Automated rollback of commit 28001de.

PiperOrigin-RevId: 726361336
Change-Id: I2c62133c1129527250a9089713fd460b31160946

Author: morambro

aead/aead_factory.go

@@ -30,7 +30,7 @@ import (
 
 // New returns an AEAD primitive from the given keyset handle.
 func New(handle *keyset.Handle) (tink.AEAD, error) {
-	ps, err := handle.Primitives(internalapi.Token{})
+	ps, err := keyset.Primitives[tink.AEAD](handle, internalapi.Token{})
 	if err != nil {
 		return nil, fmt.Errorf("aead_factory: cannot obtain primitive set: %s", err)
 	}
@@ -40,7 +40,7 @@ func New(handle *keyset.Handle) (tink.AEAD, error) {
 // NewWithConfig creates an AEAD primitive from the given [keyset.Handle] using
 // the provided [Config].
 func NewWithConfig(handle *keyset.Handle, config keyset.Config) (tink.AEAD, error) {
-	ps, err := handle.Primitives(internalapi.Token{}, keyset.WithConfig(config))
+	ps, err := keyset.Primitives[tink.AEAD](handle, internalapi.Token{}, keyset.WithConfig(config))
 	if err != nil {
 		return nil, fmt.Errorf("aead_factory: cannot obtain primitive set with config: %s", err)
 	}
@@ -90,26 +90,18 @@ func (a *fullAEADPrimitiveAdapter) Decrypt(ciphertext, associatedData []byte) ([
 }
 
 // extractFullAEAD returns a full aeadAndKeyID primitive from the given
-// [primitiveset.Entry].
-func extractFullAEAD(entry *primitiveset.Entry) (*aeadAndKeyID, error) {
+// [primitiveset.Entry[tink.AEAD]].
+func extractFullAEAD(entry *primitiveset.Entry[tink.AEAD]) (*aeadAndKeyID, error) {
 	if entry.FullPrimitive != nil {
-		a, ok := (entry.FullPrimitive).(tink.AEAD)
-		if !ok {
-			return nil, fmt.Errorf("aead_factory: not an AEAD primitive")
-		}
-		return &aeadAndKeyID{primitive: a, keyID: entry.KeyID}, nil
-	}
-	a, ok := (entry.Primitive).(tink.AEAD)
-	if !ok {
-		return nil, fmt.Errorf("aead_factory: not an AEAD primitive")
+		return &aeadAndKeyID{primitive: entry.FullPrimitive, keyID: entry.KeyID}, nil
 	}
 	return &aeadAndKeyID{
-		primitive: &fullAEADPrimitiveAdapter{primitive: a, prefix: []byte(entry.Prefix)},
+		primitive: &fullAEADPrimitiveAdapter{primitive: entry.Primitive, prefix: []byte(entry.Prefix)},
 		keyID:     entry.KeyID,
 	}, nil
 }
 
-func newWrappedAead(ps *primitiveset.PrimitiveSet) (*wrappedAead, error) {
+func newWrappedAead(ps *primitiveset.PrimitiveSet[tink.AEAD]) (*wrappedAead, error) {
 	primary, err := extractFullAEAD(ps.Primary)
 	if err != nil {
 		return nil, err
@@ -136,7 +128,7 @@ func newWrappedAead(ps *primitiveset.PrimitiveSet) (*wrappedAead, error) {
 	}, nil
 }
 
-func createLoggers(ps *primitiveset.PrimitiveSet) (monitoring.Logger, monitoring.Logger, error) {
+func createLoggers(ps *primitiveset.PrimitiveSet[tink.AEAD]) (monitoring.Logger, monitoring.Logger, error) {
 	if len(ps.Annotations) == 0 {
 		return &monitoringutil.DoNothingLogger{}, &monitoringutil.DoNothingLogger{}, nil
 	}

daead/daead_factory.go

@@ -29,7 +29,7 @@ import (
 
 // New returns a DeterministicAEAD primitive from the given keyset handle.
 func New(handle *keyset.Handle) (tink.DeterministicAEAD, error) {
-	ps, err := handle.Primitives(internalapi.Token{})
+	ps, err := keyset.Primitives[tink.DeterministicAEAD](handle, internalapi.Token{})
 	if err != nil {
 		return nil, fmt.Errorf("daead_factory: cannot obtain primitive set: %s", err)
 	}
@@ -39,26 +39,15 @@ func New(handle *keyset.Handle) (tink.DeterministicAEAD, error) {
 // wrappedDeterministicAEAD is a DeterministicAEAD implementation that uses an underlying primitive set
 // for deterministic encryption and decryption.
 type wrappedDeterministicAEAD struct {
-	ps        *primitiveset.PrimitiveSet
+	ps        *primitiveset.PrimitiveSet[tink.DeterministicAEAD]
 	encLogger monitoring.Logger
 	decLogger monitoring.Logger
 }
 
