Add tests for Registry, PrimitiveSet, and CleartextKeysetHandle.

Change-Id: Ieeef7fdc95b7a6aa44f56ce15652546af3468377 ORIGINAL_AUTHOR=Thanh Bui <thanhb@google.com> GitOrigin-RevId: 0639613850e991efc23406deabed9efd006efff5

Add tests for Registry, PrimitiveSet, and CleartextKeysetHandle.
Change-Id: Ieeef7fdc95b7a6aa44f56ce15652546af3468377 ORIGINAL_AUTHOR=Thanh Bui <thanhb@google.com> GitOrigin-RevId: 0639613850e991efc23406deabed9efd006efff5
e3b4b68f · Thanh Bui · Thai Duong · 4b78739b · e3b4b68f · e3b4b68f
Commit e3b4b68f authored 7 years ago by Thanh Bui Committed by Thai Duong 7 years ago
--- a/go/tink/BUILD
+++ b/go/tink/BUILD
@@ -27,9 +27,12 @@ TINK_SRCS = PRIMITIVES_SRCS + [
 ]

 TINK_TEST_SRCS = [
+    "cleartext_keyset_handle_test.go",
    "crypto_format_test.go",
    "encrypted_keyset_handle_test.go",
+    "keyset_manager_test.go",
    "primitive_set_test.go",
+    "registry_test.go",
 ]

 TINK_INTERNAL_TEST_SRCS = [
@@ -47,7 +50,12 @@ TINK_TEST_DEPS = TINK_DEPS + [
    "//go/aead",
    "//go/mac",
    "//go/signature",
+    "//go/subtle:aes",
+    "//go/subtle:hmac",
    "//go/util:testutil",
+    "//proto:aes_gcm_go_proto",
+    "//proto:common_go_proto",
+    "//proto:hmac_go_proto",
    ":tink",
 ]


--- a/go/tink/cleartext_keyset_handle_test.go
+++ b/go/tink/cleartext_keyset_handle_test.go
+// Copyright 2017 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+package tink_test
+
+import (
+  "fmt"
+  "testing"
+  "github.com/google/tink/go/tink/tink"
+  "github.com/google/tink/go/util/testutil"
+  "github.com/google/tink/go/mac/mac"
+  "github.com/golang/protobuf/proto"
+)
+
+func setupCleartextKeysetHandleTest() {
+  if _, err := mac.Config().RegisterStandardKeyTypes(); err != nil {
+    panic(fmt.Sprintln("cannot register mac key types: %s", err))
+  }
+}
+
+func TestCleartextKeysetHandleParseBasic(t *testing.T) {
+  setupCleartextKeysetHandleTest()
+
+  // Create a keyset that contains a single HmacKey.
+  manager := testutil.NewHmacKeysetManager()
+  handle, err := manager.GetKeysetHandle()
+  if handle == nil || err != nil {
+    t.Errorf("cannot get keyset handle: %s", err)
+  }
+  serializedKeyset, err := proto.Marshal(handle.Keyset())
+  if err != nil {
+    t.Errorf("cannot serialize keyset: %s", err)
+  }
+  // create handle rom serialized keyset
+  parsedHandle, err := tink.CleartextKeysetHandle().ParseSerializedKeyset(serializedKeyset)
+  if err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  if handle.Keyset().String() != parsedHandle.Keyset().String() {
+    t.Errorf("parsed keyset doesn't match the original")
+  }
+  // create handle from keyset
+  parsedHandle, err = tink.CleartextKeysetHandle().ParseKeyset(handle.Keyset())
+  if err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  if handle.Keyset().String() != parsedHandle.Keyset().String() {
+    t.Errorf("parsed keyset doesn't match the original")
+  }
+}
+
+func TestCleartextKeysetHandleParseWithInvalidInput(t *testing.T) {
+  setupCleartextKeysetHandleTest()
+
+  manager := testutil.NewHmacKeysetManager()
+  handle, err := manager.GetKeysetHandle()
+  if handle == nil || err != nil {
+    t.Errorf("cannot get keyset handle: %s", err)
+  }
+  serializedKeyset, err := proto.Marshal(handle.Keyset())
+  if err != nil {
