def test_write_encrypted_read_encrypted(self):
encrypted_keyset = example_encrypted_keyset()
stream = io.StringIO()
writer = tink.JsonKeysetWriter(stream)
writer.write_encrypted(encrypted_keyset)
reader = tink.JsonKeysetReader(stream.getvalue())
self.assertEqual(encrypted_keyset, reader.read_encrypted())
def test_write_encrypted_invalid_fails(self):
with self.assertRaisesRegex(core.TinkError,
'invalid encrypted keyset'):
stream = io.StringIO()
writer = tink.JsonKeysetWriter(stream)
invalid_encrypted_keyset = cast(tink_pb2.EncryptedKeyset,
example_keyset())
writer.write_encrypted(invalid_encrypted_keyset)
def test_write_read_with_unicode_chars(self):
keyset = tink_pb2.Keyset()
key = keyset.key.add()
key.key_data.type_url = (
u'\xe3\x82\xb3\xe3\x83\xb3\xe3\x83\x8b\xe3\x83\x81\xe3\x83\x8f')
stream = io.StringIO()
writer = tink.JsonKeysetWriter(stream)
writer.write(keyset)
reader = tink.JsonKeysetReader(stream.getvalue())
self.assertEqual(keyset, reader.read())
def ToJson(
self, request: testing_api_pb2.KeysetToJsonRequest,
context: grpc.ServicerContext) -> testing_api_pb2.KeysetToJsonResponse:
"""Converts a keyset from binary to JSON format."""
try:
keyset_handle = cleartext_keyset_handle.read(
tink.BinaryKeysetReader(request.keyset))
json_keyset = io.StringIO()
cleartext_keyset_handle.write(
tink.JsonKeysetWriter(json_keyset), keyset_handle)
return testing_api_pb2.KeysetToJsonResponse(
json_keyset=json_keyset.getvalue())
except tink.TinkError as e:
return testing_api_pb2.KeysetToJsonResponse(err=str(e))
def WriteEncrypted(
self, request: testing_api_pb2.KeysetWriteEncryptedRequest,
context: grpc.ServicerContext
) -> testing_api_pb2.KeysetWriteEncryptedResponse:
"""Writes an encrypted keyset."""
try:
master_keyset_handle = cleartext_keyset_handle.read(
tink.BinaryKeysetReader(request.master_keyset))
keyset_handle = cleartext_keyset_handle.read(
tink.BinaryKeysetReader(request.keyset))
master_aead = master_keyset_handle.primitive(aead.Aead)
if request.keyset_writer_type == testing_api_pb2.KEYSET_WRITER_BINARY:
encrypted_keyset = io.BytesIO()
writer = tink.BinaryKeysetWriter(encrypted_keyset)
if request.HasField('associated_data'):
keyset_handle.write_with_associated_data(
writer, master_aead, request.associated_data.value)
else:
keyset_handle.write(writer, master_aead)
return testing_api_pb2.KeysetWriteEncryptedResponse(
encrypted_keyset=encrypted_keyset.getvalue())
elif request.keyset_writer_type == testing_api_pb2.KEYSET_WRITER_JSON:
encrypted_keyset = io.StringIO()
writer = tink.JsonKeysetWriter(encrypted_keyset)
if request.HasField('associated_data'):
keyset_handle.write_with_associated_data(
writer, master_aead, request.associated_data.value)
else:
keyset_handle.write(writer, master_aead)
return testing_api_pb2.KeysetWriteEncryptedResponse(
encrypted_keyset=encrypted_keyset.getvalue().encode(
'utf8'))
else:
raise ValueError('unknown keyset writer type')
except tink.TinkError as e:
return testing_api_pb2.KeysetWriteEncryptedResponse(err=str(e))
def main(argv):
if len(argv) != 3 and len(argv) != 5:
raise app.UsageError(
'Invalid arguments.\n'
'Usage: %s generate key-file.\n'
'Usage: %s encrypt/decrypt key-file '
'input-file output-file.' % (argv[0], argv[0])
)
mode = argv[1]
if mode not in ('encrypt', 'decrypt', 'generate'):
raise app.UsageError(
'The first argument should be either encrypt, decrypt or generate')
key_file_path = argv[2]
input_file_path = argv[3] if len(argv) == 5 else None
output_file_path = argv[4] if len(argv) == 5 else None
# Initialise Tink
try:
aead.register()
except tink.TinkError as e:
logging.error('Error initialising Tink: %s', e)
return 1
if mode == 'generate':
# [START generate-a-new-keyset]
# Generate a new keyset
try:
key_template = aead.aead_key_templates.AES128_GCM
keyset_handle = tink.KeysetHandle.generate_new(key_template)
except tink.TinkError as e:
logging.exception('Error creating primitive: %s', e)
return 1
# [END generate-a-new-keyset]
# [START store-a-cleartext-keyset]
with open(key_file_path, 'wt') as keyset_file:
try:
cleartext_keyset_handle.write(
tink.JsonKeysetWriter(keyset_file), keyset_handle)
except tink.TinkError as e:
logging.exception('Error writing key: %s', e)
return 1
return 0
# [END store-a-cleartext-keyset]
# Use the input keyset to encrypt/decrypt data
# Read the keyset into a keyset_handle
with open(key_file_path, 'rt') as keyset_file:
try:
text = keyset_file.read()
keyset_handle = cleartext_keyset_handle.read(tink.JsonKeysetReader(text))
except tink.TinkError as e:
logging.exception('Error reading key: %s', e)
return 1
# Get the primitive
try:
cipher = keyset_handle.primitive(aead.Aead)
except tink.TinkError as e:
logging.error('Error creating primitive: %s', e)
return 1
with open(input_file_path, 'rb') as input_file:
input_data = input_file.read()
if mode == 'decrypt':
output_data = cipher.decrypt(input_data, b'envelope_example')
elif mode == 'encrypt':
output_data = cipher.encrypt(input_data, b'envelope_example')
else:
logging.error(
'Error mode not supported. Please choose "encrypt" or "decrypt".')
