1// Copyright 2019 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14// 15//////////////////////////////////////////////////////////////////////////////// 16 17package keyset_test 18 19import ( 20 "strings" 21 "testing" 22 23 "github.com/google/tink/go/keyset" 24 "github.com/google/tink/go/mac" 25 "github.com/google/tink/go/testkeyset" 26 "github.com/google/tink/go/testutil" 27 28 tinkpb "github.com/google/tink/go/proto/tink_go_proto" 29) 30 31func TestKeysetManagerBasic(t *testing.T) { 32 // Create a keyset that contains a single HmacKey. 33 ksm := keyset.NewManager() 34 kt := mac.HMACSHA256Tag128KeyTemplate() 35 keyID, err := ksm.Add(kt) 36 if err != nil { 37 t.Errorf("cannot add key: %s", err) 38 } 39 err = ksm.SetPrimary(keyID) 40 if err != nil { 41 t.Errorf("cannot set primary key: %s", err) 42 } 43 h, err := ksm.Handle() 44 if err != nil { 45 t.Errorf("cannot get keyset handle: %s", err) 46 } 47 ks := testkeyset.KeysetMaterial(h) 48 if len(ks.Key) != 1 { 49 t.Fatal("expect the number of keys in the keyset is 1") 50 } 51 if ks.Key[0].KeyId != ks.PrimaryKeyId || 52 ks.Key[0].KeyData.TypeUrl != testutil.HMACTypeURL || 53 ks.Key[0].Status != tinkpb.KeyStatusType_ENABLED || 54 ks.Key[0].OutputPrefixType != tinkpb.OutputPrefixType_TINK { 55 t.Errorf("incorrect key information: %s", ks.Key[0]) 56 } 57} 58 59func TestExistingKeyset(t *testing.T) { 60 // Create a keyset that contains a single HmacKey. 61 ksm1 := keyset.NewManager() 62 kt := mac.HMACSHA256Tag128KeyTemplate() 63 keyID1, err := ksm1.Add(kt) 64 if err != nil { 65 t.Errorf("cannot add key: %s", err) 66 } 67 err = ksm1.SetPrimary(keyID1) 68 if err != nil { 69 t.Errorf("cannot set primary key: %s", err) 70 } 71 h1, err := ksm1.Handle() 72 if err != nil { 73 t.Errorf("cannot get keyset handle: %s", err) 74 } 75 ks1 := testkeyset.KeysetMaterial(h1) 76 77 ksm2 := keyset.NewManagerFromHandle(h1) 78 keyID2, err := ksm2.Add(kt) 79 if err != nil { 80 t.Errorf("cannot add key: %s", err) 81 } 82 err = ksm2.SetPrimary(keyID2) 83 if err != nil { 84 t.Errorf("cannot set primary key: %s", err) 85 } 86 h2, err := ksm2.Handle() 87 if err != nil { 88 t.Errorf("cannot get keyset handle: %s", err) 89 } 90 ks2 := testkeyset.KeysetMaterial(h2) 91 92 if len(ks2.Key) != 2 { 93 t.Errorf("expect the number of keys to be 2, got %d", len(ks2.Key)) 94 } 95 if ks1.Key[0].String() != ks2.Key[0].String() { 96 t.Errorf("expect the first key in two keysets to be the same") 97 } 98 if ks2.Key[1].KeyId != ks2.PrimaryKeyId { 99 t.Errorf("expect the second key to be primary") 100 } 101} 102 103func TestKeysetManagerFull(t *testing.T) { 104 // Test a full keyset manager cycle: add, get info, set primary. 105 ksm := keyset.NewManager() 106 kt := mac.HMACSHA256Tag128KeyTemplate() 107 _, err := ksm.Add(kt) 108 if err != nil { 109 t.Errorf("Expected no error but got %s", err) 110 } 111 h1, err := ksm.Handle() 112 if err != nil { 113 t.Errorf("Expected no error but got %s", err) 114 } 115 info := h1.KeysetInfo() 116 if len(info.KeyInfo) != 1 { 117 t.Errorf("Expected one key but got %d", len(info.KeyInfo)) 118 } 119 newPrimaryKey := info.KeyInfo[0].KeyId 120 err = ksm.SetPrimary(newPrimaryKey) 121 if err != nil { 122 t.Errorf("Expected no error but got %s", err) 123 } 124 // validate this is a valid keyset 125 ks1 := testkeyset.KeysetMaterial(h1) 126 err = keyset.Validate(ks1) 127 if err != nil { 128 t.Errorf("Expected no error but got %s", err) 129 } 130} 131 132func TestKeysetManagerAdd(t *testing.T) { 133 ksm1 := keyset.NewManager() 134 kt := mac.HMACSHA256Tag128KeyTemplate() 