+    t.Errorf("cannot serialize keyset: %s", err)
+  }
+  serializedKeyset[0] = 0
+  _, err = tink.CleartextKeysetHandle().ParseSerializedKeyset(serializedKeyset)
+  if err == nil {
+    t.Errorf("expect an error when input is an invalid serialized keyset")
+  }
+  _, err = tink.CleartextKeysetHandle().ParseSerializedKeyset([]byte{})
+  if err == nil {
+    t.Errorf("expect an error when input is an empty slice")
+  }
+  _, err = tink.CleartextKeysetHandle().ParseSerializedKeyset(nil)
+  if err == nil {
+    t.Errorf("expect an error when input is nil")
+  }
+  _, err = tink.CleartextKeysetHandle().ParseKeyset(nil)
+  if err == nil {
+    t.Errorf("expect an error when input is nil")
+  }
+}
+
+func TestCleartextKeysetHandleGenerateNewBasic(t *testing.T) {
+  setupCleartextKeysetHandleTest()
+
+  macTemplate := mac.HmacSha256Tag128KeyTemplate()
+  handle, err := tink.CleartextKeysetHandle().GenerateNew(macTemplate)
+  if err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  keyset := handle.Keyset()
+  if len(keyset.Key) != 1 {
+    t.Errorf("incorrect number of keys in the keyset: %d", len(keyset.Key))
+  }
+  key := keyset.Key[0]
+  if keyset.PrimaryKeyId != key.KeyId {
+    t.Errorf("incorrect primary key id, expect %d, got %d", key.KeyId, keyset.PrimaryKeyId)
+  }
+  if key.KeyData.TypeUrl != macTemplate.TypeUrl {
+    t.Errorf("incorrect type url, expect %s, got %s", macTemplate.TypeUrl, key.KeyData.TypeUrl)
+  }
+  if _, err = mac.Factory().GetPrimitive(handle); err != nil {
+    t.Errorf("cannot get primitive from generated keyset handle: %s", err)
+  }
+}
+
+func TestCleartextKeysetHandleGenerateNewWithInvalidInput(t *testing.T) {
+  setupCleartextKeysetHandleTest()
+
+  // template unregistered TypeUrl
+  template := mac.HmacSha256Tag128KeyTemplate()
+  template.TypeUrl = "some unknown TypeUrl"
+  if _, err := tink.CleartextKeysetHandle().GenerateNew(template); err == nil {
+    t.Errorf("expect an error when TypeUrl is not registered")
+  }
+  // nil
+  if _, err := tink.CleartextKeysetHandle().GenerateNew(nil); err == nil {
+    t.Errorf("expect an error when template is nil")
+  }
+}
\ No newline at end of file
--- a/go/tink/keyset_manager_test.go
+++ b/go/tink/keyset_manager_test.go
+// Copyright 2017 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+package tink_test
+
+import (
+  "fmt"
+  "strings"
+  "testing"
+  "github.com/google/tink/go/aead/aead"
+  "github.com/google/tink/go/mac/mac"
+  "github.com/google/tink/go/tink/tink"
+  "github.com/google/tink/go/util/testutil"
+  tinkpb "github.com/google/tink/proto/tink_go_proto"
+)
+
+func setupKeysetManagerTest() {
+  _, err := mac.Config().RegisterStandardKeyTypes()
+  if err != nil {
+    panic(fmt.Sprintln("cannot register mac key types: %s", err))
+  }
+  _, err = aead.Config().RegisterStandardKeyTypes()
+  if err != nil {
+    panic(fmt.Sprintln("cannot register aead key types: %s", err))
+  }
+}
+
+func TestKeysetManagerBasic(t *testing.T) {
+  setupKeysetManagerTest()
+
+  manager := tink.NewKeysetManager(nil, tinkpb.OutputPrefixType_TINK, nil, nil)
+  err := manager.Rotate()
+  if err == nil || !strings.Contains(err.Error(), "need key template"){
+    t.Errorf("expect an error when key template is nil")
+  }
+  // Create a keyset that contains a single HmacKey.
