def test_encrypt_decrypt_with_primary_key_succeeds(self): private_handle_with_primary = cleartext_keyset_handle.read( tink.JsonKeysetReader(PRIVATE_KEYSET_WITH_PRIMARY)) public_handle_with_primary = cleartext_keyset_handle.read( tink.JsonKeysetReader(PUBLIC_KEYSET_WITH_PRIMARY)) dec = private_handle_with_primary.primitive(hybrid.HybridDecrypt) enc = public_handle_with_primary.primitive(hybrid.HybridEncrypt) ciphertext = enc.encrypt(b'plaintext', b'context') self.assertEqual(dec.decrypt(ciphertext, b'context'), b'plaintext')
def test_encrypt_decrypt_without_primary_key_fails(self): with self.assertRaises(tink.TinkError): cleartext_keyset_handle.read( tink.JsonKeysetReader(PRIVATE_KEYSET_WITHOUT_PRIMARY)) # Currently, the public keyset only fails when 'encrypt' is called. # TODO(b/228140127): It would be preferable that it fails earlier. public_handle_without_primary = cleartext_keyset_handle.read( tink.JsonKeysetReader(PUBLIC_KEYSET_WITHOUT_PRIMARY)) enc_without_primary = public_handle_without_primary.primitive( hybrid.HybridEncrypt) with self.assertRaises(tink.TinkError): enc_without_primary.encrypt(b'plaintext', b'context')
def ReadEncrypted( self, request: testing_api_pb2.KeysetReadEncryptedRequest, context: grpc.ServicerContext ) -> testing_api_pb2.KeysetReadEncryptedResponse: """Reads an encrypted keyset.""" try: master_keyset_handle = cleartext_keyset_handle.read( tink.BinaryKeysetReader(request.master_keyset)) master_aead = master_keyset_handle.primitive(aead.Aead) if request.keyset_reader_type == testing_api_pb2.KEYSET_READER_BINARY: reader = tink.BinaryKeysetReader(request.encrypted_keyset) elif request.keyset_reader_type == testing_api_pb2.KEYSET_READER_JSON: reader = tink.JsonKeysetReader(request.encrypted_keyset.decode('utf8')) else: raise ValueError('unknown keyset reader type') if request.HasField('associated_data'): keyset_handle = tink.read_keyset_handle_with_associated_data( reader, master_aead, request.associated_data.value) else: keyset_handle = tink.read_keyset_handle(reader, master_aead) keyset = io.BytesIO() cleartext_keyset_handle.write( tink.BinaryKeysetWriter(keyset), keyset_handle) return testing_api_pb2.KeysetReadEncryptedResponse( keyset=keyset.getvalue()) except tink.TinkError as e: return testing_api_pb2.KeysetReadEncryptedResponse(err=str(e))
def main(argv): del argv # Unused. # Initialise Tink try: jwt.register_jwt_signature() except tink.TinkError as e: logging.exception('Error initialising Tink: %s', e) return 1 # Read the keyset into a KeysetHandle with open(FLAGS.keyset_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = cleartext_keyset_handle.read( tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading keyset: %s', e) return 1 # Export Public Keyset as JWK set public_jwk_set = jwt.jwk_set_from_public_keyset_handle( keyset_handle.public_keyset_handle()) with open(FLAGS.public_jwk_set_path, 'wt') as public_jwk_set_file: public_jwk_set_file.write(public_jwk_set) logging.info('The public JWK set has been written to %s', FLAGS.public_jwk_set_path)
def test_write_encrypted_read_encrypted(self): encrypted_keyset = example_encrypted_keyset() stream = io.StringIO() writer = tink.JsonKeysetWriter(stream) writer.write_encrypted(encrypted_keyset) reader = tink.JsonKeysetReader(stream.getvalue()) self.assertEqual(encrypted_keyset, reader.read_encrypted())
def main(argv): del argv context_info = b'' if not FLAGS.context_info else bytes( FLAGS.context_info, 'utf-8') # Initialise Tink. try: hybrid.register() except tink.TinkError: logging.exception('Error initialising Tink.') return 1 # Read the keyset into a keyset_handle. with open(FLAGS.keyset_path, 'rt') as keyset_file: text = keyset_file.read() try: keyset_handle = cleartext_keyset_handle.read(tink.JsonKeysetReader(text)) except tink.TinkError: logging.exception('Error reading key.') return 1 # Get the primitive. try: primitive = keyset_handle.primitive(hybrid.HybridDecrypt) except tink.TinkError: logging.exception( 'Error creating hybrid decrypt primitive from keyset.') return 1 with open(FLAGS.input_path, 'rb') as input_file: with open(FLAGS.output_path, 'wb') as output_file: data = input_file.read() plaintext = primitive.decrypt(data, context_info) output_file.write(plaintext)
