diff --git a/__init__.py b/__init__.py
index 5b8c5ab8aeb3c9a19ea95d27cd96f4c79a75e896..63ee79701397819b2c4b78ec4bb8724511137beb 100644
--- a/__init__.py
+++ b/__init__.py
@@ -24,7 +24,7 @@ from tink.python import daead
from tink.python import hybrid
from tink.python import mac
from tink.python import signature
-from tink.python.core import tink_config
+from tink.python import tink_config
Aead = aead.Aead
diff --git a/python/aead/aead_key_manager_test.py b/python/aead/aead_key_manager_test.py
index 685d93ef00b3f2cf1a15ce0ff62a84daf02fd9b3..6a1a9b481f59084dc8c64938c27b422dbeabd2d8 100644
--- a/python/aead/aead_key_manager_test.py
+++ b/python/aead/aead_key_manager_test.py
@@ -22,9 +22,9 @@ from absl.testing import absltest
from tink.proto import aes_eax_pb2
from tink.proto import aes_gcm_pb2
from tink.proto import tink_pb2
+from tink.python import tink_config
from tink.python.aead import aead
from tink.python.aead import aead_key_manager
-from tink.python.core import tink_config
from tink.python.core import tink_error
diff --git a/python/core/keyset_handle_test.py b/python/core/keyset_handle_test.py
index 3ab6595a4bf237007bd846820bc14babe8a02276..50ccb9aa3bf5bbee134323b605456f98adcc0154 100644
--- a/python/core/keyset_handle_test.py
+++ b/python/core/keyset_handle_test.py
@@ -27,7 +27,7 @@ from tink.python import aead
from tink.python import core
from tink.python import hybrid
from tink.python import mac
-from tink.python.core import tink_config
+from tink.python import tink_config
from tink.python.testing import helper
diff --git a/python/core/tink_config.py b/python/core/tink_config.py
deleted file mode 100644
index 0ba8523cc023b5f85b4cb72e03b9437b3f8b1287..0000000000000000000000000000000000000000
--- a/python/core/tink_config.py
+++ /dev/null
@@ -1,75 +0,0 @@
-# Copyright 2019 Google LLC.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""Static methods for handling of Tink configurations."""
-
-from __future__ import absolute_import
-from __future__ import division
-from __future__ import print_function
-
-from tink.python import aead
-from tink.python import daead
-from tink.python import hybrid
-from tink.python import mac
-from tink.python import signature
-from tink.python.aead import aead_key_manager
-from tink.python.cc.clif import cc_tink_config
-from tink.python.core import registry
-from tink.python.daead import deterministic_aead_key_manager
-from tink.python.hybrid import hybrid_decrypt_key_manager
-from tink.python.hybrid import hybrid_encrypt_key_manager
-from tink.python.mac import mac_key_manager
-from tink.python.signature import public_key_sign_key_manager
-from tink.python.signature import public_key_verify_key_manager
-
-
-KEY_MANAGER_GENERATORS = {
- 'Aead': aead_key_manager.from_cc_registry,
- 'DeterministicAead': deterministic_aead_key_manager.from_cc_registry,
- 'HybridDecrypt': hybrid_decrypt_key_manager.from_cc_registry,
- 'HybridEncrypt': hybrid_encrypt_key_manager.from_cc_registry,
- 'Mac': mac_key_manager.from_cc_registry,
- 'PublicKeySign': public_key_sign_key_manager.from_cc_registry,
- 'PublicKeyVerify': public_key_verify_key_manager.from_cc_registry,
-}
-
-
-def register():
- cc_tink_config.register()
- _register_key_managers()
- _register_primitive_wrappers()
-
-
-def latest():
- return cc_tink_config.latest()
-
-
-def _register_key_managers():
- for entry in cc_tink_config.latest().entry:
- if entry.primitive_name in KEY_MANAGER_GENERATORS:
- registry.Registry.register_key_manager(
- KEY_MANAGER_GENERATORS[entry.primitive_name](entry.type_url),
- entry.new_key_allowed)
-
-
-def _register_primitive_wrappers():
- """Registers all primitive wrappers."""
- register_primitive_wrapper = registry.Registry.register_primitive_wrapper
- register_primitive_wrapper(aead.AeadWrapper())
- register_primitive_wrapper(daead.DeterministicAeadWrapper())
- register_primitive_wrapper(hybrid.HybridDecryptWrapper())
- register_primitive_wrapper(hybrid.HybridEncryptWrapper())
- register_primitive_wrapper(mac.MacWrapper())
- register_primitive_wrapper(signature.PublicKeySignWrapper())
- register_primitive_wrapper(signature.PublicKeyVerifyWrapper())
diff --git a/python/core/tink_config_test.py b/python/core/tink_config_test.py
deleted file mode 100644
index 6fe0e31614d8df79f59c2c67b2e68090db6f8271..0000000000000000000000000000000000000000
--- a/python/core/tink_config_test.py
+++ /dev/null
@@ -1,225 +0,0 @@
-# Copyright 2019 Google LLC.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-"""Tests for tink.python.tink_config."""
