def public_keyset_handle(private_keyset_handle) -> tink.KeysetHandle:
"""Generates a public keyset handle from a private one."""
with tempfile.TemporaryDirectory() as tmpdir:
cli_path = os.path.join(_tools_path(), _TINKEY_CLI_PATH)
private_keyset_filename = os.path.join(tmpdir, 'private_keyset_file')
with open(private_keyset_filename, 'wb') as f:
cleartext_keyset_handle.write(tink.BinaryKeysetWriter(f),
private_keyset_handle)
public_keyset_filename = os.path.join(tmpdir, 'public_keyset_file')
unused_return_value = subprocess.check_output([
cli_path,
'create-public-keyset',
'--in-format',
'BINARY',
'--in',
private_keyset_filename,
'--out-format',
'BINARY',
'--out',
public_keyset_filename,
])
with open(public_keyset_filename, 'rb') as f:
public_keyset_data = f.read()
return cleartext_keyset_handle.read(
tink.BinaryKeysetReader(public_keyset_data))
def verify_mac(self, mac_value: bytes, data: bytes) -> None:
with tempfile.TemporaryDirectory() as tmpdir:
keyset_filename = os.path.join(tmpdir, 'keyset_file')
with open(keyset_filename, 'wb') as f:
cleartext_keyset_handle.write(tink.BinaryKeysetWriter(f),
self._keyset_handle)
data_filename = os.path.join(tmpdir, 'data_file')
with open(data_filename, 'wb') as f:
f.write(data)
mac_filename = os.path.join(tmpdir, 'mac_file')
with open(mac_filename, 'wb') as f:
f.write(mac_value)
result_filename = os.path.join(tmpdir, 'result_file')
try:
unused_return_value = subprocess.check_output([
self._cli, keyset_filename, 'verify', data_filename,
mac_filename, result_filename
])
except subprocess.CalledProcessError as e:
raise tink.TinkError(e)
with open(result_filename, 'rb') as f:
result = f.read()
if result != b'valid':
raise tink.TinkError('verification failed')
return None
def _run(self, operation: Text, input_data: bytes,
associated_data: bytes) -> bytes:
with tempfile.TemporaryDirectory() as tmpdir:
keyset_filename = os.path.join(tmpdir, 'keyset_file')
input_filename = os.path.join(tmpdir, 'input_file')
associated_data_filename = os.path.join(tmpdir,
'associated_data_file')
output_filename = os.path.join(tmpdir, 'output_file')
with open(keyset_filename, 'wb') as f:
cleartext_keyset_handle.write(tink.BinaryKeysetWriter(f),
self._keyset_handle)
with open(input_filename, 'wb') as f:
f.write(input_data)
with open(associated_data_filename, 'wb') as f:
f.write(associated_data)
try:
unused_return_value = subprocess.check_output([
self._cli, keyset_filename, operation, input_filename,
associated_data_filename, output_filename
])
except subprocess.CalledProcessError as e:
raise tink.TinkError(e)
with open(output_filename, 'rb') as f:
output_data = f.read()
return output_data
def verify(self, sign: bytes, data: bytes) -> None:
with tempfile.TemporaryDirectory() as tmpdir:
public_keyset_filename = os.path.join(tmpdir, 'public_keyset_file')
with open(public_keyset_filename, 'wb') as f:
cleartext_keyset_handle.write(tink.BinaryKeysetWriter(f),
self._public_keyset_handle)
signature_filename = os.path.join(tmpdir, 'signature_file')
with open(signature_filename, 'wb') as f:
f.write(sign)
message_filename = os.path.join(tmpdir, 'message_file')
with open(message_filename, 'wb') as f:
f.write(data)
output_filename = os.path.join(tmpdir, 'output_file')
try:
unused_return_value = subprocess.check_output([
self._cli, public_keyset_filename, signature_filename,
message_filename, output_filename
])
except subprocess.CalledProcessError as e:
raise tink.TinkError(e)
with open(output_filename, 'rb') as f:
output = f.read()
if output != b'valid':
raise tink.TinkError('verification failed')
return None
def _set_custom_kid(keyset_handle: tink.KeysetHandle,
custom_kid: str) -> tink.KeysetHandle:
"""Sets the custom_kid field of the first key."""
