def public_keyset_handle(private_keyset_handle) -> tink.KeysetHandle: """Generates a public keyset handle from a private one.""" with tempfile.TemporaryDirectory() as tmpdir: cli_path = os.path.join(_tools_path(), _TINKEY_CLI_PATH) private_keyset_filename = os.path.join(tmpdir, 'private_keyset_file') with open(private_keyset_filename, 'wb') as f: cleartext_keyset_handle.write(tink.BinaryKeysetWriter(f), private_keyset_handle) public_keyset_filename = os.path.join(tmpdir, 'public_keyset_file') unused_return_value = subprocess.check_output([ cli_path, 'create-public-keyset', '--in-format', 'BINARY', '--in', private_keyset_filename, '--out-format', 'BINARY', '--out', public_keyset_filename, ]) with open(public_keyset_filename, 'rb') as f: public_keyset_data = f.read() return cleartext_keyset_handle.read( tink.BinaryKeysetReader(public_keyset_data))
def verify_mac(self, mac_value: bytes, data: bytes) -> None: with tempfile.TemporaryDirectory() as tmpdir: keyset_filename = os.path.join(tmpdir, 'keyset_file') with open(keyset_filename, 'wb') as f: cleartext_keyset_handle.write(tink.BinaryKeysetWriter(f), self._keyset_handle) data_filename = os.path.join(tmpdir, 'data_file') with open(data_filename, 'wb') as f: f.write(data) mac_filename = os.path.join(tmpdir, 'mac_file') with open(mac_filename, 'wb') as f: f.write(mac_value) result_filename = os.path.join(tmpdir, 'result_file') try: unused_return_value = subprocess.check_output([ self._cli, keyset_filename, 'verify', data_filename, mac_filename, result_filename ]) except subprocess.CalledProcessError as e: raise tink.TinkError(e) with open(result_filename, 'rb') as f: result = f.read() if result != b'valid': raise tink.TinkError('verification failed') return None
def _run(self, operation: Text, input_data: bytes, associated_data: bytes) -> bytes: with tempfile.TemporaryDirectory() as tmpdir: keyset_filename = os.path.join(tmpdir, 'keyset_file') input_filename = os.path.join(tmpdir, 'input_file') associated_data_filename = os.path.join(tmpdir, 'associated_data_file') output_filename = os.path.join(tmpdir, 'output_file') with open(keyset_filename, 'wb') as f: cleartext_keyset_handle.write(tink.BinaryKeysetWriter(f), self._keyset_handle) with open(input_filename, 'wb') as f: f.write(input_data) with open(associated_data_filename, 'wb') as f: f.write(associated_data) try: unused_return_value = subprocess.check_output([ self._cli, keyset_filename, operation, input_filename, associated_data_filename, output_filename ]) except subprocess.CalledProcessError as e: raise tink.TinkError(e) with open(output_filename, 'rb') as f: output_data = f.read() return output_data
def verify(self, sign: bytes, data: bytes) -> None: with tempfile.TemporaryDirectory() as tmpdir: public_keyset_filename = os.path.join(tmpdir, 'public_keyset_file') with open(public_keyset_filename, 'wb') as f: cleartext_keyset_handle.write(tink.BinaryKeysetWriter(f), self._public_keyset_handle) signature_filename = os.path.join(tmpdir, 'signature_file') with open(signature_filename, 'wb') as f: f.write(sign) message_filename = os.path.join(tmpdir, 'message_file') with open(message_filename, 'wb') as f: f.write(data) output_filename = os.path.join(tmpdir, 'output_file') try: unused_return_value = subprocess.check_output([ self._cli, public_keyset_filename, signature_filename, message_filename, output_filename ]) except subprocess.CalledProcessError as e: raise tink.TinkError(e) with open(output_filename, 'rb') as f: output = f.read() if output != b'valid': raise tink.TinkError('verification failed') return None
