang        /* new_key_allowed= */ true);
*e7b1675dSTing-Kang Chang    EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changvoid verify_test_managers(const std::string& key_type_prefix,
*e7b1675dSTing-Kang Chang                          int manager_count) {
*e7b1675dSTing-Kang Chang  for (int i = 0; i < manager_count; i++) {
*e7b1675dSTing-Kang Chang    std::string key_type = key_type_prefix + std::to_string(i);
*e7b1675dSTing-Kang Chang    auto manager_result = Registry::get_key_manager<Aead>(key_type);
*e7b1675dSTing-Kang Chang    EXPECT_TRUE(manager_result.ok()) << manager_result.status();
*e7b1675dSTing-Kang Chang    auto manager = manager_result.value();
*e7b1675dSTing-Kang Chang    EXPECT_EQ(key_type, manager->get_key_type());
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, testRegisterKeyManagerMoreRestrictiveNewKeyAllowed) {
*e7b1675dSTing-Kang Chang  std::string key_type = "some_key_type";
*e7b1675dSTing-Kang Chang  KeyTemplate key_template;
*e7b1675dSTing-Kang Chang  key_template.set_type_url(key_type);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Register the key manager with new_key_allowed == true and verify that
*e7b1675dSTing-Kang Chang  // new key data can be created.
*e7b1675dSTing-Kang Chang  util::Status status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      absl::make_unique<TestAeadKeyManager>(key_type),
*e7b1675dSTing-Kang Chang      /* new_key_allowed= */ true);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto result_before = Registry::NewKeyData(key_template);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(result_before.ok()) << result_before.status();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Re-register the key manager with new_key_allowed == false and check the
*e7b1675dSTing-Kang Chang  // restriction (i.e. new key data cannot be created).
*e7b1675dSTing-Kang Chang  status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      absl::make_unique<TestAeadKeyManager>(key_type),
*e7b1675dSTing-Kang Chang      /* new_key_allowed= */ false);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto result_after = Registry::NewKeyData(key_template);
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(result_after.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kInvalidArgument, result_after.status().code());
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, key_type,
*e7b1675dSTing-Kang Chang                      std::string(result_after.status().message()));
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, "does not allow",
*e7b1675dSTing-Kang Chang                      std::string(result_after.status().message()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, testRegisterKeyManagerLessRestrictiveNewKeyAllowed) {
*e7b1675dSTing-Kang Chang  std::string key_type = "some_key_type";
*e7b1675dSTing-Kang Chang  KeyTemplate key_template;
*e7b1675dSTing-Kang Chang  key_template.set_type_url(key_type);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Register the key manager with new_key_allowed == false.
*e7b1675dSTing-Kang Chang  util::Status status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      absl::make_unique<TestAeadKeyManager>(key_type),
*e7b1675dSTing-Kang Chang      /* new_key_allowed= */ false);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Verify that re-registering the key manager with new_key_allowed == true is
*e7b1675dSTing-Kang Chang  // not possible and that the restriction still holds after that operation
*e7b1675dSTing-Kang Chang  // (i.e. new key data cannot be created).
*e7b1675dSTing-Kang Chang  status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      absl::make_unique<TestAeadKeyManager>(key_type),
*e7b1675dSTing-Kang Chang      /* new_key_allowed= */ true);
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(status.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kAlreadyExists, status.code()) << status;
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, key_type,
*e7b1675dSTing-Kang Chang                      std::string(status.message()))
*e7b1675dSTing-Kang Chang      << status;
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, "forbidden new key operation",
*e7b1675dSTing-Kang Chang                      std::string(status.message()))
*e7b1675dSTing-Kang Chang      << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto result_after = Registry::NewKeyData(key_template);
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(result_after.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kInvalidArgument, result_after.status().code());
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, key_type,
*e7b1675dSTing-Kang Chang                      std::string(result_after.status().message()));
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, "does not allow",
*e7b1675dSTing-Kang Chang                      std::string(result_after.status().message()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, testConcurrentRegistration) {
*e7b1675dSTing-Kang Chang  std::string key_type_prefix_a = "key_type_a_";
*e7b1675dSTing-Kang Chang  std::string key_type_prefix_b = "key_type_b_";
*e7b1675dSTing-Kang Chang  int count_a = 42;
*e7b1675dSTing-Kang Chang  int count_b = 72;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Register some managers.
*e7b1675dSTing-Kang Chang  std::thread register_a(register_test_managers, key_type_prefix_a, count_a);
*e7b1675dSTing-Kang Chang  std::thread register_b(register_test_managers, key_type_prefix_b, count_b);
*e7b1675dSTing-Kang Chang  register_a.join();
*e7b1675dSTing-Kang Chang  register_b.join();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Check that the managers were registered. Also, keep registering new
*e7b1675dSTing-Kang Chang  // versions while we check.
*e7b1675dSTing-Kang Chang  std::thread register_more_a(register_test_managers, key_type_prefix_a,
*e7b1675dSTing-Kang Chang                              count_a);
*e7b1675dSTing-Kang Chang  std::thread register_more_b(register_test_managers, key_type_prefix_b,
*e7b1675dSTing-Kang Chang                              count_b);
*e7b1675dSTing-Kang Chang  std::thread verify_a(verify_test_managers, key_type_prefix_a, count_a);
*e7b1675dSTing-Kang Chang  std::thread verify_b(verify_test_managers, key_type_prefix_b, count_b);
*e7b1675dSTing-Kang Chang  verify_a.join();
*e7b1675dSTing-Kang Chang  verify_b.join();
*e7b1675dSTing-Kang Chang  register_more_a.join();
*e7b1675dSTing-Kang Chang  register_more_b.join();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Check that there are no extra managers.
*e7b1675dSTing-Kang Chang  std::string key_type = key_type_prefix_a + std::to_string(count_a - 1);
*e7b1675dSTing-Kang Chang  auto manager_result = Registry::get_key_manager<Aead>(key_type);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(manager_result.ok()) << manager_result.status();
*e7b1675dSTing-Kang Chang  EXPECT_EQ(key_type, manager_result.value()->get_key_type());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  key_type = key_type_prefix_a + std::to_string(count_a);
*e7b1675dSTing-Kang Chang  manager_result = Registry::get_key_manager<Aead>(key_type);
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(manager_result.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kNotFound, manager_result.status().code());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, testBasic) {
*e7b1675dSTing-Kang Chang  std::string key_type_1 = "google.crypto.tink.AesCtrHmacAeadKey";
*e7b1675dSTing-Kang Chang  std::string key_type_2 = "google.crypto.tink.AesGcmKey";
*e7b1675dSTing-Kang Chang  auto manager_result = Registry::get_key_manager<Aead>(key_type_1);
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(manager_result.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kNotFound, manager_result.status().code());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      absl::make_unique<TestAeadKeyManager>(key_type_1), true);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      absl::make_unique<TestAeadKeyManager>(key_type_2), true);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  manager_result = Registry::get_key_manager<Aead>(key_type_1);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(manager_result.ok()) << manager_result.status();
*e7b1675dSTing-Kang Chang  auto manager = manager_result.value();
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(manager->DoesSupport(key_type_1));
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(manager->DoesSupport(key_type_2));
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  manager_result = Registry::get_key_manager<Aead>(key_type_2);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(manager_result.ok()) << manager_result.status();
*e7b1675dSTing-Kang Chang  manager = manager_result.value();
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(manager->DoesSupport(key_type_2));
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(manager->DoesSupport(key_type_1));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, testRegisterKeyManager) {
*e7b1675dSTing-Kang Chang  std::string key_type_1 = AesGcmKeyManager().get_key_type();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  std::unique_ptr<TestAeadKeyManager> null_key_manager = nullptr;
*e7b1675dSTing-Kang Chang  auto status = Registry::RegisterKeyManager(std::move(null_key_manager), true);
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(status.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kInvalidArgument, status.code()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Register a key manager.
*e7b1675dSTing-Kang Chang  status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      absl::make_unique<TestAeadKeyManager>(key_type_1), true);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Register the same key manager again, it should work (idempotence).
*e7b1675dSTing-Kang Chang  status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      absl::make_unique<TestAeadKeyManager>(key_type_1), true);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Try overriding a key manager.
*e7b1675dSTing-Kang Chang  AesGcmKeyManager key_type_manager;
*e7b1675dSTing-Kang Chang  status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      crypto::tink::internal::MakeKeyManager<Aead>(&key_type_manager), true);
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(status.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kAlreadyExists, status.code()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Check the key manager is still registered.
*e7b1675dSTing-Kang Chang  auto manager_result = Registry::get_key_manager<Aead>(key_type_1);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(manager_result.ok()) << manager_result.status();
*e7b1675dSTing-Kang Chang  auto manager = manager_result.value();
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(manager->DoesSupport(key_type_1));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that if we register a key manager once more after a call to
*e7b1675dSTing-Kang Chang// get_key_manager, the key manager previously obtained with "get_key_manager()"
*e7b1675dSTing-Kang Chang// remains valid.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, GetKeyManagerRemainsValid) {
*e7b1675dSTing-Kang Chang  std::string key_type = AesGcmKeyManager().get_key_type();
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestAeadKeyManager>(key_type), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<const KeyManager<Aead>*> key_manager =
*e7b1675dSTing-Kang Chang      Registry::get_key_manager<Aead>(key_type);
*e7b1675dSTing-Kang Chang  ASSERT_THAT(key_manager, IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestAeadKeyManager>(key_type), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(key_manager.value()->get_key_type(), Eq(key_type));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, testGettingPrimitives) {
*e7b1675dSTing-Kang Chang  std::string key_type_1 = "google.crypto.tink.AesCtrHmacAeadKey";
*e7b1675dSTing-Kang Chang  std::string key_type_2 = "google.crypto.tink.AesGcmKey";
*e7b1675dSTing-Kang Chang  AesCtrHmacAeadKey dummy_key_1;
*e7b1675dSTing-Kang Chang  AesGcmKey dummy_key_2;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Prepare keyset.