buffer = io.BytesIO()
cleartext_keyset_handle.write(
tink.BinaryKeysetWriter(buffer), keyset_handle)
keyset = tink_pb2.Keyset.FromString(buffer.getvalue())
if keyset.key[0].key_data.type_url.endswith('JwtEcdsaPrivateKey'):
jwt_ecdsa_key = jwt_ecdsa_pb2.JwtEcdsaPrivateKey.FromString(
keyset.key[0].key_data.value)
jwt_ecdsa_key.public_key.custom_kid.value = custom_kid
keyset.key[0].key_data.value = jwt_ecdsa_key.SerializeToString()
elif keyset.key[0].key_data.type_url.endswith('JwtRsaSsaPkcs1PrivateKey'):
rsa_key = jwt_rsa_ssa_pkcs1_pb2.JwtRsaSsaPkcs1PrivateKey.FromString(
keyset.key[0].key_data.value)
rsa_key.public_key.custom_kid.value = custom_kid
keyset.key[0].key_data.value = rsa_key.SerializeToString()
elif keyset.key[0].key_data.type_url.endswith('JwtRsaSsaPssPrivateKey'):
rsa_key = jwt_rsa_ssa_pss_pb2.JwtRsaSsaPssPrivateKey.FromString(
keyset.key[0].key_data.value)
rsa_key.public_key.custom_kid.value = custom_kid
keyset.key[0].key_data.value = rsa_key.SerializeToString()
else:
raise tink.TinkError('unknown key type')
return cleartext_keyset_handle.from_keyset(keyset)
def ReadEncrypted(
self, request: testing_api_pb2.KeysetReadEncryptedRequest,
context: grpc.ServicerContext
) -> testing_api_pb2.KeysetReadEncryptedResponse:
"""Reads an encrypted keyset."""
try:
master_keyset_handle = cleartext_keyset_handle.read(
tink.BinaryKeysetReader(request.master_keyset))
master_aead = master_keyset_handle.primitive(aead.Aead)
if request.keyset_reader_type == testing_api_pb2.KEYSET_READER_BINARY:
reader = tink.BinaryKeysetReader(request.encrypted_keyset)
elif request.keyset_reader_type == testing_api_pb2.KEYSET_READER_JSON:
reader = tink.JsonKeysetReader(request.encrypted_keyset.decode('utf8'))
else:
raise ValueError('unknown keyset reader type')
if request.HasField('associated_data'):
keyset_handle = tink.read_keyset_handle_with_associated_data(
reader, master_aead, request.associated_data.value)
else:
keyset_handle = tink.read_keyset_handle(reader, master_aead)
keyset = io.BytesIO()
cleartext_keyset_handle.write(
tink.BinaryKeysetWriter(keyset), keyset_handle)
return testing_api_pb2.KeysetReadEncryptedResponse(
keyset=keyset.getvalue())
except tink.TinkError as e:
return testing_api_pb2.KeysetReadEncryptedResponse(err=str(e))
def from_keyset_handle(keyset_handle: tink.KeysetHandle) -> KeysetBuilder:
"""Return a KeysetBuilder for a Keyset copied from a KeysetHandle."""
keyset_buffer = io.BytesIO()
cleartext_keyset_handle.write(
tink.BinaryKeysetWriter(keyset_buffer), keyset_handle)
keyset = tink_pb2.Keyset()
keyset.ParseFromString(keyset_buffer.getvalue())
return KeysetBuilder(keyset)
def _change_output_prefix_to_tink(
keyset_handle: tink.KeysetHandle) -> tink.KeysetHandle:
"""Changes the output prefix type of the first key to TINK."""
