Add test for encrypted keyset serialization overhead in C++.

PiperOrigin-RevId: 592207449 Change-Id: I0a8568ca87e507c469268432953e899764cfdc0b
tink-crypto · Dec 19, 2023 · de88496 · de88496
1 parent 99c416a
commit de88496
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 0 deletions.
diff --git a/tink/BUILD.bazel b/tink/BUILD.bazel
@@ -840,8 +840,18 @@ cc_test(
     srcs = ["core/binary_keyset_writer_test.cc"],
     deps = [
         ":binary_keyset_writer",
+        ":insecure_secret_key_access",
+        ":proto_keyset_format",
+        ":tink_cc",
+        "//tink/aead:aead_config",
+        "//tink/config:global_registry",
         "//proto:tink_cc_proto",
+        "//tink/util:secret_data",
+        "//tink/util:statusor",
+        "//tink/util:test_matchers",
         "//tink/util:test_util",
+        "@com_google_absl//absl/memory",
+        "@com_google_absl//absl/status",
         "@com_google_googletest//:gtest_main",
     ],
 )

diff --git a/tink/CMakeLists.txt b/tink/CMakeLists.txt
@@ -784,7 +784,17 @@ tink_cc_test(
     core/binary_keyset_writer_test.cc
   DEPS
     tink::core::binary_keyset_writer
+    tink::core::cc
+    tink::core::insecure_secret_key_access
+    tink::core::proto_keyset_format
     gmock
+    absl::memory
+    absl::status
+    tink::aead::aead_config
+    tink::config::global_registry
+    tink::util::secret_data
+    tink::util::statusor
+    tink::util::test_matchers
     tink::util::test_util
     tink::proto::tink_cc_proto
 )

diff --git a/tink/core/binary_keyset_writer_test.cc b/tink/core/binary_keyset_writer_test.cc
@@ -22,17 +22,33 @@
 #include <string>
 #include <utility>
 
+#include "gmock/gmock.h"
 #include "gtest/gtest.h"
+#include "absl/memory/memory.h"
+#include "absl/status/status.h"
+#include "tink/aead.h"
+#include "tink/aead/aead_config.h"
+#include "tink/aead_key_templates.h"
+#include "tink/config/global_registry.h"
+#include "tink/insecure_secret_key_access.h"
+#include "tink/keyset_handle.h"
+#include "tink/proto_keyset_format.h"
+#include "tink/util/secret_data.h"
+#include "tink/util/statusor.h"
+#include "tink/util/test_matchers.h"
 #include "tink/util/test_util.h"
 #include "proto/tink.pb.h"
 
 using crypto::tink::test::AddRawKey;
 using crypto::tink::test::AddTinkKey;
 
+using ::crypto::tink::test::IsOk;
 using google::crypto::tink::EncryptedKeyset;
 using google::crypto::tink::KeyData;
 using google::crypto::tink::Keyset;
 using google::crypto::tink::KeyStatusType;
+using testing::Le;
+using testing::SizeIs;
 
 namespace crypto {
 namespace tink {
@@ -41,6 +57,8 @@ namespace {
 class BinaryKeysetWriterTest : public ::testing::Test {
  protected:
   void SetUp() override {
+    ASSERT_THAT(AeadConfig::Register(), IsOk());
+
     Keyset::Key key;
     AddTinkKey("some key type", 42, key, KeyStatusType::ENABLED,
                KeyData::SYMMETRIC, &keyset_);
@@ -122,6 +140,45 @@ TEST_F(BinaryKeysetWriterTest, testDestinationStreamErrors) {
   }
 }
 
+TEST_F(BinaryKeysetWriterTest, EncryptedKeysetOverhead) {
+  util::StatusOr<std::unique_ptr<KeysetHandle>> keysetEncryptionHandle =
+      KeysetHandle::GenerateNew(AeadKeyTemplates::Aes128Gcm(),
+                                KeyGenConfigGlobalRegistry());
+  ASSERT_THAT(keysetEncryptionHandle, IsOk());
+  util::StatusOr<std::unique_ptr<Aead>> keyset_encryption_aead =
+      (*keysetEncryptionHandle)->GetPrimitive<Aead>(ConfigGlobalRegistry());
+  ASSERT_THAT(keyset_encryption_aead, IsOk());
+
+  util::StatusOr<std::unique_ptr<KeysetHandle>> handle =
+      KeysetHandle::GenerateNew(AeadKeyTemplates::Aes128Gcm(),
+                                KeyGenConfigGlobalRegistry());
+  ASSERT_THAT(handle, IsOk());
+
+  crypto::tink::util::StatusOr<util::SecretData> serialized_keyset =
+      SerializeKeysetToProtoKeysetFormat(**handle,
+                                         InsecureSecretKeyAccess::Get());
+  ASSERT_THAT(serialized_keyset, IsOk());
+  util::StatusOr<std::string> raw_encrypted_keyset =
+      (*keyset_encryption_aead)
+          ->Encrypt(util::SecretDataAsStringView(*serialized_keyset), "");
+  ASSERT_THAT(raw_encrypted_keyset, IsOk());
+
+  std::stringbuf encrypted_keyset;
+  crypto::tink::util::StatusOr<std::unique_ptr<BinaryKeysetWriter>> writer =
+      BinaryKeysetWriter::New(
+          absl::make_unique<std::ostream>(&encrypted_keyset));
+  ASSERT_THAT(writer, IsOk());
+
+  auto status = (*handle)->Write(writer->get(), **keyset_encryption_aead);
+  ASSERT_THAT(status, IsOk());
+
+  // encrypted_keyset is a serialized protocol buffer that only contains
+  // raw_encrypted_keyset in a field. So it should only be slightly larger than
+  // raw_encrypted_keyset.
+  EXPECT_THAT(encrypted_keyset.str(),
+              SizeIs(Le(raw_encrypted_keyset->size() + 6)));
+}
+
 }  // namespace
 }  // namespace tink
 }  // namespace crypto