+  template := mac.HmacSha256Tag128KeyTemplate()
+  manager = tink.NewKeysetManager(template, tinkpb.OutputPrefixType_TINK, nil, nil)
+  err = manager.Rotate()
+  if err != nil {
+    t.Errorf("cannot rotate when key template is available: %s", err)
+  }
+  keyset := manager.Keyset()
+  if len(keyset.Key) != 1 {
+    t.Errorf("expect the number of keys in the keyset is 1")
+  }
+  if keyset.Key[0].KeyId != keyset.PrimaryKeyId ||
+      keyset.Key[0].KeyData.TypeUrl != mac.HMAC_TYPE_URL ||
+      keyset.Key[0].Status != tinkpb.KeyStatusType_ENABLED ||
+      keyset.Key[0].OutputPrefixType != tinkpb.OutputPrefixType_TINK {
+    t.Errorf("incorrect key information: %s", keyset.Key[0])
+  }
+}
+
+func TestEncryptedKeyset(t *testing.T) {
+  setupKeysetManagerTest()
+  macTemplate := mac.HmacSha256Tag128KeyTemplate()
+  aesTemplate := aead.Aes128GcmKeyTemplate()
+  keyData, err := tink.Registry().NewKeyData(aesTemplate)
+  if err != nil {
+    t.Errorf("cannot create new key data: %s", err)
+  }
+  p, err := tink.Registry().GetPrimitiveFromKeyData(keyData)
+  if p == nil || err != nil {
+    t.Errorf("cannot get primitive from key data: %s", err)
+  }
+  masterKey := p.(tink.Aead)
+  manager := tink.NewKeysetManager(macTemplate, tinkpb.OutputPrefixType_TINK, masterKey, nil)
+  err = manager.Rotate()
+  if err != nil {
+    t.Errorf("cannot rotate when key template is available: %s", err)
+  }
+  handle, err := manager.GetKeysetHandle()
+  if handle == nil || err != nil {
+    t.Errorf("cannot get keyset handle: %s", err)
+  }
+  info, err := handle.KeysetInfo()
+  if info == nil || err != nil {
+    t.Errorf("cannot get keyset info: %s", err)
+  }
+  if len(info.KeyInfo) != 1 {
+    t.Errorf("incorrect number of keys: %v", len(info.KeyInfo))
+  }
+  if info.PrimaryKeyId != info.KeyInfo[0].KeyId {
+    t.Errorf("incorrect primary key id: %d >< %d", info.PrimaryKeyId, info.KeyInfo[0].KeyId)
+  }
+  if info.KeyInfo[0].TypeUrl != mac.HMAC_TYPE_URL ||
+    info.KeyInfo[0].Status != tinkpb.KeyStatusType_ENABLED ||
+    info.KeyInfo[0].OutputPrefixType != tinkpb.OutputPrefixType_TINK {
+    t.Errorf("incorrect key info: %s", info.KeyInfo[0])
+  }
+}
+
+func TestExistingKeyset(t *testing.T) {
+  // Create a keyset that contains a single HmacKey.
+  macTemplate := mac.HmacSha256Tag128KeyTemplate()
+  manager1 := tink.NewKeysetManager(macTemplate, tinkpb.OutputPrefixType_TINK, nil, nil)
+  err := manager1.Rotate()
+  if err != nil {
+    t.Errorf("cannot rotate when key template is available: %s", err)
+  }
+  handle1, err := manager1.GetKeysetHandle()
+  if err != nil {
+    t.Errorf("cannot get keyset handle: %s", err)
+  }
+  keyset1 := handle1.Keyset()
+
+  manager2 := tink.NewKeysetManager(nil, tinkpb.OutputPrefixType_TINK, nil, keyset1)
+  manager2.RotateWithTemplate(macTemplate)
+  handle2, err := manager2.GetKeysetHandle()
+  if err != nil {
+    t.Errorf("cannot get keyset handle: %s", err)
+  }
+  keyset2 := handle2.Keyset()
+  if len(keyset2.Key) != 2 {
+    t.Errorf("expect the number of keys to be 2, got %d", len(keyset2.Key))
+  }
+  if keyset1.Key[0].String() != keyset2.Key[0].String() {
+    t.Errorf("expect the first key in two keysets to be the same")
+  }
+  if keyset2.Key[1].KeyId != keyset2.PrimaryKeyId {
+    t.Errorf("expect the second key to be primary")
+  }
+}
+
+/**
+ * Tests that when encryption with KMS failed, an exception is thrown.