buffer = io.BytesIO()
cleartext_keyset_handle.write(
tink.BinaryKeysetWriter(buffer), keyset_handle)
keyset = tink_pb2.Keyset.FromString(buffer.getvalue())
keyset.key[0].output_prefix_type = tink_pb2.TINK
return cleartext_keyset_handle.from_keyset(keyset)
def _set_custom_kid(keyset_handle: tink.KeysetHandle,
custom_kid: str) -> tink.KeysetHandle:
"""Set the custom_kid field of the first key."""
buffer = io.BytesIO()
cleartext_keyset_handle.write(tink.BinaryKeysetWriter(buffer),
keyset_handle)
keyset = tink_pb2.Keyset.FromString(buffer.getvalue())
hmac_key = jwt_hmac_pb2.JwtHmacKey.FromString(keyset.key[0].key_data.value)
hmac_key.custom_kid.value = custom_kid
keyset.key[0].key_data.value = hmac_key.SerializeToString()
return cleartext_keyset_handle.from_keyset(keyset)
def test_write_read(self):
handle = tink.new_keyset_handle(
mac.mac_key_templates.HMAC_SHA256_128BITTAG)
output_stream = io.BytesIO()
writer = tink.BinaryKeysetWriter(output_stream)
cleartext_keyset_handle.write(writer, handle)
reader = tink.BinaryKeysetReader(output_stream.getvalue())
handle2 = cleartext_keyset_handle.read(reader)
# Check that handle2 has the same primitive as handle.
handle2.primitive(mac.Mac).verify_mac(
handle.primitive(mac.Mac).compute_mac(b'data'), b'data')
def _change_key_id(keyset_handle: tink.KeysetHandle) -> tink.KeysetHandle:
"""Changes the key id of the first key and makes it primary."""
buffer = io.BytesIO()
cleartext_keyset_handle.write(
tink.BinaryKeysetWriter(buffer), keyset_handle)
keyset = tink_pb2.Keyset.FromString(buffer.getvalue())
# XOR the key id with an arbitrary 32-bit string to get a new key id.
new_key_id = keyset.key[0].key_id ^ 0xdeadbeef
keyset.key[0].key_id = new_key_id
keyset.primary_key_id = new_key_id
return cleartext_keyset_handle.from_keyset(keyset)
def FromJson(
self, request: testing_api_pb2.KeysetFromJsonRequest,
context: grpc.ServicerContext) -> testing_api_pb2.KeysetFromJsonResponse:
"""Converts a keyset from JSON to binary format."""
try:
keyset_handle = cleartext_keyset_handle.read(
tink.JsonKeysetReader(request.json_keyset))
keyset = io.BytesIO()
cleartext_keyset_handle.write(
tink.BinaryKeysetWriter(keyset), keyset_handle)
return testing_api_pb2.KeysetFromJsonResponse(keyset=keyset.getvalue())
except tink.TinkError as e:
return testing_api_pb2.KeysetFromJsonResponse(err=str(e))
def Generate(
self, request: testing_api_pb2.GenerateKeysetRequest,
context: grpc.ServicerContext) -> testing_api_pb2.KeysetResponse:
"""Generates a keyset."""
try:
template = tink_pb2.KeyTemplate()
template.ParseFromString(request.template)
keyset_handle = tink.new_keyset_handle(template)
keyset = io.BytesIO()
cleartext_keyset_handle.write(
tink.BinaryKeysetWriter(keyset), keyset_handle)
return testing_api_pb2.KeysetResponse(keyset=keyset.getvalue())
except tink.TinkError as e:
return testing_api_pb2.KeysetResponse(err=str(e))
def Public(
self, request: testing_api_pb2.KeysetPublicRequest,
context: grpc.ServicerContext) -> testing_api_pb2.KeysetPublicResponse:
"""Generates a public-key keyset from a private-key keyset."""
