// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
///////////////////////////////////////////////////////////////////////////////

#include "walkthrough/load_encrypted_keyset.h"

// [START tink_walkthrough_load_encrypted_keyset]
#include <iostream>
#include <memory>
#include <utility>

#include "absl/strings/string_view.h"
#include "tink/aead.h"
#include "tink/json_keyset_reader.h"
#include "tink/keyset_handle.h"
#include "tink/keyset_reader.h"
#include "tink/kms_client.h"
#include "tink/kms_clients.h"
#include "tink/util/statusor.h"

namespace tink_walkthrough {

using ::crypto::tink::KeysetHandle;
using ::crypto::tink::util::StatusOr;

// Loads a JSON-serialized keyset that was encrypted with a KMS master key.
//
// `serialized_encrypted_keyset` is the JSON document produced by Tinkey (or
// Tink) when wrapping a keyset with a KMS key; `master_key_uri` identifies
// the KMS key used to decrypt it. Note that the master key is selected by the
// caller through `master_key_uri`, not by anything inside the serialized
// keyset: both the KMS client lookup and the decrypting AEAD below are derived
// from that parameter.
//
// Returns a handle to the decrypted keyset, or the first error encountered
// while locating the KMS client, obtaining its AEAD, or parsing the keyset.
//
// Prerequisites for this example:
// - Register AEAD implementations of Tink.
// - Register a KMS client for the given URI prefix using KmsClients::Add.
// - Create a KMS encrypted keyset, for example using Tinkey with Cloud KMS:
//
//   tinkey create-keyset --key-template AES128_GCM \
//     --out-format json --out encrypted_aead_keyset.json \
//     --master-key-uri gcp-kms://<KMS key uri> \
//     --credentials gcp_credentials.json
StatusOr<std::unique_ptr<KeysetHandle>> LoadKeyset(
    absl::string_view serialized_encrypted_keyset,
    absl::string_view master_key_uri) {
  // Find the KMS client that was registered for this key URI's prefix.
  StatusOr<const crypto::tink::KmsClient*> client =
      crypto::tink::KmsClients::Get(master_key_uri);
  if (!client.ok()) {
    return client.status();
  }

  // Ask the client for an Aead primitive bound to the master key; this is
  // what decrypts the wrapped keyset.
  StatusOr<std::unique_ptr<crypto::tink::Aead>> master_key_aead =
      (*client)->GetAead(master_key_uri);
  if (!master_key_aead.ok()) {
    return master_key_aead.status();
  }

  // Wrap the JSON text in a KeysetReader so KeysetHandle can parse it.
  StatusOr<std::unique_ptr<crypto::tink::KeysetReader>> keyset_reader =
      crypto::tink::JsonKeysetReader::New(serialized_encrypted_keyset);
  if (!keyset_reader.ok()) {
    return keyset_reader.status();
  }

  // Decrypt with the KMS-backed AEAD, parse the keyset and return a handle.
  return KeysetHandle::Read(std::move(*keyset_reader), *master_key_aead->get());
}

}  // namespace tink_walkthrough
// [END tink_walkthrough_load_encrypted_keyset]