1// Copyright 2018 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//      http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14//
15////////////////////////////////////////////////////////////////////////////////
16
17package aead_test
18
19// [START aead-example]
20
21import (
22	"bytes"
23	"fmt"
24	"log"
25
26	"github.com/google/tink/go/aead"
27	"github.com/google/tink/go/insecurecleartextkeyset"
28	"github.com/google/tink/go/keyset"
29)
30
func Example() {
	// Sample keyset generated with
	// "tinkey create-keyset --key-template=AES256_GCM". The secret key material
	// is stored in this JSON in cleartext; since it is printed in this example,
	// it is suitable for demonstration only.
	const keysetJSON = `{
			"key": [{
					"keyData": {
							"keyMaterialType":
									"SYMMETRIC",
							"typeUrl":
									"type.googleapis.com/google.crypto.tink.AesGcmKey",
							"value":
									"GiBWyUfGgYk3RTRhj/LIUzSudIWlyjCftCOypTr0jCNSLg=="
					},
					"keyId": 294406504,
					"outputPrefixType": "TINK",
					"status": "ENABLED"
			}],
			"primaryKeyId": 294406504
	}`

	// Turn the cleartext keyset into a keyset handle. The handle gives abstract
	// access to the keyset so that the raw key material is exposed as little as
	// possible. WARNING: in practice you are unlikely to want
	// insecurecleartextkeyset, because it means the key material is handled in
	// cleartext, which is a security risk. Consider encrypting the keyset with a
	// remote key in Cloud KMS, AWS KMS or HashiCorp Vault instead.
	// See https://github.com/google/tink/blob/master/docs/GOLANG-HOWTO.md#storing-and-loading-existing-keysets.
	keysetSource := bytes.NewBufferString(keysetJSON)
	keysetReader := keyset.NewJSONReader(keysetSource)
	handle, err := insecurecleartextkeyset.Read(keysetReader)
	if err != nil {
		log.Fatal(err)
	}

	// Obtain the AEAD primitive backed by the keyset handle.
	cipher, err := aead.New(handle)
	if err != nil {
		log.Fatal(err)
	}

	// Encrypt a message. The keyset's primary key is used, which here is also
	// the only key. The associated data is authenticated but not encrypted, and
	// the same bytes have to be passed to Decrypt below.
	message := []byte("message")
	context := []byte("associated data")
	sealed, err := cipher.Encrypt(message, context)
	if err != nil {
		log.Fatal(err)
	}

	// Decrypt the message. Decrypt looks up the matching key in the keyset and
	// returns an error if no key is found or decryption fails; the output must
	// not be used in that case.
	recovered, err := cipher.Decrypt(sealed, context)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Printf("%s\n", recovered)
	// Output: message
}
90
91// [END aead-example]
92