+ */
+func TestFaultyKms(t *testing.T) {
+  var masterKey tink.Aead = new(testutil.DummyAead)
+  template := mac.HmacSha256Tag128KeyTemplate()
+  manager := tink.NewKeysetManager(template, tinkpb.OutputPrefixType_TINK, masterKey, nil)
+  err := manager.Rotate()
+  if err != nil {
+    t.Errorf("cannot rotate when key template is available: %s", err)
+  }
+  _, err = manager.GetKeysetHandle()
+  if err == nil || !strings.Contains(err.Error(), "dummy"){
+    t.Errorf("expect an error with dummy aead: %s", err)
+  }
+}
\ No newline at end of file
--- a/go/tink/registry_test.go
+++ b/go/tink/registry_test.go
+// Copyright 2017 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+package tink_test
+
+import (
+  "fmt"
+  "sync"
+  "testing"
+  "github.com/google/tink/go/subtle/hmac"
+  "github.com/google/tink/go/subtle/aes"
+  "github.com/google/tink/go/util/util"
+  "github.com/google/tink/go/util/testutil"
+  "github.com/google/tink/go/mac/mac"
+  "github.com/google/tink/go/aead/aead"
+  "github.com/google/tink/go/tink/tink"
+  "github.com/golang/protobuf/proto"
+  hmacpb "github.com/google/tink/proto/hmac_go_proto"
+  tinkpb "github.com/google/tink/proto/tink_go_proto"
+  commonpb "github.com/google/tink/proto/common_go_proto"
+  gcmpb "github.com/google/tink/proto/aes_gcm_go_proto"
+)
+
+func TestKeyManagerMapBasic(t *testing.T) {
+  kmMap := tink.NewKeyManagerMap()
+  // try to put a HmacKeyManager
+  hmacManager := mac.NewHmacKeyManager()
+  typeUrl := mac.HMAC_TYPE_URL
+  kmMap.Put(typeUrl, hmacManager)
+  tmp, existed := kmMap.Get(typeUrl)
+  if !existed {
+    t.Errorf("a HmacKeyManager should be found")
+  }
+  var _ = tmp.(*mac.HmacKeyManager)
+  // Get type url that doesn't exist
+  if _, existed := kmMap.Get("some url"); existed == true {
+    t.Errorf("unknown typeUrl shouldn't exist in the map")
+  }
+}
+
+func TestKeyManagerMapConcurrency(t *testing.T) {
+  kmMap := tink.NewKeyManagerMap()
+  n := 100
+  urlPrefix := "typeUrl#"
+  // put
+  var wg sync.WaitGroup
+  wg.Add(n)
+  for i := 0; i < n; i++ {
+    go func(i int) {
+      defer wg.Done()
+      hmacManager := mac.NewHmacKeyManager()
+      kmMap.Put(fmt.Sprintf("%s%d", urlPrefix, i), hmacManager)
+    }(i)
+  }
+  wg.Wait()
+  // get
+  wg.Add(n)
+  for i := 0; i < n; i++ {
+    go func(i int) {
+      defer wg.Done()
+      km, existed := kmMap.Get(fmt.Sprintf("%s%d", urlPrefix, i))
+      var _ = km.(*mac.HmacKeyManager)
+      if !existed {
+        t.Errorf("key manager %d is missing", i)
+      }
+    }(i)
+  }
+  wg.Wait()
+}
+
+func setupRegistryTests() {
+  _, err := mac.Config().RegisterStandardKeyTypes()
+  if err != nil {
+    panic("cannot register Mac key types")
+  }
+  _, err = aead.Config().RegisterStandardKeyTypes()
+  if err != nil {
+    panic("cannot register Aead key types")
+  }
+}
+
+func TestKeyManagerRegistration(t *testing.T) {
+  var km tink.KeyManager
+  var err error
+  // register mac and aead types.