def main(argv): del argv # Unused. # Initialise Tink try: jwt.register_jwt_signature() except tink.TinkError as e: logging.exception('Error initialising Tink: %s', e) return 1 # Read the keyset into a KeysetHandle with open(_PUBLIC_KEYSET_PATH.value, 'rt') as keyset_file: try: text = keyset_file.read() public_keyset_handle = tink.read_no_secret_keyset_handle( tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading keyset: %s', e) return 1 # Export Public Keyset as JWK set public_jwk_set = jwt.jwk_set_from_public_keyset_handle( public_keyset_handle) with open(_PUBLIC_JWK_SET_PATH.value, 'wt') as public_jwk_set_file: public_jwk_set_file.write(public_jwk_set) logging.info('The public JWK set has been written to %s', _PUBLIC_JWK_SET_PATH.value)
def main(argv): del argv # Unused. # Initialise Tink try: jwt.register_jwt_signature() except tink.TinkError as e: logging.exception('Error initialising Tink: %s', e) return 1 # Read the keyset into a keyset_handle with open(FLAGS.keyset_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = cleartext_keyset_handle.read( tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading keyset: %s', e) return 1 now = datetime.datetime.now(tz=datetime.timezone.utc) if FLAGS.mode == 'sign': # Get the JwtPublicKeySign primitive try: jwt_sign = keyset_handle.primitive(jwt.JwtPublicKeySign) except tink.TinkError as e: logging.exception('Error creating JwtPublicKeySign: %s', e) return 1 # Create token raw_jwt = jwt.new_raw_jwt(subject=FLAGS.subject, expiration=now + datetime.timedelta(seconds=100)) token = jwt_sign.sign_and_encode(raw_jwt) with open(FLAGS.token_path, 'wt') as token_file: token_file.write(token) logging.info('Token has been written to %s', FLAGS.token_path) return 0 # Get the JwtPublicKeyVerify primitive try: jwt_verify = keyset_handle.primitive(jwt.JwtPublicKeyVerify) except tink.TinkError as e: logging.exception('Error creating JwtPublicKeyVerify: %s', e) return 1 # Verify token with open(FLAGS.token_path, 'rt') as token_file: token = token_file.read() validator = jwt.new_validator(expected_subject=FLAGS.subject) try: verified_jwt = jwt_verify.verify_and_decode(token, validator) expires_in = verified_jwt.expiration() - now logging.info('Token is valid and expires in %s seconds', expires_in.seconds) return 0 except tink.TinkError as e: logging.info('JWT verification failed: %s', e) return 1
def main(argv): if len(argv) != 4: raise app.UsageError( 'Expected 3 arguments, got %d.\n' 'Usage: %s keyset-file (encrypt | decrypt) associated-data' % (len(argv) - 1, argv[0])) keyset_filename = argv[1] operation = argv[2] aad = argv[3].encode('utf-8') # TODO take hex and binascii.unhexlify if operation not in ('encrypt', 'decrypt'): logging.error('Operation %s not recognised', operation) return 1 # Initialise Tink. try: tink.tink_config.register() except tink.TinkError as e: logging.error('Error initialising Tink: %s', e) return 1 # Read the keyset. with open(keyset_filename, 'rb') as keyset_file: try: text = keyset_file.read() keyset = cleartext_keyset_handle.read(tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.error('Error reading key: %s', e) return 1 # Get the primitive. try: cipher = keyset.primitive(tink.Aead) except tink.TinkError as e: logging.error('Error creating primitive: %s', e) return 1 # Compute the operation. input_data = sys.stdin.buffer.read() try: if operation == 'encrypt': output_data = cipher.encrypt(input_data, aad) elif operation == 'decrypt': output_data = cipher.decrypt(input_data, aad) else: # Unreachable: We checked operation at the start. logging.error('(unreachable) Operation %s not recognised', operation) return 1 except tink.TinkError as e: logging.error('Operation failed: %s', e) return 1 sys.stdout.buffer.write(output_data) return 0
