# Copyright 2019 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. """Tests for tink.python.tink.cc.pybind.py_key_manager.""" from typing import cast from absl.testing import absltest from absl.testing import parameterized from tink.proto import aes_eax_pb2 from tink.proto import aes_siv_pb2 from tink.proto import common_pb2 from tink.proto import ecdsa_pb2 from tink.proto import ecies_aead_hkdf_pb2 from tink.proto import hmac_pb2 from tink.proto import hmac_prf_pb2 from tink.proto import hpke_pb2 from tink.proto import jwt_ecdsa_pb2 from tink.proto import jwt_hmac_pb2 from tink.proto import tink_pb2 from tink import aead from tink import hybrid from tink.cc.pybind import tink_bindings def setUpModule(): tink_bindings.register() tink_bindings.register_jwt() tink_bindings.register_hpke() class AeadKeyManagerTest(absltest.TestCase): def setUp(self): super().setUp() self.key_manager = tink_bindings.AeadKeyManager.from_cc_registry( 'type.googleapis.com/google.crypto.tink.AesEaxKey') def new_aes_eax_key_template(self, iv_size, key_size): key_format = aes_eax_pb2.AesEaxKeyFormat() key_format.params.iv_size = iv_size key_format.key_size = key_size key_template = tink_pb2.KeyTemplate() key_template.type_url = 'type.googleapis.com/google.crypto.tink.AesEaxKey' key_template.value = key_format.SerializeToString() return key_template.SerializeToString() def test_key_type(self): self.assertEqual(self.key_manager.key_type(), 'type.googleapis.com/google.crypto.tink.AesEaxKey') def test_new_key_data(self): key_template = self.new_aes_eax_key_template(12, 16) serialized_key_data = self.key_manager.new_key_data(key_template) key_data = tink_pb2.KeyData.FromString(serialized_key_data) self.assertEqual(key_data.type_url, self.key_manager.key_type()) self.assertEqual(key_data.key_material_type, tink_pb2.KeyData.SYMMETRIC) key = aes_eax_pb2.AesEaxKey.FromString(key_data.value) self.assertEqual(key.version, 0) self.assertEqual(key.params.iv_size, 12) self.assertLen(key.key_value, 16) def test_invalid_params_raise_exception(self): key_template = self.new_aes_eax_key_template(9, 16) with self.assertRaises(tink_bindings.PythonTinkException): self.key_manager.new_key_data(key_template) def test_encrypt_decrypt(self): key_template = self.new_aes_eax_key_template(12, 16) key_data = self.key_manager.new_key_data(key_template) primitive = self.key_manager.primitive(key_data) plaintext = b'plaintext' associated_data = b'associated_data' ciphertext = primitive.encrypt(plaintext, associated_data) self.assertEqual(primitive.decrypt(ciphertext, associated_data), plaintext) class DeterministicAeadKeyManagerTest(absltest.TestCase): def setUp(self): super().setUp() daead_key_manager = tink_bindings.DeterministicAeadKeyManager self.key_manager = daead_key_manager.from_cc_registry( 'type.googleapis.com/google.crypto.tink.AesSivKey') def new_aes_siv_key_template(self, key_size): key_format = aes_siv_pb2.AesSivKeyFormat() key_format.key_size = key_size key_template = tink_pb2.KeyTemplate() key_template.type_url = 'type.googleapis.com/google.crypto.tink.AesSivKey' key_template.value = key_format.SerializeToString() return key_template.SerializeToString() def test_key_type(self): self.assertEqual(self.key_manager.key_type(), 'type.googleapis.com/google.crypto.tink.AesSivKey') def test_new_key_data(self): key_template = self.new_aes_siv_key_template(64) key_data = tink_pb2.KeyData.FromString( self.key_manager.new_key_data(key_template)) self.assertEqual(key_data.type_url, self.key_manager.key_type()) self.assertEqual(key_data.key_material_type, tink_pb2.KeyData.SYMMETRIC) key = aes_siv_pb2.AesSivKey.FromString(key_data.value) self.assertEqual(key.version, 