+  setupRegistryTests()
+  // get HmacKeyManager
+  km, err = tink.Registry().GetKeyManager(mac.HMAC_TYPE_URL)
+  if err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  var _ *mac.HmacKeyManager = km.(*mac.HmacKeyManager)
+  // get AesGcmKeyManager
+  km, err = tink.Registry().GetKeyManager(aead.AES_GCM_TYPE_URL)
+  if err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  var _ *aead.AesGcmKeyManager = km.(*aead.AesGcmKeyManager)
+  // some random typeurl
+  if _, err = tink.Registry().GetKeyManager("some url"); err == nil {
+    t.Errorf("expect an error when a type url doesn't exist in the registry")
+  }
+}
+
+func TestKeyManagerRegistrationWithCollision(t *testing.T) {
+  // register mac and aead types.
+  setupRegistryTests()
+  // dummyKeyManager's typeUrl is equal to that of AesGcm
+  var dummyKeyManager tink.KeyManager = new(testutil.DummyAeadKeyManager)
+  // this should not overwrite the existing manager.
+  ok, err := tink.Registry().RegisterKeyManager(dummyKeyManager)
+  if ok == true || err != nil {
+    t.Errorf("AES_GCM_TYPE_URL shouldn't be registered again")
+  }
+  km, err := tink.Registry().GetKeyManager(aead.AES_GCM_TYPE_URL)
+  if err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  var _ *aead.AesGcmKeyManager = km.(*aead.AesGcmKeyManager)
+}
+
+func TestNewKeyData(t *testing.T) {
+  setupRegistryTests()
+  // new Keydata from a Hmac KeyTemplate
+  keyData, err := tink.Registry().NewKeyData(mac.HmacSha256Tag128KeyTemplate())
+  if err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  if keyData.TypeUrl != mac.HMAC_TYPE_URL {
+    t.Errorf("invalid key data")
+  }
+  key := new(hmacpb.HmacKey)
+  if err := proto.Unmarshal(keyData.Value, key); err != nil {
+    t.Errorf("unexpected error when unmarshal HmacKey: %s", err)
+  }
+  // nil
+  if _, err := tink.Registry().NewKeyData(nil); err == nil {
+    t.Errorf("expect an error when key template is nil")
+  }
+  // unregistered type url
+  template := &tinkpb.KeyTemplate{TypeUrl: "some url", Value: []byte{0}}
+  if _, err := tink.Registry().NewKeyData(template); err == nil {
+    t.Errorf("expect an error when key template contains unregistered typeUrl")
+  }
+}
+
+func TestNewKeyFromKeyTemplate(t *testing.T) {
+  setupRegistryTests()
+  // aead template
+  aesGcmTemplate := aead.Aes128GcmKeyTemplate()
+  key, err := tink.Registry().NewKeyFromKeyTemplate(aesGcmTemplate)
+  if err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  var aesGcmKey *gcmpb.AesGcmKey = key.(*gcmpb.AesGcmKey)
+  aesGcmFormat := new(gcmpb.AesGcmKeyFormat)
+  if err := proto.Unmarshal(aesGcmTemplate.Value, aesGcmFormat); err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  if aesGcmFormat.KeySize != uint32(len(aesGcmKey.KeyValue)) {
+    t.Errorf("key doesn't match template")
+  }
+  //nil
+  if _, err := tink.Registry().NewKeyFromKeyTemplate(nil); err == nil {
+    t.Errorf("expect an error when key template is nil")
+  }
+  // unregistered type url
+  template := &tinkpb.KeyTemplate{TypeUrl: "some url", Value: []byte{0}}
+  if _, err := tink.Registry().NewKeyFromKeyTemplate(template); err == nil {
+    t.Errorf("expect an error when key template is not registered")
+  }
+}
+