def main(argv): del argv # Unused mode = FLAGS.mode if mode not in ('encrypt', 'decrypt'): logging.error('Incorrect mode. Please select "encrypt" or "decrypt".') return 1 context_info = b'' if not FLAGS.context_info else bytes( FLAGS.context_info, 'utf-8') # Initialise Tink try: hybrid.register() except tink.TinkError as e: logging.exception('Error initialising Tink: %s', e) return 1 # Read the keyset into a keyset_handle with open(FLAGS.keyset_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = cleartext_keyset_handle.read(tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading key: %s', e) return 1 with open(FLAGS.input_path, 'rb') as input_file: data = input_file.read() if mode == 'encrypt': # Get the primitive try: primitive = keyset_handle.primitive(hybrid.HybridEncrypt) except tink.TinkError as e: logging.exception( 'Error creating hybrid encrypt primitive from keyset: %s', e) return 1 # Encrypt data with open(FLAGS.output_path, 'wb') as output_file: ciphertext = primitive.encrypt(data, context_info) output_file.write(ciphertext) return 0 # Get the primitive try: primitive = keyset_handle.primitive(hybrid.HybridDecrypt) except tink.TinkError as e: logging.exception( 'Error creating hybrid encrypt primitive from keyset: %s', e) return 1 # Decrypt data with open(FLAGS.output_path, 'wb') as output_file: plaintext = primitive.decrypt(data, context_info) output_file.write(plaintext) return 0
def test_write_read_with_unicode_chars(self): keyset = tink_pb2.Keyset() key = keyset.key.add() key.key_data.type_url = ( u'\xe3\x82\xb3\xe3\x83\xb3\xe3\x83\x8b\xe3\x83\x81\xe3\x83\x8f') stream = io.StringIO() writer = tink.JsonKeysetWriter(stream) writer.write(keyset) reader = tink.JsonKeysetReader(stream.getvalue()) self.assertEqual(keyset, reader.read())
def main(argv): if len(argv) != 5 and len(argv) != 6: raise app.UsageError( 'Expected 4 or 5 arguments, got %d.\n' 'Usage: %s encrypt/decrypt key-file input-file output-file ' '[associated-data]' % (len(argv) - 1, argv[0])) mode = argv[1] key_file_path = argv[2] input_file_path = argv[3] output_file_path = argv[4] associated_data = b'' if len(argv) == 5 else bytes(argv[5], 'utf-8') # Initialise Tink try: daead.register() except tink.TinkError as e: logging.error('Error initialising Tink: %s', e) return 1 # Read the keyset into a keyset_handle with open(key_file_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = cleartext_keyset_handle.read( tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading key: %s', e) return 1 # Get the primitive try: cipher = keyset_handle.primitive(daead.DeterministicAead) except tink.TinkError as e: logging.error('Error creating primitive: %s', e) return 1 with open(input_file_path, 'rb') as input_file: input_data = input_file.read() if mode == 'decrypt': output_data = cipher.decrypt_deterministically( input_data, associated_data) elif mode == 'encrypt': output_data = cipher.encrypt_deterministically( input_data, associated_data) else: logging.error( 'Error mode not supported. Please choose "encrypt" or "decrypt".' ) return 1 with open(output_file_path, 'wb') as output_file: output_file.write(output_data)