135 keyID, err := ksm1.Add(kt) 136 if err != nil { 137 t.Errorf("Expected no error but got %s", err) 138 } 139 h, err := ksm1.Handle() 140 if err != nil { 141 t.Errorf("Cannot get keyset handle: %s", err) 142 } 143 ks := testkeyset.KeysetMaterial(h) 144 if len(ks.Key) != 1 { 145 t.Errorf("Expected one key but got %d", len(ks.Key)) 146 } 147 if ks.Key[0].KeyId != keyID { 148 t.Errorf("Expected added keyID to be %d but got %d", keyID, ks.Key[0].KeyId) 149 } 150 if ks.Key[0].Status != tinkpb.KeyStatusType_ENABLED { 151 t.Errorf("Expected key to be enabled but got %s", ks.Key[0].Status.String()) 152 } 153 // no primary key set 154 if ks.PrimaryKeyId != 0 { 155 t.Errorf("Expected no primary key but got %d", ks.PrimaryKeyId) 156 } 157} 158 159func TestKeysetManagerAddWithNilKeysetTemplateFails(t *testing.T) { 160 // ops with nil template should fail 161 ksm1 := keyset.NewManager() 162 _, err := ksm1.Add(nil) 163 if err == nil { 164 t.Errorf("ksm1.Add succeeded, but want error") 165 } 166} 167 168func TestKeysetManagerAddWithInvalidTypeUrlFails(t *testing.T) { 169 ksm1 := keyset.NewManager() 170 kt := &tinkpb.KeyTemplate{ 171 TypeUrl: "invalid type", 172 OutputPrefixType: tinkpb.OutputPrefixType_TINK, 173 } 174 _, err := ksm1.Add(kt) 175 if err == nil { 176 t.Errorf("ksm1.Add succeeded, want error") 177 } 178} 179 180func TestKeysetManagerAddWithUnknownOutputPrefixTypeFails(t *testing.T) { 181 ksm1 := keyset.NewManager() 182 kt := mac.HMACSHA256Tag128KeyTemplate() 183 kt.OutputPrefixType = tinkpb.OutputPrefixType_UNKNOWN_PREFIX 184 _, err := ksm1.Add(kt) 185 if err == nil { 186 t.Errorf("ksm1.Add(kt) where kt has an unknown prefix succeeded, want error") 187 } 188} 189 190func TestKeysetManagerEnable(t *testing.T) { 191 keyID := uint32(42) 192 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 193 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_DISABLED, keyID, tinkpb.OutputPrefixType_TINK) 194 ks1 := testutil.NewKeyset(keyID, []*tinkpb.Keyset_Key{key}) 195 h1, err := testkeyset.NewHandle(ks1) 196 if err != nil { 197 t.Errorf("Expected no error but got error %s", err) 198 } 199 ksm1 := keyset.NewManagerFromHandle(h1) 200 // enable key 201 err = ksm1.Enable(keyID) 202 if err != nil { 203 t.Errorf("Expected no error but got error %s", err) 204 } 205 h2, _ := ksm1.Handle() 206 ks2 := testkeyset.KeysetMaterial(h2) 207 if len(ks2.Key) != 1 { 208 t.Fatalf("Expected only one key, got %d", len(ks2.Key)) 209 } 210 if ks2.Key[0].KeyId != keyID { 211 t.Errorf("Expected keyID %d, got %d", keyID, ks2.Key[0].KeyId) 212 } 213 if ks2.Key[0].Status != tinkpb.KeyStatusType_ENABLED { 214 t.Errorf("Expected key to be enabled, but got %s", ks2.Key[0].Status.String()) 215 } 216} 217 218func TestKeysetManagerEnableWithUnknownStatus(t *testing.T) { 219 keyID := uint32(42) 220 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 221 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_UNKNOWN_STATUS, keyID, tinkpb.OutputPrefixType_TINK) 222 ks1 := testutil.NewKeyset(keyID, []*tinkpb.Keyset_Key{key}) 223 h1, err := testkeyset.NewHandle(ks1) 224 if err != nil { 225 t.Errorf("Expected no error but got error %s", err) 226 } 227 ksm1 := keyset.NewManagerFromHandle(h1) 228 // enable key 229 err = ksm1.Enable(keyID) 230 if err == nil { 231 t.Errorf("ksm1.Enable where key has unknown status succeeded, want error") 232 } 233 if !strings.Contains(err.Error(), "cannot enable") { 234 t.Errorf("Expected 'cannot enable' message, got %s", err) 235 } 236} 237 238func TestKeysetManagerEnableWithDestroyed(t *testing.T) { 