*e7b1675dSTing-Kang Chang  Keyset keyset;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  uint32_t key_id_1 = 1234543;
*e7b1675dSTing-Kang Chang  AddTinkKey(key_type_1, key_id_1, dummy_key_1, KeyStatusType::ENABLED,
*e7b1675dSTing-Kang Chang             KeyData::SYMMETRIC, &keyset);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  uint32_t key_id_2 = 726329;
*e7b1675dSTing-Kang Chang  AddTinkKey(key_type_2, key_id_2, dummy_key_2, KeyStatusType::DISABLED,
*e7b1675dSTing-Kang Chang             KeyData::SYMMETRIC, &keyset);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  uint32_t key_id_3 = 7213743;
*e7b1675dSTing-Kang Chang  AddLegacyKey(key_type_2, key_id_3, dummy_key_2, KeyStatusType::ENABLED,
*e7b1675dSTing-Kang Chang               KeyData::SYMMETRIC, &keyset);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  uint32_t key_id_4 = 6268492;
*e7b1675dSTing-Kang Chang  AddRawKey(key_type_1, key_id_4, dummy_key_1, KeyStatusType::ENABLED,
*e7b1675dSTing-Kang Chang            KeyData::SYMMETRIC, &keyset);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  uint32_t key_id_5 = 42;
*e7b1675dSTing-Kang Chang  AddRawKey(key_type_2, key_id_5, dummy_key_2, KeyStatusType::ENABLED,
*e7b1675dSTing-Kang Chang            KeyData::SYMMETRIC, &keyset);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  keyset.set_primary_key_id(key_id_3);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Register key managers.
*e7b1675dSTing-Kang Chang  util::Status status;
*e7b1675dSTing-Kang Chang  status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      absl::make_unique<TestAeadKeyManager>(key_type_1), true);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang  status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      absl::make_unique<TestAeadKeyManager>(key_type_2), true);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Get and use primitives.
*e7b1675dSTing-Kang Chang  std::string plaintext = "some data";
*e7b1675dSTing-Kang Chang  std::string aad = "aad";
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Key #1.
*e7b1675dSTing-Kang Chang  {
*e7b1675dSTing-Kang Chang    auto result = Registry::GetPrimitive<Aead>(keyset.key(0).key_data());
*e7b1675dSTing-Kang Chang    EXPECT_TRUE(result.ok()) << result.status();
*e7b1675dSTing-Kang Chang    auto aead = std::move(result.value());
*e7b1675dSTing-Kang Chang    EXPECT_EQ(DummyAead(key_type_1).Encrypt(plaintext, aad).value(),
*e7b1675dSTing-Kang Chang              aead->Encrypt(plaintext, aad).value());
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Key #3.
*e7b1675dSTing-Kang Chang  {
*e7b1675dSTing-Kang Chang    auto result = Registry::GetPrimitive<Aead>(keyset.key(2).key_data());
*e7b1675dSTing-Kang Chang    EXPECT_TRUE(result.ok()) << result.status();
*e7b1675dSTing-Kang Chang    auto aead = std::move(result.value());
*e7b1675dSTing-Kang Chang    EXPECT_EQ(DummyAead(key_type_2).Encrypt(plaintext, aad).value(),
*e7b1675dSTing-Kang Chang              aead->Encrypt(plaintext, aad).value());
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, testNewKeyData) {
*e7b1675dSTing-Kang Chang  std::string key_type_1 = "google.crypto.tink.AesCtrHmacAeadKey";
*e7b1675dSTing-Kang Chang  std::string key_type_2 = "google.crypto.tink.AesGcmKey";
*e7b1675dSTing-Kang Chang  std::string key_type_3 = "yet/another/keytype";
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Register key managers.
*e7b1675dSTing-Kang Chang  util::Status status;
*e7b1675dSTing-Kang Chang  status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      absl::make_unique<TestAeadKeyManager>(key_type_1),
*e7b1675dSTing-Kang Chang      /*new_key_allowed=*/true);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang  status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      absl::make_unique<TestAeadKeyManager>(key_type_2),
*e7b1675dSTing-Kang Chang      /*new_key_allowed=*/true);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang  status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      absl::make_unique<TestAeadKeyManager>(key_type_3),
*e7b1675dSTing-Kang Chang      /*new_key_allowed=*/false);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  {  // A supported key type.
*e7b1675dSTing-Kang Chang    KeyTemplate key_template;
*e7b1675dSTing-Kang Chang    key_template.set_type_url(key_type_1);
*e7b1675dSTing-Kang Chang    key_template.set_value("test value 42");
*e7b1675dSTing-Kang Chang    auto new_key_data_result = Registry::NewKeyData(key_template);
*e7b1675dSTing-Kang Chang    EXPECT_TRUE(new_key_data_result.ok()) << new_key_data_result.status();
*e7b1675dSTing-Kang Chang    EXPECT_EQ(key_type_1, new_key_data_result.value()->type_url());
*e7b1675dSTing-Kang Chang    EXPECT_EQ(key_template.value(), new_key_data_result.value()->value());
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  {  // Another supported key type.
*e7b1675dSTing-Kang Chang    KeyTemplate key_template;
*e7b1675dSTing-Kang Chang    key_template.set_type_url(key_type_2);
*e7b1675dSTing-Kang Chang    key_template.set_value("yet another test value 42");
*e7b1675dSTing-Kang Chang    auto new_key_data_result = Registry::NewKeyData(key_template);
*e7b1675dSTing-Kang Chang    EXPECT_TRUE(new_key_data_result.ok()) << new_key_data_result.status();
*e7b1675dSTing-Kang Chang    EXPECT_EQ(key_type_2, new_key_data_result.value()->type_url());
*e7b1675dSTing-Kang Chang    EXPECT_EQ(key_template.value(), new_key_data_result.value()->value());
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  {  // A key type that does not allow NewKey-operations.
*e7b1675dSTing-Kang Chang    KeyTemplate key_template;
*e7b1675dSTing-Kang Chang    key_template.set_type_url(key_type_3);
*e7b1675dSTing-Kang Chang    key_template.set_value("some other value 72");
*e7b1675dSTing-Kang Chang    auto new_key_data_result = Registry::NewKeyData(key_template);
*e7b1675dSTing-Kang Chang    EXPECT_FALSE(new_key_data_result.ok());
*e7b1675dSTing-Kang Chang    EXPECT_EQ(absl::StatusCode::kInvalidArgument,
*e7b1675dSTing-Kang Chang              new_key_data_result.status().code());
*e7b1675dSTing-Kang Chang    EXPECT_PRED_FORMAT2(testing::IsSubstring, key_type_3,
*e7b1675dSTing-Kang Chang                        std::string(new_key_data_result.status().message()));
*e7b1675dSTing-Kang Chang    EXPECT_PRED_FORMAT2(testing::IsSubstring, "does not allow",
*e7b1675dSTing-Kang Chang                        std::string(new_key_data_result.status().message()));
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  {  // A key type that is not supported.
*e7b1675dSTing-Kang Chang    KeyTemplate key_template;
*e7b1675dSTing-Kang Chang    std::string bad_type_url = "some key type that is not supported";
*e7b1675dSTing-Kang Chang    key_template.set_type_url(bad_type_url);
*e7b1675dSTing-Kang Chang    key_template.set_value("some totally other value 42");
*e7b1675dSTing-Kang Chang    auto new_key_data_result = Registry::NewKeyData(key_template);
*e7b1675dSTing-Kang Chang    EXPECT_FALSE(new_key_data_result.ok());
*e7b1675dSTing-Kang Chang    EXPECT_EQ(absl::StatusCode::kNotFound, new_key_data_result.status().code());
*e7b1675dSTing-Kang Chang    EXPECT_PRED_FORMAT2(testing::IsSubstring, bad_type_url,
*e7b1675dSTing-Kang Chang                        std::string(new_key_data_result.status().message()));
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, testGetPublicKeyData) {
*e7b1675dSTing-Kang Chang  // Setup the registry.
*e7b1675dSTing-Kang Chang  Registry::Reset();
*e7b1675dSTing-Kang Chang  auto private_key_type_manager =
*e7b1675dSTing-Kang Chang      absl::make_unique<EciesAeadHkdfPrivateKeyManager>();
*e7b1675dSTing-Kang Chang  auto public_key_type_manager =
*e7b1675dSTing-Kang Chang      absl::make_unique<EciesAeadHkdfPublicKeyManager>();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      internal::MakePrivateKeyManager<HybridDecrypt>(
*e7b1675dSTing-Kang Chang          private_key_type_manager.get(), public_key_type_manager.get()),
*e7b1675dSTing-Kang Chang      true);
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang  AesGcmKeyManager key_type_manager;
*e7b1675dSTing-Kang Chang  status = Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang      crypto::tink::internal::MakeKeyManager<Aead>(&key_type_manager), true);
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Get a test private key.
*e7b1675dSTing-Kang Chang  auto ecies_key = test::GetEciesAesGcmHkdfTestKey(
*e7b1675dSTing-Kang Chang      EllipticCurveType::NIST_P256, EcPointFormat::UNCOMPRESSED,
*e7b1675dSTing-Kang Chang      HashType::SHA256, /* aes_gcm_key_size= */ 24);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Extract public key data and check.
*e7b1675dSTing-Kang Chang  auto public_key_data_result = Registry::GetPublicKeyData(
*e7b1675dSTing-Kang Chang      EciesAeadHkdfPrivateKeyManager().get_key_type(),
*e7b1675dSTing-Kang Chang      ecies_key.SerializeAsString());
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(public_key_data_result.ok()) << public_key_data_result.status();
*e7b1675dSTing-Kang Chang  auto public_key_data = std::move(public_key_data_result.value());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(EciesAeadHkdfPublicKeyManager().get_key_type(),
*e7b1675dSTing-Kang Chang            public_key_data->type_url());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(KeyData::ASYMMETRIC_PUBLIC, public_key_data->key_material_type());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(ecies_key.public_key().SerializeAsString(),
*e7b1675dSTing-Kang Chang            public_key_data->value());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Try with a wrong key type.
*e7b1675dSTing-Kang Chang  auto wrong_key_type_result = Registry::GetPublicKeyData(
*e7b1675dSTing-Kang Chang      AesGcmKeyManager().get_key_type(), ecies_key.SerializeAsString());
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(wrong_key_type_result.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kInvalidArgument,
*e7b1675dSTing-Kang Chang            wrong_key_type_result.status().code());
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, "PrivateKeyFactory",
*e7b1675dSTing-Kang Chang                      std::string(wrong_key_type_result.status().message()));
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  // Try with a bad serialized key.
