def test_write_encrypted_read_encrypted(self): encrypted_keyset = example_encrypted_keyset() stream = io.StringIO() writer = tink.JsonKeysetWriter(stream) writer.write_encrypted(encrypted_keyset) reader = tink.JsonKeysetReader(stream.getvalue()) self.assertEqual(encrypted_keyset, reader.read_encrypted())
def test_write_encrypted_invalid_fails(self): with self.assertRaisesRegex(core.TinkError, 'invalid encrypted keyset'): stream = io.StringIO() writer = tink.JsonKeysetWriter(stream) invalid_encrypted_keyset = cast(tink_pb2.EncryptedKeyset, example_keyset()) writer.write_encrypted(invalid_encrypted_keyset)
def test_write_read_with_unicode_chars(self): keyset = tink_pb2.Keyset() key = keyset.key.add() key.key_data.type_url = ( u'\xe3\x82\xb3\xe3\x83\xb3\xe3\x83\x8b\xe3\x83\x81\xe3\x83\x8f') stream = io.StringIO() writer = tink.JsonKeysetWriter(stream) writer.write(keyset) reader = tink.JsonKeysetReader(stream.getvalue()) self.assertEqual(keyset, reader.read())
def ToJson( self, request: testing_api_pb2.KeysetToJsonRequest, context: grpc.ServicerContext) -> testing_api_pb2.KeysetToJsonResponse: """Converts a keyset from binary to JSON format.""" try: keyset_handle = cleartext_keyset_handle.read( tink.BinaryKeysetReader(request.keyset)) json_keyset = io.StringIO() cleartext_keyset_handle.write( tink.JsonKeysetWriter(json_keyset), keyset_handle) return testing_api_pb2.KeysetToJsonResponse( json_keyset=json_keyset.getvalue()) except tink.TinkError as e: return testing_api_pb2.KeysetToJsonResponse(err=str(e))
def WriteEncrypted( self, request: testing_api_pb2.KeysetWriteEncryptedRequest, context: grpc.ServicerContext ) -> testing_api_pb2.KeysetWriteEncryptedResponse: """Writes an encrypted keyset.""" try: master_keyset_handle = cleartext_keyset_handle.read( tink.BinaryKeysetReader(request.master_keyset)) keyset_handle = cleartext_keyset_handle.read( tink.BinaryKeysetReader(request.keyset)) master_aead = master_keyset_handle.primitive(aead.Aead) if request.keyset_writer_type == testing_api_pb2.KEYSET_WRITER_BINARY: encrypted_keyset = io.BytesIO() writer = tink.BinaryKeysetWriter(encrypted_keyset) if request.HasField('associated_data'): keyset_handle.write_with_associated_data( writer, master_aead, request.associated_data.value) else: keyset_handle.write(writer, master_aead) return testing_api_pb2.KeysetWriteEncryptedResponse( encrypted_keyset=encrypted_keyset.getvalue()) elif request.keyset_writer_type == testing_api_pb2.KEYSET_WRITER_JSON: encrypted_keyset = io.StringIO() writer = tink.JsonKeysetWriter(encrypted_keyset) if request.HasField('associated_data'): keyset_handle.write_with_associated_data( writer, master_aead, request.associated_data.value) else: keyset_handle.write(writer, master_aead) return testing_api_pb2.KeysetWriteEncryptedResponse( encrypted_keyset=encrypted_keyset.getvalue().encode( 'utf8')) else: raise ValueError('unknown keyset writer type') except tink.TinkError as e: return testing_api_pb2.KeysetWriteEncryptedResponse(err=str(e))
def main(argv): if len(argv) != 3 and len(argv) != 5: raise app.UsageError( 'Invalid arguments.\n' 'Usage: %s generate key-file.\n' 'Usage: %s encrypt/decrypt key-file ' 'input-file output-file.' % (argv[0], argv[0]) ) mode = argv[1] if mode not in ('encrypt', 'decrypt', 'generate'): raise app.UsageError( 'The first argument should be either encrypt, decrypt or generate') key_file_path = argv[2] input_file_path = argv[3] if len(argv) == 5 else None output_file_path = argv[4] if len(argv) == 5 else None # Initialise Tink try: aead.register() except tink.TinkError as e: logging.error('Error initialising Tink: %s', e) return 1 if mode == 'generate': # [START generate-a-new-keyset] # Generate a new keyset try: key_template = aead.aead_key_templates.AES128_GCM keyset_handle = tink.KeysetHandle.generate_new(key_template) except tink.TinkError as e: logging.exception('Error creating primitive: %s', e) return 1 # [END generate-a-new-keyset] # [START store-a-cleartext-keyset] with open(key_file_path, 'wt') as keyset_file: try: cleartext_keyset_handle.write( tink.JsonKeysetWriter(keyset_file), keyset_handle) except tink.TinkError as e: logging.exception('Error writing key: %s', e) return 1 return 0 # [END store-a-cleartext-keyset] # Use the input keyset to encrypt/decrypt data # Read the keyset into a keyset_handle with open(key_file_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = cleartext_keyset_handle.read(tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading key: %s', e) return 1 # Get the primitive try: cipher = keyset_handle.primitive(aead.Aead) except tink.TinkError as e: logging.error('Error creating primitive: %s', e) return 1 with open(input_file_path, 'rb') as input_file: input_data = input_file.read() if mode == 'decrypt': output_data = cipher.decrypt(input_data, b'envelope_example') elif mode == 'encrypt': output_data = cipher.encrypt(input_data, b'envelope_example') else: logging.error( 'Error mode not supported. Please choose "encrypt" or "decrypt".') return 1 with open(output_file_path, 'wb') as output_file: output_file.write(output_data)
def main(argv): del argv # Unused. associated_data = b'' if not FLAGS.associated_data else bytes( FLAGS.associated_data, 'utf-8') # Initialise Tink try: aead.register() except tink.TinkError as e: logging.error('Error initialising Tink: %s', e) return 1 # Read the GCP credentials and set up a client try: gcpkms.GcpKmsClient.register_client(FLAGS.kek_uri, FLAGS.gcp_credential_path) except tink.TinkError as e: logging.error('Error initializing GCP client: %s', e) return 1 # Create an AEAD primitive from the key-encryption key (KEK) for encrypting # Tink keysets try: handle = tink.KeysetHandle.generate_new( aead.aead_key_templates.create_kms_aead_key_template( key_uri=FLAGS.kek_uri)) gcp_aead = handle.primitive(aead.Aead) except tink.TinkError as e: logging.exception('Error creating KMS AEAD primitive: %s', e) return 1 if FLAGS.mode == 'generate': # [START generate-a-new-keyset] # Generate a new keyset try: key_template = aead.aead_key_templates.AES128_GCM keyset_handle = tink.KeysetHandle.generate_new(key_template) except tink.TinkError as e: logging.exception('Error creating primitive: %s', e) return 1 # [END generate-a-new-keyset] # [START encrypt-a-keyset] # Encrypt the keyset_handle with the remote key-encryption key (KEK) with open(FLAGS.keyset_path, 'wt') as keyset_file: try: keyset_handle.write(tink.JsonKeysetWriter(keyset_file), gcp_aead) except tink.TinkError as e: logging.exception('Error writing key: %s', e) return 1 return 0 # [END encrypt-a-keyset] # Use the keyset to encrypt/decrypt data # Read the encrypted keyset into a keyset_handle with open(FLAGS.keyset_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = tink.KeysetHandle.read(tink.JsonKeysetReader(text), gcp_aead) except tink.TinkError as e: logging.exception('Error reading key: %s', e) return 1 # Get the primitive try: cipher = keyset_handle.primitive(aead.Aead) except tink.TinkError as e: logging.error('Error creating primitive: %s', e) return 1 with open(FLAGS.input_path, 'rb') as input_file: input_data = input_file.read() if FLAGS.mode == 'decrypt': output_data = cipher.decrypt(input_data, associated_data) elif FLAGS.mode == 'encrypt': output_data = cipher.encrypt(input_data, associated_data) else: logging.error( 'Error mode not supported. Please choose "encrypt" or "decrypt".' ) return 1 with open(FLAGS.output_path, 'wb') as output_file: output_file.write(output_data)
def printKeyInfo(self): stream = io.StringIO() writer = tink.JsonKeysetWriter(stream) cleartext_keyset_handle.write(writer, self.keyset_handle) return stream.getvalue()
def test_write_invalid_fails(self): stream = io.StringIO() writer = tink.JsonKeysetWriter(stream) invalid_keyset = cast(tink_pb2.Keyset, example_encrypted_keyset()) with self.assertRaises(core.TinkError): writer.write(invalid_keyset)