def _set_custom_kid(keyset_handle: tink.KeysetHandle, custom_kid: str) -> tink.KeysetHandle: """Sets the custom_kid field of the first key.""" buffer = io.BytesIO() cleartext_keyset_handle.write( tink.BinaryKeysetWriter(buffer), keyset_handle) keyset = tink_pb2.Keyset.FromString(buffer.getvalue()) if keyset.key[0].key_data.type_url.endswith('JwtEcdsaPrivateKey'): jwt_ecdsa_key = jwt_ecdsa_pb2.JwtEcdsaPrivateKey.FromString( keyset.key[0].key_data.value) jwt_ecdsa_key.public_key.custom_kid.value = custom_kid keyset.key[0].key_data.value = jwt_ecdsa_key.SerializeToString() elif keyset.key[0].key_data.type_url.endswith('JwtRsaSsaPkcs1PrivateKey'): rsa_key = jwt_rsa_ssa_pkcs1_pb2.JwtRsaSsaPkcs1PrivateKey.FromString( keyset.key[0].key_data.value) rsa_key.public_key.custom_kid.value = custom_kid keyset.key[0].key_data.value = rsa_key.SerializeToString() elif keyset.key[0].key_data.type_url.endswith('JwtRsaSsaPssPrivateKey'): rsa_key = jwt_rsa_ssa_pss_pb2.JwtRsaSsaPssPrivateKey.FromString( keyset.key[0].key_data.value) rsa_key.public_key.custom_kid.value = custom_kid keyset.key[0].key_data.value = rsa_key.SerializeToString() else: raise tink.TinkError('unknown key type') return cleartext_keyset_handle.from_keyset(keyset)
def ReadEncrypted( self, request: testing_api_pb2.KeysetReadEncryptedRequest, context: grpc.ServicerContext ) -> testing_api_pb2.KeysetReadEncryptedResponse: """Reads an encrypted keyset.""" try: master_keyset_handle = cleartext_keyset_handle.read( tink.BinaryKeysetReader(request.master_keyset)) master_aead = master_keyset_handle.primitive(aead.Aead) if request.keyset_reader_type == testing_api_pb2.KEYSET_READER_BINARY: reader = tink.BinaryKeysetReader(request.encrypted_keyset) elif request.keyset_reader_type == testing_api_pb2.KEYSET_READER_JSON: reader = tink.JsonKeysetReader(request.encrypted_keyset.decode('utf8')) else: raise ValueError('unknown keyset reader type') if request.HasField('associated_data'): keyset_handle = tink.read_keyset_handle_with_associated_data( reader, master_aead, request.associated_data.value) else: keyset_handle = tink.read_keyset_handle(reader, master_aead) keyset = io.BytesIO() cleartext_keyset_handle.write( tink.BinaryKeysetWriter(keyset), keyset_handle) return testing_api_pb2.KeysetReadEncryptedResponse( keyset=keyset.getvalue()) except tink.TinkError as e: return testing_api_pb2.KeysetReadEncryptedResponse(err=str(e))
def from_keyset_handle(keyset_handle: tink.KeysetHandle) -> KeysetBuilder: """Return a KeysetBuilder for a Keyset copied from a KeysetHandle.""" keyset_buffer = io.BytesIO() cleartext_keyset_handle.write( tink.BinaryKeysetWriter(keyset_buffer), keyset_handle) keyset = tink_pb2.Keyset() keyset.ParseFromString(keyset_buffer.getvalue()) return KeysetBuilder(keyset)
def _change_output_prefix_to_tink( keyset_handle: tink.KeysetHandle) -> tink.KeysetHandle: """Changes the output prefix type of the first key to TINK.""" buffer = io.BytesIO() cleartext_keyset_handle.write( tink.BinaryKeysetWriter(buffer), keyset_handle) keyset = tink_pb2.Keyset.FromString(buffer.getvalue()) keyset.key[0].output_prefix_type = tink_pb2.TINK return cleartext_keyset_handle.from_keyset(keyset)
def _set_custom_kid(keyset_handle: tink.KeysetHandle, custom_kid: str) -> tink.KeysetHandle: """Set the custom_kid field of the first key.""" buffer = io.BytesIO() cleartext_keyset_handle.write(tink.BinaryKeysetWriter(buffer), keyset_handle) keyset = tink_pb2.Keyset.FromString(buffer.getvalue()) hmac_key = jwt_hmac_pb2.JwtHmacKey.FromString(keyset.key[0].key_data.value) hmac_key.custom_kid.value = custom_kid keyset.key[0].key_data.value = hmac_key.SerializeToString() return cleartext_keyset_handle.from_keyset(keyset)
def test_write_read(self): handle = tink.new_keyset_handle( mac.mac_key_templates.HMAC_SHA256_128BITTAG) output_stream = io.BytesIO() writer = tink.BinaryKeysetWriter(output_stream) cleartext_keyset_handle.write(writer, handle) reader = tink.BinaryKeysetReader(output_stream.getvalue()) handle2 = cleartext_keyset_handle.read(reader) # Check that handle2 has the same primitive as handle. handle2.primitive(mac.Mac).verify_mac( handle.primitive(mac.Mac).compute_mac(b'data'), b'data')