*e7b1675dSTing-Kang Chang  auto bad_key_result = Registry::GetPublicKeyData(
*e7b1675dSTing-Kang Chang      EciesAeadHkdfPrivateKeyManager().get_key_type(),
*e7b1675dSTing-Kang Chang      "some bad serialized key");
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(bad_key_result.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kInvalidArgument, bad_key_result.status().code());
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, "Could not parse",
*e7b1675dSTing-Kang Chang                      std::string(bad_key_result.status().message()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that if we register the same type of wrapper twice, the second call
*e7b1675dSTing-Kang Chang// succeeds.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterWrapperTwice) {
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(
*e7b1675dSTing-Kang Chang      Registry::RegisterPrimitiveWrapper(absl::make_unique<AeadWrapper>())
*e7b1675dSTing-Kang Chang          .ok());
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(
*e7b1675dSTing-Kang Chang      Registry::RegisterPrimitiveWrapper(absl::make_unique<AeadWrapper>())
*e7b1675dSTing-Kang Chang          .ok());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that if we register the same type of wrapper twice, the second call
*e7b1675dSTing-Kang Chang// succeeds.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterTransformingWrapperTwice) {
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(Registry::RegisterPrimitiveWrapper(
*e7b1675dSTing-Kang Chang                  absl::make_unique<AeadVariantToStringWrapper>())
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(Registry::RegisterPrimitiveWrapper(
*e7b1675dSTing-Kang Chang                  absl::make_unique<AeadVariantToStringWrapper>())
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Test that if we register a second wrapper, wrapping to the same type as a
*e7b1675dSTing-Kang Chang// previous wrapper it will fail.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterTransformingWrapperTwiceMixing) {
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(Registry::RegisterPrimitiveWrapper(
*e7b1675dSTing-Kang Chang                  absl::make_unique<AeadVariantToStringWrapper>())
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  // We cannot register a different wrapper creating a std::string.
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterPrimitiveWrapper(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestWrapper<std::string>>()),
*e7b1675dSTing-Kang Chang              Not(IsOk()));
*e7b1675dSTing-Kang Chang  // But one creating an Aead.
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterPrimitiveWrapper(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestWrapper<AeadVariant>>()),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Test that if we register a second wrapper, wrapping to the same type as a
*e7b1675dSTing-Kang Chang// previous wrapper it will fail (order swapped).
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterTransformingWrapperTwiceMixingBackwards) {
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterPrimitiveWrapper(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestWrapper<std::string>>()),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  // We cannot register another wrapper producing strings.
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterPrimitiveWrapper(
*e7b1675dSTing-Kang Chang                  absl::make_unique<AeadVariantToStringWrapper>()),
*e7b1675dSTing-Kang Chang              Not(IsOk()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that if we register different wrappers for the same primitive twice,
*e7b1675dSTing-Kang Chang// the second call fails.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterDifferentWrappers) {
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(
*e7b1675dSTing-Kang Chang      Registry::RegisterPrimitiveWrapper(absl::make_unique<AeadWrapper>())
*e7b1675dSTing-Kang Chang          .ok());
*e7b1675dSTing-Kang Chang  util::Status result = Registry::RegisterPrimitiveWrapper(
*e7b1675dSTing-Kang Chang      absl::make_unique<TestWrapper<Aead>>());
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(result.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kAlreadyExists, result.code());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that if we register different wrappers for different primitives, this
*e7b1675dSTing-Kang Chang// returns ok.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterDifferentWrappersDifferentPrimitives) {
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(
*e7b1675dSTing-Kang Chang      Registry::RegisterPrimitiveWrapper(absl::make_unique<TestWrapper<Aead>>())
*e7b1675dSTing-Kang Chang          .ok());
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(
*e7b1675dSTing-Kang Chang      Registry::RegisterPrimitiveWrapper(absl::make_unique<TestWrapper<Mac>>())
*e7b1675dSTing-Kang Chang          .ok());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that if we do not register a wrapper, then calls to Wrap
*e7b1675dSTing-Kang Chang// fail with "No wrapper registered" -- even if there is a wrapper for a
*e7b1675dSTing-Kang Chang// different primitive registered.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, NoWrapperRegistered) {
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(
*e7b1675dSTing-Kang Chang      Registry::RegisterPrimitiveWrapper(absl::make_unique<TestWrapper<Mac>>())
*e7b1675dSTing-Kang Chang          .ok());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<std::unique_ptr<Aead>> result =
*e7b1675dSTing-Kang Chang      Registry::Wrap<Aead>(absl::make_unique<PrimitiveSet<Aead>>());
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(result.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kNotFound, result.status().code());
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, "No wrapper registered",
*e7b1675dSTing-Kang Chang                      std::string(result.status().message()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that if the wrapper fails, the error of the wrapped is forwarded
*e7b1675dSTing-Kang Chang// in GetWrappedPrimitive.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, WrapperFails) {
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(
*e7b1675dSTing-Kang Chang      Registry::RegisterPrimitiveWrapper(absl::make_unique<TestWrapper<Aead>>())
*e7b1675dSTing-Kang Chang          .ok());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<std::unique_ptr<Aead>> result =
*e7b1675dSTing-Kang Chang      Registry::Wrap<Aead>(absl::make_unique<PrimitiveSet<Aead>>());
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(result.ok());
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, "This is a test wrapper",
*e7b1675dSTing-Kang Chang                      std::string(result.status().message()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that wrapping works as expected in the usual case.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, UsualWrappingTest) {
*e7b1675dSTing-Kang Chang  KeysetInfo keyset_info;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  keyset_info.add_key_info();
*e7b1675dSTing-Kang Chang  keyset_info.mutable_key_info(0)->set_output_prefix_type(
*e7b1675dSTing-Kang Chang      OutputPrefixType::TINK);
*e7b1675dSTing-Kang Chang  keyset_info.mutable_key_info(0)->set_key_id(1234543);
*e7b1675dSTing-Kang Chang  keyset_info.mutable_key_info(0)->set_status(KeyStatusType::ENABLED);
*e7b1675dSTing-Kang Chang  keyset_info.add_key_info();
*e7b1675dSTing-Kang Chang  keyset_info.mutable_key_info(1)->set_output_prefix_type(
*e7b1675dSTing-Kang Chang      OutputPrefixType::LEGACY);
*e7b1675dSTing-Kang Chang  keyset_info.mutable_key_info(1)->set_key_id(726329);
*e7b1675dSTing-Kang Chang  keyset_info.mutable_key_info(1)->set_status(KeyStatusType::ENABLED);
*e7b1675dSTing-Kang Chang  keyset_info.add_key_info();
*e7b1675dSTing-Kang Chang  keyset_info.mutable_key_info(2)->set_output_prefix_type(
*e7b1675dSTing-Kang Chang      OutputPrefixType::TINK);
*e7b1675dSTing-Kang Chang  keyset_info.mutable_key_info(2)->set_key_id(7213743);
*e7b1675dSTing-Kang Chang  keyset_info.mutable_key_info(2)->set_status(KeyStatusType::ENABLED);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto primitive_set = absl::make_unique<PrimitiveSet<Aead>>();
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(primitive_set
*e7b1675dSTing-Kang Chang                  ->AddPrimitive(absl::make_unique<DummyAead>("aead0"),
*e7b1675dSTing-Kang Chang                                 keyset_info.key_info(0))
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(primitive_set
*e7b1675dSTing-Kang Chang                  ->AddPrimitive(absl::make_unique<DummyAead>("aead1"),
*e7b1675dSTing-Kang Chang                                 keyset_info.key_info(1))
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  auto entry_result = primitive_set->AddPrimitive(
*e7b1675dSTing-Kang Chang      absl::make_unique<DummyAead>("primary_aead"), keyset_info.key_info(2));
*e7b1675dSTing-Kang Chang  ASSERT_THAT(primitive_set->set_primary(entry_result.value()), IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(
*e7b1675dSTing-Kang Chang      Registry::RegisterPrimitiveWrapper(absl::make_unique<AeadWrapper>())
*e7b1675dSTing-Kang Chang          .ok());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto aead_result = Registry::Wrap<Aead>(std::move(primitive_set));
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(aead_result.ok()) << aead_result.status();
*e7b1675dSTing-Kang Chang  std::unique_ptr<Aead> aead = std::move(aead_result.value());
*e7b1675dSTing-Kang Chang  std::string plaintext = "some_plaintext";
*e7b1675dSTing-Kang Chang  std::string aad = "some_aad";
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto encrypt_result = aead->Encrypt(plaintext, aad);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(encrypt_result.ok()) << encrypt_result.status();
*e7b1675dSTing-Kang Chang  std::string ciphertext = encrypt_result.value();
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, "primary_aead", ciphertext);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto decrypt_result = aead->Decrypt(ciphertext, aad);
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(decrypt_result.ok()) << decrypt_result.status();
*e7b1675dSTing-Kang Chang  EXPECT_EQ(plaintext, decrypt_result.value());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  decrypt_result = aead->Decrypt("some bad ciphertext", aad);
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(decrypt_result.ok());
*e7b1675dSTing-Kang Chang  EXPECT_EQ(absl::StatusCode::kInvalidArgument, decrypt_result.status().code());
*e7b1675dSTing-Kang Chang  EXPECT_PRED_FORMAT2(testing::IsSubstring, "decryption failed",
*e7b1675dSTing-Kang Chang                      std::string(decrypt_result.status().message()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changstd::string AddAesGcmKey(uint32_t key_id, OutputPrefixType output_prefix_type,
*e7b1675dSTing-Kang Chang                         KeyStatusType key_status_type,
*e7b1675dSTing-Kang Chang                         Keyset& modified_keyset) {
*e7b1675dSTing-Kang Chang  AesGcmKey key;
*e7b1675dSTing-Kang Chang  key.set_version(0);
*e7b1675dSTing-Kang Chang  key.set_key_value(subtle::Random::GetRandomBytes(16));
*e7b1675dSTing-Kang Chang  KeyData key_data;
*e7b1675dSTing-Kang Chang  key_data.set_value(key.SerializeAsString());
*e7b1675dSTing-Kang Chang  key_data.set_type_url("type.googleapis.com/google.crypto.tink.AesGcmKey");
*e7b1675dSTing-Kang Chang  test::AddKeyData(key_data, key_id, output_prefix_type, key_status_type,
*e7b1675dSTing-Kang Chang                   &modified_keyset);
*e7b1675dSTing-Kang Chang  return key.key_value();
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that wrapping of a keyset works in the usual case.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, KeysetWrappingTest) {
*e7b1675dSTing-Kang Chang  if (!IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported when BoringSSL is not built in FIPS-mode.";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  Keyset keyset;
*e7b1675dSTing-Kang Chang  std::string raw_key =
*e7b1675dSTing-Kang Chang      AddAesGcmKey(13, OutputPrefixType::TINK, KeyStatusType::ENABLED, keyset);
*e7b1675dSTing-Kang Chang  keyset.set_primary_key_id(13);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto fips_key_manager = absl::make_unique<ExampleKeyTypeManager>();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ON_CALL(*fips_key_manager, FipsStatus())
*e7b1675dSTing-Kang Chang      .WillByDefault(testing::Return(FipsCompatibility::kRequiresBoringCrypto));
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_THAT(
*e7b1675dSTing-Kang Chang      Registry::RegisterKeyTypeManager(std::move(fips_key_manager), true),
*e7b1675dSTing-Kang Chang      IsOk());
*e7b1675dSTing-Kang Chang  ASSERT_THAT(Registry::RegisterPrimitiveWrapper(
*e7b1675dSTing-Kang Chang                  absl::make_unique<AeadVariantWrapper>()),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<std::unique_ptr<AeadVariant>> aead_variant =
*e7b1675dSTing-Kang Chang      RegistryImpl::GlobalInstance().WrapKeyset<AeadVariant>(
*e7b1675dSTing-Kang Chang          keyset, /*annotations=*/{});
*e7b1675dSTing-Kang Chang  EXPECT_THAT(aead_variant, IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(aead_variant.value()->get(), Eq(raw_key));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that wrapping of a keyset works.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, TransformingKeysetWrappingTest) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  Keyset keyset;
*e7b1675dSTing-Kang Chang  std::string raw_key =
*e7b1675dSTing-Kang Chang      AddAesGcmKey(13, OutputPrefixType::TINK, KeyStatusType::ENABLED, keyset);
*e7b1675dSTing-Kang Chang  keyset.set_primary_key_id(13);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  ASSERT_THAT(Registry::RegisterPrimitiveWrapper(
*e7b1675dSTing-Kang Chang                  absl::make_unique<AeadVariantToStringWrapper>()),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<std::unique_ptr<std::string>> string_primitive =
*e7b1675dSTing-Kang Chang      RegistryImpl::GlobalInstance().WrapKeyset<std::string>(
*e7b1675dSTing-Kang Chang          keyset, /*annotations=*/{});
*e7b1675dSTing-Kang Chang  EXPECT_THAT(string_primitive, IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(*string_primitive.value(), Eq(raw_key));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that when we ask the registry to wrap a PrimitiveSet<Aead> into an
*e7b1675dSTing-Kang Chang// Aead, but the wrapper is in fact from something else into Aead, we give a
*e7b1675dSTing-Kang Chang// correct error message.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, TransformingPrimitiveWrapperCustomKeyManager) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  // Register a transforming wrapper taking strings and making Aeads.
