Remove deprecated Rotate API

#tinkApiChange PiperOrigin-RevId: 532413994 Change-Id: I6ec8e250dfab688df688b86046e31865df6becef
tink-crypto · May 16, 2023 · 4ba657e · 4ba657e
1 parent 4ce1e28
commit 4ba657e
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 63 deletions.
diff --git a/keyset/manager.go b/keyset/manager.go
@@ -46,22 +46,6 @@ func NewManagerFromHandle(kh *Handle) *Manager {
 	return ret
 }
 
-// Rotate generates a fresh key using the given key template and
-// sets the new key as the primary key.
-//
-// Deprecated: please use Add instead. Rotate adds a new key and immediately promotes it to primary.
-// However, when performing keyset rotation, you almost never want a newly added key to immediately be set as the primary key.
-// Instead, you want to allow sufficient time for key propagation to occur.
-func (km *Manager) Rotate(kt *tinkpb.KeyTemplate) error {
-	keyID, err := km.Add(kt)
-	if err != nil {
-		return err
-	}
-	// Set the new key as the primary key
-	km.ks.PrimaryKeyId = keyID
-	return nil
-}
-
 // Add generates and adds a fresh key using the given key template.
 // the key is enabled on creation, but not set to primary.
 // It returns the ID of the new key

diff --git a/keyset/manager_test.go b/keyset/manager_test.go
@@ -32,9 +32,13 @@ func TestKeysetManagerBasic(t *testing.T) {
 	// Create a keyset that contains a single HmacKey.
 	ksm := keyset.NewManager()
 	kt := mac.HMACSHA256Tag128KeyTemplate()
-	err := ksm.Rotate(kt)
+	keyID, err := ksm.Add(kt)
 	if err != nil {
-		t.Errorf("cannot rotate when key template is available: %s", err)
+		t.Errorf("cannot add key: %s", err)
+	}
+	err = ksm.SetPrimary(keyID)
+	if err != nil {
+		t.Errorf("cannot set primary key: %s", err)
 	}
 	h, err := ksm.Handle()
 	if err != nil {
@@ -56,19 +60,29 @@ func TestExistingKeyset(t *testing.T) {
 	// Create a keyset that contains a single HmacKey.
 	ksm1 := keyset.NewManager()
 	kt := mac.HMACSHA256Tag128KeyTemplate()
-	err := ksm1.Rotate(kt)
+	keyID1, err := ksm1.Add(kt)
 	if err != nil {
-		t.Errorf("cannot rotate when key template is available: %s", err)
+		t.Errorf("cannot add key: %s", err)
+	}
+	err = ksm1.SetPrimary(keyID1)
+	if err != nil {
+		t.Errorf("cannot set primary key: %s", err)
 	}
-
 	h1, err := ksm1.Handle()
 	if err != nil {
 		t.Errorf("cannot get keyset handle: %s", err)
 	}
 	ks1 := testkeyset.KeysetMaterial(h1)
 
 	ksm2 := keyset.NewManagerFromHandle(h1)
-	ksm2.Rotate(kt)
+	keyID2, err := ksm2.Add(kt)
+	if err != nil {
+		t.Errorf("cannot add key: %s", err)
+	}
+	err = ksm2.SetPrimary(keyID2)
+	if err != nil {
+		t.Errorf("cannot set primary key: %s", err)
+	}
 	h2, err := ksm2.Handle()
 	if err != nil {
 		t.Errorf("cannot get keyset handle: %s", err)
@@ -115,29 +129,6 @@ func TestKeysetManagerFull(t *testing.T) {
 	}
 }
 
-func TestUnknowOutputPrefixTypeFails(t *testing.T) {
-	ksm1 := keyset.NewManager()
-	kt := mac.HMACSHA256Tag128KeyTemplate()
-	kt.OutputPrefixType = tinkpb.OutputPrefixType_UNKNOWN_PREFIX
-	err := ksm1.Rotate(kt)
-	if err == nil {
-		t.Errorf("ksm1.Rotate(kt) where kt has an unknown prefix succeeded, want error")
-	}
-}
-
-func TestKeysetManagerWithNilKeysetTemplate(t *testing.T) {
-	// ops with nil template should fail
-	ksm1 := keyset.NewManager()
-	err := ksm1.Rotate(nil)
-	if err == nil {
-		t.Error("ksm1.Rotate succeeded, but want error")
-	}
-	_, err = ksm1.Add(nil)
-	if err == nil {
-		t.Errorf("ksm1.Add succeeded, but want error")
-	}
-}
-
 func TestKeysetManagerAdd(t *testing.T) {
 	ksm1 := keyset.NewManager()
 	kt := mac.HMACSHA256Tag128KeyTemplate()
@@ -165,7 +156,16 @@ func TestKeysetManagerAdd(t *testing.T) {
 	}
 }
 