def _change_key_id(keyset_handle: tink.KeysetHandle) -> tink.KeysetHandle: """Changes the key id of the first key and makes it primary.""" buffer = io.BytesIO() cleartext_keyset_handle.write( tink.BinaryKeysetWriter(buffer), keyset_handle) keyset = tink_pb2.Keyset.FromString(buffer.getvalue()) # XOR the key id with an arbitrary 32-bit string to get a new key id. new_key_id = keyset.key[0].key_id ^ 0xdeadbeef keyset.key[0].key_id = new_key_id keyset.primary_key_id = new_key_id return cleartext_keyset_handle.from_keyset(keyset)
def FromJson( self, request: testing_api_pb2.KeysetFromJsonRequest, context: grpc.ServicerContext) -> testing_api_pb2.KeysetFromJsonResponse: """Converts a keyset from JSON to binary format.""" try: keyset_handle = cleartext_keyset_handle.read( tink.JsonKeysetReader(request.json_keyset)) keyset = io.BytesIO() cleartext_keyset_handle.write( tink.BinaryKeysetWriter(keyset), keyset_handle) return testing_api_pb2.KeysetFromJsonResponse(keyset=keyset.getvalue()) except tink.TinkError as e: return testing_api_pb2.KeysetFromJsonResponse(err=str(e))
def Generate( self, request: testing_api_pb2.GenerateKeysetRequest, context: grpc.ServicerContext) -> testing_api_pb2.KeysetResponse: """Generates a keyset.""" try: template = tink_pb2.KeyTemplate() template.ParseFromString(request.template) keyset_handle = tink.new_keyset_handle(template) keyset = io.BytesIO() cleartext_keyset_handle.write( tink.BinaryKeysetWriter(keyset), keyset_handle) return testing_api_pb2.KeysetResponse(keyset=keyset.getvalue()) except tink.TinkError as e: return testing_api_pb2.KeysetResponse(err=str(e))
def Public( self, request: testing_api_pb2.KeysetPublicRequest, context: grpc.ServicerContext) -> testing_api_pb2.KeysetPublicResponse: """Generates a public-key keyset from a private-key keyset.""" try: private_keyset_handle = cleartext_keyset_handle.read( tink.BinaryKeysetReader(request.private_keyset)) public_keyset_handle = private_keyset_handle.public_keyset_handle() public_keyset = io.BytesIO() cleartext_keyset_handle.write( tink.BinaryKeysetWriter(public_keyset), public_keyset_handle) return testing_api_pb2.KeysetPublicResponse( public_keyset=public_keyset.getvalue()) except tink.TinkError as e: return testing_api_pb2.KeysetPublicResponse(err=str(e))
def FromJwkSet( self, request: testing_api_pb2.JwtFromJwkSetRequest, context: grpc.ServicerContext ) -> testing_api_pb2.JwtFromJwkSetResponse: """Converts a JWK set into a Tink Keyset.""" try: keyset_handle = jwt.jwk_set_to_public_keyset_handle( request.jwk_set) keyset = io.BytesIO() cleartext_keyset_handle.write(tink.BinaryKeysetWriter(keyset), keyset_handle) return testing_api_pb2.JwtFromJwkSetResponse( keyset=keyset.getvalue()) except tink.TinkError as e: return testing_api_pb2.JwtFromJwkSetResponse(err=str(e))
def compute_mac(self, data: bytes) -> bytes: with tempfile.TemporaryDirectory() as tmpdir: keyset_filename = os.path.join(tmpdir, 'keyset_file') with open(keyset_filename, 'wb') as f: cleartext_keyset_handle.write(tink.BinaryKeysetWriter(f), self._keyset_handle) data_filename = os.path.join(tmpdir, 'data_file') with open(data_filename, 'wb') as f: f.write(data) mac_filename = os.path.join(tmpdir, 'mac_file') try: unused_return_value = subprocess.check_output([ self._cli, keyset_filename, 'compute', data_filename, mac_filename ]) except subprocess.CalledProcessError as e: raise tink.TinkError(e) with open(mac_filename, 'rb') as f: mac_value = f.read() return mac_value
def sign(self, message: bytes) -> bytes: with tempfile.TemporaryDirectory() as tmpdir: private_keyset_filename = os.path.join(tmpdir, 'private_keyset_file') with open(private_keyset_filename, 'wb') as f: cleartext_keyset_handle.write(tink.BinaryKeysetWriter(f), self._private_keyset_handle) message_filename = os.path.join(tmpdir, 'message_filename') with open(message_filename, 'wb') as f: f.write(message) output_filename = os.path.join(tmpdir, 'output_file') try: unused_return_value = subprocess.check_output([ self._cli, private_keyset_filename, message_filename, output_filename ]) except subprocess.CalledProcessError as e: raise tink.TinkError(e) with open(output_filename, 'rb') as f: output = f.read() return output