 // Asserts that wrappedDeterministicAEAD implements the DeterministicAEAD interface.
 var _ tink.DeterministicAEAD = (*wrappedDeterministicAEAD)(nil)
 
-func newWrappedDeterministicAEAD(ps *primitiveset.PrimitiveSet) (*wrappedDeterministicAEAD, error) {
-	if _, ok := (ps.Primary.Primitive).(tink.DeterministicAEAD); !ok {
-		return nil, fmt.Errorf("daead_factory: not a DeterministicAEAD primitive")
-	}
-
-	for _, primitives := range ps.Entries {
-		for _, p := range primitives {
-			if _, ok := (p.Primitive).(tink.DeterministicAEAD); !ok {
-				return nil, fmt.Errorf("daead_factory: not a DeterministicAEAD primitive")
-			}
-		}
-	}
+func newWrappedDeterministicAEAD(ps *primitiveset.PrimitiveSet[tink.DeterministicAEAD]) (*wrappedDeterministicAEAD, error) {
 	encLogger, decLogger, err := createLoggers(ps)
 	if err != nil {
 		return nil, err
@@ -70,7 +59,7 @@ func newWrappedDeterministicAEAD(ps *primitiveset.PrimitiveSet) (*wrappedDetermi
 	}, nil
 }
 
-func createLoggers(ps *primitiveset.PrimitiveSet) (monitoring.Logger, monitoring.Logger, error) {
+func createLoggers(ps *primitiveset.PrimitiveSet[tink.DeterministicAEAD]) (monitoring.Logger, monitoring.Logger, error) {
 	if len(ps.Annotations) == 0 {
 		return &monitoringutil.DoNothingLogger{}, &monitoringutil.DoNothingLogger{}, nil
 	}
@@ -134,12 +123,7 @@ func (d *wrappedDeterministicAEAD) DecryptDeterministically(ct, aad []byte) ([]b
 		entries, err := d.ps.EntriesForPrefix(string(prefix))
 		if err == nil {
 			for i := 0; i < len(entries); i++ {
-				p, ok := (entries[i].Primitive).(tink.DeterministicAEAD)
-				if !ok {
-					return nil, fmt.Errorf("daead_factory: not a DeterministicAEAD primitive")
-				}
-
-				pt, err := p.DecryptDeterministically(ctNoPrefix, aad)
+				pt, err := entries[i].Primitive.DecryptDeterministically(ctNoPrefix, aad)
 				if err == nil {
 					d.decLogger.Log(entries[i].KeyID, len(ctNoPrefix))
 					return pt, nil
@@ -152,12 +136,7 @@ func (d *wrappedDeterministicAEAD) DecryptDeterministically(ct, aad []byte) ([]b
 	entries, err := d.ps.RawEntries()
 	if err == nil {
 		for i := 0; i < len(entries); i++ {
-			p, ok := (entries[i].Primitive).(tink.DeterministicAEAD)
-			if !ok {
-				return nil, fmt.Errorf("daead_factory: not a DeterministicAEAD primitive")
-			}
-
-			pt, err := p.DecryptDeterministically(ct, aad)
+			pt, err := entries[i].Primitive.DecryptDeterministically(ct, aad)
 			if err == nil {
 				d.decLogger.Log(entries[i].KeyID, len(ct))
 				return pt, nil

hybrid/hybrid_decrypt_factory.go

@@ -29,7 +29,7 @@ import (
 
 // NewHybridDecrypt returns an HybridDecrypt primitive from the given keyset handle.
 func NewHybridDecrypt(handle *keyset.Handle) (tink.HybridDecrypt, error) {
-	ps, err := handle.Primitives(internalapi.Token{})
+	ps, err := keyset.Primitives[tink.HybridDecrypt](handle, internalapi.Token{})
 	if err != nil {
 		return nil, fmt.Errorf("hybrid_factory: cannot obtain primitive set: %s", err)
 	}
@@ -39,22 +39,22 @@ func NewHybridDecrypt(handle *keyset.Handle) (tink.HybridDecrypt, error) {
 // wrappedHybridDecrypt is an HybridDecrypt implementation that uses the underlying primitive set
 // for decryption.
 type wrappedHybridDecrypt struct {
-	ps     *primitiveset.PrimitiveSet
+	ps     *primitiveset.PrimitiveSet[tink.HybridDecrypt]
 	logger monitoring.Logger
 }
 