*e7b1675dSTing-Kang Chang  ASSERT_THAT(Registry::RegisterPrimitiveWrapper(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestWrapper<std::string, Aead>>()),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  KeysetInfo keyset_info;
*e7b1675dSTing-Kang Chang  keyset_info.add_key_info();
*e7b1675dSTing-Kang Chang  keyset_info.mutable_key_info(0)->set_output_prefix_type(
*e7b1675dSTing-Kang Chang      OutputPrefixType::TINK);
*e7b1675dSTing-Kang Chang  keyset_info.mutable_key_info(0)->set_key_id(1234543);
*e7b1675dSTing-Kang Chang  keyset_info.mutable_key_info(0)->set_status(KeyStatusType::ENABLED);
*e7b1675dSTing-Kang Chang  keyset_info.set_primary_key_id(1234543);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto primitive_set = absl::make_unique<PrimitiveSet<Aead>>();
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(primitive_set
*e7b1675dSTing-Kang Chang                  ->AddPrimitive(absl::make_unique<DummyAead>("aead0"),
*e7b1675dSTing-Kang Chang                                 keyset_info.key_info(0))
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::Wrap<Aead>(std::move(primitive_set)).status(),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kFailedPrecondition,
*e7b1675dSTing-Kang Chang                       HasSubstr("custom key manager")));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that the error message in GetKeyManager contains the type_id.name() of
*e7b1675dSTing-Kang Chang// the primitive for which the key manager was actually registered.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, GetKeyManagerErrorMessage) {
*e7b1675dSTing-Kang Chang  AesGcmKeyManager key_type_manager;
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(
*e7b1675dSTing-Kang Chang      Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang          crypto::tink::internal::MakeKeyManager<Aead>(&key_type_manager), true)
*e7b1675dSTing-Kang Chang          .ok());
*e7b1675dSTing-Kang Chang  auto result =
*e7b1675dSTing-Kang Chang      Registry::get_key_manager<int>(AesGcmKeyManager().get_key_type());
*e7b1675dSTing-Kang Chang  EXPECT_FALSE(result.ok());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(std::string(result.status().message()),
*e7b1675dSTing-Kang Chang              HasSubstr(AesGcmKeyManager().get_key_type()));
*e7b1675dSTing-Kang Chang  // Note: The C++ standard does not guarantee the next line.  If some toolchain
*e7b1675dSTing-Kang Chang  // update fails it, one can delete it.
*e7b1675dSTing-Kang Chang  EXPECT_THAT(std::string(result.status().message()),
*e7b1675dSTing-Kang Chang              HasSubstr(typeid(Aead).name()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterKeyTypeManager) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterFipsKeyTypeManager) {
*e7b1675dSTing-Kang Chang  if (!kUseOnlyFips || !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Only supported in FIPS-mode with BoringCrypto available.";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto fips_key_manager = absl::make_unique<ExampleKeyTypeManager>();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ON_CALL(*fips_key_manager, FipsStatus())
*e7b1675dSTing-Kang Chang      .WillByDefault(testing::Return(FipsCompatibility::kRequiresBoringCrypto));
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(
*e7b1675dSTing-Kang Chang      Registry::RegisterKeyTypeManager(std::move(fips_key_manager), true),
*e7b1675dSTing-Kang Chang      IsOk());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterFipsKeyTypeManagerNoBoringCrypto) {
*e7b1675dSTing-Kang Chang  if (!kUseOnlyFips || IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP()
*e7b1675dSTing-Kang Chang        << "Only supported in FIPS-mode with BoringCrypto not available.";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto fips_key_manager = absl::make_unique<ExampleKeyTypeManager>();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ON_CALL(*fips_key_manager, FipsStatus())
*e7b1675dSTing-Kang Chang      .WillByDefault(testing::Return(FipsCompatibility::kNotFips));
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(
*e7b1675dSTing-Kang Chang      Registry::RegisterKeyTypeManager(std::move(fips_key_manager), true),
*e7b1675dSTing-Kang Chang      StatusIs(absl::StatusCode::kInternal));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, KeyTypeManagerGetFirstKeyManager) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  AesGcmKeyFormat format;
*e7b1675dSTing-Kang Chang  format.set_key_size(16);
*e7b1675dSTing-Kang Chang  AesGcmKey key = ExampleKeyTypeManager().CreateKey(format).value();
*e7b1675dSTing-Kang Chang  auto aead = Registry::get_key_manager<Aead>(
*e7b1675dSTing-Kang Chang                  "type.googleapis.com/google.crypto.tink.AesGcmKey")
*e7b1675dSTing-Kang Chang                  .value()
*e7b1675dSTing-Kang Chang                  ->GetPrimitive(key)
*e7b1675dSTing-Kang Chang                  .value();
*e7b1675dSTing-Kang Chang  std::string encryption = aead->Encrypt("TESTMESSAGE", "").value();
*e7b1675dSTing-Kang Chang  std::string decryption = aead->Decrypt(encryption, "").value();
*e7b1675dSTing-Kang Chang  EXPECT_THAT(decryption, Eq("TESTMESSAGE"));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, KeyTypeManagerGetSecondKeyManager) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  AesGcmKeyFormat format;
*e7b1675dSTing-Kang Chang  format.set_key_size(16);
*e7b1675dSTing-Kang Chang  AesGcmKey key = ExampleKeyTypeManager().CreateKey(format).value();
*e7b1675dSTing-Kang Chang  auto aead_variant = Registry::get_key_manager<AeadVariant>(
*e7b1675dSTing-Kang Chang                          "type.googleapis.com/google.crypto.tink.AesGcmKey")
*e7b1675dSTing-Kang Chang                          .value()
*e7b1675dSTing-Kang Chang                          ->GetPrimitive(key)
*e7b1675dSTing-Kang Chang                          .value();
*e7b1675dSTing-Kang Chang  EXPECT_THAT(aead_variant->get(), Eq(key.key_value()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, KeyTypeManagerNotSupportedPrimitive) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::get_key_manager<Mac>(
*e7b1675dSTing-Kang Chang                  "type.googleapis.com/google.crypto.tink.AesGcmKey")
*e7b1675dSTing-Kang Chang                  .status(),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kInvalidArgument,
*e7b1675dSTing-Kang Chang                       HasSubstr("not among supported primitives")));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that if we register a key manager once more after a call to
*e7b1675dSTing-Kang Chang// get_key_manager, the key manager previously obtained with "get_key_manager()"
*e7b1675dSTing-Kang Chang// remains valid.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, GetKeyManagerRemainsValidForKeyTypeManagers) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<const KeyManager<Aead>*> key_manager =
*e7b1675dSTing-Kang Chang      Registry::get_key_manager<Aead>(ExampleKeyTypeManager().get_key_type());
*e7b1675dSTing-Kang Chang  ASSERT_THAT(key_manager, IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(key_manager.value()->get_key_type(),
*e7b1675dSTing-Kang Chang              Eq(ExampleKeyTypeManager().get_key_type()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, KeyTypeManagerNewKey) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  AesGcmKeyFormat format;
*e7b1675dSTing-Kang Chang  format.set_key_size(32);
*e7b1675dSTing-Kang Chang  KeyTemplate key_template;
*e7b1675dSTing-Kang Chang  key_template.set_type_url("type.googleapis.com/google.crypto.tink.AesGcmKey");
*e7b1675dSTing-Kang Chang  key_template.set_value(format.SerializeAsString());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  KeyData key_data = *Registry::NewKeyData(key_template).value();
*e7b1675dSTing-Kang Chang  EXPECT_THAT(key_data.type_url(),
*e7b1675dSTing-Kang Chang              Eq("type.googleapis.com/google.crypto.tink.AesGcmKey"));
*e7b1675dSTing-Kang Chang  EXPECT_THAT(key_data.key_material_type(),
*e7b1675dSTing-Kang Chang              Eq(google::crypto::tink::KeyData::SYMMETRIC));
*e7b1675dSTing-Kang Chang  AesGcmKey key;
*e7b1675dSTing-Kang Chang  key.ParseFromString(key_data.value());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(key.key_value(), SizeIs(32));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, KeyTypeManagerNewKeyInvalidSize) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  AesGcmKeyFormat format;
*e7b1675dSTing-Kang Chang  format.set_key_size(33);
*e7b1675dSTing-Kang Chang  KeyTemplate key_template;
*e7b1675dSTing-Kang Chang  key_template.set_type_url("type.googleapis.com/google.crypto.tink.AesGcmKey");
*e7b1675dSTing-Kang Chang  key_template.set_value(format.SerializeAsString());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::NewKeyData(key_template), IsOk());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, KeyTypeManagerDeriveKey) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  AesGcmKeyFormat format;
*e7b1675dSTing-Kang Chang  format.set_key_size(32);
*e7b1675dSTing-Kang Chang  KeyTemplate key_template;
*e7b1675dSTing-Kang Chang  key_template.set_type_url("type.googleapis.com/google.crypto.tink.AesGcmKey");
*e7b1675dSTing-Kang Chang  key_template.set_value(format.SerializeAsString());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::IstreamInputStream input_stream{
*e7b1675dSTing-Kang Chang      absl::make_unique<std::stringstream>(
*e7b1675dSTing-Kang Chang          "0123456789012345678901234567890123456789")};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto key_data_or =
*e7b1675dSTing-Kang Chang      RegistryImpl::GlobalInstance().DeriveKey(key_template, &input_stream);
*e7b1675dSTing-Kang Chang  ASSERT_THAT(key_data_or, IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(key_data_or.value().type_url(), Eq(key_template.type_url()));
*e7b1675dSTing-Kang Chang  AesGcmKey key;
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(key.ParseFromString(key_data_or.value().value()));
*e7b1675dSTing-Kang Chang  // 32 byte prefix of above string.