239 keyID := uint32(42) 240 keyData := testutil.NewKeyData("some type url", nil, tinkpb.KeyData_SYMMETRIC) 241 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_DESTROYED, keyID, tinkpb.OutputPrefixType_TINK) 242 ks1 := testutil.NewKeyset(keyID, []*tinkpb.Keyset_Key{key}) 243 h1, err := testkeyset.NewHandle(ks1) 244 if err != nil { 245 t.Errorf("Expected no error but got error %s", err) 246 } 247 ksm1 := keyset.NewManagerFromHandle(h1) 248 // enable key 249 err = ksm1.Enable(keyID) 250 if err == nil { 251 t.Errorf("ksm1.Enable where key was destroyed succeeded, want error") 252 } 253 if !strings.Contains(err.Error(), "cannot enable") { 254 t.Errorf("Expected 'cannot enable' message, got %s", err) 255 } 256} 257 258func TestKeysetManagerEnableWithMissingKey(t *testing.T) { 259 keyID := uint32(42) 260 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 261 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_UNKNOWN_STATUS, keyID, tinkpb.OutputPrefixType_TINK) 262 ks1 := testutil.NewKeyset(keyID, []*tinkpb.Keyset_Key{key}) 263 h1, err := testkeyset.NewHandle(ks1) 264 if err != nil { 265 t.Errorf("Expected no error but got error %s", err) 266 } 267 ksm1 := keyset.NewManagerFromHandle(h1) 268 // enable key 269 err = ksm1.Enable(uint32(43)) 270 if err == nil { 271 t.Errorf("ksm1.Enable where key doesn't exist succeeded, want error") 272 } 273 if !strings.Contains(err.Error(), "not found") { 274 t.Errorf("Expected 'not found' message, got %s", err) 275 } 276} 277 278func TestKeysetManagerSetPrimary(t *testing.T) { 279 keyID := uint32(42) 280 newKeyID := uint32(43) 281 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 282 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, keyID, tinkpb.OutputPrefixType_TINK) 283 key2 := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, newKeyID, tinkpb.OutputPrefixType_TINK) 284 ks1 := testutil.NewKeyset(keyID, []*tinkpb.Keyset_Key{key, key2}) 285 h1, err := testkeyset.NewHandle(ks1) 286 if err != nil { 287 t.Errorf("Expected no error but got error %s", err) 288 } 289 ksm1 := keyset.NewManagerFromHandle(h1) 290 // set primary key 291 err = ksm1.SetPrimary(newKeyID) 292 if err != nil { 293 t.Errorf("Expected no error but got error %s", err) 294 } 295 h2, err := ksm1.Handle() 296 if err != nil { 297 t.Errorf("Expected no error but got error %s", err) 298 } 299 ks2 := testkeyset.KeysetMaterial(h2) 300 if len(ks2.Key) != 2 { 301 t.Errorf("Expected two keys, got %d", len(ks2.Key)) 302 } 303 if ks2.PrimaryKeyId != newKeyID { 304 t.Errorf("Expected new key to be primary, got %d", ks2.PrimaryKeyId) 305 } 306} 307 308func TestKeysetManagerSetPrimaryWithDisabledKey(t *testing.T) { 309 keyID := uint32(42) 310 newKeyID := uint32(43) 311 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 312 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, keyID, tinkpb.OutputPrefixType_TINK) 313 // create a disabled key 314 key2 := testutil.NewKey(keyData, tinkpb.KeyStatusType_DISABLED, newKeyID, tinkpb.OutputPrefixType_TINK) 315 ks1 := testutil.NewKeyset(keyID, []*tinkpb.Keyset_Key{key, key2}) 316 h1, err := testkeyset.NewHandle(ks1) 317 if err != nil { 318 t.Errorf("Expected no error but got error %s", err) 319 } 320 ksm1 := keyset.NewManagerFromHandle(h1) 321 // set primary key 322 err = ksm1.SetPrimary(newKeyID) 323 if err == nil { 324 t.Errorf("ksm1.SetPrimary on disabled key succeeded, want error") 325 } 326 if !strings.Contains(err.Error(), "not enabled") { 327 t.Errorf("Expected 'not enabled' message, got %s", err) 328 } 329} 330 331func