-
-from __future__ import absolute_import
-from __future__ import division
-from __future__ import print_function
-
-from absl.testing import absltest
-from tink.proto import tink_pb2
-from tink.python import aead
-from tink.python import core
-from tink.python import daead
-from tink.python import hybrid
-from tink.python import mac
-from tink.python import signature
-from tink.python.core import tink_config
-
-
-def setUpModule():
- tink_config.register()
-
-
-def _primitive_and_key(key_data, primitive_class, output_prefix_type):
- primitive = core.Registry.primitive(key_data, primitive_class)
- key = tink_pb2.Keyset.Key(
- key_id=1, status=tink_pb2.ENABLED, output_prefix_type=output_prefix_type)
- key.key_data.CopyFrom(key_data)
- return primitive, key
-
-
-def _new_primitive_and_key(template, primitive_class, output_prefix_type):
- return _primitive_and_key(
- core.Registry.new_key_data(template), primitive_class, output_prefix_type)
-
-
-def _public_primitive_and_key(private_key, primitive_class, output_prefix_type):
- return _primitive_and_key(
- core.Registry.public_key_data(private_key.key_data), primitive_class,
- output_prefix_type)
-
-
-class TinkConfigTest(absltest.TestCase):
-
- def test_all_aead_templates_are_registered(self):
- for template in [
- aead.aead_key_templates.AES128_EAX,
- aead.aead_key_templates.AES256_EAX,
- aead.aead_key_templates.AES128_GCM,
- aead.aead_key_templates.AES256_GCM,
- aead.aead_key_templates.AES128_CTR_HMAC_SHA256,
- aead.aead_key_templates.AES256_CTR_HMAC_SHA256,
- aead.aead_key_templates.XCHACHA20_POLY1305
- ]:
- key_data = core.Registry.new_key_data(template)
- primitive = core.Registry.primitive(key_data, aead.Aead)
- self.assertEqual(
- primitive.decrypt(primitive.encrypt(b'message', b'ad'), b'ad'),
- b'message')
-
- def test_all_mac_templates_are_registered(self):
- for template in [
- mac.mac_key_templates.HMAC_SHA256_128BITTAG,
- mac.mac_key_templates.HMAC_SHA256_256BITTAG
- ]:
- key_data = core.Registry.new_key_data(template)
- primitive = core.Registry.primitive(key_data, mac.Mac)
- self.assertIsNone(
- primitive.verify_mac(primitive.compute_mac(b'data'), b'data'))
-
- def test_all_deterministic_aead_templates_are_registered(self):
- key_data = core.Registry.new_key_data(
- daead.deterministic_aead_key_templates.AES256_SIV)
- daead_primitive = core.Registry.primitive(key_data, daead.DeterministicAead)
- ciphertext = daead_primitive.encrypt_deterministically(b'message', b'ad')
- self.assertEqual(
- daead_primitive.decrypt_deterministically(ciphertext, b'ad'),
- b'message')
-
- def test_aead_wrapper_is_correctly_registered(self):
- aead1, key1 = _new_primitive_and_key(aead.aead_key_templates.AES128_EAX,
- aead.Aead, tink_pb2.RAW)
- aead2, key2 = _new_primitive_and_key(aead.aead_key_templates.AES256_GCM,
- aead.Aead, tink_pb2.TINK)
- pset = core.PrimitiveSet(aead.Aead)
- pset.add_primitive(aead1, key1)
- pset.set_primary(pset.add_primitive(aead2, key2))
- wrapped_aead = core.Registry.wrap(pset)
-
- self.assertEqual(
- wrapped_aead.decrypt(aead1.encrypt(b'plaintext1', b'ad1'), b'ad1'),
- b'plaintext1')
- self.assertEqual(
- wrapped_aead.decrypt(
- wrapped_aead.encrypt(b'plaintext2', b'ad2'), b'ad2'), b'plaintext2')
-
- def test_mac_wrapper_is_correctly_registered(self):
- mac1, key1 = _new_primitive_and_key(
- mac.mac_key_templates.HMAC_SHA256_128BITTAG, mac.Mac, tink_pb2.RAW)
- mac2, key2 = _new_primitive_and_key(
- mac.mac_key_templates.HMAC_SHA256_256BITTAG, mac.Mac, tink_pb2.TINK)
- pset = core.PrimitiveSet(mac.Mac)
- pset.add_primitive(mac1, key1)
- pset.set_primary(pset.add_primitive(mac2, key2))
- wrapped_mac = core.Registry.wrap(pset)
-
- self.assertIsNone(
- wrapped_mac.verify_mac(mac1.compute_mac(b'data1'), b'data1'))
- self.assertIsNone(