def main(argv): del argv # Unused. # Initialise Tink try: jwt.register_jwt_signature() except tink.TinkError as e: logging.exception('Error initialising Tink: %s', e) return 1 # Read the keyset into a KeysetHandle if _PUBLIC_KEYSET_PATH.present: with open(_PUBLIC_KEYSET_PATH.value, 'rt') as public_keyset_file: try: text = public_keyset_file.read() keyset_handle = tink.read_no_secret_keyset_handle( tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading public keyset: %s', e) return 1 elif _PUBLIC_JWK_SET_PATH.present: with open(_PUBLIC_JWK_SET_PATH.value, 'rt') as public_jwk_set_file: try: text = public_jwk_set_file.read() keyset_handle = jwt.jwk_set_to_public_keyset_handle(text) except tink.TinkError as e: logging.exception('Error reading public JWK set: %s', e) return 1 else: logging.info( 'Either --public_keyset_path or --public_jwk_set_path must be set') now = datetime.datetime.now(tz=datetime.timezone.utc) try: jwt_verify = keyset_handle.primitive(jwt.JwtPublicKeyVerify) except tink.TinkError as e: logging.exception('Error creating JwtPublicKeyVerify: %s', e) return 1 # Verify token with open(_TOKEN_PATH.value, 'rt') as token_file: token = token_file.read() validator = jwt.new_validator(expected_audience=_AUDIENCE.value) try: verified_jwt = jwt_verify.verify_and_decode(token, validator) expires_in = verified_jwt.expiration() - now logging.info('Token is valid and expires in %s seconds', expires_in.seconds) return 0 except tink.TinkError as e: logging.info('JWT verification failed: %s', e) return 1
def FromJson( self, request: testing_api_pb2.KeysetFromJsonRequest, context: grpc.ServicerContext) -> testing_api_pb2.KeysetFromJsonResponse: """Converts a keyset from JSON to binary format.""" try: keyset_handle = cleartext_keyset_handle.read( tink.JsonKeysetReader(request.json_keyset)) keyset = io.BytesIO() cleartext_keyset_handle.write( tink.BinaryKeysetWriter(keyset), keyset_handle) return testing_api_pb2.KeysetFromJsonResponse(keyset=keyset.getvalue()) except tink.TinkError as e: return testing_api_pb2.KeysetFromJsonResponse(err=str(e))
def main(argv): del argv # Unused. # Initialise Tink. try: mac.register() except tink.TinkError as e: logging.error('Error initialising Tink: %s', e) return 1 # Read the keyset into a keyset_handle. with open(FLAGS.keyset_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = cleartext_keyset_handle.read( tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.error('Error reading key: %s', e) return 1 # Get the primitive. try: cipher = keyset_handle.primitive(mac.Mac) except tink.TinkError as e: logging.error('Error creating primitive: %s', e) return 1 with open(FLAGS.data_path, 'rb') as data_file: data = data_file.read() if FLAGS.mode == 'compute': # Compute the MAC. code = cipher.compute_mac(data) with open(FLAGS.mac_path, 'wb') as mac_file: mac_file.write(binascii.hexlify(code)) return 0 with open(FLAGS.mac_path, 'rb') as mac_file: try: expected_mac = binascii.unhexlify(mac_file.read().strip()) except binascii.Error as e: logging.exception('Error reading expected code: %s', e) return 1 try: cipher.verify_mac(expected_mac, data) logging.info('MAC verification succeeded.') return 0 except tink.TinkError as e: logging.info('MAC verification failed.') return 1
def example(): """Encrypt and decrypt using deterministic AEAD.""" # Register the deterministic AEAD key manager. This is needed to create a # DeterministicAead primitive later. daead.register() # A keyset created with "tinkey create-keyset --key-template=AES256_SIV". Note # that this keyset has the secret key information in cleartext. keyset = r"""{ "key": [{ "keyData": { "keyMaterialType": "SYMMETRIC", "typeUrl": "type.googleapis.com/google.crypto.tink.AesSivKey", "value": "EkAl9HCMmKTN1p3V186uhZpJQ+tivyc4IKyE+opg6SsEbWQ/WesWHzwCRrlgRuxdaggvgMzwWhjPnkk9gptBnGLK" }, "keyId": 1919301694, "outputPrefixType": "TINK", "status": "ENABLED" }], "primaryKeyId": 1919301694 }""" # Create a keyset handle from the cleartext keyset in the previous # step. The keyset handle provides abstract access to the underlying keyset to # limit the exposure of accessing the raw key material. WARNING: In practice # it is unlikely you will want to use a cleartext_keyset_handle, as it implies # that your key material is passed in cleartext which is a security risk. keyset_handle = cleartext_keyset_handle.read(tink.JsonKeysetReader(keyset)) # Retrieve the DeterministicAead