def main(argv): del argv # Unused. # Initialise Tink try: aead.register() except tink.TinkError as e: logging.error('Error initialising Tink: %s', e) return 1 if FLAGS.mode == 'generate': # [START generate-a-new-keyset] # Generate a new keyset try: key_template = aead.aead_key_templates.AES128_GCM keyset_handle = tink.KeysetHandle.generate_new(key_template) except tink.TinkError as e: logging.exception('Error creating primitive: %s', e) return 1 # [END generate-a-new-keyset] # [START store-a-cleartext-keyset] with open(FLAGS.keyset_path, 'wt') as keyset_file: try: cleartext_keyset_handle.write( tink.JsonKeysetWriter(keyset_file), keyset_handle) except tink.TinkError as e: logging.exception('Error writing key: %s', e) return 1 return 0 # [END store-a-cleartext-keyset] # Use the input keyset to encrypt/decrypt data # Read the keyset into a keyset_handle with open(FLAGS.keyset_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = cleartext_keyset_handle.read( tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading key: %s', e) return 1 # Get the primitive try: cipher = keyset_handle.primitive(aead.Aead) except tink.TinkError as e: logging.error('Error creating primitive: %s', e) return 1 with open(FLAGS.input_path, 'rb') as input_file: input_data = input_file.read() if FLAGS.mode == 'decrypt': output_data = cipher.decrypt(input_data, b'envelope_example') elif FLAGS.mode == 'encrypt': output_data = cipher.encrypt(input_data, b'envelope_example') else: logging.error( 'Error mode not supported. Please choose "encrypt" or "decrypt".' ) return 1 with open(FLAGS.output_path, 'wb') as output_file: output_file.write(output_data)
def main(argv): if len(argv) != 5 and len(argv) != 7: raise app.UsageError( 'Invalid arguments.\n' 'Usage: %s generate key-file kek-uri gcp-credential-file.\n' 'Usage: %s encrypt/decrypt key-file kek-uri gcp-credential-file ' 'input-file output-file.' % (argv[0], argv[0])) mode = argv[1] if mode not in ('encrypt', 'decrypt', 'generate'): raise app.UsageError( 'The first argument should be either encrypt, decrypt or generate') key_file_path = argv[2] kek_uri = argv[3] gcp_credential_file = argv[4] input_file_path = argv[5] if len(argv) == 7 else None output_file_path = argv[6] if len(argv) == 7 else None # Initialise Tink try: aead.register() except tink.TinkError as e: logging.error('Error initialising Tink: %s', e) return 1 # Read the GCP credentials and set up a client try: gcpkms.GcpKmsClient.register_client(kek_uri, gcp_credential_file) except tink.TinkError as e: logging.error('Error initializing GCP client: %s', e) return 1 # Create an AEAD primitive from the key-encryption key (KEK) for encrypting # Tink keysets try: handle = tink.KeysetHandle.generate_new( aead.aead_key_templates.create_kms_aead_key_template( key_uri=kek_uri)) gcp_aead = handle.primitive(aead.Aead) except tink.TinkError as e: logging.exception('Error creating KMS AEAD primitive: %s', e) return 1 if mode == 'generate': # [START generate-a-new-keyset] # Generate a new keyset try: key_template = aead.aead_key_templates.AES128_GCM keyset_handle = tink.KeysetHandle.generate_new(key_template) except tink.TinkError as e: logging.exception('Error creating primitive: %s', e) return 1 # [END generate-a-new-keyset] # [START encrypt-a-keyset] # Encrypt the keyset_handle with the remote key-encryption key (KEK) with open(key_file_path, 'wt') as keyset_file: try: keyset_handle.write(tink.JsonKeysetWriter(keyset_file), gcp_aead) except tink.TinkError as e: logging.exception('Error writing key: %s', e) return 1 return 0 # [END encrypt-a-keyset] # Use the keyset to encrypt/decrypt data # Read the encrypted keyset into a keyset_handle with open(key_file_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = tink.KeysetHandle.read(tink.JsonKeysetReader(text), gcp_aead) except tink.TinkError as e: logging.exception('Error reading key: %s', e) return 1 # Get the primitive try: cipher = keyset_handle.primitive(aead.Aead) except tink.TinkError as e: logging.error('Error creating primitive: %s', e) return 1 with open(input_file_path, 'rb') as input_file: input_data = input_file.read() if mode == 'decrypt': output_data = cipher.decrypt(input_data, b'encrypted-keyset-example') elif mode == 'encrypt': output_data = cipher.encrypt(input_data, b'encrypted-keyset-example') else: logging.error( 'Error mode not supported. Please choose "encrypt" or "decrypt".' ) return 1 with open(output_file_path, 'wb') as output_file: output_file.write(output_data)
def addKey(keyset_handle): with open(secret_key, "w") as file: our_writer = tink.JsonKeysetWriter(file) cleartext_keyset_handle.write(our_writer, keyset_handle)