- wrapped_mac.verify_mac(wrapped_mac.compute_mac(b'data2'), b'data2'))
-
- def test_deterministic_aead_wrapper_is_correctly_registered(self):
- daead1, key1 = _new_primitive_and_key(
- daead.deterministic_aead_key_templates.AES256_SIV,
- daead.DeterministicAead, tink_pb2.RAW)
- daead2, key2 = _new_primitive_and_key(
- daead.deterministic_aead_key_templates.AES256_SIV,
- daead.DeterministicAead, tink_pb2.TINK)
- pset = core.PrimitiveSet(daead.DeterministicAead)
- pset.add_primitive(daead1, key1)
- pset.set_primary(pset.add_primitive(daead2, key2))
- wrapped_daead = core.Registry.wrap(pset)
-
- self.assertEqual(
- wrapped_daead.decrypt_deterministically(
- daead1.encrypt_deterministically(b'plaintext1', b'ad1'), b'ad1'),
- b'plaintext1')
- self.assertEqual(
- wrapped_daead.decrypt_deterministically(
- wrapped_daead.encrypt_deterministically(b'plaintext2', b'ad2'),
- b'ad2'), b'plaintext2')
-
- def test_hybrid_wrappers_are_correctly_registered(self):
- dec1, dec1_key = _new_primitive_and_key(
- hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM,
- hybrid.HybridDecrypt, tink_pb2.RAW)
- enc1, enc1_key = _public_primitive_and_key(dec1_key, hybrid.HybridEncrypt,
- tink_pb2.RAW)
-
- dec2, dec2_key = _new_primitive_and_key(
- hybrid.hybrid_key_templates.ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM,
- hybrid.HybridDecrypt, tink_pb2.RAW)
- enc2, enc2_key = _public_primitive_and_key(dec2_key, hybrid.HybridEncrypt,
- tink_pb2.RAW)
-
- dec_pset = core.PrimitiveSet(hybrid.HybridDecrypt)
- dec_pset.add_primitive(dec1, dec1_key)
- dec_pset.set_primary(dec_pset.add_primitive(dec2, dec2_key))
- wrapped_dec = core.Registry.wrap(dec_pset)
-
- enc_pset = core.PrimitiveSet(hybrid.HybridEncrypt)
- enc_pset.add_primitive(enc1, enc1_key)
- enc_pset.set_primary(enc_pset.add_primitive(enc2, enc2_key))
- wrapped_enc = core.Registry.wrap(enc_pset)
-
- self.assertEqual(
- wrapped_dec.decrypt(enc1.encrypt(b'plaintext1', b'ad1'), b'ad1'),
- b'plaintext1')
- self.assertEqual(
- wrapped_dec.decrypt(wrapped_enc.encrypt(b'plaintext2', b'ad2'), b'ad2'),
- b'plaintext2')
-
- def test_key_managers_for_signature_templates_are_registered(self):
- key_templates = signature.signature_key_templates
- for template in [
- key_templates.ECDSA_P256, key_templates.ECDSA_P384,
- key_templates.ECDSA_P521, key_templates.ECDSA_P256_IEEE_P1363,
- key_templates.ECDSA_P256_IEEE_P1363,
- key_templates.ECDSA_P521_IEEE_P1363, key_templates.ED25519,
- key_templates.RSA_SSA_PSS_3072_SHA256_SHA256_32_F4,
- key_templates.RSA_SSA_PSS_4096_SHA512_SHA512_64_F4,
- key_templates.RSA_SSA_PKCS1_3072_SHA256_F4,
- key_templates.RSA_SSA_PKCS1_4096_SHA512_F4
- ]:
- key_data = core.Registry.new_key_data(template)
- primitive = core.Registry.primitive(key_data, signature.PublicKeySign)
- sig = primitive.sign(b'data')
-
- public_key = core.Registry.public_key_data(key_data)
- primitive_verify = core.Registry.primitive(public_key,
- signature.PublicKeyVerify)
-
- primitive_verify.verify(sig, b'data')
-
- def test_signature_wrapper_is_correctly_registered(self):
- sig1, key1 = _new_primitive_and_key(
- signature.signature_key_templates.ECDSA_P256, signature.PublicKeySign,
- tink_pb2.TINK)
- sig2, key2 = _new_primitive_and_key(
- signature.signature_key_templates.ECDSA_P256, signature.PublicKeySign,
- tink_pb2.TINK)
-
- ver1, pubkey1 = _public_primitive_and_key(key1, signature.PublicKeyVerify,
- tink_pb2.TINK)
- ver2, pubkey2 = _public_primitive_and_key(key2, signature.PublicKeyVerify,
- tink_pb2.TINK)
-
- pset = core.PrimitiveSet(signature.PublicKeySign)
- pset.add_primitive(sig1, key1)
- pset.set_primary(pset.add_primitive(sig2, key2))
- wrapped_sig = core.Registry.wrap(pset)
-
- pset_verify = core.new_primitive_set(signature.PublicKeyVerify)
- pset_verify.add_primitive(ver1, pubkey1)
- pset_verify.set_primary(pset_verify.add_primitive(ver2, pubkey2))