primitive we want to use from the keyset # handle. primitive = keyset_handle.primitive(daead.DeterministicAead) # Use the primitive to encrypt a message. In this case the primary key of the # keyset will be used (which is also the only key in this example). ciphertext = primitive.encrypt_deterministically(b'msg', b'associated_data') # Use the primitive to decrypt the message. Decrypt finds the correct key in # the keyset and decrypts the ciphertext. If no key is found or decryption # fails, it raises an error. output = primitive.decrypt_deterministically(ciphertext, b'associated_data') # [END deterministic-aead-basic-example] assert output == b'msg'
def main(argv): del argv # Unused. associated_data = b'' if not FLAGS.associated_data else bytes( FLAGS.associated_data, 'utf-8') # Initialise Tink try: daead.register() except tink.TinkError as e: logging.error('Error initialising Tink: %s', e) return 1 # Read the keyset into a keyset_handle with open(FLAGS.keyset_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = cleartext_keyset_handle.read( tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading key: %s', e) return 1 # Get the primitive try: cipher = keyset_handle.primitive(daead.DeterministicAead) except tink.TinkError as e: logging.error('Error creating primitive: %s', e) return 1 with open(FLAGS.input_path, 'rb') as input_file: input_data = input_file.read() if FLAGS.mode == 'decrypt': output_data = cipher.decrypt_deterministically( input_data, associated_data) elif FLAGS.mode == 'encrypt': output_data = cipher.encrypt_deterministically( input_data, associated_data) else: logging.error( 'Error mode not supported. Please choose "encrypt" or "decrypt".' ) return 1 with open(FLAGS.output_path, 'wb') as output_file: output_file.write(output_data)
def example(): """Encrypt and decrypt using AEAD.""" # Register the AEAD key managers. This is needed to create an Aead primitive # later. aead.register() # A keyset created with "tinkey create-keyset --key-template=AES256_GCM". Note # that this keyset has the secret key information in cleartext. keyset = r"""{ "key": [{ "keyData": { "keyMaterialType": "SYMMETRIC", "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey", "value": "GiBWyUfGgYk3RTRhj/LIUzSudIWlyjCftCOypTr0jCNSLg==" }, "keyId": 294406504, "outputPrefixType": "TINK", "status": "ENABLED" }], "primaryKeyId": 294406504 }""" # Create a keyset handle from the cleartext keyset in the previous # step. The keyset handle provides abstract access to the underlying keyset to # limit the exposure of accessing the raw key material. WARNING: In practice # it is unlikely you will want to use a cleartext_keyset_handle, as it implies # that your key material is passed in cleartext which is a security risk. keyset_handle = cleartext_keyset_handle.read(tink.JsonKeysetReader(keyset)) # Retrieve the Aead primitive we want to use from the keyset handle. primitive = keyset_handle.primitive(aead.Aead) # Use the primitive to encrypt a message. In this case the primary key of the # keyset will be used (which is also the only key in this example). ciphertext = primitive.encrypt(b'msg', b'associated_data') # Use the primitive to decrypt the message. Decrypt finds the correct key in # the keyset and decrypts the ciphertext. If no key is found or decryption # fails, it raises an error. output = primitive.decrypt(ciphertext, b'associated_data') # [END aead-basic-example] assert output == b'msg'