*e7b1675dSTing-Kang Chang  EXPECT_THAT(key.key_value(), Eq("01234567890123456789012345678901"));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// The same, but we register the key manager twice. This should catch some of
*e7b1675dSTing-Kang Chang// the possible lifetime issues.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, KeyTypeManagerDeriveKeyRegisterTwice) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  AesGcmKeyFormat format;
*e7b1675dSTing-Kang Chang  format.set_key_size(32);
*e7b1675dSTing-Kang Chang  KeyTemplate key_template;
*e7b1675dSTing-Kang Chang  key_template.set_type_url("type.googleapis.com/google.crypto.tink.AesGcmKey");
*e7b1675dSTing-Kang Chang  key_template.set_value(format.SerializeAsString());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::IstreamInputStream input_stream{
*e7b1675dSTing-Kang Chang      absl::make_unique<std::stringstream>(
*e7b1675dSTing-Kang Chang          "0123456789012345678901234567890123456789")};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto key_data_or =
*e7b1675dSTing-Kang Chang      RegistryImpl::GlobalInstance().DeriveKey(key_template, &input_stream);
*e7b1675dSTing-Kang Chang  ASSERT_THAT(key_data_or, IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(key_data_or.value().type_url(), Eq(key_template.type_url()));
*e7b1675dSTing-Kang Chang  AesGcmKey key;
*e7b1675dSTing-Kang Chang  EXPECT_TRUE(key.ParseFromString(key_data_or.value().value()));
*e7b1675dSTing-Kang Chang  // 32 byte prefix of above string.
*e7b1675dSTing-Kang Chang  EXPECT_THAT(key.key_value(), Eq("01234567890123456789012345678901"));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that if we register a KeyManager instead of a KeyTypeManager, DeriveKey
*e7b1675dSTing-Kang Chang// fails properly.
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, KeyManagerDeriveKeyFail) {
*e7b1675dSTing-Kang Chang  std::string key_type = "type.googleapis.com/google.crypto.tink.AesGcmKey";
*e7b1675dSTing-Kang Chang  ASSERT_THAT(Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestAeadKeyManager>(key_type),
*e7b1675dSTing-Kang Chang                  /* new_key_allowed= */ true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  KeyTemplate key_template;
*e7b1675dSTing-Kang Chang  key_template.set_type_url("type.googleapis.com/google.crypto.tink.AesGcmKey");
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(
*e7b1675dSTing-Kang Chang      RegistryImpl::GlobalInstance().DeriveKey(key_template, nullptr).status(),
*e7b1675dSTing-Kang Chang      StatusIs(absl::StatusCode::kInvalidArgument, HasSubstr("cannot derive")));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, KeyManagerDeriveNotRegistered) {
*e7b1675dSTing-Kang Chang  KeyTemplate key_template;
*e7b1675dSTing-Kang Chang  key_template.set_type_url("some_inexistent_keytype");
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(
*e7b1675dSTing-Kang Chang      RegistryImpl::GlobalInstance().DeriveKey(key_template, nullptr).status(),
*e7b1675dSTing-Kang Chang      StatusIs(absl::StatusCode::kNotFound, HasSubstr("No manager")));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterKeyTypeManagerTwiceMoreRestrictive) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), false),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterKeyTypeManagerTwice) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), false),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), false),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterKeyTypeManagerLessRestrictive) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), false),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kAlreadyExists));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterKeyTypeManagerBeforeKeyManager) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestAeadKeyManager>(
*e7b1675dSTing-Kang Chang                      "type.googleapis.com/google.crypto.tink.AesGcmKey"),
*e7b1675dSTing-Kang Chang                  true),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kAlreadyExists));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterKeyTypeManagerAfterKeyManager) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestAeadKeyManager>(
*e7b1675dSTing-Kang Chang                      "type.googleapis.com/google.crypto.tink.AesGcmKey"),
*e7b1675dSTing-Kang Chang                  true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<ExampleKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kAlreadyExists));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang}  // namespace
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// NOTE: These are outside of the anonymous namespace to allow compiling with
*e7b1675dSTing-Kang Chang// MSVC.
*e7b1675dSTing-Kang Changclass PrivatePrimitiveA {};
*e7b1675dSTing-Kang Changclass PrivatePrimitiveB {};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changnamespace {
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changclass TestPrivateKeyTypeManager
*e7b1675dSTing-Kang Chang    : public PrivateKeyTypeManager<EcdsaPrivateKey, EcdsaKeyFormat,
*e7b1675dSTing-Kang Chang                                   EcdsaPublicKey,
*e7b1675dSTing-Kang Chang                                   List<PrivatePrimitiveA, PrivatePrimitiveB>> {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  class PrivatePrimitiveAFactory : public PrimitiveFactory<PrivatePrimitiveA> {
*e7b1675dSTing-Kang Chang   public:
*e7b1675dSTing-Kang Chang    crypto::tink::util::StatusOr<std::unique_ptr<PrivatePrimitiveA>> Create(
*e7b1675dSTing-Kang Chang        const EcdsaPrivateKey& key) const override {
*e7b1675dSTing-Kang Chang      return util::Status(absl::StatusCode::kUnimplemented, "Not implemented");
*e7b1675dSTing-Kang Chang    }
*e7b1675dSTing-Kang Chang  };
*e7b1675dSTing-Kang Chang  class PrivatePrimitiveBFactory : public PrimitiveFactory<PrivatePrimitiveB> {
*e7b1675dSTing-Kang Chang   public:
*e7b1675dSTing-Kang Chang    crypto::tink::util::StatusOr<std::unique_ptr<PrivatePrimitiveB>> Create(
*e7b1675dSTing-Kang Chang        const EcdsaPrivateKey& key) const override {
*e7b1675dSTing-Kang Chang      return util::Status(absl::StatusCode::kUnimplemented, "Not implemented");
*e7b1675dSTing-Kang Chang    }
*e7b1675dSTing-Kang Chang  };
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  TestPrivateKeyTypeManager()
*e7b1675dSTing-Kang Chang      : PrivateKeyTypeManager(absl::make_unique<PrivatePrimitiveAFactory>(),
*e7b1675dSTing-Kang Chang                              absl::make_unique<PrivatePrimitiveBFactory>()) {}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  google::crypto::tink::KeyData::KeyMaterialType key_material_type()
*e7b1675dSTing-Kang Chang      const override {
*e7b1675dSTing-Kang Chang    return google::crypto::tink::KeyData::ASYMMETRIC_PRIVATE;
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  uint32_t get_version() const override { return 0; }
*e7b1675dSTing-Kang Chang  crypto::tink::util::Status ValidateKey(
*e7b1675dSTing-Kang Chang      const EcdsaPrivateKey& key) const override {
*e7b1675dSTing-Kang Chang    return crypto::tink::util::OkStatus();
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang  crypto::tink::util::Status ValidateKeyFormat(
*e7b1675dSTing-Kang Chang      const EcdsaKeyFormat& key) const override {
*e7b1675dSTing-Kang Chang    return crypto::tink::util::OkStatus();
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  const std::string& get_key_type() const override { return kKeyType; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<EcdsaPrivateKey> CreateKey(
*e7b1675dSTing-Kang Chang      const EcdsaKeyFormat& key_format) const override {
*e7b1675dSTing-Kang Chang    EcdsaPublicKey public_key;
*e7b1675dSTing-Kang Chang    *public_key.mutable_params() = key_format.params();
*e7b1675dSTing-Kang Chang    EcdsaPrivateKey result;
*e7b1675dSTing-Kang Chang    *result.mutable_public_key() = public_key;
*e7b1675dSTing-Kang Chang    return result;
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<EcdsaPublicKey> GetPublicKey(
*e7b1675dSTing-Kang Chang      const EcdsaPrivateKey& private_key) const override {
*e7b1675dSTing-Kang Chang    return private_key.public_key();
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  MOCK_METHOD(FipsCompatibility, FipsStatus, (), (const, override));
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang private:
*e7b1675dSTing-Kang Chang  const std::string kKeyType =
*e7b1675dSTing-Kang Chang      "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey";
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang}  // namespace
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// NOTE: These are outside of the anonymous namespace to allow compiling with
*e7b1675dSTing-Kang Chang// MSVC.
