def read_encrypted(self) -> tink_pb2.EncryptedKeyset: if not self._serialized_keyset: raise core.TinkError('No keyset found') try: encrypted_keyset = tink_pb2.EncryptedKeyset() encrypted_keyset.ParseFromString(self._serialized_keyset) return encrypted_keyset except message.DecodeError as e: raise core.TinkError(e)
def example_encrypted_keyset() -> tink_pb2.EncryptedKeyset: encrypted_keyset = tink_pb2.EncryptedKeyset() encrypted_keyset.encrypted_keyset = b'c29tZSBjaXBoZXJ0ZXh0IHdpdGgga2V5c2V0' encrypted_keyset.keyset_info.primary_key_id = 42 key_info = encrypted_keyset.keyset_info.key_info.add() key_info.type_url = 'type.googleapis.com/google.crypto.tink.AesGcmKey' key_info.output_prefix_type = tink_pb2.TINK key_info.key_id = 42 key_info.status = tink_pb2.ENABLED return encrypted_keyset
def test_read_encrypted(self): encrypted_keyset = tink_pb2.EncryptedKeyset() encrypted_keyset.encrypted_keyset = b'c29tZSBjaXBoZXJ0ZXh0IHdpdGgga2V5c2V0' encrypted_keyset.keyset_info.primary_key_id = 42 key_info = encrypted_keyset.keyset_info.key_info.add() key_info.type_url = 'type.googleapis.com/google.crypto.tink.AesGcmKey' key_info.output_prefix_type = tink_pb2.TINK key_info.key_id = 42 key_info.status = tink_pb2.ENABLED reader = core.BinaryKeysetReader(encrypted_keyset.SerializeToString()) self.assertEqual(encrypted_keyset, reader.read_encrypted())
def _encrypt(keyset: tink_pb2.Keyset, master_key_primitive: aead.Aead) -> tink_pb2.EncryptedKeyset: """Encrypts a Keyset and returns an EncryptedKeyset.""" encrypted_keyset = master_key_primitive.encrypt(keyset.SerializeToString(), b'') # Check if we can decrypt, to detect errors try: keyset2 = tink_pb2.Keyset.FromString( master_key_primitive.decrypt(encrypted_keyset, b'')) if keyset != keyset2: raise tink_error.TinkError('cannot encrypt keyset: %s != %s' % (keyset, keyset2)) except message.DecodeError: raise tink_error.TinkError('invalid keyset, corrupted key material') return tink_pb2.EncryptedKeyset(encrypted_keyset=encrypted_keyset, keyset_info=_keyset_info(keyset))
def test_read_encrypted_ignores_keyset_info_json(self, lang): # Use an arbitrary AEAD template that's supported in all languages, # and use an arbitrary language to generate the keyset_encryption_keyset. keyset_encryption_keyset = testing_servers.new_keyset( 'cc', aead.aead_key_templates.AES128_GCM) # Also, generate an arbitrary keyset. keyset = testing_servers.new_keyset('cc', aead.aead_key_templates.AES128_GCM) associated_data = b'associated_data' encrypted_keyset = testing_servers.keyset_write_encrypted( lang, keyset, keyset_encryption_keyset, associated_data, 'KEYSET_WRITER_JSON') # encrypted_keyset is a JSON serialized tink_pb2.EncryptedKeyset parsed_encrypted_keyset = json_format.Parse(encrypted_keyset, tink_pb2.EncryptedKeyset()) # Note that some implementations (currently C++) do not set keyset_info. # But we require that values are correct when they are set. if parsed_encrypted_keyset.HasField('keyset_info'): self.assertLen(parsed_encrypted_keyset.keyset_info.key_info, 1) self.assertEqual( parsed_encrypted_keyset.keyset_info.primary_key_id, parsed_encrypted_keyset.keyset_info.key_info[0].key_id) # keyset_info should be ignored when reading a keyset. # To test this, we add something invalid and check that read still works. # Some languages (C++ and Java) however do check that the fields of # keyset_info are present. So we have to set all required fields here. parsed_encrypted_keyset.keyset_info.key_info.append( tink_pb2.KeysetInfo.KeyInfo(type_url='invalid', status=tink_pb2.ENABLED, key_id=123, output_prefix_type=tink_pb2.LEGACY)) parsed_encrypted_keyset.keyset_info.primary_key_id = 123 modified_encrypted_keyset = json_format.MessageToJson( parsed_encrypted_keyset).encode('utf8') decrypted_keyset = testing_servers.keyset_read_encrypted( lang, modified_encrypted_keyset, keyset_encryption_keyset, associated_data, 'KEYSET_READER_JSON') # Both keyset and decrypted_keyset are serialized tink_pb2.Keyset. key_util.assert_tink_proto_equal( self, tink_pb2.Keyset.FromString(keyset), tink_pb2.Keyset.FromString(decrypted_keyset))
def read_encrypted(self) -> tink_pb2.EncryptedKeyset: try: return json_format.Parse(self._serialized_keyset, tink_pb2.EncryptedKeyset()) except json_format.ParseError as e: raise core.TinkError(e)