try:
private_keyset_handle = cleartext_keyset_handle.read(
tink.BinaryKeysetReader(request.private_keyset))
public_keyset_handle = private_keyset_handle.public_keyset_handle()
public_keyset = io.BytesIO()
cleartext_keyset_handle.write(
tink.BinaryKeysetWriter(public_keyset), public_keyset_handle)
return testing_api_pb2.KeysetPublicResponse(
public_keyset=public_keyset.getvalue())
except tink.TinkError as e:
return testing_api_pb2.KeysetPublicResponse(err=str(e))
def FromJwkSet(
self, request: testing_api_pb2.JwtFromJwkSetRequest,
context: grpc.ServicerContext
) -> testing_api_pb2.JwtFromJwkSetResponse:
"""Converts a JWK set into a Tink Keyset."""
try:
keyset_handle = jwt.jwk_set_to_public_keyset_handle(
request.jwk_set)
keyset = io.BytesIO()
cleartext_keyset_handle.write(tink.BinaryKeysetWriter(keyset),
keyset_handle)
return testing_api_pb2.JwtFromJwkSetResponse(
keyset=keyset.getvalue())
except tink.TinkError as e:
return testing_api_pb2.JwtFromJwkSetResponse(err=str(e))
def compute_mac(self, data: bytes) -> bytes:
with tempfile.TemporaryDirectory() as tmpdir:
keyset_filename = os.path.join(tmpdir, 'keyset_file')
with open(keyset_filename, 'wb') as f:
cleartext_keyset_handle.write(tink.BinaryKeysetWriter(f),
self._keyset_handle)
data_filename = os.path.join(tmpdir, 'data_file')
with open(data_filename, 'wb') as f:
f.write(data)
mac_filename = os.path.join(tmpdir, 'mac_file')
try:
unused_return_value = subprocess.check_output([
self._cli, keyset_filename, 'compute', data_filename,
mac_filename
])
except subprocess.CalledProcessError as e:
raise tink.TinkError(e)
with open(mac_filename, 'rb') as f:
mac_value = f.read()
return mac_value
def sign(self, message: bytes) -> bytes:
with tempfile.TemporaryDirectory() as tmpdir:
private_keyset_filename = os.path.join(tmpdir,
'private_keyset_file')
with open(private_keyset_filename, 'wb') as f:
cleartext_keyset_handle.write(tink.BinaryKeysetWriter(f),
self._private_keyset_handle)
message_filename = os.path.join(tmpdir, 'message_filename')
with open(message_filename, 'wb') as f:
f.write(message)
output_filename = os.path.join(tmpdir, 'output_file')
try:
unused_return_value = subprocess.check_output([
self._cli, private_keyset_filename, message_filename,
output_filename
])
except subprocess.CalledProcessError as e:
raise tink.TinkError(e)
with open(output_filename, 'rb') as f:
output = f.read()
return output
def encrypt(self, plaintext: bytes, context_info: bytes) -> bytes:
with tempfile.TemporaryDirectory() as tmpdir:
public_keyset_filename = os.path.join(tmpdir, 'public_keyset_file')
with open(public_keyset_filename, 'wb') as f:
cleartext_keyset_handle.write(tink.BinaryKeysetWriter(f),
self._public_keyset_handle)
plaintext_filename = os.path.join(tmpdir, 'plaintext_file')
with open(plaintext_filename, 'wb') as f:
f.write(plaintext)
context_info_filename = os.path.join(tmpdir, 'context_info_file')
with open(context_info_filename, 'wb') as f:
f.write(context_info)
ciphertext_filename = os.path.join(tmpdir, 'ciphertext_file')
try:
unused_return_value = subprocess.check_output([
self._cli, public_keyset_filename, plaintext_filename,
context_info_filename, ciphertext_filename
])
except subprocess.CalledProcessError as e:
raise tink.TinkError(e)
with open(ciphertext_filename, 'rb') as f:
ciphertext = f.read()
return ciphertext
def ReadEncrypted(
self, request: testing_api_pb2.KeysetReadEncryptedRequest,
context: grpc.ServicerContext
) -> testing_api_pb2.KeysetReadEncryptedResponse:
"""Reads an encrypted keyset."""