*e7b1675dSTing-Kang Changclass PublicPrimitiveA {};
*e7b1675dSTing-Kang Changclass PublicPrimitiveB {};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changnamespace {
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changclass TestPublicKeyTypeManager
*e7b1675dSTing-Kang Chang    : public KeyTypeManager<EcdsaPublicKey, void,
*e7b1675dSTing-Kang Chang                            List<PublicPrimitiveA, PublicPrimitiveB>> {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  class PublicPrimitiveAFactory : public PrimitiveFactory<PublicPrimitiveA> {
*e7b1675dSTing-Kang Chang   public:
*e7b1675dSTing-Kang Chang    crypto::tink::util::StatusOr<std::unique_ptr<PublicPrimitiveA>> Create(
*e7b1675dSTing-Kang Chang        const EcdsaPublicKey& key) const override {
*e7b1675dSTing-Kang Chang      return util::Status(absl::StatusCode::kUnimplemented, "Not implemented");
*e7b1675dSTing-Kang Chang    }
*e7b1675dSTing-Kang Chang  };
*e7b1675dSTing-Kang Chang  class PublicPrimitiveBFactory : public PrimitiveFactory<PublicPrimitiveB> {
*e7b1675dSTing-Kang Chang   public:
*e7b1675dSTing-Kang Chang    crypto::tink::util::StatusOr<std::unique_ptr<PublicPrimitiveB>> Create(
*e7b1675dSTing-Kang Chang        const EcdsaPublicKey& key) const override {
*e7b1675dSTing-Kang Chang      return util::Status(absl::StatusCode::kUnimplemented, "Not implemented");
*e7b1675dSTing-Kang Chang    }
*e7b1675dSTing-Kang Chang  };
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  TestPublicKeyTypeManager()
*e7b1675dSTing-Kang Chang      : KeyTypeManager(absl::make_unique<PublicPrimitiveAFactory>(),
*e7b1675dSTing-Kang Chang                       absl::make_unique<PublicPrimitiveBFactory>()) {}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  google::crypto::tink::KeyData::KeyMaterialType key_material_type()
*e7b1675dSTing-Kang Chang      const override {
*e7b1675dSTing-Kang Chang    return google::crypto::tink::KeyData::ASYMMETRIC_PRIVATE;
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  uint32_t get_version() const override { return 0; }
*e7b1675dSTing-Kang Chang  crypto::tink::util::Status ValidateKey(
*e7b1675dSTing-Kang Chang      const EcdsaPublicKey& key) const override {
*e7b1675dSTing-Kang Chang    return crypto::tink::util::OkStatus();
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  const std::string& get_key_type() const override { return kKeyType; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  MOCK_METHOD(FipsCompatibility, FipsStatus, (), (const, override));
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang private:
*e7b1675dSTing-Kang Chang  const std::string kKeyType =
*e7b1675dSTing-Kang Chang      "type.googleapis.com/google.crypto.tink.EcdsaPublicKey";
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changstd::unique_ptr<TestPrivateKeyTypeManager>
*e7b1675dSTing-Kang ChangCreateTestPrivateKeyManagerFipsCompatible() {
*e7b1675dSTing-Kang Chang  auto private_key_manager = absl::make_unique<TestPrivateKeyTypeManager>();
*e7b1675dSTing-Kang Chang  ON_CALL(*private_key_manager, FipsStatus())
*e7b1675dSTing-Kang Chang      .WillByDefault(testing::Return(FipsCompatibility::kRequiresBoringCrypto));
*e7b1675dSTing-Kang Chang  return private_key_manager;
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changstd::unique_ptr<TestPublicKeyTypeManager>
*e7b1675dSTing-Kang ChangCreateTestPublicKeyManagerFipsCompatible() {
*e7b1675dSTing-Kang Chang  auto public_key_manager = absl::make_unique<TestPublicKeyTypeManager>();
*e7b1675dSTing-Kang Chang  ON_CALL(*public_key_manager, FipsStatus())
*e7b1675dSTing-Kang Chang      .WillByDefault(testing::Return(FipsCompatibility::kRequiresBoringCrypto));
*e7b1675dSTing-Kang Chang  return public_key_manager;
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterAsymmetricKeyManagers) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported if FIPS-mode is used and BoringCrypto is "
*e7b1675dSTing-Kang Chang                    "not available";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::Status status = Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang      CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang      CreateTestPublicKeyManagerFipsCompatible(), true);
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, AsymmetricMoreRestrictiveNewKey) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported if FIPS-mode is used and BoringCrypto is "
*e7b1675dSTing-Kang Chang                    "not available";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::Status status = Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang      CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang      CreateTestPublicKeyManagerFipsCompatible(), false);
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, AsymmetricSameNewKey) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported if FIPS-mode is used and BoringCrypto is "
*e7b1675dSTing-Kang Chang                    "not available";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  crypto::tink::util::Status status = Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang      CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang      CreateTestPublicKeyManagerFipsCompatible(), true);
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), false)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  status = Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang      CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang      CreateTestPublicKeyManagerFipsCompatible(), false);
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, AsymmetricLessRestrictiveGivesError) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported if FIPS-mode is used and BoringCrypto is "
*e7b1675dSTing-Kang Chang                    "not available";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::Status status = Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang      CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang      CreateTestPublicKeyManagerFipsCompatible(), false);
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(status.ok()) << status;
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), true),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kAlreadyExists,
*e7b1675dSTing-Kang Chang                       HasSubstr("forbidden new key operation")));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Tests that if we register asymmetric key managers once more after a call to
*e7b1675dSTing-Kang Chang// get_key_manager, the key manager previously obtained with "get_key_manager()"
*e7b1675dSTing-Kang Chang// remains valid.
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterAsymmetricKeyManagersGetKeyManagerStaysValid) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported if FIPS-mode is used and BoringCrypto is "
*e7b1675dSTing-Kang Chang                    "not available";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_THAT(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<const KeyManager<PrivatePrimitiveA>*>
*e7b1675dSTing-Kang Chang      private_key_manager = Registry::get_key_manager<PrivatePrimitiveA>(
*e7b1675dSTing-Kang Chang          TestPrivateKeyTypeManager().get_key_type());
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<const KeyManager<PublicPrimitiveA>*>
*e7b1675dSTing-Kang Chang      public_key_manager = Registry::get_key_manager<PublicPrimitiveA>(
*e7b1675dSTing-Kang Chang          TestPublicKeyTypeManager().get_key_type());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_THAT(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), true),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(private_key_manager.value()->get_key_type(),
*e7b1675dSTing-Kang Chang              Eq(TestPrivateKeyTypeManager().get_key_type()));
*e7b1675dSTing-Kang Chang  EXPECT_THAT(public_key_manager.value()->get_key_type(),
*e7b1675dSTing-Kang Chang              Eq(TestPublicKeyTypeManager().get_key_type()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, AsymmetricPrivateRegisterAlone) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported if FIPS-mode is used and BoringCrypto is "
*e7b1675dSTing-Kang Chang                    "not available";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  // Registering the same as asymmetric key managers must fail, because doing so
*e7b1675dSTing-Kang Chang  // would mean we invalidate key managers previously obtained with
*e7b1675dSTing-Kang Chang  // get_key_manager().
*e7b1675dSTing-Kang Chang  ASSERT_FALSE(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                   CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                   CreateTestPublicKeyManagerFipsCompatible(), true)
*e7b1675dSTing-Kang Chang                   .ok());
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, AsymmetricGetPrimitiveA) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported if FIPS-mode is used and BoringCrypto is "
*e7b1675dSTing-Kang Chang                    "not available";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<const KeyManager<PrivatePrimitiveA>*> km =
*e7b1675dSTing-Kang Chang      Registry::get_key_manager<PrivatePrimitiveA>(
*e7b1675dSTing-Kang Chang          TestPrivateKeyTypeManager().get_key_type());
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(km.ok()) << km.status();
*e7b1675dSTing-Kang Chang  EXPECT_THAT(km.value()->get_key_type(),
*e7b1675dSTing-Kang Chang              Eq(TestPrivateKeyTypeManager().get_key_type()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, AsymmetricGetPrimitiveB) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported if FIPS-mode is used and BoringCrypto is "
*e7b1675dSTing-Kang Chang                    "not available";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<const KeyManager<PrivatePrimitiveB>*> km =
*e7b1675dSTing-Kang Chang      Registry::get_key_manager<PrivatePrimitiveB>(
*e7b1675dSTing-Kang Chang          TestPrivateKeyTypeManager().get_key_type());
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(km.ok()) << km.status();
*e7b1675dSTing-Kang Chang  EXPECT_THAT(km.value()->get_key_type(),
*e7b1675dSTing-Kang Chang              Eq(TestPrivateKeyTypeManager().get_key_type()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, AsymmetricGetPublicPrimitiveA) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported if FIPS-mode is used and BoringCrypto is "
*e7b1675dSTing-Kang Chang                    "not available";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<const KeyManager<PublicPrimitiveA>*> km =
*e7b1675dSTing-Kang Chang      Registry::get_key_manager<PublicPrimitiveA>(
*e7b1675dSTing-Kang Chang          TestPublicKeyTypeManager().get_key_type());
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(km.ok()) << km.status();
*e7b1675dSTing-Kang Chang  EXPECT_THAT(km.value()->get_key_type(),
*e7b1675dSTing-Kang Chang              Eq(TestPublicKeyTypeManager().get_key_type()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, AsymmetricGetPublicPrimitiveB) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported if FIPS-mode is used and BoringCrypto is "
*e7b1675dSTing-Kang Chang                    "not available";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<const KeyManager<PublicPrimitiveB>*> km =
*e7b1675dSTing-Kang Chang      Registry::get_key_manager<PublicPrimitiveB>(
*e7b1675dSTing-Kang Chang          TestPublicKeyTypeManager().get_key_type());
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(km.ok()) << km.status();
*e7b1675dSTing-Kang Chang  EXPECT_THAT(km.value()->get_key_type(),
*e7b1675dSTing-Kang Chang              Eq(TestPublicKeyTypeManager().get_key_type()));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, AsymmetricGetWrongPrimitiveError) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported if FIPS-mode is used and BoringCrypto is "
*e7b1675dSTing-Kang Chang                    "not available";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<const KeyManager<PublicPrimitiveA>*> km =
*e7b1675dSTing-Kang Chang      Registry::get_key_manager<PublicPrimitiveA>(
*e7b1675dSTing-Kang Chang          TestPrivateKeyTypeManager().get_key_type());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(km.status(),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kInvalidArgument,
*e7b1675dSTing-Kang Chang                       HasSubstr("not among supported primitives")));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changclass PrivateKeyManagerImplTest : public testing::Test {
*e7b1675dSTing-Kang Chang  void SetUp() override { Registry::Reset(); }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  void TearDown() override {
*e7b1675dSTing-Kang Chang    // Reset is needed here to ensure Mock objects get deleted and do not leak.
