in cmd/conformance/main.go [837:996]
func runConfidentialUnwrapTestCase(ctx context.Context, t confidentialWrapUnwrapTest) error {
c, sessionContext, err := establishSecureSessionWithNullAttestation(ctx, t.keyInfo)
if err != nil {
return err
}
if t.closeSession {
if _, err := c.tls.Write([]byte(constants.EndSessionString)); err != nil {
return fmt.Errorf("session-encrypting the EndSession constant: %w", err)
}
records := c.shim.DrainSendBuf()
_, err := c.client.EndSession(ctx, &sspb.EndSessionRequest{
SessionContext: sessionContext,
TlsRecords: records,
})
if err != nil {
return fmt.Errorf("ending session: %w", err)
}
}
for i := 0; i <= t.extraCalls; i++ {
plaintext := []byte("This is plaintext to encrypt.")
keyPath := (t.keyInfo.uri)[strings.LastIndex(t.keyInfo.uri, "/")+1:]
// Send a ConfidentialWrapRequest so we have a wrapped blob to decrypt.
wrapReq := &cwpb.WrapRequest{
KeyPath: keyPath,
Plaintext: plaintext,
AdditionalContext: &cwpb.RequestContext{
RelativeResourceName: *unprotectedKeyResourceName,
AccessReasonContext: &cwpb.AccessReasonContext{Reason: cwpb.AccessReasonContext_CUSTOMER_INITIATED_ACCESS},
},
AdditionalAuthenticatedData: nil,
KeyUriPrefix: "",
}
marshaledWrapReq, err := proto.Marshal(wrapReq)
if err != nil {
return fmt.Errorf("error marshalling the WrapRequest to proto: %v", err)
}
if _, err := c.tls.Write(marshaledWrapReq); err != nil {
return fmt.Errorf("error writing the WrapRequest to the TLS session: %v", err)
}
records := c.shim.DrainSendBuf()
if t.mutateTLSRecords != nil {
records = t.mutateTLSRecords(records)
}
req := &cwpb.ConfidentialWrapRequest{
SessionContext: sessionContext,
TlsRecords: records,
RequestMetadata: &cwpb.RequestMetadata{
KeyPath: wrapReq.GetKeyPath(),
KeyUriPrefix: wrapReq.GetKeyUriPrefix(),
AdditionalContext: wrapReq.GetAdditionalContext(),
},
}
resp, err := c.client.ConfidentialWrap(ctx, req)
if err != nil {
return fmt.Errorf("error session-encrypting the records: %v", err)
}
// Session-decrypt the TLS records from the ConfidentialWrap call.
records = resp.GetTlsRecords()
c.shim.QueueReceiveBuf(records)
readBuf := make([]byte, recordBufferSize)
n, err := c.tls.Read(readBuf)
if err != nil {
return fmt.Errorf("error reading WrapResponse from TLS session: %v", err)
}
var wrapResp cwpb.WrapResponse
if err = proto.Unmarshal(readBuf[:n], &wrapResp); err != nil {
return fmt.Errorf("error parsing WrapResponse to proto: %v", err)
}
// Create an UnwrapRequest where the WrappedBlob is what we previously encrypted.
unwrapReq := &cwpb.UnwrapRequest{
KeyPath: keyPath,
WrappedBlob: wrapResp.GetWrappedBlob(),
AdditionalContext: &cwpb.RequestContext{
RelativeResourceName: *unprotectedKeyResourceName,
AccessReasonContext: &cwpb.AccessReasonContext{Reason: cwpb.AccessReasonContext_CUSTOMER_INITIATED_ACCESS},
},
AdditionalAuthenticatedData: nil,
KeyUriPrefix: "",
}
marshaledUnwrapReq, err := proto.Marshal(unwrapReq)
if err != nil {
return fmt.Errorf("error marshalling the WrapRequest to proto: %v", err)
}
if _, err := c.tls.Write(marshaledUnwrapReq); err != nil {
return fmt.Errorf("error writing the WrapRequest to the TLS session: %v", err)
}
records = c.shim.DrainSendBuf()
if t.mutateTLSRecords != nil {
records = t.mutateTLSRecords(records)
}
if t.mutateSessionKey != nil {
sessionContext = t.mutateSessionKey(sessionContext)
}
req2 := &cwpb.ConfidentialUnwrapRequest{
SessionContext: sessionContext,
TlsRecords: records,
RequestMetadata: &cwpb.RequestMetadata{
KeyPath: unwrapReq.GetKeyPath(),
KeyUriPrefix: unwrapReq.GetKeyUriPrefix(),
AdditionalContext: unwrapReq.GetAdditionalContext(),
},
}
if t.mutateJWT != nil {
newToken, err := t.mutateJWT(ctx, c.client.GetJWTToken())
if err != nil {
glog.Fatalf("Error mutating JWT: %v", err)
}
c.client.SetJWTToken(newToken)
}
resp2, err := c.client.ConfidentialUnwrap(ctx, req2)
if err != nil {
return fmt.Errorf("error session-encrypting the records: %v", err)
}
records = resp2.GetTlsRecords()
c.shim.QueueReceiveBuf(records)
readBuf = make([]byte, recordBufferSize)
n, err = c.tls.Read(readBuf)
if err != nil {
return fmt.Errorf("error reading UnwrapResponse from TLS session: %v", err)
}
var unwrapResp cwpb.UnwrapResponse
if err = proto.Unmarshal(readBuf[:n], &unwrapResp); err != nil {
return fmt.Errorf("error parsing UnwrapResponse: %v", err)
}
// Ensure session-decrypted plaintext in ConfidentialUnwrapRequest matches original plaintext.
if !bytes.Equal(unwrapResp.GetPlaintext(), plaintext) {
return fmt.Errorf("plaintext does not match original; got `%v`, want `%v`", unwrapResp.GetPlaintext(), plaintext)
}
}
return err
}