- wrapped_ver = core.Registry.wrap(pset_verify)
-
- sig = wrapped_sig.sign(b'data')
- wrapped_ver.verify(sig, b'data')
-
-
-if __name__ == '__main__':
- absltest.main()
diff --git a/python/daead/deterministic_aead_key_manager_test.py b/python/daead/deterministic_aead_key_manager_test.py
index 8856c6fbb7c5fea8a0aac121fdf657dd641ef6fb..94bf467ceb45030737e4494c9e8333ab9439b4a7 100644
--- a/python/daead/deterministic_aead_key_manager_test.py
+++ b/python/daead/deterministic_aead_key_manager_test.py
@@ -21,7 +21,7 @@ from __future__ import print_function
from absl.testing import absltest
from tink.proto import aes_siv_pb2
from tink.proto import tink_pb2
-from tink.python.core import tink_config
+from tink.python import tink_config
from tink.python.core import tink_error
from tink.python.daead import deterministic_aead
from tink.python.daead import deterministic_aead_key_manager
diff --git a/python/hybrid/hybrid_key_manager_test.py b/python/hybrid/hybrid_key_manager_test.py
index e4d1783f840c50139092e41c5b37cde6210c80aa..a6ebadd8f8b302fa8a25457836e7457cc8b0a611 100644
--- a/python/hybrid/hybrid_key_manager_test.py
+++ b/python/hybrid/hybrid_key_manager_test.py
@@ -22,8 +22,8 @@ from absl.testing import absltest
from tink.proto import common_pb2
from tink.proto import ecies_aead_hkdf_pb2
from tink.proto import tink_pb2
+from tink.python import tink_config
from tink.python.aead import aead_key_templates
-from tink.python.core import tink_config
from tink.python.core import tink_error
from tink.python.hybrid import hybrid_decrypt
from tink.python.hybrid import hybrid_decrypt_key_manager
diff --git a/python/signature/public_key_sign_key_manager_test.py b/python/signature/public_key_sign_key_manager_test.py
index bd18cbe4b9dbb53f051adfe5c48b3674d3cd787c..896df2fb75889477f9950fada4d67f67d49e67d0 100644
--- a/python/signature/public_key_sign_key_manager_test.py
+++ b/python/signature/public_key_sign_key_manager_test.py
@@ -23,7 +23,7 @@ from absl.testing import absltest
from tink.proto import common_pb2
from tink.proto import ecdsa_pb2
from tink.proto import tink_pb2
-from tink.python.core import tink_config
+from tink.python import tink_config
from tink.python.signature import public_key_sign
from tink.python.signature import public_key_sign_key_manager
from tink.python.signature import public_key_verify_key_manager
diff --git a/python/signature/public_key_verify_key_manager_test.py b/python/signature/public_key_verify_key_manager_test.py
index d58ea52cf8671c25561df60626863cc0e3af4ffe..bfd9a480f1bda80808d333a539ee90ebe54b1d45 100644
--- a/python/signature/public_key_verify_key_manager_test.py
+++ b/python/signature/public_key_verify_key_manager_test.py
@@ -23,7 +23,7 @@ from absl.testing import absltest
from tink.proto import common_pb2
from tink.proto import ecdsa_pb2
from tink.proto import tink_pb2
-from tink.python.core import tink_config
+from tink.python import tink_config
from tink.python.core import tink_error
from tink.python.signature import public_key_sign_key_manager
from tink.python.signature import public_key_verify_key_manager
diff --git a/python/signature/signature_key_templates_test.py b/python/signature/signature_key_templates_test.py
index da256d022b20d3d8a58e4d6ec904eb81371c2ff4..e5606681bdba778ee8e300aea6c41ac9d8ebdff8 100644
--- a/python/signature/signature_key_templates_test.py
+++ b/python/signature/signature_key_templates_test.py
@@ -26,7 +26,7 @@ from tink.proto import ecdsa_pb2
from tink.proto import rsa_ssa_pkcs1_pb2
from tink.proto import rsa_ssa_pss_pb2
from tink.proto import tink_pb2
-from tink.python.core import tink_config
+from tink.python import tink_config
from tink.python.signature import public_key_sign_key_manager
from tink.python.signature import signature_key_templates