*e7b1675dSTing-Kang Chang    Registry::Reset();
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(PrivateKeyManagerImplTest, AsymmetricFactoryNewKeyFromMessage) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported if FIPS-mode is used and BoringCrypto is "
*e7b1675dSTing-Kang Chang                    "not available";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EcdsaKeyFormat key_format;
*e7b1675dSTing-Kang Chang  key_format.mutable_params()->set_encoding(EcdsaSignatureEncoding::DER);
*e7b1675dSTing-Kang Chang  KeyTemplate key_template;
*e7b1675dSTing-Kang Chang  key_template.set_type_url(TestPrivateKeyTypeManager().get_key_type());
*e7b1675dSTing-Kang Chang  key_template.set_value(key_format.SerializeAsString());
*e7b1675dSTing-Kang Chang  key_template.set_output_prefix_type(OutputPrefixType::TINK);
*e7b1675dSTing-Kang Chang  std::unique_ptr<KeyData> key_data =
*e7b1675dSTing-Kang Chang      Registry::NewKeyData(key_template).value();
*e7b1675dSTing-Kang Chang  EXPECT_THAT(key_data->type_url(),
*e7b1675dSTing-Kang Chang              Eq(TestPrivateKeyTypeManager().get_key_type()));
*e7b1675dSTing-Kang Chang  EcdsaPrivateKey private_key;
*e7b1675dSTing-Kang Chang  private_key.ParseFromString(key_data->value());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(private_key.public_key().params().encoding(),
*e7b1675dSTing-Kang Chang              Eq(EcdsaSignatureEncoding::DER));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(PrivateKeyManagerImplTest, AsymmetricNewKeyDisallowed) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported if FIPS-mode is used and BoringCrypto is "
*e7b1675dSTing-Kang Chang                    "not available";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang                  CreateTestPublicKeyManagerFipsCompatible(), false)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  KeyTemplate key_template;
*e7b1675dSTing-Kang Chang  key_template.set_type_url(TestPrivateKeyTypeManager().get_key_type());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(
*e7b1675dSTing-Kang Chang      Registry::NewKeyData(key_template).status(),
*e7b1675dSTing-Kang Chang      StatusIs(absl::StatusCode::kInvalidArgument, HasSubstr("not allow")));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, AsymmetricGetPublicKeyData) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips && !IsFipsEnabledInSsl()) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported if FIPS-mode is used and BoringCrypto is "
*e7b1675dSTing-Kang Chang                    "not available";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::Status status = Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang      CreateTestPrivateKeyManagerFipsCompatible(),
*e7b1675dSTing-Kang Chang      CreateTestPublicKeyManagerFipsCompatible(), true);
*e7b1675dSTing-Kang Chang  EcdsaPrivateKey private_key;
*e7b1675dSTing-Kang Chang  private_key.mutable_public_key()->mutable_params()->set_encoding(
*e7b1675dSTing-Kang Chang      EcdsaSignatureEncoding::DER);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  std::unique_ptr<KeyData> key_data =
*e7b1675dSTing-Kang Chang      Registry::GetPublicKeyData(TestPrivateKeyTypeManager().get_key_type(),
*e7b1675dSTing-Kang Chang                                 private_key.SerializeAsString())
*e7b1675dSTing-Kang Chang          .value();
*e7b1675dSTing-Kang Chang  ASSERT_THAT(key_data->type_url(),
*e7b1675dSTing-Kang Chang              Eq(TestPublicKeyTypeManager().get_key_type()));
*e7b1675dSTing-Kang Chang  EcdsaPublicKey public_key;
*e7b1675dSTing-Kang Chang  public_key.ParseFromString(key_data->value());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(public_key.params().encoding(), Eq(EcdsaSignatureEncoding::DER));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changclass TestPrivateKeyTypeManager2 : public TestPrivateKeyTypeManager {};
*e7b1675dSTing-Kang Changclass TestPublicKeyTypeManager2 : public TestPublicKeyTypeManager {};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterAssymmetricReregistrationWithWrongClasses) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestPrivateKeyTypeManager>(),
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestPublicKeyTypeManager>(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestPrivateKeyTypeManager2>(),
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestPublicKeyTypeManager>(), true),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kAlreadyExists,
*e7b1675dSTing-Kang Chang                       HasSubstr("already registered")));
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestPrivateKeyTypeManager>(),
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestPublicKeyTypeManager2>(), true),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kAlreadyExists,
*e7b1675dSTing-Kang Chang                       HasSubstr("already registered")));
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestPrivateKeyTypeManager2>(),
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestPublicKeyTypeManager2>(), true),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kAlreadyExists,
*e7b1675dSTing-Kang Chang                       HasSubstr("already registered")));
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestPrivateKeyTypeManager2>(), true),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kAlreadyExists,
*e7b1675dSTing-Kang Chang                       HasSubstr("already registered")));
*e7b1675dSTing-Kang Chang  EXPECT_THAT(Registry::RegisterKeyTypeManager(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestPublicKeyTypeManager2>(), true),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kAlreadyExists,
*e7b1675dSTing-Kang Chang                       HasSubstr("already registered")));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changclass TestPublicKeyTypeManagerWithDifferentKeyType
*e7b1675dSTing-Kang Chang    : public TestPublicKeyTypeManager {
*e7b1675dSTing-Kang Chang  const std::string& get_key_type() const override { return kKeyType; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang private:
*e7b1675dSTing-Kang Chang  const std::string kKeyType = "bla";
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryTest, RegisterAssymmetricReregistrationWithNewKeyType) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  ASSERT_TRUE(Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestPrivateKeyTypeManager>(),
*e7b1675dSTing-Kang Chang                  absl::make_unique<TestPublicKeyTypeManager>(), true)
*e7b1675dSTing-Kang Chang                  .ok());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(
*e7b1675dSTing-Kang Chang      Registry::RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang          absl::make_unique<TestPrivateKeyTypeManager>(),
*e7b1675dSTing-Kang Chang          absl::make_unique<TestPublicKeyTypeManagerWithDifferentKeyType>(),
*e7b1675dSTing-Kang Chang          true),
*e7b1675dSTing-Kang Chang      StatusIs(absl::StatusCode::kInvalidArgument,
*e7b1675dSTing-Kang Chang               HasSubstr("impossible to register")));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// The DelegatingKeyTypeManager calls the registry
*e7b1675dSTing-Kang Changclass DelegatingKeyTypeManager
*e7b1675dSTing-Kang Chang    : public PrivateKeyTypeManager<EcdsaPrivateKey, EcdsaKeyFormat,
*e7b1675dSTing-Kang Chang                                   EcdsaPublicKey, List<>> {
*e7b1675dSTing-Kang Chang public:
*e7b1675dSTing-Kang Chang  DelegatingKeyTypeManager() : PrivateKeyTypeManager() {}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  void set_registry(RegistryImpl* registry) { registry_ = registry; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  google::crypto::tink::KeyData::KeyMaterialType key_material_type()
*e7b1675dSTing-Kang Chang      const override {
*e7b1675dSTing-Kang Chang    return google::crypto::tink::KeyData::SYMMETRIC;
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  uint32_t get_version() const override { return kVersion; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  const std::string& get_key_type() const override { return kKeyType; }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::Status ValidateKey(
*e7b1675dSTing-Kang Chang      const EcdsaPrivateKey& key) const override {
*e7b1675dSTing-Kang Chang    return util::OkStatus();
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::Status ValidateKeyFormat(
*e7b1675dSTing-Kang Chang      const EcdsaKeyFormat& key_format) const override {
*e7b1675dSTing-Kang Chang    return util::OkStatus();
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<EcdsaPrivateKey> CreateKey(
*e7b1675dSTing-Kang Chang      const EcdsaKeyFormat& key_format) const override {
*e7b1675dSTing-Kang Chang    AesGcmKeyFormat format;
*e7b1675dSTing-Kang Chang    KeyTemplate key_template;
*e7b1675dSTing-Kang Chang    key_template.set_type_url(
*e7b1675dSTing-Kang Chang        "type.googleapis.com/google.crypto.tink.AesGcmKey");
*e7b1675dSTing-Kang Chang    key_template.set_value(format.SerializeAsString());
*e7b1675dSTing-Kang Chang    auto result = registry_->NewKeyData(key_template);
*e7b1675dSTing-Kang Chang    if (!result.ok()) return result.status();
*e7b1675dSTing-Kang Chang    // Return a string we can check for.
*e7b1675dSTing-Kang Chang    return util::Status(absl::StatusCode::kDeadlineExceeded,
*e7b1675dSTing-Kang Chang                        "CreateKey worked");
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<EcdsaPrivateKey> DeriveKey(
*e7b1675dSTing-Kang Chang      const EcdsaKeyFormat& key_format,
*e7b1675dSTing-Kang Chang      InputStream* input_stream) const override {
*e7b1675dSTing-Kang Chang    AesGcmKeyFormat format;
*e7b1675dSTing-Kang Chang    KeyTemplate key_template;
*e7b1675dSTing-Kang Chang    key_template.set_type_url(
*e7b1675dSTing-Kang Chang        "type.googleapis.com/google.crypto.tink.AesGcmKey");
*e7b1675dSTing-Kang Chang    key_template.set_value(format.SerializeAsString());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang    auto result = registry_->DeriveKey(key_template, input_stream);
*e7b1675dSTing-Kang Chang    if (!result.ok()) return result.status();
*e7b1675dSTing-Kang Chang    // Return a string we can check for.
*e7b1675dSTing-Kang Chang    return util::Status(absl::StatusCode::kDeadlineExceeded,
*e7b1675dSTing-Kang Chang                        "DeriveKey worked");
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  crypto::tink::util::StatusOr<EcdsaPublicKey> GetPublicKey(
*e7b1675dSTing-Kang Chang      const EcdsaPrivateKey& private_key) const override {
*e7b1675dSTing-Kang Chang    AesGcmKeyFormat format;
*e7b1675dSTing-Kang Chang    KeyTemplate key_template;
*e7b1675dSTing-Kang Chang    key_template.set_type_url(
*e7b1675dSTing-Kang Chang        "type.googleapis.com/google.crypto.tink.AesGcmKey");
*e7b1675dSTing-Kang Chang    key_template.set_value(format.SerializeAsString());
*e7b1675dSTing-Kang Chang    auto result = registry_->NewKeyData(key_template);
*e7b1675dSTing-Kang Chang    if (!result.ok()) return result.status();
*e7b1675dSTing-Kang Chang    // Return a string we can check for.