0) self.assertLen(key.key_value, 64) def test_invalid_params_raise_exception(self): key_template = self.new_aes_siv_key_template(65) with self.assertRaises(tink_bindings.PythonTinkException): self.key_manager.new_key_data(key_template) def test_encrypt_decrypt(self): key_template = self.new_aes_siv_key_template(64) key_data = self.key_manager.new_key_data(key_template) primitive = self.key_manager.primitive(key_data) plaintext = b'plaintext' associated_data = b'associated_data' ciphertext = primitive.encrypt_deterministically(plaintext, associated_data) self.assertEqual( primitive.decrypt_deterministically(ciphertext, associated_data), plaintext) class HybridKeyManagerTest(absltest.TestCase): def hybrid_decrypt_key_manager(self): return tink_bindings.HybridDecryptKeyManager.from_cc_registry( 'type.googleapis.com/google.crypto.tink.EciesAeadHkdfPrivateKey') def hybrid_encrypt_key_manager(self): return tink_bindings.HybridEncryptKeyManager.from_cc_registry( 'type.googleapis.com/google.crypto.tink.EciesAeadHkdfPublicKey') def test_new_key_data(self): key_manager = self.hybrid_decrypt_key_manager() key_data = tink_pb2.KeyData.FromString( key_manager.new_key_data( hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM .SerializeToString())) self.assertEqual(key_data.type_url, key_manager.key_type()) self.assertEqual(key_data.key_material_type, tink_pb2.KeyData.ASYMMETRIC_PRIVATE) key = ecies_aead_hkdf_pb2.EciesAeadHkdfPrivateKey.FromString(key_data.value) self.assertLen(key.key_value, 32) self.assertEqual(key.public_key.params.kem_params.curve_type, common_pb2.NIST_P256) def test_new_key_data_invalid_params_raise_exception(self): with self.assertRaisesRegex(tink_bindings.PythonTinkException, 'Unsupported elliptic curve'): self.hybrid_decrypt_key_manager().new_key_data( hybrid.hybrid_key_templates.create_ecies_aead_hkdf_key_template( curve_type=cast(common_pb2.EllipticCurveType, 100), # invalid ec_point_format=common_pb2.UNCOMPRESSED, hash_type=common_pb2.SHA256, dem_key_template=aead.aead_key_templates.AES128_GCM) .SerializeToString()) def test_encrypt_decrypt(self): decrypt_key_manager = self.hybrid_decrypt_key_manager() encrypt_key_manager = self.hybrid_encrypt_key_manager() key_data = decrypt_key_manager.new_key_data( hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM .SerializeToString()) public_key_data = decrypt_key_manager.public_key_data(key_data) hybrid_encrypt = encrypt_key_manager.primitive(public_key_data) ciphertext = hybrid_encrypt.encrypt(b'some plaintext', b'some context info') hybrid_decrypt = decrypt_key_manager.primitive(key_data) self.assertEqual(hybrid_decrypt.decrypt(ciphertext, b'some context info'), b'some plaintext') def test_decrypt_fails(self): decrypt_key_manager = self.hybrid_decrypt_key_manager() key_data = decrypt_key_manager.new_key_data( hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM .SerializeToString()) hybrid_decrypt = decrypt_key_manager.primitive(key_data) with self.assertRaisesRegex(tink_bindings.PythonTinkException, 'ciphertext too short'): hybrid_decrypt.decrypt(b'bad ciphertext', b'some context info') class HpkeKeyManagerTest(parameterized.TestCase): def hybrid_decrypt_key_manager(self): return tink_bindings.HybridDecryptKeyManager.from_cc_registry( 'type.googleapis.com/google.crypto.tink.HpkePrivateKey') def hybrid_encrypt_key_manager(self): return tink_bindings.HybridEncryptKeyManager.from_cc_registry( 'type.googleapis.com/google.crypto.tink.HpkePublicKey') def test_new_key_data(self): key_manager = self.hybrid_decrypt_key_manager() key_data = tink_pb2.KeyData.FromString( key_manager.new_key_data( hybrid.hybrid_key_templates .DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM.SerializeToString( ))) self.assertEqual(key_data.type_url, key_manager.key_type()) self.assertEqual(key_data.key_material_type, tink_pb2.KeyData.ASYMMETRIC_PRIVATE) key = hpke_pb2.HpkePrivateKey.FromString(key_data.value) self.assertLen(key.private_key, 32) # HPKE 'Nsk' parameter length = 32 self.assertEqual(key.public_key.params.kem, hpke_pb2.DHKEM_X25519_HKDF_SHA256) self.assertEqual(key.public_key.params.kdf, hpke_pb2.HKDF_SHA256) self.assertEqual(key.public_key.params.aead, hpke_pb2.AES_128_GCM) def test_new_key_data_invalid_kem_raise_exception(self): with self.assertRaisesRegex(tink_bindings.PythonTinkException, 'Invalid KEM param.'): self.hybrid_decrypt_key_manager().new_key_data( hybrid.hybrid_key_templates._create_hpke_key_template( hpke_kem=hpke_pb2.KEM_UNKNOWN, hpke_kdf=hpke_pb2.HKDF_SHA256, hpke_aead=hpke_pb2.AES_128_GCM, output_prefix_type=tink_pb2.TINK).SerializeToString()) def test_new_key_data_invalid_kdf_raise_exception(self): with self.assertRaisesRegex(tink_bindings.PythonTinkException, 'Invalid KDF param.'): self.hybrid_decrypt_key_manager().new_key_data( hybrid.hybrid_key_templates._create_hpke_key_template( hpke_kem=hpke_pb2.DHKEM_X25519_HKDF_SHA256, hpke_kdf=hpke_pb2.KDF_UNKNOWN, hpke_aead=hpke_pb2.AES_128_GCM, output_prefix_type=tink_pb2.TINK).SerializeToString()) def test_new_key_data_invalid_aead_raise_exception(self): with self.assertRaisesRegex(tink_bindings.PythonTinkException, 'Invalid AEAD param.'): self.hybrid_decrypt_key_manager().new_key_data( hybrid.hybrid_key_templates._create_hpke_key_template( hpke_kem=hpke_pb2.DHKEM_X25519_HKDF_SHA256, hpke_kdf=hpke_pb2.HKDF_SHA256, hpke_aead=hpke_pb2.AEAD_UNKNOWN, output_prefix_type=tink_pb2.TINK).SerializeToString()) def test_encrypt_decrypt(self): decrypt_key_manager = self.hybrid_decrypt_key_manager() encrypt_key_manager = self.hybrid_encrypt_key_manager() key_data = decrypt_key_manager.new_key_data( hybrid.hybrid_key_templates .DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM.SerializeToString()) public_key_data = decrypt_key_manager.public_key_data(key_data) hybrid_encrypt = encrypt_key_manager.primitive(public_key_data) ciphertext = hybrid_encrypt.encrypt(b'some plaintext', b'some context info') hybrid_decrypt = decrypt_key_manager.primitive(key_data) self.assertEqual( hybrid_decrypt.decrypt(ciphertext, b'some context info'), b'some plaintext') @parameterized.parameters( [tink_pb2.TINK, tink_pb2.RAW, tink_pb2.CRUNCHY, tink_pb2.LEGACY]) def test_encrypt_decrypt_by_prefix(self, prefix): decrypt_key_manager = self.hybrid_decrypt_key_manager() encrypt_key_manager = self.hybrid_encrypt_key_manager() key_data = decrypt_key_manager.new_key_data( hybrid.hybrid_key_templates._create_hpke_key_template( hpke_kem=hpke_pb2.DHKEM_X25519_HKDF_SHA256, hpke_kdf=hpke_pb2.HKDF_SHA256, hpke_aead=hpke_pb2.AES_128_GCM, output_prefix_type=prefix).SerializeToString()) public_key_data = decrypt_key_manager.public_key_data(key_data) hybrid_encrypt = encrypt_key_manager.primitive(public_key_data) ciphertext = hybrid_encrypt.encrypt(b'some plaintext', b'some context info') hybrid_decrypt = decrypt_key_manager.primitive(key_data) self.assertEqual( hybrid_decrypt.decrypt(ciphertext, b'some context info'), b'some plaintext') def test_decrypt_fails(self): decrypt_key_manager = self.hybrid_decrypt_key_manager() key_data = decrypt_key_manager.new_key_data( hybrid.hybrid_key_templates .DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM.SerializeToString()) hybrid_decrypt = decrypt_key_manager.primitive(key_data) with self.assertRaisesRegex(tink_bindings.PythonTinkException, 'Ciphertext is too short.'): hybrid_decrypt.decrypt(b'bad