Add some tests for KmsEnvelopeAeadKeyManager#createKeyTemplate and rework the documentation of it.
Let me know if the documentation is confusing -- and ideas how to make it less confusing in particular are welcome.
PiperOrigin-RevId: 564643609
Change-Id: I8c943bc627ba234a1687fcda3309968190bd80ff
diff --git a/src/main/java/com/google/crypto/tink/aead/KmsEnvelopeAeadKeyManager.java b/src/main/java/com/google/crypto/tink/aead/KmsEnvelopeAeadKeyManager.java
index 81cf5da..9e45636 100644
--- a/src/main/java/com/google/crypto/tink/aead/KmsEnvelopeAeadKeyManager.java
+++ b/src/main/java/com/google/crypto/tink/aead/KmsEnvelopeAeadKeyManager.java
@@ -120,12 +120,16 @@
}
/**
- * Returns a new {@link KeyTemplate} that can generate a {@link
- * com.google.crypto.tink.proto.KmsEnvelopeAeadKey} whose key encrypting key (KEK) is pointing to
- * {@code kekUri} and DEK template is {@code dekTemplate}. Keys generated by this key template
- * uses RAW output prefix to make them compatible with the remote KMS' encrypt/decrypt operations.
- * Unlike other templates, when you call {@link KeysetHandle#generateNew} with this template, Tink
- * does not generate new key material, but only creates a reference to the remote KEK.
+ * Returns a new {@link KeyTemplate} that can generate a {@link LegacyKmsEnvelopeAeadKey} whose
+ * key encrypting key (KEK) is pointing to {@code kekUri} and DEK template is {@code dekTemplate}
+ * (or a derived version of it).
+ *
+ * <p><b>Note: </b> Unlike other templates, when you call {@link KeysetHandle#generateNew} with
+ * this template Tink does not generate new key material, but instead creates a reference to the
+ * remote KEK.
+ *
+ * <p>The second argument of the passed in template is used ignoring the Variant, and assuming
+ * NO_PREFIX instead.
*/
public static KeyTemplate createKeyTemplate(String kekUri, KeyTemplate dekTemplate) {
try {
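Review bot: The last paragraph of the new Javadoc is the confusing part: "The second argument of the passed in template" reads as if the template had arguments, when it means this method's second argument, `dekTemplate`, and "(or a derived version of it)" two paragraphs earlier never says what is derived. I would fold both into one sentence, `<p>The output prefix type (Variant) of {@code dekTemplate} is ignored: the DEK parameters stored in the returned template are those of {@code dekTemplate} with the variant set to {@code NO_PREFIX}.` The removed text also gave a reason for the raw/no-prefix output (compatibility with the remote KMS's encrypt/decrypt operations); if that rationale still holds, keep it in the note so readers know why a supplied variant is overridden rather than rejected. The body of createKeyTemplate continues past the hunk, so I cannot see whether the override is accompanied by any validation of dekTemplate.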
diff --git a/src/test/java/com/google/crypto/tink/aead/BUILD.bazel b/src/test/java/com/google/crypto/tink/aead/BUILD.bazel
index 601ed83..c9461a0 100644
--- a/src/test/java/com/google/crypto/tink/aead/BUILD.bazel
+++ b/src/test/java/com/google/crypto/tink/aead/BUILD.bazel
@@ -106,12 +106,15 @@
"//proto:tink_java_proto",
"//src/main/java/com/google/crypto/tink:aead",
"//src/main/java/com/google/crypto/tink:key_template",
+ "//src/main/java/com/google/crypto/tink:key_templates",
"//src/main/java/com/google/crypto/tink:kms_clients",
"//src/main/java/com/google/crypto/tink:registry_cluster",
"//src/main/java/com/google/crypto/tink/aead:aead_config",
"//src/main/java/com/google/crypto/tink/aead:aes_ctr_hmac_aead_key_manager",
"//src/main/java/com/google/crypto/tink/aead:aes_gcm_key_manager",
+ "//src/main/java/com/google/crypto/tink/aead:aes_gcm_parameters",
"//src/main/java/com/google/crypto/tink/aead:kms_envelope_aead_key_manager",
+ "//src/main/java/com/google/crypto/tink/aead:legacy_kms_envelope_aead_parameters",
"//src/main/java/com/google/crypto/tink/internal:key_template_proto_converter",
"//src/main/java/com/google/crypto/tink/internal:key_type_manager",
"//src/main/java/com/google/crypto/tink/mac:hmac_key_manager",
diff --git a/src/test/java/com/google/crypto/tink/aead/KmsEnvelopeAeadKeyManagerTest.java b/src/test/java/com/google/crypto/tink/aead/KmsEnvelopeAeadKeyManagerTest.java
index b140599..c890890 100644
--- a/src/test/java/com/google/crypto/tink/aead/KmsEnvelopeAeadKeyManagerTest.java
+++ b/src/test/java/com/google/crypto/tink/aead/KmsEnvelopeAeadKeyManagerTest.java
@@ -22,6 +22,7 @@
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeyTemplate;
+import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KmsClients;
import com.google.crypto.tink.internal.KeyTemplateProtoConverter;
@@ -234,6 +235,41 @@
}
@Test
+ public void createKeyTemplate_ignoresOutputPrefix() throws Exception {
+ // When we create LegacyKmsEnvelopeAeadParameters, the underlying OutputPrefixType in the
+ // passed in dek Template is ignored.
+ KeyTemplate template1 =
+ KmsEnvelopeAeadKeyManager.createKeyTemplate(
+ "some URI", KeyTemplates.get("AES128_CTR_HMAC_SHA256"));
+ KeyTemplate template2 =
+ KmsEnvelopeAeadKeyManager.createKeyTemplate(
+ "some URI", KeyTemplates.get("AES128_CTR_HMAC_SHA256_RAW"));
+ assertThat(template1.toParameters()).isEqualTo(template2.toParameters());
+ }
+
+ @Test
+ public void createKeyTemplate_aesGcm_works() throws Exception {
+ LegacyKmsEnvelopeAeadParameters parameters =
+ LegacyKmsEnvelopeAeadParameters.builder()
+ .setKekUri("SomeMatchingKekUri")
+ .setDekParsingStrategy(
+ LegacyKmsEnvelopeAeadParameters.DekParsingStrategy.ASSUME_AES_GCM)
+ .setDekParametersForNewKeys(
+ AesGcmParameters.builder()
+ .setIvSizeBytes(12)
+ .setKeySizeBytes(16)
+ .setTagSizeBytes(16)
+ .setVariant(AesGcmParameters.Variant.NO_PREFIX)
+ .build())
+ .build();
+
+ KeyTemplate template1 =
+ KmsEnvelopeAeadKeyManager.createKeyTemplate(
+ "SomeMatchingKekUri", KeyTemplates.get("AES128_GCM"));
+ assertThat(template1.toParameters()).isEqualTo(parameters);
+ }
+
+ @Test
public void multipleAeadsWithSameKekAndSameDekTemplate_canDecryptEachOther() throws Exception {
String kekUri = FakeKmsClient.createFakeKeyUri();
KeyTemplate dekTemplate = AesCtrHmacAeadKeyManager.aes128CtrHmacSha256Template();
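Review bot: Neither new test pins what createKeyTemplate does when dekTemplate is not an AEAD template, which matters because an envelope key whose DEK cannot encrypt would otherwise only fail at use time; the BUILD hunk already depends on hmac_key_manager, so `KeyTemplates.get("HMAC_SHA256_128BITTAG")` is available as input. If the method rejects such input (its body is outside this hunk, so I cannot confirm), add `assertThrows(GeneralSecurityException.class, () -> KmsEnvelopeAeadKeyManager.createKeyTemplate("some URI", KeyTemplates.get("HMAC_SHA256_128BITTAG")));` with the actual exception type substituted; if it silently accepts it, that is worth a follow-up. As a smaller point, `createKeyTemplate_ignoresOutputPrefix` only shows the variant is ignored for AES-CTR-HMAC; a second pair built from `AES128_GCM` and `AES128_GCM_RAW` would cover the ASSUME_AES_GCM path the other test exercises. The enclosing test `multipleAeadsWithSameKekAndSameDekTemplate_canDecryptEachOther` continues past the hunk.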