 // compile time assertion that wrappedHybridDecrypt implements the HybridDecrypt interface.
 var _ tink.HybridDecrypt = (*wrappedHybridDecrypt)(nil)
 
-func newWrappedHybridDecrypt(ps *primitiveset.PrimitiveSet) (*wrappedHybridDecrypt, error) {
-	if err := isHybridDecrypt(ps.Primary.Primitive); err != nil {
-		return nil, err
+func newWrappedHybridDecrypt(ps *primitiveset.PrimitiveSet[tink.HybridDecrypt]) (*wrappedHybridDecrypt, error) {
+	// Make sure the primitives do not implement tink.AEAD.
+	if isAEAD(ps.Primary.Primitive) || isAEAD(ps.Primary.FullPrimitive) {
+		return nil, fmt.Errorf("hybrid_factory: primary primitive must NOT implement tink.AEAD")
 	}
-
 	for _, primitives := range ps.Entries {
 		for _, p := range primitives {
-			if err := isHybridDecrypt(p.Primitive); err != nil {
-				return nil, err
+			if isAEAD(p.Primitive) || isAEAD(p.FullPrimitive) {
+				return nil, fmt.Errorf("hybrid_factory: primitive must NOT implement tink.AEAD")
 			}
 		}
 	}
@@ -68,7 +68,7 @@ func newWrappedHybridDecrypt(ps *primitiveset.PrimitiveSet) (*wrappedHybridDecry
 	}, nil
 }
 
-func createDecryptLogger(ps *primitiveset.PrimitiveSet) (monitoring.Logger, error) {
+func createDecryptLogger(ps *primitiveset.PrimitiveSet[tink.HybridDecrypt]) (monitoring.Logger, error) {
 	if len(ps.Annotations) == 0 {
 		return &monitoringutil.DoNothingLogger{}, nil
 	}
@@ -94,22 +94,19 @@ func (a *wrappedHybridDecrypt) Decrypt(ciphertext, contextInfo []byte) ([]byte,
 		entries, err := a.ps.EntriesForPrefix(string(prefix))
 		if err == nil {
 			for i := 0; i < len(entries); i++ {
-				p := entries[i].Primitive.(tink.HybridDecrypt) // verified in newWrappedHybridDecrypt
-				pt, err := p.Decrypt(ctNoPrefix, contextInfo)
+				pt, err := entries[i].Primitive.Decrypt(ctNoPrefix, contextInfo)
 				if err == nil {
 					a.logger.Log(entries[i].KeyID, len(ctNoPrefix))
 					return pt, nil
 				}
 			}
 		}
 	}
-
 	// try raw keys
 	entries, err := a.ps.RawEntries()
 	if err == nil {
 		for i := 0; i < len(entries); i++ {
-			p := entries[i].Primitive.(tink.HybridDecrypt) // verified in newWrappedHybridDecrypt
-			pt, err := p.Decrypt(ciphertext, contextInfo)
+			pt, err := entries[i].Primitive.Decrypt(ciphertext, contextInfo)
 			if err == nil {
 				a.logger.Log(entries[i].KeyID, len(ciphertext))
 				return pt, nil
@@ -121,15 +118,3 @@ func (a *wrappedHybridDecrypt) Decrypt(ciphertext, contextInfo []byte) ([]byte,
 	a.logger.LogFailure()
 	return nil, fmt.Errorf("hybrid_factory: decryption failed")
 }
-
-// Asserts `p` implements tink.HybridDecrypt and not tink.AEAD. The latter check
-// is required as implementations of tink.AEAD also satisfy tink.HybridDecrypt.
-func isHybridDecrypt(p any) error {
-	if _, ok := p.(tink.AEAD); ok {
-		return fmt.Errorf("hybrid_factory: tink.AEAD is not tink.HybridDecrypt")
-	}
-	if _, ok := p.(tink.HybridDecrypt); !ok {
-		return fmt.Errorf("hybrid_factory: not tink.HybridDecrypt")
-	}
-	return nil
-}

hybrid/hybrid_encrypt_factory.go

@@ -28,7 +28,7 @@ import (
 
 // NewHybridEncrypt returns an HybridEncrypt primitive from the given keyset handle.
 func NewHybridEncrypt(handle *keyset.Handle) (tink.HybridEncrypt, error) {
-	ps, err := handle.Primitives(internalapi.Token{})
+	ps, err := keyset.Primitives[tink.HybridEncrypt](handle, internalapi.Token{})
 	if err != nil {
 		return nil, fmt.Errorf("hybrid_factory: cannot obtain primitive set: %s", err)
 	}
@@ -37,22 +37,30 @@ func NewHybridEncrypt(handle *keyset.Handle) (tink.HybridEncrypt, error) {
 