*e7b1675dSTing-Kang Chang    return util::Status(absl::StatusCode::kDeadlineExceeded,
*e7b1675dSTing-Kang Chang                        "GetPublicKey worked");
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang private:
*e7b1675dSTing-Kang Chang  RegistryImpl* registry_;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  static constexpr int kVersion = 0;
*e7b1675dSTing-Kang Chang  const std::string kKeyType =
*e7b1675dSTing-Kang Chang      "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey";
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changclass RegistryImplTest : public ::testing::Test {
*e7b1675dSTing-Kang Chang protected:
*e7b1675dSTing-Kang Chang  void TearDown() override {
*e7b1675dSTing-Kang Chang    // Calling RestrictToFipsIfEmpty() may call SetFipsRestricted(), which
*e7b1675dSTing-Kang Chang    // set a global variable to true. We have to reset that after the test.
*e7b1675dSTing-Kang Chang    UnSetFipsRestricted();
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang};
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Check that we can call the registry again from within NewKeyData
*e7b1675dSTing-Kang ChangTEST_F(RegistryImplTest, CanDelegateCreateKey) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  RegistryImpl registry_impl;
*e7b1675dSTing-Kang Chang  auto delegating_key_manager = absl::make_unique<DelegatingKeyTypeManager>();
*e7b1675dSTing-Kang Chang  delegating_key_manager->set_registry(&registry_impl);
*e7b1675dSTing-Kang Chang  auto status =
*e7b1675dSTing-Kang Chang      registry_impl
*e7b1675dSTing-Kang Chang          .RegisterKeyTypeManager<EcdsaPrivateKey, EcdsaKeyFormat, List<>>(
*e7b1675dSTing-Kang Chang              std::move(delegating_key_manager), true);
*e7b1675dSTing-Kang Chang  EXPECT_THAT(status, IsOk());
*e7b1675dSTing-Kang Chang  status = registry_impl.RegisterKeyTypeManager<AesGcmKey, AesGcmKeyFormat,
*e7b1675dSTing-Kang Chang                                                List<Aead, AeadVariant>>(
*e7b1675dSTing-Kang Chang      absl::make_unique<ExampleKeyTypeManager>(), true);
*e7b1675dSTing-Kang Chang  EXPECT_THAT(status, IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EcdsaKeyFormat format;
*e7b1675dSTing-Kang Chang  KeyTemplate key_template;
*e7b1675dSTing-Kang Chang  key_template.set_type_url(
*e7b1675dSTing-Kang Chang      "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey");
*e7b1675dSTing-Kang Chang  key_template.set_value(format.SerializeAsString());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(registry_impl.NewKeyData(key_template).status(),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kDeadlineExceeded,
*e7b1675dSTing-Kang Chang                       HasSubstr("CreateKey worked")));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Check that we can call the registry again from within NewKeyData
*e7b1675dSTing-Kang ChangTEST_F(RegistryImplTest, CanDelegateDeriveKey) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  RegistryImpl registry_impl;
*e7b1675dSTing-Kang Chang  auto delegating_key_manager = absl::make_unique<DelegatingKeyTypeManager>();
*e7b1675dSTing-Kang Chang  delegating_key_manager->set_registry(&registry_impl);
*e7b1675dSTing-Kang Chang  auto status =
*e7b1675dSTing-Kang Chang      registry_impl
*e7b1675dSTing-Kang Chang          .RegisterKeyTypeManager<EcdsaPrivateKey, EcdsaKeyFormat, List<>>(
*e7b1675dSTing-Kang Chang              std::move(delegating_key_manager), true);
*e7b1675dSTing-Kang Chang  EXPECT_THAT(status, IsOk());
*e7b1675dSTing-Kang Chang  status = registry_impl.RegisterKeyTypeManager<AesGcmKey, AesGcmKeyFormat,
*e7b1675dSTing-Kang Chang                                                List<Aead, AeadVariant>>(
*e7b1675dSTing-Kang Chang      absl::make_unique<ExampleKeyTypeManager>(), true);
*e7b1675dSTing-Kang Chang  EXPECT_THAT(status, IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EcdsaKeyFormat format;
*e7b1675dSTing-Kang Chang  KeyTemplate key_template;
*e7b1675dSTing-Kang Chang  key_template.set_type_url(
*e7b1675dSTing-Kang Chang      "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey");
*e7b1675dSTing-Kang Chang  key_template.set_value(format.SerializeAsString());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(registry_impl.DeriveKey(key_template, nullptr).status(),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kDeadlineExceeded,
*e7b1675dSTing-Kang Chang                       HasSubstr("DeriveKey worked")));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryImplTest, CanDelegateGetPublicKey) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  RegistryImpl registry_impl;
*e7b1675dSTing-Kang Chang  auto delegating_key_manager = absl::make_unique<DelegatingKeyTypeManager>();
*e7b1675dSTing-Kang Chang  delegating_key_manager->set_registry(&registry_impl);
*e7b1675dSTing-Kang Chang  auto status = registry_impl.RegisterAsymmetricKeyManagers(
*e7b1675dSTing-Kang Chang      delegating_key_manager.release(),
*e7b1675dSTing-Kang Chang      absl::make_unique<TestPublicKeyTypeManager>().release(), true);
*e7b1675dSTing-Kang Chang  EXPECT_THAT(status, IsOk());
*e7b1675dSTing-Kang Chang  status = registry_impl.RegisterKeyTypeManager<AesGcmKey, AesGcmKeyFormat,
*e7b1675dSTing-Kang Chang                                                List<Aead, AeadVariant>>(
*e7b1675dSTing-Kang Chang      absl::make_unique<ExampleKeyTypeManager>(), true);
*e7b1675dSTing-Kang Chang  EXPECT_THAT(status, IsOk());
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EcdsaPrivateKey private_key;
*e7b1675dSTing-Kang Chang  private_key.mutable_public_key()->mutable_params()->set_encoding(
*e7b1675dSTing-Kang Chang      EcdsaSignatureEncoding::DER);
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  EXPECT_THAT(registry_impl
*e7b1675dSTing-Kang Chang                  .GetPublicKeyData(DelegatingKeyTypeManager().get_key_type(),
*e7b1675dSTing-Kang Chang                                    private_key.SerializeAsString())
*e7b1675dSTing-Kang Chang                  .status(),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kDeadlineExceeded,
*e7b1675dSTing-Kang Chang                       HasSubstr("GetPublicKey worked")));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryImplTest, FipsRestrictionSucceedsOnEmptyRegistry) {
*e7b1675dSTing-Kang Chang  RegistryImpl registry_impl;
*e7b1675dSTing-Kang Chang  EXPECT_THAT(registry_impl.RestrictToFipsIfEmpty(), IsOk());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryImplTest, FipsRestrictionSucceedsWhenSettingMultipleTimes) {
*e7b1675dSTing-Kang Chang  RegistryImpl registry_impl;
*e7b1675dSTing-Kang Chang  EXPECT_THAT(registry_impl.RestrictToFipsIfEmpty(), IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(registry_impl.RestrictToFipsIfEmpty(), IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(registry_impl.RestrictToFipsIfEmpty(), IsOk());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryImplTest, FipsRestrictionSucceedsIfBuildInFipsMode) {
*e7b1675dSTing-Kang Chang  if (!kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported when Tink is not built in FIPS mode.";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang  RegistryImpl registry_impl;
*e7b1675dSTing-Kang Chang  EXPECT_THAT(registry_impl.RestrictToFipsIfEmpty(), IsOk());
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryImplTest, FipsFailsIfNotEmpty) {
*e7b1675dSTing-Kang Chang  if (kUseOnlyFips) {
*e7b1675dSTing-Kang Chang    GTEST_SKIP() << "Not supported in FIPS-only mode";
*e7b1675dSTing-Kang Chang  }
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  auto fips_key_manager = absl::make_unique<ExampleKeyTypeManager>();
*e7b1675dSTing-Kang Chang  ON_CALL(*fips_key_manager, FipsStatus())
*e7b1675dSTing-Kang Chang      .WillByDefault(testing::Return(FipsCompatibility::kRequiresBoringCrypto));
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  RegistryImpl registry_impl;
*e7b1675dSTing-Kang Chang  auto status = registry_impl.RegisterKeyTypeManager<AesGcmKey, AesGcmKeyFormat,
*e7b1675dSTing-Kang Chang                                                     List<Aead, AeadVariant>>(
*e7b1675dSTing-Kang Chang      std::move(fips_key_manager), true);
*e7b1675dSTing-Kang Chang  EXPECT_THAT(status, IsOk());
*e7b1675dSTing-Kang Chang  EXPECT_THAT(registry_impl.RestrictToFipsIfEmpty(),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kInternal));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang ChangTEST_F(RegistryImplTest, CanRegisterOnlyOneMonitoringFactory) {
*e7b1675dSTing-Kang Chang  auto monitoring_client_factory =
*e7b1675dSTing-Kang Chang      absl::make_unique<MockMonitoringClientFactory>();
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang  RegistryImpl registry_impl;
*e7b1675dSTing-Kang Chang  EXPECT_THAT(registry_impl.RegisterMonitoringClientFactory(
*e7b1675dSTing-Kang Chang                  std::move(monitoring_client_factory)),
*e7b1675dSTing-Kang Chang              IsOk());
*e7b1675dSTing-Kang Chang  ASSERT_THAT(registry_impl.GetMonitoringClientFactory(), Not(IsNull()));
*e7b1675dSTing-Kang Chang  EXPECT_THAT(registry_impl.RegisterMonitoringClientFactory(
*e7b1675dSTing-Kang Chang                  std::move(monitoring_client_factory)),
*e7b1675dSTing-Kang Chang              StatusIs(absl::StatusCode::kAlreadyExists));
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang}  // namespace
*e7b1675dSTing-Kang Chang}  // namespace internal
*e7b1675dSTing-Kang Chang}  // namespace tink
*e7b1675dSTing-Kang Chang}  // namespace crypto