Create primitive from proto key serialization in AES-CTR-HMAC key man…

…ager

PiperOrigin-RevId: 714043459
Change-Id: I7df10834e7ea5abb02828e04642bfadedf13d090

aead/aesctrhmac/key_manager.go

@@ -20,9 +20,8 @@ import (
 
 	"google.golang.org/protobuf/proto"
 	"github.com/tink-crypto/tink-go/v2/aead/subtle"
-	"github.com/tink-crypto/tink-go/v2/insecuresecretdataaccess"
+	"github.com/tink-crypto/tink-go/v2/internal/protoserialization"
 	"github.com/tink-crypto/tink-go/v2/keyset"
-	"github.com/tink-crypto/tink-go/v2/secretdata"
 	"github.com/tink-crypto/tink-go/v2/subtle/random"
 	ctrpb "github.com/tink-crypto/tink-go/v2/proto/aes_ctr_go_proto"
 	aeadpb "github.com/tink-crypto/tink-go/v2/proto/aes_ctr_hmac_aead_go_proto"
@@ -45,37 +44,27 @@ type keyManager struct{}
 // Primitive creates a [subtle.NewEncryptThenAuthenticate] primitive for the given
 // serialized [aeadpb.AesCtrHmacAeadKey].
 func (km *keyManager) Primitive(serializedKey []byte) (any, error) {
-	protoKey := new(aeadpb.AesCtrHmacAeadKey)
-	if err := proto.Unmarshal(serializedKey, protoKey); err != nil {
-		return nil, fmt.Errorf("aes_ctr_hmac_aead_key_manager: invalid key")
-	}
-	if err := km.validateKey(protoKey); err != nil {
+	keySerialization, err := protoserialization.NewKeySerialization(&tinkpb.KeyData{
+		TypeUrl:         typeURL,
+		Value:           serializedKey,
+		KeyMaterialType: tinkpb.KeyData_SYMMETRIC,
+	}, tinkpb.OutputPrefixType_RAW, 0)
+	if err != nil {
 		return nil, err
 	}
-	params, err := NewParameters(ParametersOpts{
-		AESKeySizeInBytes:  int(len(protoKey.GetAesCtrKey().GetKeyValue())),
-		HMACKeySizeInBytes: int(len(protoKey.GetHmacKey().GetKeyValue())),
-		IVSizeInBytes:      int(protoKey.GetAesCtrKey().GetParams().GetIvSize()),
-		TagSizeInBytes:     int(protoKey.GetHmacKey().GetParams().GetTagSize()),
-		HashType:           HashType(protoKey.GetHmacKey().GetParams().GetHash()),
-		Variant:            VariantNoPrefix,
-	})
+	key, err := protoserialization.ParseKey(keySerialization)
 	if err != nil {
-		return nil, fmt.Errorf("aes_ctr_hmac_aead_key_manager: %s", err)
+		return nil, err
 	}
-	key, err := NewKey(KeyOpts{
-		AESKeyBytes:  secretdata.NewBytesFromData(protoKey.GetAesCtrKey().GetKeyValue(), insecuresecretdataaccess.Token{}),
-		HMACKeyBytes: secretdata.NewBytesFromData(protoKey.GetHmacKey().GetKeyValue(), insecuresecretdataaccess.Token{}),
-		Parameters:   params,
-	})
-	if err != nil {
-		return nil, fmt.Errorf("aes_ctr_hmac_aead_key_manager: %s", err)
+	aesCTRHMACKey, ok := key.(*Key)
+	if !ok {
+		return nil, fmt.Errorf("aes_ctr_hmac_aead_key_manager: invalid key type: got %T, want %T", key, (*Key)(nil))
 	}
-	aead, err := newAEAD(key)
+	ret, err := newAEAD(aesCTRHMACKey)
 	if err != nil {
-		return nil, fmt.Errorf("aes_ctr_hmac_aead_key_manager: %s", err)
+		return nil, fmt.Errorf("aes_ctr_hmac_aead_key_manager: %v", err)
 	}
-	return aead, nil
+	return ret, nil
 }
 