+func TestNewKeyFromKeyFormat(t *testing.T) {
+  setupRegistryTests()
+  // use aes-gcm key format
+  format := util.NewAesGcmKeyFormat(16)
+  key, err := tink.Registry().NewKeyFromKeyFormat(aead.AES_GCM_TYPE_URL, format)
+  if err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  var aesGcmKey *gcmpb.AesGcmKey = key.(*gcmpb.AesGcmKey)
+  if uint32(len(aesGcmKey.KeyValue)) != format.KeySize {
+    t.Errorf("key doesn't match format")
+  }
+  // unregistered url
+  if _, err := tink.Registry().NewKeyFromKeyFormat("some url", format); err == nil {
+    t.Errorf("expect an error when typeUrl has not been registered")
+  }
+  // unmatched url
+  if _, err := tink.Registry().NewKeyFromKeyFormat(mac.HMAC_TYPE_URL, format); err == nil {
+    t.Errorf("expect an error when typeUrl doesn't match format")
+  }
+  // nil format
+  if _, err := tink.Registry().NewKeyFromKeyFormat(mac.HMAC_TYPE_URL, nil); err == nil {
+    t.Errorf("expect an error when format is nil")
+  }
+}
+
+func TestGetPrimitiveFromKey(t *testing.T) {
+  setupRegistryTests()
+  // hmac key
+  key := testutil.NewHmacKey(commonpb.HashType_SHA256, 16)
+  p, err := tink.Registry().GetPrimitiveFromKey(mac.HMAC_TYPE_URL, key)
+  if err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  var _ *hmac.Hmac = p.(*hmac.Hmac)
+  // unregistered url
+  if _, err := tink.Registry().GetPrimitiveFromKey("some url", key); err == nil {
+    t.Errorf("expect an error when typeUrl has not been registered")
+  }
+  // unmatched url
+  if _, err := tink.Registry().GetPrimitiveFromKey(aead.AES_GCM_TYPE_URL, key); err == nil {
+    t.Errorf("expect an error when typeUrl doesn't match key")
+  }
+  // nil key
+  if _, err := tink.Registry().GetPrimitiveFromKey(aead.AES_GCM_TYPE_URL, nil); err == nil {
+    t.Errorf("expect an error when key is nil")
+  }
+}
+
+func TestGetPrimitiveFromKeyData(t *testing.T) {
+  setupRegistryTests()
+  // hmac keydata
+  keyData := testutil.NewHmacKeyData(commonpb.HashType_SHA256, 16)
+  p, err := tink.Registry().GetPrimitiveFromKeyData(keyData)
+  if err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  var _ *hmac.Hmac = p.(*hmac.Hmac)
+  // unregistered url
+  keyData.TypeUrl = "some url"
+  if _, err := tink.Registry().GetPrimitiveFromKeyData(keyData); err == nil {
+    t.Errorf("expect an error when typeUrl has not been registered")
+  }
+  // unmatched url
+  keyData.TypeUrl = aead.AES_GCM_TYPE_URL
+  if _, err := tink.Registry().GetPrimitiveFromKeyData(keyData); err == nil {
+    t.Errorf("expect an error when typeUrl doesn't match key")
+  }
+  // nil
+  if _, err := tink.Registry().GetPrimitiveFromKeyData(nil); err == nil {
+    t.Errorf("expect an error when key data is nil")
+  }
+}
+
+func TestGetPrimitiveFromSerializedKey(t *testing.T) {
+  setupRegistryTests()
+  // hmac key
+  key := testutil.NewHmacKey(commonpb.HashType_SHA256, 16)
+  serializedKey, _ := proto.Marshal(key)
+  p, err := tink.Registry().GetPrimitiveFromSerializedKey(mac.HMAC_TYPE_URL, serializedKey)
+  if err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  var _ *hmac.Hmac = p.(*hmac.Hmac)
+  // unregistered url
+  if _, err := tink.Registry().GetPrimitiveFromSerializedKey("some url", serializedKey); err == nil {