try:
master_keyset_handle = cleartext_keyset_handle.read(
tink.BinaryKeysetReader(request.master_keyset))
master_aead = master_keyset_handle.primitive(aead.Aead)
reader = tink.BinaryKeysetReader(request.encrypted_keyset)
if request.HasField('associated_data'):
keyset_handle = tink.read_keyset_handle_with_associated_data(
reader, master_aead, request.associated_data.value)
else:
keyset_handle = tink.read_keyset_handle(reader, master_aead)
keyset = io.BytesIO()
cleartext_keyset_handle.write(tink.BinaryKeysetWriter(keyset),
keyset_handle)
return testing_api_pb2.KeysetReadEncryptedResponse(
keyset=keyset.getvalue())
except tink.TinkError as e:
return testing_api_pb2.KeysetReadEncryptedResponse(err=str(e))
def main(argv):
if len(argv) != 3 and len(argv) != 5:
raise app.UsageError(
'Invalid arguments.\n'
'Usage: %s generate key-file.\n'
'Usage: %s encrypt/decrypt key-file '
'input-file output-file.' % (argv[0], argv[0])
)
mode = argv[1]
if mode not in ('encrypt', 'decrypt', 'generate'):
raise app.UsageError(
'The first argument should be either encrypt, decrypt or generate')
key_file_path = argv[2]
input_file_path = argv[3] if len(argv) == 5 else None
output_file_path = argv[4] if len(argv) == 5 else None
# Initialise Tink
try:
aead.register()
except tink.TinkError as e:
logging.error('Error initialising Tink: %s', e)
return 1
if mode == 'generate':
# [START generate-a-new-keyset]
# Generate a new keyset
try:
key_template = aead.aead_key_templates.AES128_GCM
keyset_handle = tink.KeysetHandle.generate_new(key_template)
except tink.TinkError as e:
logging.exception('Error creating primitive: %s', e)
return 1
# [END generate-a-new-keyset]
# [START store-a-cleartext-keyset]
with open(key_file_path, 'wt') as keyset_file:
try:
cleartext_keyset_handle.write(
tink.JsonKeysetWriter(keyset_file), keyset_handle)
except tink.TinkError as e:
logging.exception('Error writing key: %s', e)
return 1
return 0
# [END store-a-cleartext-keyset]
# Use the input keyset to encrypt/decrypt data
# Read the keyset into a keyset_handle
with open(key_file_path, 'rt') as keyset_file:
try:
text = keyset_file.read()
keyset_handle = cleartext_keyset_handle.read(tink.JsonKeysetReader(text))
except tink.TinkError as e:
logging.exception('Error reading key: %s', e)
return 1
# Get the primitive
try:
cipher = keyset_handle.primitive(aead.Aead)
except tink.TinkError as e:
logging.error('Error creating primitive: %s', e)
return 1
with open(input_file_path, 'rb') as input_file:
input_data = input_file.read()
if mode == 'decrypt':
output_data = cipher.decrypt(input_data, b'envelope_example')
elif mode == 'encrypt':
output_data = cipher.encrypt(input_data, b'envelope_example')
else:
logging.error(
'Error mode not supported. Please choose "encrypt" or "decrypt".')
return 1
with open(output_file_path, 'wb') as output_file:
output_file.write(output_data)
def _keyset(keyset_handle: tink.KeysetHandle) -> bytes:
"""Returns the keyset contained in the keyset_handle."""
keyset_buffer = io.BytesIO()
cleartext_keyset_handle.write(tink.BinaryKeysetWriter(keyset_buffer),
keyset_handle)
return keyset_buffer.getvalue()
def from_keyset_handle(keyset_handle: tink.KeysetHandle) -> KeysetBuilder:
"""Return a KeysetBuilder for a Keyset copied from a KeysetHandle."""
keyset_buffer = io.BytesIO()
cleartext_keyset_handle.write(tink.BinaryKeysetWriter(keyset_buffer),
keyset_handle)
return from_keyset(keyset_buffer.getvalue())
def main(argv):
del argv # Unused.