def main(argv): del argv associated_data = b'' if not FLAGS.associated_data else bytes( FLAGS.associated_data, 'utf-8') # Initialise Tink. try: streaming_aead.register() except tink.TinkError as e: logging.exception('Error initialising Tink: %s', e) return 1 # Read the keyset into a keyset_handle. with open(FLAGS.keyset_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = cleartext_keyset_handle.read( tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading key: %s', e) return 1 # Get the primitive. try: streaming_aead_primitive = keyset_handle.primitive( streaming_aead.StreamingAead) except tink.TinkError as e: logging.exception( 'Error creating streaming AEAD primitive from keyset: %s', e) return 1 # Encrypt or decrypt the file. with open(FLAGS.input_path, 'rb') as input_file: with open(FLAGS.output_path, 'wb') as output_file: if FLAGS.mode == 'encrypt': encrypt_file(input_file, output_file, associated_data, streaming_aead_primitive) elif FLAGS.mode == 'decrypt': decrypt_file(input_file, output_file, associated_data, streaming_aead_primitive)
def test_read(self): json_keyset = """ { "primaryKeyId": 42, "key": [ { "keyData": { "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey", "keyMaterialType": "SYMMETRIC", "value": "GhCS/1+ejWpx68NfGt6ziYHd" }, "outputPrefixType": "TINK", "keyId": 42, "status": "ENABLED" } ] }""" reader = tink.JsonKeysetReader(json_keyset) keyset = reader.read() self.assertEqual(keyset.primary_key_id, 42) self.assertLen(keyset.key, 1)
def encrypt_with_cluster_key(self, cluster_public_key, secret, openssl_executable): if openssl_executable: return self.encode_token_using_openssl(cluster_public_key, secret, openssl_executable) try: # pylint: disable=g-import-not-at-top import tink from tink import hybrid from tink import cleartext_keyset_handle # pylint: enable=g-import-not-at-top except ImportError: raise exceptions.PersonalAuthError( 'Cannot load the Tink cryptography library. Either the ' 'library is not installed, or site packages are not ' 'enabled for the Google Cloud SDK. Please consult Cloud ' 'Dataproc Personal Auth documentation on adding Tink to ' 'Google Cloud SDK for further instructions.\n' 'https://cloud.google.com/dataproc/docs/concepts/iam/personal-auth' ) hybrid.register() context = b'' # Extract value of key corresponding to primary key. public_key_value = json.loads( cluster_public_key)['key'][0]['keyData']['value'] cluster_key_hash = hashlib.sha256( (public_key_value + '\n').encode('utf-8')).hexdigest() # Load public key and create keyset handle. reader = tink.JsonKeysetReader(cluster_public_key) kh_pub = cleartext_keyset_handle.read(reader) # Create encrypter instance. encrypter = kh_pub.primitive(hybrid.HybridEncrypt) ciphertext = encrypter.encrypt(secret.encode('utf-8'), context) encoded_token = base64.b64encode(ciphertext).decode('utf-8') return '{}:{}'.format(cluster_key_hash, encoded_token)
def test_read_encrypted(self): # encryptedKeyset is a base64-encoding of 'some ciphertext with keyset' json_encrypted_keyset = """ { "encryptedKeyset": "c29tZSBjaXBoZXJ0ZXh0IHdpdGgga2V5c2V0", "keysetInfo": { "primaryKeyId": 42, "keyInfo": [ { "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey", "outputPrefixType": "TINK", "keyId": 42, "status": "ENABLED" } ] } }""" reader = tink.JsonKeysetReader(json_encrypted_keyset) enc_keyset = reader.read_encrypted() self.assertEqual(enc_keyset.encrypted_keyset, b'some ciphertext with keyset') self.assertLen(enc_keyset.keyset_info.key_info, 1) self.assertEqual(enc_keyset.keyset_info.key_info[0].type_url, 'type.googleapis.com/google.crypto.tink.AesGcmKey')
def main(argv): del argv # Unused. # Initialise Tink try: jwt.register_jwt_signature() except tink.TinkError as e: logging.exception('Error initialising Tink: %s', e) return 1 # Read the keyset into a KeysetHandle with open(FLAGS.keyset_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = cleartext_keyset_handle.read( tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading keyset: %s', e) return 1 now = datetime.datetime.now(tz=datetime.timezone.utc) # Get the JwtPublicKeySign primitive try: jwt_sign = keyset_handle.primitive(jwt.JwtPublicKeySign) except tink.TinkError as e: logging.exception('Error creating JwtPublicKeySign: %s', e) return 1 # Create token raw_jwt = jwt.new_raw_jwt(audiences=[FLAGS.audience], expiration=now + datetime.timedelta(seconds=100)) token = jwt_sign.sign_and_encode(raw_jwt) with open(FLAGS.token_path, 'wt') as token_file: token_file.write(token) logging.info('Token has been written to %s', FLAGS.token_path)