+    t.Errorf("expect an error when typeUrl has not been registered")
+  }
+  // unmatched url
+  if _, err := tink.Registry().GetPrimitiveFromSerializedKey(aead.AES_GCM_TYPE_URL, serializedKey); err == nil {
+    t.Errorf("expect an error when typeUrl doesn't match key")
+  }
+  // void key
+  if _, err := tink.Registry().GetPrimitiveFromSerializedKey(aead.AES_GCM_TYPE_URL, nil); err == nil {
+    t.Errorf("expect an error when key is nil")
+  }
+  if _, err := tink.Registry().GetPrimitiveFromSerializedKey(aead.AES_GCM_TYPE_URL, []byte{}); err == nil {
+    t.Errorf("expect an error when key is nil")
+  }
+  if _, err := tink.Registry().GetPrimitiveFromSerializedKey(aead.AES_GCM_TYPE_URL, []byte{0}); err == nil {
+    t.Errorf("expect an error when key is nil")
+  }
+}
+
+func TestGetPrimitives(t *testing.T) {
+  setupRegistryTests()
+  // valid input
+  template1 := aead.Aes128GcmKeyTemplate()
+  template2 := aead.Aes256GcmKeyTemplate()
+  keyData1, _ := tink.Registry().NewKeyData(template1)
+  keyData2, _ := tink.Registry().NewKeyData(template2)
+  keyset := util.NewKeyset(2, []*tinkpb.Keyset_Key{
+    util.NewKey(keyData1, tinkpb.KeyStatusType_ENABLED, 1, tinkpb.OutputPrefixType_TINK),
+    util.NewKey(keyData2, tinkpb.KeyStatusType_ENABLED, 2, tinkpb.OutputPrefixType_TINK),
+  })
+  handle, _ := tink.CleartextKeysetHandle().ParseKeyset(keyset)
+  ps, err := tink.Registry().GetPrimitives(handle)
+  if err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  var aesGcm *aes.AesGcm = ps.Primary().Primitive().(*aes.AesGcm)
+  if len(aesGcm.Key) != 32 {
+    t.Errorf("primitive doesn't match input keyset handle")
+  }
+  // custom manager
+  customManager := new(testutil.DummyAeadKeyManager)
+  ps, err = tink.Registry().GetPrimitivesWithCustomManager(handle, customManager)
+  if err != nil {
+    t.Errorf("unexpected error: %s", err)
+  }
+  var _ *testutil.DummyAead = ps.Primary().Primitive().(*testutil.DummyAead)
+  // keysethandle is nil
+  if _, err := tink.Registry().GetPrimitives(nil); err == nil {
+    t.Errorf("expect an error when keysethandle is nil")
+  }
+  // keyset is empty
+  keyset = util.NewKeyset(1, []*tinkpb.Keyset_Key{})
+  handle, _ = tink.CleartextKeysetHandle().ParseKeyset(keyset)
+   if _, err := tink.Registry().GetPrimitives(handle); err == nil {
+    t.Errorf("expect an error when keyset is empty")
+  }
+  keyset = util.NewKeyset(1, nil)
+  handle, _ = tink.CleartextKeysetHandle().ParseKeyset(keyset)
+  if _, err := tink.Registry().GetPrimitives(handle); err == nil {
+    t.Errorf("expect an error when keyset is empty")
+  }
+  // no primary key
+  keyset = util.NewKeyset(3, []*tinkpb.Keyset_Key{
+    util.NewKey(keyData1, tinkpb.KeyStatusType_ENABLED, 1, tinkpb.OutputPrefixType_TINK),
+    util.NewKey(keyData2, tinkpb.KeyStatusType_ENABLED, 2, tinkpb.OutputPrefixType_TINK),
+  })
+  handle, _ = tink.CleartextKeysetHandle().ParseKeyset(keyset)
+  if _, err := tink.Registry().GetPrimitives(handle); err == nil {
+    t.Errorf("expect an error when there is no primary key")
+  }
+  // there is primary key but it is disabled
+  keyset = util.NewKeyset(1, []*tinkpb.Keyset_Key{
+    util.NewKey(keyData1, tinkpb.KeyStatusType_DISABLED, 1, tinkpb.OutputPrefixType_TINK),