-func TestKeysetManagerAddWithBadTemplate(t *testing.T) {
+func TestKeysetManagerAddWithNilKeysetTemplateFails(t *testing.T) {
+	// ops with nil template should fail
+	ksm1 := keyset.NewManager()
+	_, err := ksm1.Add(nil)
+	if err == nil {
+		t.Errorf("ksm1.Add succeeded, but want error")
+	}
+}
+
+func TestKeysetManagerAddWithInvalidTypeUrlFails(t *testing.T) {
 	ksm1 := keyset.NewManager()
 	kt := &tinkpb.KeyTemplate{
 		TypeUrl:          "invalid type",
@@ -177,6 +177,16 @@ func TestKeysetManagerAddWithBadTemplate(t *testing.T) {
 	}
 }
 
+func TestKeysetManagerAddWithUnknownOutputPrefixTypeFails(t *testing.T) {
+	ksm1 := keyset.NewManager()
+	kt := mac.HMACSHA256Tag128KeyTemplate()
+	kt.OutputPrefixType = tinkpb.OutputPrefixType_UNKNOWN_PREFIX
+	_, err := ksm1.Add(kt)
+	if err == nil {
+		t.Errorf("ksm1.Add(kt) where kt has an unknown prefix succeeded, want error")
+	}
+}
+
 func TestKeysetManagerEnable(t *testing.T) {
 	keyID := uint32(42)
 	keyData := testutil.NewKeyData("some type url", []byte{0}, tinkpb.KeyData_SYMMETRIC)
@@ -574,10 +584,6 @@ func TestKeysetManagerWithEmptyManager(t *testing.T) {
 	if err == nil {
 		t.Errorf("ksm1.Add succeeded on empty manager, want error")
 	}
-	err = ksm1.Rotate(mac.HMACSHA256Tag128KeyTemplate())
-	if err == nil {
-		t.Errorf("ksm1.Rotate succeeded on empty manager, want error")
-	}
 	err = ksm1.SetPrimary(0)
 	if err == nil {
 		t.Errorf("ksm1.SetPrimary succeeded on empty manager, want error")

diff --git a/prf/prf_set_factory_test.go b/prf/prf_set_factory_test.go
@@ -40,19 +40,15 @@ const (
 )
 
 func addKeyAndReturnID(m *keyset.Manager, template *tinkpb.KeyTemplate) (uint32, error) {
-	err := m.Rotate(template)
+	keyID, err := m.Add(template)
 	if err != nil {
-		return 0, fmt.Errorf("Could not add template: %v", err)
+		return 0, fmt.Errorf("Could not add key from the given template: %v", err)
 	}
-	h, err := m.Handle()
+	err = m.SetPrimary(keyID)
 	if err != nil {
-		return 0, fmt.Errorf("Could not obtain handle: %v", err)
+		return 0, fmt.Errorf("Could set key as primary: %v", err)
 	}
-	p, err := h.Primitives()
-	if err != nil {
-		return 0, fmt.Errorf("Could not obtain primitives: %v", err)
-	}
-	return p.Primary.KeyID, nil
+	return keyID, nil
 }
 
 func TestFactoryBasic(t *testing.T) {
@@ -172,7 +168,7 @@ func TestNonRawKeys(t *testing.T) {
 		t.Errorf("Expected non RAW prefix to fail to create prf.Set")
 	}
 	m := keyset.NewManagerFromHandle(h)
-	err = m.Rotate(prf.HMACSHA256PRFKeyTemplate())
+	_, err = addKeyAndReturnID(m, prf.HMACSHA256PRFKeyTemplate())
 	if err != nil {
 		t.Errorf("Expected to be able to add keys to the keyset: %v", err)
 	}
@@ -198,7 +194,7 @@ func TestNonPRFPrimitives(t *testing.T) {
 		t.Errorf("Expected non PRF primitive to fail to create prf.Set")
 	}
 	m := keyset.NewManagerFromHandle(h)
-	err = m.Rotate(prf.HMACSHA256PRFKeyTemplate())
+	_, err = addKeyAndReturnID(m, prf.HMACSHA256PRFKeyTemplate())
 	if err != nil {
 		t.Errorf("Expected to be able to add keys to the keyset: %v", err)
 	}

diff --git a/testutil/testutil.go b/testutil/testutil.go
@@ -604,9 +604,13 @@ func NewAESCMACKeyFormat(tagSize uint32) *cmacpb.AesCmacKeyFormat {
 func NewHMACKeysetManager() *keyset.Manager {
 	ksm := keyset.NewManager()
 	kt := mac.HMACSHA256Tag128KeyTemplate()
-	err := ksm.Rotate(kt)
+	keyID, err := ksm.Add(kt)
 	if err != nil {
-		panic(fmt.Sprintf("cannot rotate keyset manager: %s", err))
+		panic(fmt.Sprintf("cannot add key: %v", err))
+	}
+	err = ksm.SetPrimary(keyID)
+	if err != nil {
+		panic(fmt.Sprintf("cannot set primary key: %v", err))
 	}
 	return ksm
 }