TestKeysetManagerSetPrimaryWithDestroyedKey(t *testing.T) { 332 keyID := uint32(42) 333 newKeyID := uint32(43) 334 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 335 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, keyID, tinkpb.OutputPrefixType_TINK) 336 // create a destroyed key 337 key2 := testutil.NewKey(keyData, tinkpb.KeyStatusType_DESTROYED, newKeyID, tinkpb.OutputPrefixType_TINK) 338 ks1 := testutil.NewKeyset(keyID, []*tinkpb.Keyset_Key{key, key2}) 339 h1, err := testkeyset.NewHandle(ks1) 340 if err != nil { 341 t.Errorf("Expected no error but got error %s", err) 342 } 343 ksm1 := keyset.NewManagerFromHandle(h1) 344 // set primary key 345 err = ksm1.SetPrimary(newKeyID) 346 if err == nil { 347 t.Errorf("ksm1.SetPrimary on destroyed key succeeded, want error") 348 } 349 if !strings.Contains(err.Error(), "not enabled") { 350 t.Errorf("Expected 'not enabled' message, got %s", err) 351 } 352} 353 354func TestKeysetManagerSetPrimaryWithUnknownStatusKey(t *testing.T) { 355 keyID := uint32(42) 356 newKeyID := uint32(43) 357 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 358 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, keyID, tinkpb.OutputPrefixType_TINK) 359 // create an unknown status key 360 key2 := testutil.NewKey(keyData, tinkpb.KeyStatusType_UNKNOWN_STATUS, newKeyID, tinkpb.OutputPrefixType_TINK) 361 ks1 := testutil.NewKeyset(keyID, []*tinkpb.Keyset_Key{key, key2}) 362 h1, err := testkeyset.NewHandle(ks1) 363 if err != nil { 364 t.Errorf("Expected no error but got error %s", err) 365 } 366 ksm1 := keyset.NewManagerFromHandle(h1) 367 // set primary key 368 err = ksm1.SetPrimary(newKeyID) 369 if err == nil { 370 t.Errorf("ksm1.SetPrimary on unknown key succeeded, want error") 371 } 372 if !strings.Contains(err.Error(), "not enabled") { 373 t.Errorf("Expected 'not enabled' message, got %s", err) 374 } 375} 376 377func TestKeysetManagerSetPrimaryWithMissingKey(t *testing.T) { 378 keyID := uint32(42) 379 newKeyID := uint32(43) 380 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 381 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, keyID, tinkpb.OutputPrefixType_TINK) 382 // create an unknown status key 383 key2 := testutil.NewKey(keyData, tinkpb.KeyStatusType_UNKNOWN_STATUS, newKeyID, tinkpb.OutputPrefixType_TINK) 384 ks1 := testutil.NewKeyset(keyID, []*tinkpb.Keyset_Key{key, key2}) 385 h1, err := testkeyset.NewHandle(ks1) 386 if err != nil { 387 t.Errorf("Expected no error but got error %s", err) 388 } 389 ksm1 := keyset.NewManagerFromHandle(h1) 390 // set primary key 391 err = ksm1.SetPrimary(uint32(44)) 392 if err == nil { 393 t.Errorf("ksm1.SetPrimary on missing key succeeded, want error") 394 } 395 if !strings.Contains(err.Error(), "not found") { 396 t.Errorf("Expected 'not found' message, got %s", err) 397 } 398} 399 400func TestKeysetManagerDisable(t *testing.T) { 401 primaryKeyID := uint32(42) 402 otherKeyID := uint32(43) 403 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 404 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, primaryKeyID, tinkpb.OutputPrefixType_TINK) 405 key2 := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, otherKeyID, tinkpb.OutputPrefixType_TINK) 406 ks1 := testutil.NewKeyset(primaryKeyID, []*tinkpb.Keyset_Key{key, key2}) 407 h1, err := testkeyset.NewHandle(ks1) 408 if err != nil { 409 t.Errorf("Expected no error but got error %s", err) 410 } 411 ksm1 := keyset.NewManagerFromHandle(h1) 412 // disable key 413 err = ksm1.Disable(otherKeyID) 414 if err != nil { 415 t.Errorf("Expected no error but got error %s", err) 