return 1
with open(output_file_path, 'wb') as output_file:
output_file.write(output_data)
def main(argv):
del argv # Unused.
associated_data = b'' if not FLAGS.associated_data else bytes(
FLAGS.associated_data, 'utf-8')
# Initialise Tink
try:
aead.register()
except tink.TinkError as e:
logging.error('Error initialising Tink: %s', e)
return 1
# Read the GCP credentials and set up a client
try:
gcpkms.GcpKmsClient.register_client(FLAGS.kek_uri,
FLAGS.gcp_credential_path)
except tink.TinkError as e:
logging.error('Error initializing GCP client: %s', e)
return 1
# Create an AEAD primitive from the key-encryption key (KEK) for encrypting
# Tink keysets
try:
handle = tink.KeysetHandle.generate_new(
aead.aead_key_templates.create_kms_aead_key_template(
key_uri=FLAGS.kek_uri))
gcp_aead = handle.primitive(aead.Aead)
except tink.TinkError as e:
logging.exception('Error creating KMS AEAD primitive: %s', e)
return 1
if FLAGS.mode == 'generate':
# [START generate-a-new-keyset]
# Generate a new keyset
try:
key_template = aead.aead_key_templates.AES128_GCM
keyset_handle = tink.KeysetHandle.generate_new(key_template)
except tink.TinkError as e:
logging.exception('Error creating primitive: %s', e)
return 1
# [END generate-a-new-keyset]
# [START encrypt-a-keyset]
# Encrypt the keyset_handle with the remote key-encryption key (KEK)
with open(FLAGS.keyset_path, 'wt') as keyset_file:
try:
keyset_handle.write(tink.JsonKeysetWriter(keyset_file),
gcp_aead)
except tink.TinkError as e:
logging.exception('Error writing key: %s', e)
return 1
return 0
# [END encrypt-a-keyset]
# Use the keyset to encrypt/decrypt data
# Read the encrypted keyset into a keyset_handle
with open(FLAGS.keyset_path, 'rt') as keyset_file:
try:
text = keyset_file.read()
keyset_handle = tink.KeysetHandle.read(tink.JsonKeysetReader(text),
gcp_aead)
except tink.TinkError as e:
logging.exception('Error reading key: %s', e)
return 1
# Get the primitive
try:
cipher = keyset_handle.primitive(aead.Aead)
except tink.TinkError as e:
logging.error('Error creating primitive: %s', e)
return 1
with open(FLAGS.input_path, 'rb') as input_file:
input_data = input_file.read()
if FLAGS.mode == 'decrypt':
output_data = cipher.decrypt(input_data, associated_data)
elif FLAGS.mode == 'encrypt':
output_data = cipher.encrypt(input_data, associated_data)
else:
logging.error(
'Error mode not supported. Please choose "encrypt" or "decrypt".'
)
return 1
with open(FLAGS.output_path, 'wb') as output_file:
output_file.write(output_data)
def printKeyInfo(self):
stream = io.StringIO()
writer = tink.JsonKeysetWriter(stream)
cleartext_keyset_handle.write(writer, self.keyset_handle)
return stream.getvalue()
def test_write_invalid_fails(self):
stream = io.StringIO()
writer = tink.JsonKeysetWriter(stream)
invalid_keyset = cast(tink_pb2.Keyset, example_encrypted_keyset())
with self.assertRaises(core.TinkError):
writer.write(invalid_keyset)
def main(argv):
del argv # Unused.