def encrypt(self, plaintext: bytes, context_info: bytes) -> bytes: with tempfile.TemporaryDirectory() as tmpdir: public_keyset_filename = os.path.join(tmpdir, 'public_keyset_file') with open(public_keyset_filename, 'wb') as f: cleartext_keyset_handle.write(tink.BinaryKeysetWriter(f), self._public_keyset_handle) plaintext_filename = os.path.join(tmpdir, 'plaintext_file') with open(plaintext_filename, 'wb') as f: f.write(plaintext) context_info_filename = os.path.join(tmpdir, 'context_info_file') with open(context_info_filename, 'wb') as f: f.write(context_info) ciphertext_filename = os.path.join(tmpdir, 'ciphertext_file') try: unused_return_value = subprocess.check_output([ self._cli, public_keyset_filename, plaintext_filename, context_info_filename, ciphertext_filename ]) except subprocess.CalledProcessError as e: raise tink.TinkError(e) with open(ciphertext_filename, 'rb') as f: ciphertext = f.read() return ciphertext
def ReadEncrypted( self, request: testing_api_pb2.KeysetReadEncryptedRequest, context: grpc.ServicerContext ) -> testing_api_pb2.KeysetReadEncryptedResponse: """Reads an encrypted keyset.""" try: master_keyset_handle = cleartext_keyset_handle.read( tink.BinaryKeysetReader(request.master_keyset)) master_aead = master_keyset_handle.primitive(aead.Aead) reader = tink.BinaryKeysetReader(request.encrypted_keyset) if request.HasField('associated_data'): keyset_handle = tink.read_keyset_handle_with_associated_data( reader, master_aead, request.associated_data.value) else: keyset_handle = tink.read_keyset_handle(reader, master_aead) keyset = io.BytesIO() cleartext_keyset_handle.write(tink.BinaryKeysetWriter(keyset), keyset_handle) return testing_api_pb2.KeysetReadEncryptedResponse( keyset=keyset.getvalue()) except tink.TinkError as e: return testing_api_pb2.KeysetReadEncryptedResponse(err=str(e))
def main(argv): if len(argv) != 3 and len(argv) != 5: raise app.UsageError( 'Invalid arguments.\n' 'Usage: %s generate key-file.\n' 'Usage: %s encrypt/decrypt key-file ' 'input-file output-file.' % (argv[0], argv[0]) ) mode = argv[1] if mode not in ('encrypt', 'decrypt', 'generate'): raise app.UsageError( 'The first argument should be either encrypt, decrypt or generate') key_file_path = argv[2] input_file_path = argv[3] if len(argv) == 5 else None output_file_path = argv[4] if len(argv) == 5 else None # Initialise Tink try: aead.register() except tink.TinkError as e: logging.error('Error initialising Tink: %s', e) return 1 if mode == 'generate': # [START generate-a-new-keyset] # Generate a new keyset try: key_template = aead.aead_key_templates.AES128_GCM keyset_handle = tink.KeysetHandle.generate_new(key_template) except tink.TinkError as e: logging.exception('Error creating primitive: %s', e) return 1 # [END generate-a-new-keyset] # [START store-a-cleartext-keyset] with open(key_file_path, 'wt') as keyset_file: try: cleartext_keyset_handle.write( tink.JsonKeysetWriter(keyset_file), keyset_handle) except tink.TinkError as e: logging.exception('Error writing key: %s', e) return 1 return 0 # [END store-a-cleartext-keyset] # Use the input keyset to encrypt/decrypt data # Read the keyset into a keyset_handle with open(key_file_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = cleartext_keyset_handle.read(tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading key: %s', e) return 1 # Get the primitive try: cipher = keyset_handle.primitive(aead.Aead) except tink.TinkError as e: logging.error('Error creating primitive: %s', e) return 1 with open(input_file_path, 'rb') as input_file: input_data = input_file.read() if mode == 'decrypt': output_data = cipher.decrypt(input_data, b'envelope_example') elif mode == 'encrypt': output_data = cipher.encrypt(input_data, b'envelope_example') else: logging.error( 'Error mode not supported. Please choose "encrypt" or "decrypt".') return 1 with open(output_file_path, 'wb') as output_file: output_file.write(output_data)