 // NewKey creates a new key according to the given serialized

aead/aesctrhmac/key_manager_test.go

@@ -19,8 +19,12 @@ import (
 
 	"google.golang.org/protobuf/proto"
 	"github.com/tink-crypto/tink-go/v2/aead"
+	aeadtestutil "github.com/tink-crypto/tink-go/v2/aead/internal/testutil"
+	"github.com/tink-crypto/tink-go/v2/aead/subtle"
 	"github.com/tink-crypto/tink-go/v2/core/registry"
+	subtleMac "github.com/tink-crypto/tink-go/v2/mac/subtle"
 	"github.com/tink-crypto/tink-go/v2/testutil"
+	"github.com/tink-crypto/tink-go/v2/tink"
 	ctrpb "github.com/tink-crypto/tink-go/v2/proto/aes_ctr_go_proto"
 	achpb "github.com/tink-crypto/tink-go/v2/proto/aes_ctr_hmac_aead_go_proto"
 	commonpb "github.com/tink-crypto/tink-go/v2/proto/common_go_proto"
@@ -138,6 +142,24 @@ func TestKeyManagerNewKeyWithInvalidSerializedKeyFormat(t *testing.T) {
 	}
 }
 
+func mustCreateSubtleAEAD(t *testing.T, key []byte, ivSize int, hashAlgo string, macKey []byte, tagSize int) tink.AEAD {
+	ctr, err := subtle.NewAESCTR(key, ivSize)
+	if err != nil {
+		t.Fatalf("subtle.NewAESCTR(key, ivSize) err = %v, want nil", err)
+	}
+
+	mac, err := subtleMac.NewHMAC(hashAlgo, macKey, uint32(tagSize))
+	if err != nil {
+		t.Fatalf("subtleMac.NewHMAC(hashAlgo, macKey, uint32(tagSize)) err = %v, want nil", err)
+	}
+
+	cipher, err := subtle.NewEncryptThenAuthenticate(ctr, mac, tagSize)
+	if err != nil {
+		t.Fatalf("subtle.NewEncryptThenAuthenticate(ctr, mac, tagSize) err = %v, want nil", err)
+	}
+	return cipher
+}
+
 func TestKeyManagerPrimitive(t *testing.T) {
 	keyManager, err := registry.GetKeyManager(testutil.AESCTRHMACAEADTypeURL)
 	if err != nil {
@@ -148,12 +170,12 @@ func TestKeyManagerPrimitive(t *testing.T) {
 		Version: 0,
 		AesCtrKey: &ctrpb.AesCtrKey{
 			Version:  0,
-			KeyValue: make([]byte, 32),
+			KeyValue: []byte("0123456789abcdef0123456789abcdef"),
 			Params:   &ctrpb.AesCtrParams{IvSize: 16},
 		},
 		HmacKey: &hmacpb.HmacKey{
 			Version:  0,
-			KeyValue: make([]byte, 32),
+			KeyValue: []byte("fedba9876543210fedcba9876543210"),
 			Params:   &hmacpb.HmacParams{Hash: commonpb.HashType_SHA256, TagSize: 32},
 		},
 	}
@@ -162,10 +184,22 @@ func TestKeyManagerPrimitive(t *testing.T) {
 		t.Fatalf("failed to marshal key: %s", err)
 	}
 
-	_, err = keyManager.Primitive(serializedKey)
+	p, err := keyManager.Primitive(serializedKey)
 	if err != nil {
 		t.Errorf("Primitive() err = %v, want nil", err)
 	}
+
+	aesCTRHMACAEAD, ok := p.(tink.AEAD)
+	if !ok {
+		t.Errorf("Primitive() returned %T, want tink.AEAD", p)
+	}
+	other := mustCreateSubtleAEAD(t, key.AesCtrKey.GetKeyValue(), 16, "SHA256", key.HmacKey.GetKeyValue(), 32)
+	if err := aeadtestutil.EncryptDecrypt(aesCTRHMACAEAD, other); err != nil {
+		t.Errorf("aeadtestutil.EncryptDecrypt(aesCTRHMACAEAD, other) err = %v, want nil", err)
+	}
+	if err := aeadtestutil.EncryptDecrypt(other, aesCTRHMACAEAD); err != nil {
+		t.Errorf("aeadtestutil.EncryptDecrypt(other, aesCTRHMACAEAD) err = %v, want nil", err)
+	}
 }
 
 func TestKeyManagerPrimitiveWithInvalidKey(t *testing.T) {