Making changes to RSA
BSSA client so that it can process NO_MASK message mask type.
Currently none of our use case configs are set to NO_MASK but we will change a use case currently in dogfood to NO_MASK after informing the relevant teams.
PiperOrigin-RevId: 559453271
diff --git a/quiche/blind_sign_auth/anonymous_tokens/cpp/client/anonymous_tokens_rsa_bssa_client.cc b/quiche/blind_sign_auth/anonymous_tokens/cpp/client/anonymous_tokens_rsa_bssa_client.cc
index 3738654..e40c669 100644
--- a/quiche/blind_sign_auth/anonymous_tokens/cpp/client/anonymous_tokens_rsa_bssa_client.cc
+++ b/quiche/blind_sign_auth/anonymous_tokens/cpp/client/anonymous_tokens_rsa_bssa_client.cc
@@ -56,11 +56,24 @@
} else if (public_key.salt_length() <= 0) {
return absl::InvalidArgumentError(
"Non-positive salt length is not allowed.");
- } else if (public_key.message_mask_type() == AT_MESSAGE_MASK_TYPE_UNDEFINED ||
- public_key.message_mask_type() == AT_MESSAGE_MASK_XOR) {
- return absl::InvalidArgumentError("Message mask type must be defined.");
- } else if (public_key.message_mask_size() <= 0) {
- return absl::InvalidArgumentError("Message mask size must be positive.");
+ }
+
+ switch (public_key.message_mask_type()) {
+ case AT_MESSAGE_MASK_CONCAT:
+ if (public_key.message_mask_size() < 32) {
+ return absl::InvalidArgumentError(
+ "Message mask concat type must have a size of at least 32 bytes.");
+ }
+ break;
+ case AT_MESSAGE_MASK_NO_MASK:
+ if (public_key.message_mask_size() != 0) {
+ return absl::InvalidArgumentError(
+ "Message mask no mask type must be set to size 0 bytes.");
+ }
+ break;
+ default:
+ return absl::InvalidArgumentError(
+ "Message mask type must be defined and supported.");
}
RSAPublicKey rsa_public_key;
diff --git a/quiche/blind_sign_auth/anonymous_tokens/cpp/client/anonymous_tokens_rsa_bssa_client_test.cc b/quiche/blind_sign_auth/anonymous_tokens/cpp/client/anonymous_tokens_rsa_bssa_client_test.cc
index 5602cba..2db0d02 100644
--- a/quiche/blind_sign_auth/anonymous_tokens/cpp/client/anonymous_tokens_rsa_bssa_client_test.cc
+++ b/quiche/blind_sign_auth/anonymous_tokens/cpp/client/anonymous_tokens_rsa_bssa_client_test.cc
@@ -16,11 +16,14 @@
#include <memory>
#include <string>
+#include <tuple>
#include <utility>
#include <vector>
#include "quiche/common/platform/api/quiche_test.h"
#include "quiche/common/test_tools/quiche_test_utils.h"
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
#include "absl/time/time.h"
#include "quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/constants.h"
#include "quiche/blind_sign_auth/anonymous_tokens/cpp/crypto/rsa_blind_signer.h"
@@ -162,15 +165,31 @@
testing::HasSubstr("Message mask type must be defined"));
}
-TEST(CreateAnonymousTokensRsaBssaClientTest, InvalidMessageMaskSize) {
+TEST(CreateAnonymousTokensRsaBssaClientTest,
+ MessageMaskConcatInvalidMessageMaskSize) {
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
auto rsa_key,
CreateClientTestKey("TEST_USE_CASE", 1, AT_MESSAGE_MASK_CONCAT, 0));
absl::StatusOr<std::unique_ptr<AnonymousTokensRsaBssaClient>> client =
AnonymousTokensRsaBssaClient::Create(rsa_key.first);
EXPECT_EQ(client.status().code(), absl::StatusCode::kInvalidArgument);
+ EXPECT_THAT(
+ client.status().message(),
+ testing::HasSubstr(
+ "Message mask concat type must have a size of at least 32 bytes"));
+}
+
+TEST(CreateAnonymousTokensRsaBssaClientTest,
+ MessageMaskNoMaskInvalidMessageMaskSize) {
+ ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
+ auto rsa_key,
+ CreateClientTestKey("TEST_USE_CASE", 1, AT_MESSAGE_MASK_NO_MASK, 32));
+ absl::StatusOr<std::unique_ptr<AnonymousTokensRsaBssaClient>> client =