def main(argv): if len(argv) not in (3, 4): raise app.UsageError( 'Expected 2 or 3 arguments, got %d.\n' 'Usage: %s keyset-file data-file [expected-code-file]' % (len(argv) - 1, argv[0])) keyset_filename = argv[1] data_filename = argv[2] expected_code_filename = argv[3] if len(argv) == 4 else None if expected_code_filename is not None: with open(expected_code_filename, 'rb') as expected_code_file: expected_code_hex = expected_code_file.read().strip() logging.info( 'Using keyset from file %s to verify file %s against expected code %s', keyset_filename, data_filename, expected_code_hex.decode('utf-8')) else: expected_code_hex = None logging.info('Using keyset from file %s to verify file %s', keyset_filename, data_filename) # Initialise Tink. try: tink.tink_config.register() except tink.TinkError as e: logging.error('Error initialising Tink: %s', e) return 1 # Read the keyset into a keyset_handle. with open(keyset_filename, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = cleartext_keyset_handle.read( tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.error('Error reading key: %s', e) return 1 # Get the primitive. try: cipher = keyset_handle.primitive(tink.Mac) except tink.TinkError as e: logging.error('Error creating primitive: %s', e) return 1 # Compute the MAC. with open(data_filename, 'rb') as data_file: data = data_file.read() if expected_code_hex is None: code = cipher.compute_mac(data) logging.info('MAC output is %s', binascii.hexlify(code).decode('utf-8')) return 0 try: expected_code = binascii.unhexlify(expected_code_hex) except binascii.Error as e: logging.error('Error reading expected code: %s', e) return 1 try: cipher.verify_mac(expected_code, data) logging.info('MAC outputs matched. Success!') return 0 except tink.TinkError as e: logging.info('MAC outputs did not match!') code = binascii.hexlify(cipher.compute_mac(data)).decode('utf-8') logging.info('Actual MAC output is %s', code) return 1
def main(argv): if len(argv) != 3 and len(argv) != 5: raise app.UsageError( 'Invalid arguments.\n' 'Usage: %s generate key-file.\n' 'Usage: %s encrypt/decrypt key-file ' 'input-file output-file.' % (argv[0], argv[0]) ) mode = argv[1] if mode not in ('encrypt', 'decrypt', 'generate'): raise app.UsageError( 'The first argument should be either encrypt, decrypt or generate') key_file_path = argv[2] input_file_path = argv[3] if len(argv) == 5 else None output_file_path = argv[4] if len(argv) == 5 else None # Initialise Tink try: aead.register() except tink.TinkError as e: logging.error('Error initialising Tink: %s', e) return 1 if mode == 'generate': # [START generate-a-new-keyset] # Generate a new keyset try: key_template = aead.aead_key_templates.AES128_GCM keyset_handle = tink.KeysetHandle.generate_new(key_template) except tink.TinkError as e: logging.exception('Error creating primitive: %s', e) return 1 # [END generate-a-new-keyset] # [START store-a-cleartext-keyset] with open(key_file_path, 'wt') as keyset_file: try: cleartext_keyset_handle.write( tink.JsonKeysetWriter(keyset_file), keyset_handle) except tink.TinkError as e: logging.exception('Error writing key: %s', e) return 1 return 0 # [END store-a-cleartext-keyset] # Use the input keyset to encrypt/decrypt data # Read the keyset into a keyset_handle with open(key_file_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = cleartext_keyset_handle.read(tink.JsonKeysetReader(text)) except tink.TinkError as e: logging.exception('Error reading key: %s', e) return 1 # Get the primitive try: cipher = keyset_handle.primitive(aead.Aead) except tink.TinkError as e: logging.error('Error creating primitive: %s', e) return 1 with open(input_file_path, 'rb') as input_file: input_data = input_file.read() if mode == 'decrypt': output_data = cipher.decrypt(input_data, b'envelope_example') elif mode == 'encrypt': output_data = cipher.encrypt(input_data, b'envelope_example') else: logging.error( 'Error mode not supported. Please choose "encrypt" or "decrypt".') return 1 with open(output_file_path, 'wb') as output_file: output_file.write(output_data)
