
Example 6 with EncryptedKeyset

use of com.google.crypto.tink.proto.EncryptedKeyset in project tink by google.

the class CreateKeysetCommandTest method testCreateEncrypted_shouldCreateNewKeyset.

/**
 * Creates an encrypted keyset in {@code outFormat}, reads it back, and verifies its metadata.
 *
 * <p>Only the {@link KeysetInfo} returned by {@code getKeysetInfo()} is inspected; this test never
 * decrypts the key material.
 *
 * @param outFormat output format passed both to the create command and to the keyset reader
 */
private void testCreateEncrypted_shouldCreateNewKeyset(String outFormat) throws Exception {
    // Needs KMS/internet access, so it is skipped under remote build execution (RBE).
    assumeFalse(TestUtil.isRemoteBuildExecution());

    // Master key URI and credentials both come from shared test fixtures.
    String kmsKeyUri = TestUtil.RESTRICTED_CRYPTO_KEY_URI;
    String credentials = TestUtil.SERVICE_ACCOUNT_FILE;

    // Write the encrypted keyset into an in-memory buffer.
    ByteArrayOutputStream sink = new ByteArrayOutputStream();
    CreateKeysetCommand.create(sink, outFormat, kmsKeyUri, credentials, template);

    // Read the buffer back as an EncryptedKeyset and look only at its metadata.
    ByteArrayInputStream source = new ByteArrayInputStream(sink.toByteArray());
    EncryptedKeyset created = TinkeyUtil.createKeysetReader(source, outFormat).readEncrypted();
    KeysetInfo info = created.getKeysetInfo();

    // Exactly one key is expected, and it must match the requested template.
    assertThat(info.getKeyInfoCount()).isEqualTo(1);
    TestUtil.assertKeyInfo(template, info.getKeyInfo(0));
}
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) EncryptedKeyset(com.google.crypto.tink.proto.EncryptedKeyset) ByteArrayOutputStream(java.io.ByteArrayOutputStream) KeysetInfo(com.google.crypto.tink.proto.KeysetInfo)

Example 7 with EncryptedKeyset

use of com.google.crypto.tink.proto.EncryptedKeyset in project tink by google.

the class KeysetHandle method decrypt.

/**
 * Unwraps {@code encryptedKeyset} with the {@link Aead} master key and parses the plaintext as a
 * {@link Keyset}.
 *
 * <p>This overload decrypts with empty associated data, so the ciphertext is not bound to any
 * caller-supplied context.
 *
 * @param encryptedKeyset wrapper whose {@code getEncryptedKeyset()} bytes are decrypted
 * @param masterKey AEAD used to decrypt the keyset bytes
 * @return the parsed keyset, once {@code assertEnoughKeyMaterial} has accepted it
 * @throws GeneralSecurityException if the plaintext is not a parseable {@link Keyset}, or if
 *     decryption or the key-material check raises one
 */
private static Keyset decrypt(EncryptedKeyset encryptedKeyset, Aead masterKey) throws GeneralSecurityException {
    try {
        byte[] ciphertext = encryptedKeyset.getEncryptedKeyset().toByteArray();
        byte[] emptyAssociatedData = new byte[0];
        byte[] plaintext = masterKey.decrypt(ciphertext, emptyAssociatedData);
        Keyset parsed = Keyset.parseFrom(plaintext);
        // Check for key material again after unwrapping, in case the ciphertext decrypted to an
        // empty keyset.
        assertEnoughKeyMaterial(parsed);
        return parsed;
    } catch (InvalidProtocolBufferException e) {
        // NOTE(review): the parse exception is deliberately not chained as the cause. Presumably
        // this keeps anything derived from the decrypted bytes out of stack traces and logs;
        // confirm before "fixing" this to pass `e` along.
        throw new GeneralSecurityException("invalid keyset, corrupted key material");
    }
}
Also used : EncryptedKeyset(com.google.crypto.tink.proto.EncryptedKeyset) Keyset(com.google.crypto.tink.proto.Keyset) GeneralSecurityException(java.security.GeneralSecurityException) InvalidProtocolBufferException(com.google.protobuf.InvalidProtocolBufferException)

Example 8 with EncryptedKeyset

use of com.google.crypto.tink.proto.EncryptedKeyset in project tink by google.

the class KeysetHandle method readWithAssociatedData.

/**
 * Reads an encrypted keyset from {@code reader} and returns a {@link KeysetHandle} over the
 * decrypted result, forwarding {@code associatedData} to the decryption step.
 *
 * <p>Callers that need to load cleartext keysets can use {@link CleartextKeysetHandle} instead.
 *
 * @param reader source of the encrypted keyset
 * @param masterKey AEAD the keyset was encrypted with
 * @param associatedData associated data handed to {@code decrypt}; NOTE(review): presumably it
 *     must equal the value supplied when the keyset was written. Confirm against the
 *     three-argument {@code decrypt}, which is not shown here.
 * @return a new {@link KeysetHandle} wrapping the decrypted keyset
 * @throws GeneralSecurityException if the keyset cannot be decrypted or does not contain
 *     encrypted key material
 * @throws IOException declared for the read from {@code reader}
 */
public static final KeysetHandle readWithAssociatedData(KeysetReader reader, Aead masterKey, byte[] associatedData) throws GeneralSecurityException, IOException {
    EncryptedKeyset wrapped = reader.readEncrypted();
    // Check the wrapper for encrypted key material before any decryption is attempted.
    assertEnoughEncryptedKeyMaterial(wrapped);
    return new KeysetHandle(decrypt(wrapped, masterKey, associatedData));
}
Also used : EncryptedKeyset(com.google.crypto.tink.proto.EncryptedKeyset)

Example 9 with EncryptedKeyset

use of com.google.crypto.tink.proto.EncryptedKeyset in project tink by google.

the class RotateKeysetCommandTest method testRotateEncrypted_shouldAddNewKey.

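/**
 * Rotates an encrypted keyset and verifies the resulting metadata: two keys, with the newly added
 * key at index 1 marked as primary.
 *
 * <p>Only the {@link KeysetInfo} returned by {@code getKeysetInfo()} is inspected; the key
 * material is never decrypted in this test.
 */
@Test
public void testRotateEncrypted_shouldAddNewKey() throws Exception {
    // This test requires KMS/internet access and thus cannot run on RBE.
    assumeFalse(TestUtil.isRemoteBuildExecution());
    // Create an input stream containing an encrypted keyset.
    String masterKeyUri = TestUtil.RESTRICTED_CRYPTO_KEY_URI;
    String credentialPath = TestUtil.SERVICE_ACCOUNT_FILE;
    InputStream inputStream = TinkeyUtil.createKeyset(existingTemplate, INPUT_FORMAT, masterKeyUri, credentialPath);
    EncryptedKeyset encryptedKeyset = addNewKeyToKeyset(OUTPUT_FORMAT, inputStream, INPUT_FORMAT, masterKeyUri, credentialPath, newTemplate).readEncrypted();
    KeysetInfo keysetInfo = encryptedKeyset.getKeysetInfo();
    assertThat(keysetInfo.getKeyInfoCount()).isEqualTo(2);
    // The key added by the rotation is expected to be the primary one.
    assertThat(keysetInfo.getPrimaryKeyId()).isEqualTo(keysetInfo.getKeyInfo(1).getKeyId());
    TestUtil.assertKeyInfo(existingTemplate, keysetInfo.getKeyInfo(0));
    // Check the new key at index 1. Checking index 0 a second time would leave the rotated-in
    // key's metadata unverified.
    TestUtil.assertKeyInfo(newTemplate, keysetInfo.getKeyInfo(1));
}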
Also used : ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) EncryptedKeyset(com.google.crypto.tink.proto.EncryptedKeyset) KeysetInfo(com.google.crypto.tink.proto.KeysetInfo) Test(org.junit.Test)

Aggregations

EncryptedKeyset (com.google.crypto.tink.proto.EncryptedKeyset)9 KeysetInfo (com.google.crypto.tink.proto.KeysetInfo)3 ByteArrayInputStream (java.io.ByteArrayInputStream)3 Keyset (com.google.crypto.tink.proto.Keyset)2 InvalidProtocolBufferException (com.google.protobuf.InvalidProtocolBufferException)2 InputStream (java.io.InputStream)2 GeneralSecurityException (java.security.GeneralSecurityException)2 Test (org.junit.Test)2 ByteArrayOutputStream (java.io.ByteArrayOutputStream)1