ciphertext', b'some context info') class MacKeyManagerTest(absltest.TestCase): def setUp(self): super().setUp() self.key_manager = tink_bindings.MacKeyManager.from_cc_registry( 'type.googleapis.com/google.crypto.tink.HmacKey') def new_hmac_key_template(self, hash_type, tag_size, key_size): key_format = hmac_pb2.HmacKeyFormat() key_format.params.hash = hash_type key_format.params.tag_size = tag_size key_format.key_size = key_size key_template = tink_pb2.KeyTemplate() key_template.type_url = 'type.googleapis.com/google.crypto.tink.HmacKey' key_template.value = key_format.SerializeToString() return key_template.SerializeToString() def test_key_type(self): self.assertEqual(self.key_manager.key_type(), 'type.googleapis.com/google.crypto.tink.HmacKey') def test_new_key_data(self): key_template = self.new_hmac_key_template(common_pb2.SHA256, 24, 16) key_data = tink_pb2.KeyData.FromString( self.key_manager.new_key_data(key_template)) self.assertEqual(key_data.type_url, self.key_manager.key_type()) key = hmac_pb2.HmacKey.FromString(key_data.value) self.assertEqual(key.version, 0) self.assertEqual(key.params.hash, common_pb2.SHA256) self.assertEqual(key.params.tag_size, 24) self.assertLen(key.key_value, 16) def test_invalid_params_raise_exception(self): key_template = self.new_hmac_key_template(common_pb2.SHA256, 9, 16) with self.assertRaises(tink_bindings.PythonTinkException): self.key_manager.new_key_data(key_template) def test_mac_success(self): mac = self.key_manager.primitive( self.key_manager.new_key_data( self.new_hmac_key_template(common_pb2.SHA256, 24, 16))) data = b'data' tag = mac.compute_mac(data) self.assertLen(tag, 24) # No exception raised. mac.verify_mac(tag, data) def test_mac_wrong(self): mac = self.key_manager.primitive( self.key_manager.new_key_data( self.new_hmac_key_template(common_pb2.SHA256, 16, 16))) with self.assertRaisesRegex(tink_bindings.PythonTinkException, 'verification failed'): mac.verify_mac(b'0123456789ABCDEF', b'data') class JwtMacKeyManagerTest(absltest.TestCase): def setUp(self): super().setUp() self.key_manager = tink_bindings.MacKeyManager.from_cc_registry( 'type.googleapis.com/google.crypto.tink.JwtHmacKey') def new_jwt_hmac_key_template(self, algorithm, key_size): key_format = jwt_hmac_pb2.JwtHmacKeyFormat() key_format.algorithm = algorithm key_format.key_size = key_size key_template = tink_pb2.KeyTemplate() key_template.type_url = 'type.googleapis.com/google.crypto.tink.JwtHmacKey' key_template.value = key_format.SerializeToString() return key_template.SerializeToString() def test_key_type(self): self.assertEqual(self.key_manager.key_type(), 'type.googleapis.com/google.crypto.tink.JwtHmacKey') def test_new_key_data(self): key_template = self.new_jwt_hmac_key_template(jwt_hmac_pb2.HS256, 32) key_data = tink_pb2.KeyData.FromString( self.key_manager.new_key_data(key_template)) self.assertEqual(key_data.type_url, self.key_manager.key_type()) key = jwt_hmac_pb2.JwtHmacKey.FromString(key_data.value) self.assertEqual(key.version, 0) self.assertEqual(key.algorithm, jwt_hmac_pb2.HS256) self.assertLen(key.key_value, 32) def test_too_short_key_size_raises_exception(self): key_template = self.new_jwt_hmac_key_template(jwt_hmac_pb2.HS256, 31) with self.assertRaises(tink_bindings.PythonTinkException): self.key_manager.new_key_data(key_template) def test_mac_success(self): mac = self.key_manager.primitive( self.key_manager.new_key_data( self.new_jwt_hmac_key_template(jwt_hmac_pb2.HS256, 32))) data = b'data' tag = mac.compute_mac(data) self.assertLen(tag, 32) # No exception raised. mac.verify_mac(tag, data) def test_mac_wrong(self): mac = self.key_manager.primitive( self.key_manager.new_key_data( self.new_jwt_hmac_key_template(jwt_hmac_pb2.HS256, 