def read_encrypted(self) -> tink_pb2.EncryptedKeyset:
if not self._serialized_keyset:
raise core.TinkError('No keyset found')
try:
encrypted_keyset = tink_pb2.EncryptedKeyset()
encrypted_keyset.ParseFromString(self._serialized_keyset)
return encrypted_keyset
except message.DecodeError as e:
raise core.TinkError(e)
def example_encrypted_keyset() -> tink_pb2.EncryptedKeyset:
encrypted_keyset = tink_pb2.EncryptedKeyset()
encrypted_keyset.encrypted_keyset = b'c29tZSBjaXBoZXJ0ZXh0IHdpdGgga2V5c2V0'
encrypted_keyset.keyset_info.primary_key_id = 42
key_info = encrypted_keyset.keyset_info.key_info.add()
key_info.type_url = 'type.googleapis.com/google.crypto.tink.AesGcmKey'
key_info.output_prefix_type = tink_pb2.TINK
key_info.key_id = 42
key_info.status = tink_pb2.ENABLED
return encrypted_keyset
def test_read_encrypted(self):
encrypted_keyset = tink_pb2.EncryptedKeyset()
encrypted_keyset.encrypted_keyset = b'c29tZSBjaXBoZXJ0ZXh0IHdpdGgga2V5c2V0'
encrypted_keyset.keyset_info.primary_key_id = 42
key_info = encrypted_keyset.keyset_info.key_info.add()
key_info.type_url = 'type.googleapis.com/google.crypto.tink.AesGcmKey'
key_info.output_prefix_type = tink_pb2.TINK
key_info.key_id = 42
key_info.status = tink_pb2.ENABLED
reader = core.BinaryKeysetReader(encrypted_keyset.SerializeToString())
self.assertEqual(encrypted_keyset, reader.read_encrypted())
def _encrypt(keyset: tink_pb2.Keyset,
master_key_primitive: aead.Aead) -> tink_pb2.EncryptedKeyset:
"""Encrypts a Keyset and returns an EncryptedKeyset."""
encrypted_keyset = master_key_primitive.encrypt(keyset.SerializeToString(),
b'')
# Check if we can decrypt, to detect errors
try:
keyset2 = tink_pb2.Keyset.FromString(
master_key_primitive.decrypt(encrypted_keyset, b''))
if keyset != keyset2:
raise tink_error.TinkError('cannot encrypt keyset: %s != %s' %
(keyset, keyset2))
except message.DecodeError:
raise tink_error.TinkError('invalid keyset, corrupted key material')
return tink_pb2.EncryptedKeyset(encrypted_keyset=encrypted_keyset,
keyset_info=_keyset_info(keyset))
def test_read_encrypted_ignores_keyset_info_json(self, lang):
# Use an arbitrary AEAD template that's supported in all languages,
# and use an arbitrary language to generate the keyset_encryption_keyset.
keyset_encryption_keyset = testing_servers.new_keyset(
'cc', aead.aead_key_templates.AES128_GCM)
# Also, generate an arbitrary keyset.
keyset = testing_servers.new_keyset('cc',
aead.aead_key_templates.AES128_GCM)
associated_data = b'associated_data'
encrypted_keyset = testing_servers.keyset_write_encrypted(
lang, keyset, keyset_encryption_keyset, associated_data,
'KEYSET_WRITER_JSON')
# encrypted_keyset is a JSON serialized tink_pb2.EncryptedKeyset
parsed_encrypted_keyset = json_format.Parse(encrypted_keyset,
tink_pb2.EncryptedKeyset())
# Note that some implementations (currently C++) do not set keyset_info.
# But we require that values are correct when they are set.
if parsed_encrypted_keyset.HasField('keyset_info'):
self.assertLen(parsed_encrypted_keyset.keyset_info.key_info, 1)
self.assertEqual(
parsed_encrypted_keyset.keyset_info.primary_key_id,
parsed_encrypted_keyset.keyset_info.key_info[0].key_id)
# keyset_info should be ignored when reading a keyset.
# To test this, we add something invalid and check that read still works.
# Some languages (C++ and Java) however do check that the fields of
# keyset_info are present. So we have to set all required fields here.
parsed_encrypted_keyset.keyset_info.key_info.append(
tink_pb2.KeysetInfo.KeyInfo(type_url='invalid',
status=tink_pb2.ENABLED,
key_id=123,
output_prefix_type=tink_pb2.LEGACY))
parsed_encrypted_keyset.keyset_info.primary_key_id = 123
modified_encrypted_keyset = json_format.MessageToJson(
parsed_encrypted_keyset).encode('utf8')
decrypted_keyset = testing_servers.keyset_read_encrypted(
lang, modified_encrypted_keyset, keyset_encryption_keyset,
associated_data, 'KEYSET_READER_JSON')
# Both keyset and decrypted_keyset are serialized tink_pb2.Keyset.
key_util.assert_tink_proto_equal(
self, tink_pb2.Keyset.FromString(keyset),
tink_pb2.Keyset.FromString(decrypted_keyset))
def read_encrypted(self) -> tink_pb2.EncryptedKeyset:
try:
return json_format.Parse(self._serialized_keyset,
tink_pb2.EncryptedKeyset())
except json_format.ParseError as e:
raise core.TinkError(e)
