1// Copyright 2019 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14// 15//////////////////////////////////////////////////////////////////////////////// 16 17package aead_test 18 19// [START kms-envelope-aead-example] 20 21import ( 22 "fmt" 23 "log" 24 25 "github.com/google/tink/go/aead" 26 "github.com/google/tink/go/testing/fakekms" 27) 28 29// The fake KMS should only be used in tests. It is not secure. 30const keyURI = "fake-kms://CM2b3_MDElQKSAowdHlwZS5nb29nbGVhcGlzLmNvbS9nb29nbGUuY3J5cHRvLnRpbmsuQWVzR2NtS2V5EhIaEIK75t5L-adlUwVhWvRuWUwYARABGM2b3_MDIAE" 31 32func Example_kmsEnvelopeAEAD() { 33 // Get a KEK (key encryption key) AEAD. This is usually a remote AEAD to a KMS. In this example, 34 // we use a fake KMS to avoid making RPCs. 35 client, err := fakekms.NewClient(keyURI) 36 if err != nil { 37 log.Fatal(err) 38 } 39 kekAEAD, err := client.GetAEAD(keyURI) 40 if err != nil { 41 log.Fatal(err) 42 } 43 44 // Get the KMS envelope AEAD primitive. 45 primitive := aead.NewKMSEnvelopeAEAD2(aead.AES256GCMKeyTemplate(), kekAEAD) 46 47 // Use the primitive. 48 plaintext := []byte("message") 49 associatedData := []byte("example KMS envelope AEAD encryption") 50 51 ciphertext, err := primitive.Encrypt(plaintext, associatedData) 52 if err != nil { 53 log.Fatal(err) 54 } 55 56 decrypted, err := primitive.Decrypt(ciphertext, associatedData) 57 if err != nil { 58 log.Fatal(err) 59 } 60 fmt.Println(string(decrypted)) 61 // Output: message 62} 63 64// [END kms-envelope-aead-example] 65 66