32))) with self.assertRaisesRegex(tink_bindings.PythonTinkException, 'verification failed'): mac.verify_mac(b'0123456789ABCDEF0123456789ABCDEF', b'data') class PrfKeyManagerTest(absltest.TestCase): def setUp(self): super().setUp() self.key_manager = tink_bindings.PrfKeyManager.from_cc_registry( 'type.googleapis.com/google.crypto.tink.HmacPrfKey') def new_hmac_prf_key_template(self, hash_type, key_size): key_format = hmac_prf_pb2.HmacPrfKeyFormat() key_format.params.hash = hash_type key_format.key_size = key_size key_format.version = 0 key_template = tink_pb2.KeyTemplate() key_template.type_url = 'type.googleapis.com/google.crypto.tink.HmacPrfKey' key_template.value = key_format.SerializeToString() return key_template.SerializeToString() def test_key_type(self): self.assertEqual(self.key_manager.key_type(), 'type.googleapis.com/google.crypto.tink.HmacPrfKey') def test_new_key_data(self): key_template = self.new_hmac_prf_key_template( hash_type=common_pb2.SHA256, key_size=16) key_data = tink_pb2.KeyData.FromString( self.key_manager.new_key_data(key_template)) self.assertEqual(key_data.type_url, self.key_manager.key_type()) key = hmac_pb2.HmacKey.FromString(key_data.value) self.assertEqual(key.version, 0) self.assertEqual(key.params.hash, common_pb2.SHA256) self.assertLen(key.key_value, 16) def test_invalid_params_raise_exception(self): key_template = self.new_hmac_prf_key_template( hash_type=common_pb2.SHA256, key_size=7) with self.assertRaises(tink_bindings.PythonTinkException): self.key_manager.new_key_data(key_template) def test_prf_success(self): prf = self.key_manager.primitive( self.key_manager.new_key_data( self.new_hmac_prf_key_template( hash_type=common_pb2.SHA256, key_size=16))) output = prf.compute(b'input_data', output_length=31) self.assertLen(output, 31) self.assertEqual(prf.compute(b'input_data', output_length=31), output) def test_prf_bad_output_length(self): prf = self.key_manager.primitive( self.key_manager.new_key_data( self.new_hmac_prf_key_template( hash_type=common_pb2.SHA256, key_size=16))) with self.assertRaises(tink_bindings.PythonTinkException): _ = prf.compute(b'input_data', output_length=12345) class PublicKeySignVerifyKeyManagerTest(absltest.TestCase): def setUp(self): super().setUp() public_key_verify_manager = tink_bindings.PublicKeyVerifyKeyManager self.key_manager_verify = public_key_verify_manager.from_cc_registry( 'type.googleapis.com/google.crypto.tink.EcdsaPublicKey') public_key_sign_manager = tink_bindings.PublicKeySignKeyManager self.key_manager_sign = public_key_sign_manager.from_cc_registry( 'type.googleapis.com/google.crypto.tink.EcdsaPrivateKey') def new_ecdsa_key_template(self, hash_type, curve_type, encoding, public=False): params = ecdsa_pb2.EcdsaParams( hash_type=hash_type, curve=curve_type, encoding=encoding) key_format = ecdsa_pb2.EcdsaKeyFormat(params=params) key_template = tink_pb2.KeyTemplate() if public: append = 'EcdsaPublicKey' else: append = 'EcdsaPrivateKey' key_template.type_url = 'type.googleapis.com/google.crypto.tink.' + append key_template.value = key_format.SerializeToString() return key_template.SerializeToString() def test_key_type_sign(self): self.assertEqual(self.key_manager_sign.key_type(), 'type.googleapis.com/google.crypto.tink.EcdsaPrivateKey') def test_key_type_verify(self): self.assertEqual(self.key_manager_verify.key_type(), 'type.googleapis.com/google.crypto.tink.EcdsaPublicKey') def test_new_key_data_sign(self): key_template = self.new_ecdsa_key_template( common_pb2.SHA256, common_pb2.NIST_P256, ecdsa_pb2.DER) key_data = tink_pb2.KeyData.FromString( self.key_manager_sign.new_key_data(key_template)) self.assertEqual(key_data.type_url, self.key_manager_sign.key_type()) key = ecdsa_pb2.EcdsaPrivateKey.FromString(key_data.value) public_key = key.public_key self.assertEqual(key.version, 0) self.assertEqual(public_key.version, 0) self.assertEqual(public_key.params.hash_type, common_pb2.SHA256) self.assertEqual(public_key.params.curve, common_pb2.NIST_P256) self.assertEqual(public_key.params.encoding, ecdsa_pb2.DER) self.assertLen(key.key_value, 32) def test_new_key_data_verify(self): key_template = self.new_ecdsa_key_template( common_pb2.SHA256, common_pb2.NIST_P256, ecdsa_pb2.DER, True) with self.assertRaisesRegex(tink_bindings.PythonTinkException, 'not supported'): self.key_manager_verify.new_key_data(key_template) def test_signature_success(self): priv_key = self.key_manager_sign.new_key_data( self.new_ecdsa_key_template(common_pb2.SHA256, common_pb2.NIST_P256, ecdsa_pb2.DER)) pub_key = self.key_manager_sign.public_key_data(priv_key) verifier = self.key_manager_verify.primitive(pub_key) signer = self.key_manager_sign.primitive(priv_key) data = b'data' signature = signer.sign(data) # Starts with a DER sequence self.assertEqual(bytearray(signature)[0], 0x30) verifier.verify(signature, data) def test_signature_fails(self): key_template = self.new_ecdsa_key_template( common_pb2.SHA256, common_pb2.NIST_P256, ecdsa_pb2.DER, False) priv_key = self.key_manager_sign.new_key_data(key_template) pub_key = self.key_manager_sign.public_key_data(priv_key) signer = self.key_manager_sign.primitive(priv_key) verifier = self.key_manager_verify.primitive(pub_key) data = b'data' signature = signer.sign(data) with self.assertRaisesRegex(tink_bindings.PythonTinkException, 'Signature is not valid'): verifier.verify(signature, b'wrongdata') with self.assertRaisesRegex(tink_bindings.PythonTinkException, 'Signature is not valid'): verifier.verify(b'wrongsignature', data) class JwtPublicKeySignVerifyKeyManagerTest(absltest.TestCase): def setUp(self): super().setUp() public_key_verify_manager = tink_bindings.PublicKeyVerifyKeyManager self.key_manager_verify = public_key_verify_manager.from_cc_registry( 'type.googleapis.com/google.crypto.tink.JwtEcdsaPublicKey') public_key_sign_manager = tink_bindings.PublicKeySignKeyManager self.key_manager_sign = public_key_sign_manager.from_cc_registry( 'type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey') def test_new_key_data_verify_fails(self): key_format = jwt_ecdsa_pb2.JwtEcdsaKeyFormat(algorithm=jwt_ecdsa_pb2.ES256) key_template = tink_pb2.KeyTemplate() key_template.type_url = ( 'type.googleapis.com/google.crypto.tink.JwtEcdsaPublicKey') key_template.value = key_format.SerializeToString() with self.assertRaisesRegex(tink_bindings.PythonTinkException, 'not supported'): self.key_manager_verify.new_key_data(key_template.SerializeToString()) def test_signature_success(self): key_format = jwt_ecdsa_pb2.JwtEcdsaKeyFormat(algorithm=jwt_ecdsa_pb2.ES256) key_template = tink_pb2.KeyTemplate() key_template.type_url = ( 'type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey') key_template.value = key_format.SerializeToString() priv_key = self.key_manager_sign.new_key_data( key_template.SerializeToString()) pub_key = self.key_manager_sign.public_key_data(priv_key) verifier = self.key_manager_verify.primitive(pub_key) signer = self.key_manager_sign.primitive(priv_key) data = b'data' signature = signer.sign(data) verifier.verify(signature, data) with self.assertRaises(tink_bindings.PythonTinkException): verifier.verify(signature, b'wrongdata') with self.assertRaises(tink_bindings.PythonTinkException): verifier.verify(b'wrongsignature', data) if __name__ == '__main__': absltest.main()