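// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////

package gcpkms_test

import (
	"bytes"
	"context"
	"flag"
	"os"
	"path/filepath"
	"testing"

	"github.com/google/tink/go/aead"
	"github.com/google/tink/go/integration/gcpkms"
	"google.golang.org/api/option"
)

const (
	// keyURI names the Cloud KMS key that this test uses as the
	// key-encryption key (KEK) for envelope encryption.
	keyURI = "gcp-kms://projects/tink-test-infrastructure/locations/global/keyRings/unit-and-integration-testing/cryptoKeys/aead-key"
)

var (
	// credFile is the path, relative to TEST_SRCDIR, of the credentials file
	// handed to option.WithCredentialsFile.
	// NOTE(review): presumably a test-only identity limited to the key in
	// keyURI; confirm it carries no broader permissions.
	credFile = "tink_go/testdata/gcp/credential.json"
)

// init points TLS root-certificate lookup at the roots.pem bundled under
// TEST_SRCDIR, both through the "cacerts" flag and through SSL_CERT_FILE.
//
// SSL_CERT_FILE changes the trust roots for the whole test process, so it is
// only set when TEST_SRCDIR is present; otherwise the path would be resolved
// relative to the current working directory.
func init() {
	srcDir, ok := os.LookupEnv("TEST_SRCDIR")
	if !ok {
		return
	}
	certPath := filepath.Join(srcDir, "tink_base/roots.pem")
	// Errors are not fatal here: init has no *testing.T to report through.
	// NOTE(review): flag.Set fails if no "cacerts" flag is registered in
	// this binary; confirm that is expected.
	flag.Set("cacerts", certPath)
	os.Setenv("SSL_CERT_FILE", certPath)
}

// TestGetAeadWithEnvelopeAead encrypts and decrypts a message with a KMS
// envelope AEAD whose KEK is the Cloud KMS key in keyURI, and checks that
// decryption is rejected when the associated data or the ciphertext has been
// altered.
//
// The test is skipped when TEST_SRCDIR is not set, since the credentials file
// is located relative to it.
func TestGetAeadWithEnvelopeAead(t *testing.T) {
	srcDir, ok := os.LookupEnv("TEST_SRCDIR")
	if !ok {
		t.Skip("TEST_SRCDIR not set")
	}
	ctx := context.Background()
	gcpClient, err := gcpkms.NewClientWithOptions(
		ctx, keyURI, option.WithCredentialsFile(filepath.Join(srcDir, credFile)))
	if err != nil {
		t.Fatalf("gcpkms.NewClientWithOptions() err = %q, want nil", err)
	}
	kekAEAD, err := gcpClient.GetAEAD(keyURI)
	if err != nil {
		t.Fatalf("gcpClient.GetAEAD(keyURI) err = %q, want nil", err)
	}

	// NewKMSEnvelopeAEAD2 returns no error, so there is nothing to check
	// here; the original re-tested the err already handled above.
	dekTemplate := aead.AES128CTRHMACSHA256KeyTemplate()
	a := aead.NewKMSEnvelopeAEAD2(dekTemplate, kekAEAD)

	plaintext := []byte("message")
	associatedData := []byte("example KMS envelope AEAD encryption")

	ciphertext, err := a.Encrypt(plaintext, associatedData)
	if err != nil {
		t.Fatalf("a.Encrypt(plaintext, associatedData) err = %q, want nil", err)
	}
	gotPlaintext, err := a.Decrypt(ciphertext, associatedData)
	if err != nil {
		t.Fatalf("a.Decrypt(ciphertext, associatedData) err = %q, want nil", err)
	}
	if !bytes.Equal(gotPlaintext, plaintext) {
		t.Errorf("a.Decrypt() = %q, want %q", gotPlaintext, plaintext)
	}

	// Associated data is authenticated: a mismatch must fail decryption.
	_, err = a.Decrypt(ciphertext, []byte("invalid associatedData"))
	if err == nil {
		t.Error("a.Decrypt(ciphertext, []byte(\"invalid associatedData\")) err = nil, want error")
	}

	// The ciphertext is authenticated too: flipping one bit in a copy must
	// be rejected rather than yield altered plaintext.
	tampered := append([]byte(nil), ciphertext...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := a.Decrypt(tampered, associatedData); err == nil {
		t.Error("a.Decrypt(tampered, associatedData) err = nil, want error")
	}
}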