+    util.NewKey(keyData2, tinkpb.KeyStatusType_ENABLED, 2, tinkpb.OutputPrefixType_TINK),
+  })
+  handle, _ = tink.CleartextKeysetHandle().ParseKeyset(keyset)
+  if _, err := tink.Registry().GetPrimitives(handle); err == nil {
+    t.Errorf("expect an error when primary key is disabled")
+  }
+  // multiple primary keys
+  keyset = util.NewKeyset(1, []*tinkpb.Keyset_Key{
+    util.NewKey(keyData1, tinkpb.KeyStatusType_ENABLED, 1, tinkpb.OutputPrefixType_TINK),
+    util.NewKey(keyData2, tinkpb.KeyStatusType_ENABLED, 1, tinkpb.OutputPrefixType_TINK),
+  })
+  handle, _ = tink.CleartextKeysetHandle().ParseKeyset(keyset)
+  if _, err := tink.Registry().GetPrimitives(handle); err == nil {
+    t.Errorf("expect an error when there are multiple primary keys")
+  }
+}
\ No newline at end of file
--- a/go/util/testutil/test_util.go
+++ b/go/util/testutil/test_util.go
@@ -22,7 +22,7 @@ import (
  "github.com/google/tink/go/subtle/random"
  "github.com/google/tink/go/util/util"
  subtleUtil "github.com/google/tink/go/subtle/util"
-  // "github.com/google/tink/go/tink/tink"
+  "github.com/google/tink/go/tink/tink"
  "github.com/google/tink/go/mac/mac"
  "github.com/google/tink/go/aead/aead"
  "github.com/google/tink/go/signature/signature"
@@ -34,6 +34,34 @@ import (
  . "github.com/google/tink/proto/ecdsa_go_proto"
 )

+// DummyAeadKeyManager is a dummy implementation of the KeyManager interface.
+// It returns DummyAead when GetPrimitive() functions are called.
+type DummyAeadKeyManager struct {}
+var _ tink.KeyManager = (*DummyAeadKeyManager)(nil)
+
+func (_ *DummyAeadKeyManager) GetPrimitiveFromSerializedKey(serializedKey []byte) (interface{}, error) {
+  return new(DummyAead), nil
+}
+func (_ *DummyAeadKeyManager) GetPrimitiveFromKey(m proto.Message) (interface{}, error) {
+  return new(DummyAead), nil
+}
+func (_ *DummyAeadKeyManager) NewKeyFromSerializedKeyFormat(serializedKeyFormat []byte) (proto.Message, error) {
+  return nil, fmt.Errorf("not implemented")
+}
+func (_ *DummyAeadKeyManager) NewKeyFromKeyFormat(m proto.Message) (proto.Message, error) {
+  return nil, fmt.Errorf("not implemented")
+}
+func (_ *DummyAeadKeyManager) NewKeyData(serializedKeyFormat []byte) (*KeyData, error) {
+  return nil, fmt.Errorf("not implemented")
+}
+func (_ *DummyAeadKeyManager) DoesSupport(typeUrl string) bool {
+  return typeUrl == aead.AES_GCM_TYPE_URL
+}
+func (_ *DummyAeadKeyManager) GetKeyType() string {
+  return aead.AES_GCM_TYPE_URL
+}
+
+
 // DummyAead is a dummy implementation of Aead interface.
 type DummyAead struct {}

@@ -151,6 +179,16 @@ func NewHmacKeyFormat(hashType HashType, tagSize uint32) *HmacKeyFormat {
  return util.NewHmacKeyFormat(params, keySize)
 }

+func NewHmacKeysetManager() *tink.KeysetManager {
+  macTemplate := mac.HmacSha256Tag128KeyTemplate()
+  manager := tink.NewKeysetManager(macTemplate, OutputPrefixType_TINK, nil, nil)
+  err := manager.Rotate()
+  if err != nil {
+    panic(fmt.Sprintf("cannot rotate keyset manager: %s", err))
+  }
+  return manager
+}
+
 func NewHmacKeyData(hashType HashType, tagSize uint32) *KeyData {
  key := NewHmacKey(hashType, tagSize)
  serializedKey, _ := proto.Marshal(key)