 // encryptPrimitiveSet is an HybridEncrypt implementation that uses the underlying primitive set for encryption.
 type wrappedHybridEncrypt struct {
-	ps     *primitiveset.PrimitiveSet
+	ps     *primitiveset.PrimitiveSet[tink.HybridEncrypt]
 	logger monitoring.Logger
 }
 
 // compile time assertion that wrappedHybridEncrypt implements the HybridEncrypt interface.
 var _ tink.HybridEncrypt = (*wrappedHybridEncrypt)(nil)
 
-func newEncryptPrimitiveSet(ps *primitiveset.PrimitiveSet) (*wrappedHybridEncrypt, error) {
-	if err := isHybridEncrypt(ps.Primary.Primitive); err != nil {
-		return nil, err
+func isAEAD(p any) bool {
+	if p == nil {
+		return false
 	}
+	_, ok := p.(tink.AEAD)
+	return ok
+}
 
+func newEncryptPrimitiveSet(ps *primitiveset.PrimitiveSet[tink.HybridEncrypt]) (*wrappedHybridEncrypt, error) {
+	// Make sure the primitives do not implement tink.AEAD.
+	if isAEAD(ps.Primary.Primitive) || isAEAD(ps.Primary.FullPrimitive) {
+		return nil, fmt.Errorf("hybrid_factory: primary primitive must NOT implement tink.AEAD")
+	}
 	for _, primitives := range ps.Entries {
 		for _, p := range primitives {
-			if err := isHybridEncrypt(p.Primitive); err != nil {
-				return nil, err
+			if isAEAD(p.Primitive) || isAEAD(p.FullPrimitive) {
+				return nil, fmt.Errorf("hybrid_factory: primitive must NOT implement tink.AEAD")
 			}
 		}
 	}
@@ -66,7 +74,7 @@ func newEncryptPrimitiveSet(ps *primitiveset.PrimitiveSet) (*wrappedHybridEncryp
 	}, nil
 }
 
-func createEncryptLogger(ps *primitiveset.PrimitiveSet) (monitoring.Logger, error) {
+func createEncryptLogger(ps *primitiveset.PrimitiveSet[tink.HybridEncrypt]) (monitoring.Logger, error) {
 	if len(ps.Annotations) == 0 {
 		return &monitoringutil.DoNothingLogger{}, nil
 	}
@@ -85,9 +93,7 @@ func createEncryptLogger(ps *primitiveset.PrimitiveSet) (monitoring.Logger, erro
 // It returns the concatenation of the primary's identifier and the ciphertext.
 func (a *wrappedHybridEncrypt) Encrypt(plaintext, contextInfo []byte) ([]byte, error) {
 	primary := a.ps.Primary
-	p := primary.Primitive.(tink.HybridEncrypt) // verified in newEncryptPrimitiveSet
-
-	ct, err := p.Encrypt(plaintext, contextInfo)
+	ct, err := primary.Primitive.Encrypt(plaintext, contextInfo)
 	if err != nil {
 		a.logger.LogFailure()
 		return nil, err
@@ -101,15 +107,3 @@ func (a *wrappedHybridEncrypt) Encrypt(plaintext, contextInfo []byte) ([]byte, e
 	output = append(output, ct...)
 	return output, nil
 }
-
-// Asserts `p` implements tink.HybridEncrypt and not tink.AEAD. The latter check
-// is required as implementations of tink.AEAD also satisfy tink.HybridEncrypt.
-func isHybridEncrypt(p any) error {
-	if _, ok := p.(tink.AEAD); ok {
-		return fmt.Errorf("hybrid_factory: tink.AEAD is not tink.HybridEncrypt")
-	}
-	if _, ok := p.(tink.HybridEncrypt); !ok {
-		return fmt.Errorf("hybrid_factory: not tink.HybridEncrypt")
-	}
-	return nil
-}

internal/monitoringutil/monitoring_util.go

@@ -59,7 +59,7 @@ func parseKeyTypeURL(ktu string) string {
 
 // KeysetInfoFromPrimitiveSet creates a `KeysetInfo` from a `PrimitiveSet`.
 // This function doesn't guarantee to preserve the ordering of the keys in the keyset.
-func KeysetInfoFromPrimitiveSet(ps *primitiveset.PrimitiveSet) (*monitoring.KeysetInfo, error) {
+func KeysetInfoFromPrimitiveSet[T any](ps *primitiveset.PrimitiveSet[T]) (*monitoring.KeysetInfo, error) {
 	if ps == nil {
 		return nil, fmt.Errorf("primitive set is nil")
 	}