# Initialise Tink
try:
aead.register()
except tink.TinkError as e:
logging.error('Error initialising Tink: %s', e)
return 1
if FLAGS.mode == 'generate':
# [START generate-a-new-keyset]
# Generate a new keyset
try:
key_template = aead.aead_key_templates.AES128_GCM
keyset_handle = tink.KeysetHandle.generate_new(key_template)
except tink.TinkError as e:
logging.exception('Error creating primitive: %s', e)
return 1
# [END generate-a-new-keyset]
# [START store-a-cleartext-keyset]
with open(FLAGS.keyset_path, 'wt') as keyset_file:
try:
cleartext_keyset_handle.write(
tink.JsonKeysetWriter(keyset_file), keyset_handle)
except tink.TinkError as e:
logging.exception('Error writing key: %s', e)
return 1
return 0
# [END store-a-cleartext-keyset]
# Use the input keyset to encrypt/decrypt data
# Read the keyset into a keyset_handle
with open(FLAGS.keyset_path, 'rt') as keyset_file:
try:
text = keyset_file.read()
keyset_handle = cleartext_keyset_handle.read(
tink.JsonKeysetReader(text))
except tink.TinkError as e:
logging.exception('Error reading key: %s', e)
return 1
# Get the primitive
try:
cipher = keyset_handle.primitive(aead.Aead)
except tink.TinkError as e:
logging.error('Error creating primitive: %s', e)
return 1
with open(FLAGS.input_path, 'rb') as input_file:
input_data = input_file.read()
if FLAGS.mode == 'decrypt':
output_data = cipher.decrypt(input_data, b'envelope_example')
elif FLAGS.mode == 'encrypt':
output_data = cipher.encrypt(input_data, b'envelope_example')
else:
logging.error(
'Error mode not supported. Please choose "encrypt" or "decrypt".'
)
return 1
with open(FLAGS.output_path, 'wb') as output_file:
output_file.write(output_data)
def getKey(self):
iostream = io.BytesIO()
writer = tink.BinaryKeysetWriter(iostream)
cleartext_keyset_handle.write(writer, self.keyset_handle)
encoded_key = base64.b64encode(iostream.getvalue()).decode('utf-8')
return encoded_key
def printKeyInfo(self):
stream = io.StringIO()
writer = tink.JsonKeysetWriter(stream)
cleartext_keyset_handle.write(writer, self.keyset_handle)
return stream.getvalue()
def public_keyset(self) -> bytes: public_handle = self.keyset_handle().public_keyset_handle() public_keyset = io.BytesIO() writer = tink.BinaryKeysetWriter(public_keyset) cleartext_keyset_handle.write(writer, public_handle) return public_keyset.getvalue()
from tink import daead
from tink import cleartext_keyset_handle
from tink import _keyset_writer
import tink
import scrypt
# This part need to be run only once -------------------------------------------------
# generate secret key
daead.register()
keytemplate = daead.deterministic_aead_key_templates.AES256_SIV
secret_key = tink.new_keyset_handle(keytemplate)
# write the key in a file
keyset = open('keys.txt', 'wb')
cleartext_keyset_handle.write(_keyset_writer.BinaryKeysetWriter(keyset), secret_key)
keyset.close()
# add values to the database
user = "******"
pwd = "goodpassword"
save_to_database(user, pwd)
#--------------------------------------------------------------------------------------
# main
def hash_password(password, salt):
hashp = scrypt.hash(password, salt).hex()
return hashp
def addKey(keyset_handle):
with open(secret_key, "w") as file:
our_writer = tink.JsonKeysetWriter(file)
cleartext_keyset_handle.write(our_writer, keyset_handle)
