diff --git a/tink/BUILD.bazel b/tink/BUILD.bazel index 6e68067a..f8586202 100644 --- a/tink/BUILD.bazel +++ b/tink/BUILD.bazel @@ -840,8 +840,18 @@ cc_test( srcs = ["core/binary_keyset_writer_test.cc"], deps = [ ":binary_keyset_writer", + ":insecure_secret_key_access", + ":proto_keyset_format", + ":tink_cc", + "//tink/aead:aead_config", + "//tink/config:global_registry", "//proto:tink_cc_proto", + "//tink/util:secret_data", + "//tink/util:statusor", + "//tink/util:test_matchers", "//tink/util:test_util", + "@com_google_absl//absl/memory", + "@com_google_absl//absl/status", "@com_google_googletest//:gtest_main", ], ) diff --git a/tink/CMakeLists.txt b/tink/CMakeLists.txt index 9f8db691..5814a97e 100644 --- a/tink/CMakeLists.txt +++ b/tink/CMakeLists.txt @@ -784,7 +784,17 @@ tink_cc_test( core/binary_keyset_writer_test.cc DEPS tink::core::binary_keyset_writer + tink::core::cc + tink::core::insecure_secret_key_access + tink::core::proto_keyset_format gmock + absl::memory + absl::status + tink::aead::aead_config + tink::config::global_registry + tink::util::secret_data + tink::util::statusor + tink::util::test_matchers tink::util::test_util tink::proto::tink_cc_proto ) diff --git a/tink/core/binary_keyset_writer_test.cc b/tink/core/binary_keyset_writer_test.cc index cb0c9195..9010f889 100644 --- a/tink/core/binary_keyset_writer_test.cc +++ b/tink/core/binary_keyset_writer_test.cc @@ -22,17 +22,33 @@ #include #include +#include "gmock/gmock.h" #include "gtest/gtest.h" +#include "absl/memory/memory.h" +#include "absl/status/status.h" +#include "tink/aead.h" +#include "tink/aead/aead_config.h" +#include "tink/aead_key_templates.h" +#include "tink/config/global_registry.h" +#include "tink/insecure_secret_key_access.h" +#include "tink/keyset_handle.h" +#include "tink/proto_keyset_format.h" +#include "tink/util/secret_data.h" +#include "tink/util/statusor.h" +#include "tink/util/test_matchers.h" #include "tink/util/test_util.h" #include "proto/tink.pb.h" using crypto::tink::test::AddRawKey; using crypto::tink::test::AddTinkKey; +using ::crypto::tink::test::IsOk; using google::crypto::tink::EncryptedKeyset; using google::crypto::tink::KeyData; using google::crypto::tink::Keyset; using google::crypto::tink::KeyStatusType; +using testing::Le; +using testing::SizeIs; namespace crypto { namespace tink { @@ -41,6 +57,8 @@ namespace { class BinaryKeysetWriterTest : public ::testing::Test { protected: void SetUp() override { + ASSERT_THAT(AeadConfig::Register(), IsOk()); + Keyset::Key key; AddTinkKey("some key type", 42, key, KeyStatusType::ENABLED, KeyData::SYMMETRIC, &keyset_); @@ -122,6 +140,45 @@ TEST_F(BinaryKeysetWriterTest, testDestinationStreamErrors) { } } +TEST_F(BinaryKeysetWriterTest, EncryptedKeysetOverhead) { + util::StatusOr> keysetEncryptionHandle = + KeysetHandle::GenerateNew(AeadKeyTemplates::Aes128Gcm(), + KeyGenConfigGlobalRegistry()); + ASSERT_THAT(keysetEncryptionHandle, IsOk()); + util::StatusOr> keyset_encryption_aead = + (*keysetEncryptionHandle)->GetPrimitive(ConfigGlobalRegistry()); + ASSERT_THAT(keyset_encryption_aead, IsOk()); + + util::StatusOr> handle = + KeysetHandle::GenerateNew(AeadKeyTemplates::Aes128Gcm(), + KeyGenConfigGlobalRegistry()); + ASSERT_THAT(handle, IsOk()); + + crypto::tink::util::StatusOr serialized_keyset = + SerializeKeysetToProtoKeysetFormat(**handle, + InsecureSecretKeyAccess::Get()); + ASSERT_THAT(serialized_keyset, IsOk()); + util::StatusOr raw_encrypted_keyset = + (*keyset_encryption_aead) + ->Encrypt(util::SecretDataAsStringView(*serialized_keyset), ""); + ASSERT_THAT(raw_encrypted_keyset, IsOk()); + + std::stringbuf encrypted_keyset; + crypto::tink::util::StatusOr> writer = + BinaryKeysetWriter::New( + absl::make_unique(&encrypted_keyset)); + ASSERT_THAT(writer, IsOk()); + + auto status = (*handle)->Write(writer->get(), **keyset_encryption_aead); + ASSERT_THAT(status, IsOk()); + + // encrypted_keyset is a serialized protocol buffer that only contains + // raw_encrypted_keyset in a field. So it should only be slightly larger than + // raw_encrypted_keyset. + EXPECT_THAT(encrypted_keyset.str(), + SizeIs(Le(raw_encrypted_keyset->size() + 6))); +} + } // namespace } // namespace tink } // namespace crypto