// for creating keys https://cloud.google.com/bigquery/docs/reference/standard-sql/aead-encryption-concepts#keysets
package main
import (
"bytes"
"context"
"encoding/base64"
"encoding/json"
"log"
"github.com/tink-crypto/tink-go/v2/aead"
"github.com/tink-crypto/tink-go/v2/keyset"
gcpkms "github.com/tink-crypto/tink-go-gcpkms/v2/integration/gcpkms"
"github.com/tink-crypto/tink-go/v2/core/registry"
)
// keyURI is the Cloud KMS key used as the key-encryption key (KEK) that wraps the
// locally generated Tink keyset. It is specific to one project/location/keyring;
// deploying elsewhere means pointing this at a different KMS resource.
const keyURI = "gcp-kms://projects/mineral-minutia-820/locations/us-central1/keyRings/mykeyring/cryptoKeys/key1"
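// main demonstrates envelope encryption with Tink and Cloud KMS: it generates an
// AES-256-GCM keyset locally, wraps it with the KMS key at keyURI, prints the
// wrapped keyset as JSON, encrypts a sample message, then re-reads the wrapped
// keyset (unwrapping through KMS) and decrypts the message again.
//
// Every failure terminates the program with a non-zero exit status via
// log.Fatalf, so a broken run cannot be mistaken for a successful one.
func main() {
	ctx := context.Background()

	gcpClient, err := gcpkms.NewClientWithOptions(ctx, "gcp-kms://")
	if err != nil {
		log.Fatalf("Could not create GCP KMS client %v", err)
	}
	registry.RegisterKMSClient(gcpClient)

	// generate wrapping AEAD w/ KMS: this AEAD is the key-encryption key and
	// every wrap/unwrap below is a remote call to Cloud KMS.
	kek, err := gcpClient.GetAEAD(keyURI)
	if err != nil {
		log.Fatalf("Could not acquire KMS AEAD %v", err)
	}

	// The data-encryption keyset is generated in-process; only its
	// KMS-encrypted form is ever serialized or logged.
	kh1, err := keyset.NewHandle(aead.AES256GCMKeyTemplate())
	if err != nil {
		log.Fatalf("Could not create TINK keyHandle %v", err)
	}

	// Write the keyset encrypted under the KEK into memory so it can be
	// re-serialized as JSON.
	memKeyset := &keyset.MemReaderWriter{}
	if err := kh1.Write(memKeyset, kek); err != nil {
		log.Fatalf("Could not serialize KeyHandle %v", err)
	}

	var encoded bytes.Buffer
	if err := keyset.NewJSONWriter(&encoded).WriteEncrypted(memKeyset.EncryptedKeyset); err != nil {
		log.Fatalf("Could not write encrypted keyhandle %v", err)
	}

	var prettyJSON bytes.Buffer
	if err := json.Indent(&prettyJSON, encoded.Bytes(), "", "\t"); err != nil {
		log.Fatalf("JSON parse error: %v ", err)
	}
	log.Println("Tink Keyset:\n", prettyJSON.String())

	// Create an AEAD off of the keyhandle. The original checked a stale
	// variable here, so a failed aead.New went unnoticed; check err itself.
	ekh, err := aead.New(kh1)
	if err != nil {
		log.Fatalf("Could not create AEAD from keyHandle %v", err)
	}

	associatedData := []byte("associated data")
	ct, err := ekh.Encrypt([]byte("this data needs to be encrypted"), associatedData)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("Cipher text: %s", base64.RawStdEncoding.EncodeToString(ct))

	// reread the keyset from its JSON form
	r := keyset.NewJSONReader(bytes.NewBuffer(prettyJSON.Bytes()))

	// decrypt it with the KMS handle (unwrap through Cloud KMS)
	kh2, err := keyset.Read(r, kek)
	if err != nil {
		log.Fatalf("Could not create TINK keyHandle %v", err)
	}

	// generate the aead; same stale-variable bug as above in the original
	dkh, err := aead.New(kh2)
	if err != nil {
		log.Fatalf("Could not create AEAD from keyHandle %v", err)
	}

	// decrypt: the same associated data must be supplied or authentication fails
	pt, err := dkh.Decrypt(ct, associatedData)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("Plain text: %s", pt)
}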