+ AnonymousTokensRsaBssaClient::Create(rsa_key.first);
+ EXPECT_EQ(client.status().code(), absl::StatusCode::kInvalidArgument);
EXPECT_THAT(client.status().message(),
- testing::HasSubstr("Message mask size must be positive"));
+ testing::HasSubstr(
+ "Message mask no mask type must be set to size 0 bytes."));
}
class AnonymousTokensRsaBssaClientTest : public testing::Test {
@@ -211,6 +230,34 @@
EXPECT_TRUE(client_->ProcessResponse(response).ok());
}
+TEST_F(AnonymousTokensRsaBssaClientTest, SuccessMultipleMessagesNoMessageMask) {
+ RSABlindSignaturePublicKey public_key;
+ RSAPrivateKey private_key;
+ ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
+ std::tie(public_key, private_key),
+ CreateClientTestKey("TEST_USE_CASE", /*key_version=*/1,
+ AT_MESSAGE_MASK_NO_MASK, /*message_mask_size=*/0));
+ ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
+ std::unique_ptr<AnonymousTokensRsaBssaClient> client,
+ AnonymousTokensRsaBssaClient::Create(public_key));
+ ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
+ std::vector<PlaintextMessageWithPublicMetadata> input_messages,
+ CreateInput({"message1", "msg2", "anotherMessage", "one_more_message"}));
+ ANON_TOKENS_ASSERT_OK_AND_ASSIGN(AnonymousTokensSignRequest request,
+ client->CreateRequest(input_messages));
+ ANON_TOKENS_ASSERT_OK_AND_ASSIGN(AnonymousTokensSignResponse response,
+ CreateResponse(request, private_key));
+ ASSERT_EQ(response.anonymous_tokens(), SizeIs(4));
+ ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
+ std::vector<RSABlindSignatureTokenWithInput> finalized_tokens_with_inputs,
+ client->ProcessResponse(response));
+
+ for (const RSABlindSignatureTokenWithInput& token_with_input :
+ finalized_tokens_with_inputs) {
+ EXPECT_TRUE(token_with_input.token().message_mask().empty());
+ }
+}
+
TEST_F(AnonymousTokensRsaBssaClientTest, EnsureRandomTokens) {
std::string message = "test_same_message";
ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
@@ -521,6 +568,39 @@
EXPECT_TRUE(public_metadata_client_->ProcessResponse(response).ok());
}
+TEST_F(AnonymousTokensRsaBssaClientWithPublicMetadataTest,
+ SuccessMultipleMessagesNoMessageMask) {
+ RSABlindSignaturePublicKey public_key;
+ RSAPrivateKey private_key;
+ ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
+ std::tie(public_key, private_key),
+ CreateClientTestKey("TEST_USE_CASE", /*key_version=*/1,
+ AT_MESSAGE_MASK_NO_MASK, /*message_mask_size=*/0,
+ /*enable_public_metadata=*/true));
+ ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
+ std::unique_ptr<AnonymousTokensRsaBssaClient> public_metadata_client,
+ AnonymousTokensRsaBssaClient::Create(public_key));
+ ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
+ std::vector<PlaintextMessageWithPublicMetadata> input_messages,
+ CreateInput({"message1", "msg2", "anotherMessage", "one_more_message"},
+ {"md1", "md2", "md3", "md4"}));
+ ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
+ AnonymousTokensSignRequest request,
+ public_metadata_client->CreateRequest(input_messages));
+ ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
+ AnonymousTokensSignResponse response,
+ CreateResponse(request, private_key, /*enable_public_metadata=*/true));
+ ASSERT_EQ(response.anonymous_tokens(), SizeIs(4));
+ ANON_TOKENS_ASSERT_OK_AND_ASSIGN(
+ std::vector<RSABlindSignatureTokenWithInput> finalized_tokens_with_inputs,
+ public_metadata_client->ProcessResponse(response));
+
+ for (const RSABlindSignatureTokenWithInput& token_with_input :
+ finalized_tokens_with_inputs) {
+ EXPECT_TRUE(token_with_input.token().message_mask().empty());
+ }
+}
+
} // namespace
} // namespace anonymous_tokens
} // namespace private_membership
