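def _encrypt(keyset: tink_pb2.Keyset, master_key_primitive: aead.Aead,
             associated_data: bytes) -> tink_pb2.EncryptedKeyset:
  """Encrypts a Keyset and returns an EncryptedKeyset.

  The serialized keyset is encrypted with the master-key AEAD and then
  immediately decrypted and parsed again, so that a faulty primitive is
  detected before a ciphertext that can never be unwrapped is handed out.

  Args:
    keyset: the cleartext Keyset to wrap.
    master_key_primitive: AEAD used to encrypt the serialized keyset.
    associated_data: associated data bound to the ciphertext; the same value
      has to be supplied when the keyset is decrypted again.

  Returns:
    An EncryptedKeyset holding the ciphertext and the keyset_info built by
    _keyset_info(keyset).

  Raises:
    core.TinkError: if the decrypted bytes do not parse as a Keyset or the
      round trip does not reproduce the original keyset.
  """
  serialized = keyset.SerializeToString()
  encrypted_keyset = master_key_primitive.encrypt(serialized, associated_data)
  # Round-trip check to detect a broken master-key primitive early.
  try:
    decrypted = master_key_primitive.decrypt(encrypted_keyset, associated_data)
    keyset2 = tink_pb2.Keyset.FromString(decrypted)
  except message.DecodeError as e:
    raise core.TinkError('invalid keyset, corrupted key material') from e
  if keyset != keyset2:
    # Deliberately do not interpolate the keysets into the message: both
    # carry the raw key material, and exception text routinely ends up in
    # logs and crash reports.
    raise core.TinkError(
        'cannot encrypt keyset: decrypted keyset does not match the original')
  return tink_pb2.EncryptedKeyset(
      encrypted_keyset=encrypted_keyset, keyset_info=_keyset_info(keyset))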
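def _decrypt(encrypted_keyset: tink_pb2.EncryptedKeyset,
             master_key_aead: aead.Aead,
             associated_data: bytes = b'') -> tink_pb2.Keyset:
  """Decrypts an EncryptedKeyset and returns a Keyset.

  Args:
    encrypted_keyset: wrapper whose encrypted_keyset field holds the
      ciphertext produced by _encrypt.
    master_key_aead: AEAD used to unwrap the ciphertext.
    associated_data: associated data that was bound to the ciphertext when it
      was encrypted. Defaults to b'' so existing two-argument callers keep
      their behavior; callers that passed non-empty associated data to
      _encrypt must supply the same value here or decryption will fail.

  Returns:
    The parsed Keyset.

  Raises:
    core.TinkError: if the plaintext does not parse as a Keyset. Errors
      raised by the AEAD itself, and whatever _assert_enough_key_material
      raises, propagate unchanged.
  """
  try:
    plaintext = master_key_aead.decrypt(encrypted_keyset.encrypted_keyset,
                                        associated_data)
    keyset = tink_pb2.Keyset.FromString(plaintext)
  except message.DecodeError as e:
    raise core.TinkError('invalid keyset, corrupted key material') from e
  # A ciphertext that unwraps to a keyset without usable key material is
  # rejected here as well, not only on the cleartext path.
  _assert_enough_key_material(keyset)
  return keyset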