Exemple #1
 def test_create_kms_aead_key_template(self):
     """Check the fields of the template built for a KMS-backed AEAD key.

     The template must name the KmsAeadKey type, use the RAW output prefix,
     and carry the KEK URI unchanged inside its serialized key format.
     """
     # Placeholder URI: only the round trip through the template is checked,
     # no KMS client is contacted by this test.
     kek_uri = 'fake://kek/uri'
     expected_type_url = 'type.googleapis.com/google.crypto.tink.KmsAeadKey'

     template = aead.aead_key_templates.create_kms_aead_key_template(
         key_uri=kek_uri)

     self.assertEqual(template.type_url, expected_type_url)
     self.assertEqual(template.output_prefix_type, tink_pb2.RAW)

     # The key format travels as serialized bytes in `template.value`;
     # decode it to confirm the URI was stored exactly as passed in.
     parsed_format = kms_aead_pb2.KmsAeadKeyFormat()
     parsed_format.ParseFromString(template.value)
     self.assertEqual(parsed_format.key_uri, kek_uri)
Exemple #2
def _create_kms_aead_key_template(key_uri: Text) -> tink_pb2.KeyTemplate:
  """Builds a KeyTemplate for the KmsAeadKey type pointing at `key_uri`.

  The type URL set here is the plain KmsAeadKey one, not an envelope key
  type. `key_uri` is copied into the key format as given; this function
  performs no validation of it, so the caller decides which remote key the
  template refers to.

  Args:
    key_uri: URI of the remote key.

  Returns:
    A KeyTemplate with type_url, serialized KmsAeadKeyFormat value and RAW
    output prefix filled in.
  """
  template = tink_pb2.KeyTemplate()
  template.type_url = 'type.googleapis.com/google.crypto.tink.KmsAeadKey'
  template.output_prefix_type = tink_pb2.RAW

  # The format message holds only the URI; it is embedded in the template
  # as serialized bytes.
  kms_format = kms_aead_pb2.KmsAeadKeyFormat()
  kms_format.key_uri = key_uri
  template.value = kms_format.SerializeToString()
  return template
Exemple #3
def create_kms_aead_key_template(key_uri: str) -> tink_pb2.KeyTemplate:
    """Creates a KMS AEAD KeyTemplate from a KEK URI.

    Keys generated by this key template use the RAW output prefix to make
    them compatible with the remote KMS' encrypt/decrypt operations. Unlike
    other templates, when you generate new keys with this template, Tink does
    not generate new key material, but only creates a reference to the remote
    KEK.

    The URI is stored in the key format exactly as passed; no validation is
    done here. Because it selects the remote key that protects the data, it
    should come from trusted configuration rather than from untrusted input.

    Args:
      key_uri: The remote key URI.

    Returns:
      A KMS AEAD KeyTemplate.
    """
    template = tink_pb2.KeyTemplate()
    template.type_url = _KMS_AEAD_KEY_TYPE_URL
    template.output_prefix_type = tink_pb2.RAW

    # The key format carries only the KEK URI and is embedded in the
    # template as serialized bytes.
    kms_format = kms_aead_pb2.KmsAeadKeyFormat()
    kms_format.key_uri = key_uri
    template.value = kms_format.SerializeToString()
    return template