Use of com.google.crypto.tink.KeysetManager in project tink by google.
The class AndroidKeysetManager, method readOrGenerateNewKeyset.
/**
 * Returns a manager for the persisted keyset, generating and persisting a new one when the
 * existing keyset cannot be read.
 *
 * <p>Every {@link IOException} thrown by {@code read()} is treated as "no keyset yet" (not only a
 * missing file): it is logged at info level and, if a key template is configured, a fresh keyset
 * holding one key from that template is created, written back via {@code write} and returned.
 *
 * @return the manager for the existing keyset, or for the newly generated one
 * @throws GeneralSecurityException if the keyset cannot be read and no key template is configured,
 *     or if one of the delegated keyset operations fails
 * @throws IOException if persisting the newly generated keyset fails
 */
private KeysetManager readOrGenerateNewKeyset() throws GeneralSecurityException, IOException {
  try {
    return read();
  } catch (IOException e) {
    // Treated as "not found"; fall through to generation below.
    Log.i(TAG, "cannot read keyset: " + e.toString());
  }
  // Without a template there is nothing to generate from.
  if (keyTemplate == null) {
    throw new GeneralSecurityException("cannot obtain keyset handle");
  }
  KeysetManager fresh = KeysetManager.withEmptyKeyset().rotate(keyTemplate);
  write(fresh);
  return fresh;
}
Use of com.google.crypto.tink.KeysetManager in project tink by google.
The class TinkeyUtil, method manipulateKey.
/**
 * Manipulates a key within a keyset.
 *
 * <p>Reads the keyset from {@code inputStream}, applies the key-level command selected by
 * {@code type} to the key identified by {@code keyId}, and writes the resulting keyset to
 * {@code outputStream}.
 *
 * @param type the key-level command to apply (delete, destroy, disable, enable or promote)
 * @param outputStream where the modified keyset is written
 * @param outFormat format of the written keyset
 * @param inputStream where the keyset is read from
 * @param inFormat format of the keyset being read
 * @param masterKeyUri master key used to (un)wrap the keyset, passed through to the I/O helpers
 * @param credentialPath credentials for the master key, passed through to the I/O helpers
 * @param keyId identifier of the key the command applies to
 * @throws GeneralSecurityException if {@code type} is not a key-manipulation command, or if the
 *     underlying keyset operation fails
 * @throws IOException if the keyset cannot be read or written
 */
public static void manipulateKey(CommandType type, OutputStream outputStream, String outFormat, InputStream inputStream, String inFormat, String masterKeyUri, String credentialPath, int keyId) throws GeneralSecurityException, IOException {
  KeysetHandle inputHandle = getKeysetHandle(inputStream, inFormat, masterKeyUri, credentialPath);
  KeysetManager updated = applyKeyCommand(KeysetManager.withKeysetHandle(inputHandle), type, keyId);
  writeKeyset(updated.getKeysetHandle(), outputStream, outFormat, masterKeyUri, credentialPath);
}

/** Applies a single key-level command to {@code manager} and returns the resulting manager. */
private static KeysetManager applyKeyCommand(KeysetManager manager, CommandType type, int keyId) throws GeneralSecurityException {
  switch (type) {
    case DELETE_KEY:
      return manager.delete(keyId);
    case DESTROY_KEY:
      return manager.destroy(keyId);
    case DISABLE_KEY:
      return manager.disable(keyId);
    case ENABLE_KEY:
      return manager.enable(keyId);
    case PROMOTE_KEY:
      return manager.setPrimary(keyId);
    default:
      // Any other CommandType is not a key-level operation.
      throw new GeneralSecurityException("invalid command");
  }
}
Use of com.google.crypto.tink.KeysetManager in project tink by google.
The class JwtPublicKeySignVerifyWrappersTest, method test_wrapMultipleRawKeys.
@Test
public void test_wrapMultipleRawKeys() throws Exception {
  KeyTemplate template = KeyTemplates.get("JWT_ES256_RAW");
  KeysetManager manager = KeysetManager.withEmptyKeyset();

  // Take a handle after each key is added; each add marks the new key as primary.
  manager.addNewKey(KeyTemplateProtoConverter.toProto(template), /*asPrimary=*/ true);
  KeysetHandle handleWithOneKey = manager.getKeysetHandle();
  manager.addNewKey(KeyTemplateProtoConverter.toProto(template), /*asPrimary=*/ true);
  KeysetHandle handleWithTwoKeys = manager.getKeysetHandle();

  JwtPublicKeySign signerWithOneKey = handleWithOneKey.getPrimitive(JwtPublicKeySign.class);
  JwtPublicKeySign signerWithTwoKeys = handleWithTwoKeys.getPrimitive(JwtPublicKeySign.class);
  JwtPublicKeyVerify verifierWithOneKey =
      handleWithOneKey.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);
  JwtPublicKeyVerify verifierWithTwoKeys =
      handleWithTwoKeys.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);

  RawJwt token = RawJwt.newBuilder().setJwtId("jwtId").withoutExpiration().build();
  JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
  String compactFromOneKey = signerWithOneKey.signAndEncode(token);
  String compactFromTwoKeys = signerWithTwoKeys.signAndEncode(token);

  // The one-key verifier only accepts what its own key produced ...
  assertThat(verifierWithOneKey.verifyAndDecode(compactFromOneKey, validator).getJwtId()).isEqualTo("jwtId");
  // ... while the two-key verifier accepts tokens from either key.
  assertThat(verifierWithTwoKeys.verifyAndDecode(compactFromOneKey, validator).getJwtId()).isEqualTo("jwtId");
  assertThat(verifierWithTwoKeys.verifyAndDecode(compactFromTwoKeys, validator).getJwtId()).isEqualTo("jwtId");
  assertThrows(GeneralSecurityException.class, () -> verifierWithOneKey.verifyAndDecode(compactFromTwoKeys, validator));
}
Use of com.google.crypto.tink.KeysetManager in project tink by google.
The class JwkSetConverter, method toPublicKeysetHandle.
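/**
 * Converts a Json Web Key (JWK) set with public keys into a Tink KeysetHandle.
 *
 * <p>It requires that all keys in the set have the "alg" field set. The currently supported
 * algorithms are ES256, ES384, ES512, RS256, RS384, RS512, PS256, PS384 and PS512. JWK is defined
 * in https://www.rfc-editor.org/rfc/rfc7517.txt.
 *
 * <p>All keys are imported with the RAW output prefix, and the first key of the set becomes the
 * primary key of the returned keyset.
 *
 * @param jwkSet the JWK set as a JSON string
 * @return a keyset handle holding the public keys of the set
 * @throws IOException if {@code jwkSet} is not valid JSON, has no {@code "keys"} array, contains an
 *     entry that is not a JSON object, uses an unsupported "alg" value, or contains no keys
 * @throws GeneralSecurityException if a key cannot be converted into a Tink key
 */
public static KeysetHandle toPublicKeysetHandle(String jwkSet) throws IOException, GeneralSecurityException {
  JsonObject jsonKeyset;
  try {
    JsonReader jsonReader = new JsonReader(new StringReader(jwkSet));
    // Strict mode: reject Gson's lenient extensions (unquoted names, comments, trailing data).
    jsonReader.setLenient(false);
    jsonKeyset = Streams.parse(jsonReader).getAsJsonObject();
  } catch (IllegalStateException | JsonParseException | StackOverflowError ex) {
    // StackOverflowError covers pathologically deep nesting; report it as a parse failure.
    throw new IOException("JWK set is invalid JSON", ex);
  }
  // Check the structure explicitly so malformed input surfaces as the documented IOException
  // rather than as an unchecked NullPointerException / IllegalStateException from Gson.
  JsonElement keysElement = jsonKeyset.get("keys");
  if (keysElement == null || !keysElement.isJsonArray()) {
    throw new IOException("JWK set has no \"keys\" array");
  }
  KeysetManager manager = KeysetManager.withEmptyKeyset();
  for (JsonElement element : keysElement.getAsJsonArray()) {
    if (!element.isJsonObject()) {
      throw new IOException("JWK set entry is not a JSON object");
    }
    JsonObject jsonKey = element.getAsJsonObject();
    String alg = getStringItem(jsonKey, "alg");
    // The key family is selected by the first two characters of "alg"; anything shorter cannot
    // name a supported algorithm, and must not reach substring().
    if (alg.length() < 2) {
      throw new IOException("unexpected alg value: " + alg);
    }
    KeyData keyData;
    switch (alg.substring(0, 2)) {
      case "RS":
        keyData = convertToRsaSsaPkcs1Key(jsonKey);
        break;
      case "PS":
        keyData = convertToRsaSsaPssKey(jsonKey);
        break;
      case "ES":
        keyData = convertToEcdsaKey(jsonKey);
        break;
      default:
        throw new IOException("unexpected alg value: " + alg);
    }
    // JWK keys carry no Tink key-id prefix, hence RAW.
    manager.add(KeyHandle.createFromKey(new ProtoKey(keyData, com.google.crypto.tink.KeyTemplate.OutputPrefixType.RAW), KeyAccess.publicAccess()));
  }
  KeysetInfo info = manager.getKeysetHandle().getKeysetInfo();
  if (info.getKeyInfoCount() <= 0) {
    throw new IOException("empty keyset");
  }
  // A keyset needs a primary; the first imported key is used.
  manager.setPrimary(info.getKeyInfo(0).getKeyId());
  return manager.getKeysetHandle();
}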
Use of com.google.crypto.tink.KeysetManager in project tink by google.
The class JwtMacWrapperTest, method test_wrapMultipleTinkKeys.
@Test
public void test_wrapMultipleTinkKeys() throws Exception {
  KeyTemplate tinkTemplate = KeyTemplates.get("JWT_HS256");
  KeysetManager manager = KeysetManager.withEmptyKeyset();

  // Take a handle after each key is added; each add marks the new key as primary.
  manager.addNewKey(KeyTemplateProtoConverter.toProto(tinkTemplate), /*asPrimary=*/ true);
  KeysetHandle handleWithOneKey = manager.getKeysetHandle();
  manager.addNewKey(KeyTemplateProtoConverter.toProto(tinkTemplate), /*asPrimary=*/ true);
  KeysetHandle handleWithTwoKeys = manager.getKeysetHandle();

  JwtMac macWithOneKey = handleWithOneKey.getPrimitive(JwtMac.class);
  JwtMac macWithTwoKeys = handleWithTwoKeys.getPrimitive(JwtMac.class);

  RawJwt token = RawJwt.newBuilder().setJwtId("jwtId").withoutExpiration().build();
  JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
  String compactFromOneKey = macWithOneKey.computeMacAndEncode(token);
  String compactFromTwoKeys = macWithTwoKeys.computeMacAndEncode(token);

  // The one-key primitive only verifies what its own key produced ...
  assertThat(macWithOneKey.verifyMacAndDecode(compactFromOneKey, validator).getJwtId()).isEqualTo("jwtId");
  // ... while the two-key primitive verifies tokens from either key.
  assertThat(macWithTwoKeys.verifyMacAndDecode(compactFromOneKey, validator).getJwtId()).isEqualTo("jwtId");
  assertThat(macWithTwoKeys.verifyMacAndDecode(compactFromTwoKeys, validator).getJwtId()).isEqualTo("jwtId");
  assertThrows(GeneralSecurityException.class, () -> macWithOneKey.verifyMacAndDecode(compactFromTwoKeys, validator));
}