# Initialise Tink
try:
aead.register()
except tink.TinkError as e:
logging.error('Error initialising Tink: %s', e)
return 1
if FLAGS.mode == 'generate':
# [START generate-a-new-keyset]
# Generate a new keyset
try:
key_template = aead.aead_key_templates.AES128_GCM
keyset_handle = tink.KeysetHandle.generate_new(key_template)
except tink.TinkError as e:
logging.exception('Error creating primitive: %s', e)
return 1
# [END generate-a-new-keyset]
# [START store-a-cleartext-keyset]
with open(FLAGS.keyset_path, 'wt') as keyset_file:
try:
cleartext_keyset_handle.write(
tink.JsonKeysetWriter(keyset_file), keyset_handle)
except tink.TinkError as e:
logging.exception('Error writing key: %s', e)
return 1
return 0
# [END store-a-cleartext-keyset]
# Use the input keyset to encrypt/decrypt data
# Read the keyset into a keyset_handle
with open(FLAGS.keyset_path, 'rt') as keyset_file:
try:
text = keyset_file.read()
keyset_handle = cleartext_keyset_handle.read(
tink.JsonKeysetReader(text))
except tink.TinkError as e:
logging.exception('Error reading key: %s', e)
return 1
# Get the primitive
try:
cipher = keyset_handle.primitive(aead.Aead)
except tink.TinkError as e:
logging.error('Error creating primitive: %s', e)
return 1
with open(FLAGS.input_path, 'rb') as input_file:
input_data = input_file.read()
if FLAGS.mode == 'decrypt':
output_data = cipher.decrypt(input_data, b'envelope_example')
elif FLAGS.mode == 'encrypt':
output_data = cipher.encrypt(input_data, b'envelope_example')
else:
logging.error(
'Error mode not supported. Please choose "encrypt" or "decrypt".'
)
return 1
with open(FLAGS.output_path, 'wb') as output_file:
output_file.write(output_data)
def main(argv):
if len(argv) != 5 and len(argv) != 7:
raise app.UsageError(
'Invalid arguments.\n'
'Usage: %s generate key-file kek-uri gcp-credential-file.\n'
'Usage: %s encrypt/decrypt key-file kek-uri gcp-credential-file '
'input-file output-file.' % (argv[0], argv[0]))
mode = argv[1]
if mode not in ('encrypt', 'decrypt', 'generate'):
raise app.UsageError(
'The first argument should be either encrypt, decrypt or generate')
key_file_path = argv[2]
kek_uri = argv[3]
gcp_credential_file = argv[4]
input_file_path = argv[5] if len(argv) == 7 else None
output_file_path = argv[6] if len(argv) == 7 else None
# Initialise Tink
try:
aead.register()
except tink.TinkError as e:
logging.error('Error initialising Tink: %s', e)
return 1
# Read the GCP credentials and set up a client
try:
gcpkms.GcpKmsClient.register_client(kek_uri, gcp_credential_file)
except tink.TinkError as e:
logging.error('Error initializing GCP client: %s', e)
return 1
# Create an AEAD primitive from the key-encryption key (KEK) for encrypting
# Tink keysets
try:
handle = tink.KeysetHandle.generate_new(
aead.aead_key_templates.create_kms_aead_key_template(
key_uri=kek_uri))
gcp_aead = handle.primitive(aead.Aead)
except tink.TinkError as e:
logging.exception('Error creating KMS AEAD primitive: %s', e)
return 1
if mode == 'generate':
# [START generate-a-new-keyset]
# Generate a new keyset
try:
key_template = aead.aead_key_templates.AES128_GCM
keyset_handle = tink.KeysetHandle.generate_new(key_template)
except tink.TinkError as e:
logging.exception('Error creating primitive: %s', e)
return 1
# [END generate-a-new-keyset]
# [START encrypt-a-keyset]
# Encrypt the keyset_handle with the remote key-encryption key (KEK)
with open(key_file_path, 'wt') as keyset_file:
try:
keyset_handle.write(tink.JsonKeysetWriter(keyset_file),
gcp_aead)
except tink.TinkError as e:
logging.exception('Error writing key: %s', e)
return 1
return 0
# [END encrypt-a-keyset]
# Use the keyset to encrypt/decrypt data
# Read the encrypted keyset into a keyset_handle
with open(key_file_path, 'rt') as keyset_file:
try:
text = keyset_file.read()
keyset_handle = tink.KeysetHandle.read(tink.JsonKeysetReader(text),
gcp_aead)
except tink.TinkError as e:
logging.exception('Error reading key: %s', e)
return 1
# Get the primitive
try:
cipher = keyset_handle.primitive(aead.Aead)
except tink.TinkError as e:
logging.error('Error creating primitive: %s', e)
return 1
with open(input_file_path, 'rb') as input_file:
input_data = input_file.read()
if mode == 'decrypt':
output_data = cipher.decrypt(input_data,
b'encrypted-keyset-example')
elif mode == 'encrypt':
output_data = cipher.encrypt(input_data,
b'encrypted-keyset-example')
else:
logging.error(
'Error mode not supported. Please choose "encrypt" or "decrypt".'
)
return 1
with open(output_file_path, 'wb') as output_file:
output_file.write(output_data)
def addKey(keyset_handle):
with open(secret_key, "w") as file:
our_writer = tink.JsonKeysetWriter(file)
cleartext_keyset_handle.write(our_writer, keyset_handle)