416 } 417 h2, err := ksm1.Handle() 418 if err != nil { 419 t.Errorf("Expected no error but got error %s", err) 420 } 421 ks2 := testkeyset.KeysetMaterial(h2) 422 if ks2.PrimaryKeyId != primaryKeyID { 423 t.Errorf("Expected same key to be primary, got %d", ks2.PrimaryKeyId) 424 } 425 if len(ks2.Key) != 2 { 426 t.Errorf("Expected two keys, got %d", len(ks2.Key)) 427 t.FailNow() 428 } 429 if ks2.Key[1].Status != tinkpb.KeyStatusType_DISABLED { 430 t.Errorf("Expected key to be disabled, got %s", ks2.Key[1].Status.String()) 431 } 432} 433 434func TestKeysetManagerDisableWithPrimaryKey(t *testing.T) { 435 primaryKeyID := uint32(42) 436 otherKeyID := uint32(43) 437 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 438 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, primaryKeyID, tinkpb.OutputPrefixType_TINK) 439 key2 := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, otherKeyID, tinkpb.OutputPrefixType_TINK) 440 ks1 := testutil.NewKeyset(primaryKeyID, []*tinkpb.Keyset_Key{key, key2}) 441 h1, err := testkeyset.NewHandle(ks1) 442 if err != nil { 443 t.Errorf("Expected no error but got error %s", err) 444 } 445 ksm1 := keyset.NewManagerFromHandle(h1) 446 // disable key 447 err = ksm1.Disable(primaryKeyID) 448 if err == nil { 449 t.Errorf("ksm1.Disable on primary key succeeded, want error") 450 } 451 if !strings.Contains(err.Error(), "cannot disable the primary key") { 452 t.Errorf("Expected 'cannot disable the primary key' message, got %s", err) 453 } 454 h2, err := ksm1.Handle() 455 if err != nil { 456 t.Errorf("Expected no error but got error %s", err) 457 } 458 ks2 := testkeyset.KeysetMaterial(h2) 459 if ks2.PrimaryKeyId != primaryKeyID { 460 t.Errorf("Expected same key to be primary, got %d", ks2.PrimaryKeyId) 461 } 462} 463 464func TestKeysetManagerDisableWithDestroyedKey(t *testing.T) { 465 primaryKeyID := uint32(42) 466 otherKeyID := uint32(43) 467 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 468 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, primaryKeyID, tinkpb.OutputPrefixType_TINK) 469 // destroyed key 470 key2 := testutil.NewKey(keyData, tinkpb.KeyStatusType_DESTROYED, otherKeyID, tinkpb.OutputPrefixType_TINK) 471 ks1 := testutil.NewKeyset(primaryKeyID, []*tinkpb.Keyset_Key{key, key2}) 472 h1, err := testkeyset.NewHandle(ks1) 473 if err != nil { 474 t.Errorf("Expected no error but got error %s", err) 475 } 476 ksm1 := keyset.NewManagerFromHandle(h1) 477 // disable key 478 err = ksm1.Disable(otherKeyID) 479 if err == nil { 480 t.Errorf("ksm1.Disable on destroyed key succeeded, want error") 481 } 482 if !strings.Contains(err.Error(), "cannot disable") { 483 t.Errorf("Expected 'cannot disable' message, got %s", err) 484 } 485} 486 487func TestKeysetManagerDisableWithMissingKey(t *testing.T) { 488 primaryKeyID := uint32(42) 489 otherKeyID := uint32(43) 490 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 491 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, primaryKeyID, tinkpb.OutputPrefixType_TINK) 492 key2 := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, otherKeyID, tinkpb.OutputPrefixType_TINK) 493 ks1 := testutil.NewKeyset(primaryKeyID, []*tinkpb.Keyset_Key{key, key2}) 494 h1, err := testkeyset.NewHandle(ks1) 495 if err != nil { 496 t.Errorf("Expected no error but got error %s", err) 497 } 498 ksm1 := keyset.NewManagerFromHandle(h1) 499 // disable key 500 err = ksm1.Disable(uint32(44)) 501 if err == nil { 502 t.Errorf("ksm1.Disable on missing key succeeded, want error") 503 } 504 if !strings.Contains(err.Error(), "not found") { 505 