def _keyset(keyset_handle: tink.KeysetHandle) -> bytes: """Returns the keyset contained in the keyset_handle.""" keyset_buffer = io.BytesIO() cleartext_keyset_handle.write(tink.BinaryKeysetWriter(keyset_buffer), keyset_handle) return keyset_buffer.getvalue()
def from_keyset_handle(keyset_handle: tink.KeysetHandle) -> KeysetBuilder: """Return a KeysetBuilder for a Keyset copied from a KeysetHandle.""" keyset_buffer = io.BytesIO() cleartext_keyset_handle.write(tink.BinaryKeysetWriter(keyset_buffer), keyset_handle) return from_keyset(keyset_buffer.getvalue())
def main(argv): del argv # Unused. # Initialise Tink try: aead.register() except tink.TinkError as e: logging.error('Error initialising Tink: %s', e) return 1 if FLAGS.mode == 'generate': # [START generate-a-new-keyset] # Generate a new keyset try: key_template = aead.aead_key_templates.AES128_GCM keyset_handle = tink.KeysetHandle.generate_new(key_template) except tink.TinkError as e: logging.exception('Error creating primitive: %s', e) return 1 # [END generate-a-new-keyset] # [START store-a-cleartext-keyset] with open(FLAGS.keyset_path, 'wt') as keyset_file: try: cleartext_keyset_handle.write( tink.JsonKeysetWriter(keyset_file), keyset_handle) except tink.TinkError as e: logging.exception('Error writing key: %s', e) return 1 return 0 # [END store-a-cleartext-keyset] # Use the input keyset to encrypt/decrypt data # Read the keyset into a keyset_handle with open(FLAGS.keyset_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = cleartext_keyset_handle.read( tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading key: %s', e) return 1 # Get the primitive try: cipher = keyset_handle.primitive(aead.Aead) except tink.TinkError as e: logging.error('Error creating primitive: %s', e) return 1 with open(FLAGS.input_path, 'rb') as input_file: input_data = input_file.read() if FLAGS.mode == 'decrypt': output_data = cipher.decrypt(input_data, b'envelope_example') elif FLAGS.mode == 'encrypt': output_data = cipher.encrypt(input_data, b'envelope_example') else: logging.error( 'Error mode not supported. Please choose "encrypt" or "decrypt".' ) return 1 with open(FLAGS.output_path, 'wb') as output_file: output_file.write(output_data)
def getKey(self): iostream = io.BytesIO() writer = tink.BinaryKeysetWriter(iostream) cleartext_keyset_handle.write(writer, self.keyset_handle) encoded_key = base64.b64encode(iostream.getvalue()).decode('utf-8') return encoded_key
def printKeyInfo(self): stream = io.StringIO() writer = tink.JsonKeysetWriter(stream) cleartext_keyset_handle.write(writer, self.keyset_handle) return stream.getvalue()
def public_keyset(self) -> bytes: public_handle = self.keyset_handle().public_keyset_handle() public_keyset = io.BytesIO() writer = tink.BinaryKeysetWriter(public_keyset) cleartext_keyset_handle.write(writer, public_handle) return public_keyset.getvalue()
from tink import daead from tink import cleartext_keyset_handle from tink import _keyset_writer import tink import scrypt # This part need to be run only once ------------------------------------------------- # generate secret key daead.register() keytemplate = daead.deterministic_aead_key_templates.AES256_SIV secret_key = tink.new_keyset_handle(keytemplate) # write the key in a file keyset = open('keys.txt', 'wb') cleartext_keyset_handle.write(_keyset_writer.BinaryKeysetWriter(keyset), secret_key) keyset.close() # add values to the database user = "******" pwd = "goodpassword" save_to_database(user, pwd) #-------------------------------------------------------------------------------------- # main def hash_password(password, salt): hashp = scrypt.hash(password, salt).hex() return hashp
def addKey(keyset_handle): with open(secret_key, "w") as file: our_writer = tink.JsonKeysetWriter(file) cleartext_keyset_handle.write(our_writer, keyset_handle)