internal/monitoringutil/monitoring_util_test.go

@@ -18,23 +18,24 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/tink-crypto/tink-go/v2/internal/primitiveset"
 	"github.com/tink-crypto/tink-go/v2/internal/monitoringutil"
+	"github.com/tink-crypto/tink-go/v2/internal/primitiveset"
 	"github.com/tink-crypto/tink-go/v2/monitoring"
+	"github.com/tink-crypto/tink-go/v2/tink"
 	tpb "github.com/tink-crypto/tink-go/v2/proto/tink_go_proto"
 )
 
 func TestKeysetInfoFromPrimitiveSetWithNilPrimitiveSetFails(t *testing.T) {
-	if _, err := monitoringutil.KeysetInfoFromPrimitiveSet(nil); err == nil {
-		t.Errorf("KeysetInfoFromPrimitiveSet(nil) err = nil, want error")
+	if _, err := monitoringutil.KeysetInfoFromPrimitiveSet[any](nil); err == nil {
+		t.Errorf("monitoringutil.KeysetInfoFromPrimitiveSet[any](nil) err = nil, want error")
 	}
 }
 
-func validPrimitiveSet() *primitiveset.PrimitiveSet {
-	return &primitiveset.PrimitiveSet{
-		Primary: &primitiveset.Entry{},
-		Entries: map[string][]*primitiveset.Entry{
-			"one": []*primitiveset.Entry{
+func validPrimitiveSet() *primitiveset.PrimitiveSet[tink.AEAD] {
+	return &primitiveset.PrimitiveSet[tink.AEAD]{
+		Primary: &primitiveset.Entry[tink.AEAD]{},
+		Entries: map[string][]*primitiveset.Entry[tink.AEAD]{
+			"one": []*primitiveset.Entry[tink.AEAD]{
 				{
 					Status:  tpb.KeyStatusType_ENABLED,
 					TypeURL: "type.googleapis.com/google.crypto.tink.AesGcmKey",
@@ -68,7 +69,7 @@ func TestKeysetInfoFromPrimitiveSetWithNoPrimaryFails(t *testing.T) {
 
 func TestKeysetInfoFromPrimitiveSetWithInvalidKeyStatusFails(t *testing.T) {
 	ps := validPrimitiveSet()
-	ps.Entries["invalid_key_status"] = []*primitiveset.Entry{
+	ps.Entries["invalid_key_status"] = []*primitiveset.Entry[tink.AEAD]{
 		{
 			KeyID:  123,
 			Status: tpb.KeyStatusType_UNKNOWN_STATUS,
@@ -80,30 +81,30 @@ func TestKeysetInfoFromPrimitiveSetWithInvalidKeyStatusFails(t *testing.T) {
 }
 
 func TestKeysetInfoFromPrimitiveSet(t *testing.T) {
-	ps := &primitiveset.PrimitiveSet{
-		Primary: &primitiveset.Entry{
+	ps := &primitiveset.PrimitiveSet[tink.AEAD]{
+		Primary: &primitiveset.Entry[tink.AEAD]{
 			KeyID: 1,
 		},
 		Annotations: map[string]string{
 			"foo": "bar",
 			"zoo": "far",
 		},
-		Entries: map[string][]*primitiveset.Entry{
+		Entries: map[string][]*primitiveset.Entry[tink.AEAD]{
 			// Adding all entries under the same prefix to get deterministic output.
-			"one": []*primitiveset.Entry{
-				&primitiveset.Entry{
+			"one": []*primitiveset.Entry[tink.AEAD]{
+				&primitiveset.Entry[tink.AEAD]{
 					KeyID:      1,
 					Status:     tpb.KeyStatusType_ENABLED,
 					TypeURL:    "type.googleapis.com/google.crypto.tink.AesSivKey",
 					PrefixType: tpb.OutputPrefixType_TINK,
 				},
-				&primitiveset.Entry{
+				&primitiveset.Entry[tink.AEAD]{
 					KeyID:      2,
 					Status:     tpb.KeyStatusType_DISABLED,
 					TypeURL:    "type.googleapis.com/google.crypto.tink.AesGcmKey",
 					PrefixType: tpb.OutputPrefixType_TINK,
 				},
-				&primitiveset.Entry{
+				&primitiveset.Entry[tink.AEAD]{
 					KeyID:      3,
 					Status:     tpb.KeyStatusType_DESTROYED,
 					TypeURL:    "type.googleapis.com/google.crypto.tink.AesCtrHmacKey",