def main(argv): del argv # Unused. associated_data = b'' if not FLAGS.associated_data else bytes( FLAGS.associated_data, 'utf-8') # Initialise Tink try: aead.register() except tink.TinkError as e: logging.error('Error initialising Tink: %s', e) return 1 # Read the GCP credentials and set up a client try: gcpkms.GcpKmsClient.register_client(FLAGS.kek_uri, FLAGS.gcp_credential_path) except tink.TinkError as e: logging.error('Error initializing GCP client: %s', e) return 1 # Create an AEAD primitive from the key-encryption key (KEK) for encrypting # Tink keysets try: handle = tink.KeysetHandle.generate_new( aead.aead_key_templates.create_kms_aead_key_template( key_uri=FLAGS.kek_uri)) gcp_aead = handle.primitive(aead.Aead) except tink.TinkError as e: logging.exception('Error creating KMS AEAD primitive: %s', e) return 1 if FLAGS.mode == 'generate': # [START generate-a-new-keyset] # Generate a new keyset try: key_template = aead.aead_key_templates.AES128_GCM keyset_handle = tink.KeysetHandle.generate_new(key_template) except tink.TinkError as e: logging.exception('Error creating primitive: %s', e) return 1 # [END generate-a-new-keyset] # [START encrypt-a-keyset] # Encrypt the keyset_handle with the remote key-encryption key (KEK) with open(FLAGS.keyset_path, 'wt') as keyset_file: try: keyset_handle.write(tink.JsonKeysetWriter(keyset_file), gcp_aead) except tink.TinkError as e: logging.exception('Error writing key: %s', e) return 1 return 0 # [END encrypt-a-keyset] # Use the keyset to encrypt/decrypt data # Read the encrypted keyset into a keyset_handle with open(FLAGS.keyset_path, 'rt') as keyset_file: try: text = keyset_file.read() keyset_handle = tink.KeysetHandle.read(tink.JsonKeysetReader(text), gcp_aead) except tink.TinkError as e: logging.exception('Error reading key: %s', e) return 1 # Get the primitive try: cipher = keyset_handle.primitive(aead.Aead) except tink.TinkError as e: logging.error('Error creating primitive: %s', e) return 1 with open(FLAGS.input_path, 'rb') as input_file: input_data = input_file.read() if FLAGS.mode == 'decrypt': output_data = cipher.decrypt(input_data, associated_data) elif FLAGS.mode == 'encrypt': output_data = cipher.encrypt(input_data, associated_data) else: logging.error( 'Error mode not supported. Please choose "encrypt" or "decrypt".' ) return 1 with open(FLAGS.output_path, 'wb') as output_file: output_file.write(output_data)
def test_from_private_keyset_fails(self): reader = tink.JsonKeysetReader(PRIVATEKEY_KEYSET) keyset_handle = cleartext_keyset_handle.read(reader) with self.assertRaises(tink.TinkError): jwt.jwk_set_from_public_keyset_handle(keyset_handle)
def test_from_crunchy_ecdsa_keyset_fails(self, keyset): crunchy_keyset = keyset.replace('RAW', 'CRUNCHY') reader = tink.JsonKeysetReader(crunchy_keyset) keyset_handle = cleartext_keyset_handle.read(reader) with self.assertRaises(tink.TinkError): jwt.jwk_set_from_public_keyset_handle(keyset_handle)
def test_primary_key_id_missing_success(self): keyset = ES256_KEYSET.replace('"primaryKeyId":282600252,', '') reader = tink.JsonKeysetReader(keyset) keyset_handle = cleartext_keyset_handle.read(reader) jwk_set = jwt.jwk_set_from_public_keyset_handle(keyset_handle) self.assertEqual(jwk_set, ES256_JWK_SET)
def test_convert_from_jwt_key(self, tink_keyset, expected_jwk_set): reader = tink.JsonKeysetReader(tink_keyset) keyset_handle = cleartext_keyset_handle.read(reader) jwk_set = jwt.jwk_set_from_public_keyset_handle(keyset_handle) self.assertEqual(jwk_set, expected_jwk_set)