examples/walkthrough/write_keyset.cc

*e7b1675dSTing-Kang Chang// Copyright 2022 Google LLC
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Licensed under the Apache License, Version 2.0 (the "License");
*e7b1675dSTing-Kang Chang// you may not use this file except in compliance with the License.
*e7b1675dSTing-Kang Chang// You may obtain a copy of the License at
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang//     http://www.apache.org/licenses/LICENSE-2.0
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Unless required by applicable law or agreed to in writing, software
*e7b1675dSTing-Kang Chang// distributed under the License is distributed on an "AS IS" BASIS,
*e7b1675dSTing-Kang Chang// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
*e7b1675dSTing-Kang Chang// See the License for the specific language governing permissions and
*e7b1675dSTing-Kang Chang// limitations under the License.
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang///////////////////////////////////////////////////////////////////////////////
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include "walkthrough/write_keyset.h"
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// [START tink_walkthrough_write_keyset]
*e7b1675dSTing-Kang Chang#include <fstream>
*e7b1675dSTing-Kang Chang#include <memory>
*e7b1675dSTing-Kang Chang#include <ostream>
*e7b1675dSTing-Kang Chang#include <utility>
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang#include "absl/status/status.h"
*e7b1675dSTing-Kang Chang#include "absl/strings/string_view.h"
*e7b1675dSTing-Kang Chang#include "tink/aead.h"
*e7b1675dSTing-Kang Chang#include "tink/json_keyset_writer.h"
*e7b1675dSTing-Kang Chang#include "tink/keyset_handle.h"
*e7b1675dSTing-Kang Chang#include "tink/kms_client.h"
*e7b1675dSTing-Kang Chang#include "tink/kms_clients.h"
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changnamespace tink_walkthrough {
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Changusing ::crypto::tink::JsonKeysetWriter;
*e7b1675dSTing-Kang Changusing ::crypto::tink::util::StatusOr;
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang// Writes a `keyset` to `output_stream` in JSON format; the keyset is encrypted
*e7b1675dSTing-Kang Chang// through a KMS service using the KMS key `master_kms_key_uri`.
*e7b1675dSTing-Kang Chang//
*e7b1675dSTing-Kang Chang// Prerequisites for this example:
*e7b1675dSTing-Kang Chang//  - Register AEAD implementations of Tink.
*e7b1675dSTing-Kang Chang//  - Register a KMS client that can use `master_kms_key_uri`.
*e7b1675dSTing-Kang Chang//  - Create a keyset and obtain a KeysetHandle to it.
*e7b1675dSTing-Kang Changcrypto::tink::util::Status WriteEncryptedKeyset(
*e7b1675dSTing-Kang Chang    const crypto::tink::KeysetHandle& keyset,
*e7b1675dSTing-Kang Chang    std::unique_ptr<std::ostream> output_stream,
*e7b1675dSTing-Kang Chang    absl::string_view master_kms_key_uri) {
*e7b1675dSTing-Kang Chang  // Create a writer that will write the keyset to output_stream as JSON.
*e7b1675dSTing-Kang Chang  StatusOr<std::unique_ptr<JsonKeysetWriter>> writer =
*e7b1675dSTing-Kang Chang      JsonKeysetWriter::New(std::move(output_stream));
*e7b1675dSTing-Kang Chang  if (!writer.ok()) return writer.status();
*e7b1675dSTing-Kang Chang  // Get a KMS client for the given key URI.
*e7b1675dSTing-Kang Chang  StatusOr<const crypto::tink::KmsClient*> kms_client =
*e7b1675dSTing-Kang Chang      crypto::tink::KmsClients::Get(master_kms_key_uri);
*e7b1675dSTing-Kang Chang  if (!kms_client.ok()) return kms_client.status();
*e7b1675dSTing-Kang Chang  // Get an Aead primitive that uses the KMS service to encrypt/decrypt.
*e7b1675dSTing-Kang Chang  StatusOr<std::unique_ptr<crypto::tink::Aead>> kms_aead =
*e7b1675dSTing-Kang Chang      (*kms_client)->GetAead(master_kms_key_uri);
*e7b1675dSTing-Kang Chang  if (!kms_aead.ok()) return kms_aead.status();
*e7b1675dSTing-Kang Chang  return keyset.Write(writer->get(), **kms_aead);
*e7b1675dSTing-Kang Chang}
*e7b1675dSTing-Kang Chang
*e7b1675dSTing-Kang Chang}  // namespace tink_walkthrough
*e7b1675dSTing-Kang Chang// [END tink_walkthrough_write_keyset]