t.Errorf("Expected 'not found' message, got %s", err) 506 } 507} 508 509func TestKeysetManagerDelete(t *testing.T) { 510 keyID := uint32(42) 511 otherKeyID := uint32(43) 512 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 513 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, keyID, tinkpb.OutputPrefixType_TINK) 514 key2 := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, otherKeyID, tinkpb.OutputPrefixType_TINK) 515 ks1 := testutil.NewKeyset(keyID, []*tinkpb.Keyset_Key{key, key2}) 516 h1, err := testkeyset.NewHandle(ks1) 517 if err != nil { 518 t.Errorf("Expected no error but got error %s", err) 519 } 520 ksm1 := keyset.NewManagerFromHandle(h1) 521 // delete key 522 err = ksm1.Delete(otherKeyID) 523 if err != nil { 524 t.Errorf("Expected no error but got error %s", err) 525 } 526 h2, _ := ksm1.Handle() 527 ks2 := testkeyset.KeysetMaterial(h2) 528 if len(ks2.Key) != 1 { 529 t.Errorf("Expected only one key but got %d", len(ks2.Key)) 530 t.Fail() 531 } 532 if ks2.Key[0].KeyId != ks2.PrimaryKeyId || ks2.Key[0].KeyId != keyID { 533 t.Errorf("Expected keyID %d to be present but got %d", keyID, ks2.Key[0].KeyId) 534 } 535 if ks2.Key[0].Status != tinkpb.KeyStatusType_ENABLED { 536 t.Errorf("Expected key to be enabled but got %s", ks2.Key[0].Status.String()) 537 } 538} 539 540func TestKeysetManagerDeleteWithPrimaryKey(t *testing.T) { 541 keyID := uint32(42) 542 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 543 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, keyID, tinkpb.OutputPrefixType_TINK) 544 ks1 := testutil.NewKeyset(keyID, []*tinkpb.Keyset_Key{key}) 545 h1, err := testkeyset.NewHandle(ks1) 546 if err != nil { 547 t.Errorf("Expected no error but got error %s", err) 548 } 549 ksm1 := keyset.NewManagerFromHandle(h1) 550 // delete key 551 err = ksm1.Delete(keyID) 552 if err == nil { 553 t.Errorf("ksm1.Delete succeeded but expected error") 554 } 555 if !strings.Contains(err.Error(), "primary key") { 556 t.Errorf("Expected 'primary key' message but got %s", err) 557 } 558} 559 560func TestKeysetManagerDeleteWithMissingKey(t *testing.T) { 561 keyID := uint32(42) 562 keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC) 563 key := testutil.NewKey(keyData, tinkpb.KeyStatusType_ENABLED, keyID, tinkpb.OutputPrefixType_TINK) 564 ks1 := testutil.NewKeyset(keyID, []*tinkpb.Keyset_Key{key}) 565 h1, err := testkeyset.NewHandle(ks1) 566 if err != nil { 567 t.Errorf("Expected no error but got error %s", err) 568 } 569 ksm1 := keyset.NewManagerFromHandle(h1) 570 // delete key 571 err = ksm1.Delete(uint32(43)) 572 if err == nil { 573 t.Errorf("ksm1.Delete succeeded but expected error") 574 } 575 if !strings.Contains(err.Error(), "not found") { 576 t.Errorf("Expected 'not found' message but got %s", err) 577 } 578} 579 580func TestKeysetManagerWithEmptyManager(t *testing.T) { 581 // all ops with empty manager should fail 582 ksm1 := &keyset.Manager{} 583 _, err := ksm1.Add(mac.HMACSHA256Tag128KeyTemplate()) 584 if err == nil { 585 t.Errorf("ksm1.Add succeeded on empty manager, want error") 586 } 587 err = ksm1.SetPrimary(0) 588 if err == nil { 589 t.Errorf("ksm1.SetPrimary succeeded on empty manager, want error") 590 } 591 err = ksm1.Enable(0) 592 if err == nil { 593 t.Errorf("ksm1.Enable succeeded on empty manager, want error") 594 } 595 err = ksm1.Delete(0) 596 if err == nil { 597 t.Errorf("ksm1.Delete succeeded on empty manager, want error") 598 } 599 err = ksm1.Disable(0) 600 if err == nil { 601 t.Errorf("ksm1.Disable succeeded on empty manager, want error") 602 } 603} 604