xref: /aosp_15_r20/external/tink/go/daead/daead_test.go (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5)
1// Copyright 2019 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//      http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14//
15////////////////////////////////////////////////////////////////////////////////
16
17package daead_test
18
19// [START deterministic-aead-example]
20
21import (
22	"bytes"
23	"fmt"
24	"log"
25
26	"github.com/google/tink/go/daead"
27	"github.com/google/tink/go/insecurecleartextkeyset"
28	"github.com/google/tink/go/keyset"
29)
30
// Example walks through a full round trip with Tink's deterministic AEAD
// primitive: it loads a keyset, encrypts a message together with associated
// data, decrypts the result, and prints the ciphertext and the recovered
// plaintext.
func Example() {
	// Keyset generated with "tinkey create-keyset --key-template=AES256_SIV".
	// The secret key material is embedded in cleartext and is published with
	// this example, so treat it as test data only.
	serializedKeyset := `{
			"key": [{
				"keyData": {
						"keyMaterialType":
								"SYMMETRIC",
						"typeUrl":
								"type.googleapis.com/google.crypto.tink.AesSivKey",
						"value":
								"EkAl9HCMmKTN1p3V186uhZpJQ+tivyc4IKyE+opg6SsEbWQ/WesWHzwCRrlgRuxdaggvgMzwWhjPnkk9gptBnGLK"
				},
				"keyId": 1919301694,
				"outputPrefixType": "TINK",
				"status": "ENABLED"
		}],
		"primaryKeyId": 1919301694
	}`

	// Turn the cleartext keyset into a keyset handle. The handle gives abstract
	// access to the keyset so that the raw key material is exposed as little as
	// possible. WARNING: insecurecleartextkeyset is rarely what production code
	// wants, because the key material travels in cleartext, which is a security
	// risk. Prefer a keyset encrypted with a remote key in Cloud KMS, AWS KMS or
	// HashiCorp Vault.
	// See https://github.com/google/tink/blob/master/docs/GOLANG-HOWTO.md#storing-and-loading-existing-keysets.
	src := bytes.NewReader([]byte(serializedKeyset))
	handle, err := insecurecleartextkeyset.Read(keyset.NewJSONReader(src))
	if err != nil {
		log.Fatal(err)
	}

	// Obtain the DAEAD primitive backed by the keys in the handle.
	d, err := daead.New(handle)
	if err != nil {
		log.Fatal(err)
	}

	// Encrypt with the primary key of the keyset (the only key in this example).
	// The primitive is deterministic: the same key, plaintext and associated
	// data always produce the same ciphertext, which is why the bytes under
	// "Output:" can be pinned. The flip side is that an observer of two
	// ciphertexts can tell whether their inputs were equal.
	msg := []byte("message")
	aad := []byte("associated data")
	ct, err := d.EncryptDeterministically(msg, aad)
	if err != nil {
		log.Fatal(err)
	}

	// Decrypt looks up the matching key in the keyset and decrypts the
	// ciphertext; it returns an error if no key matches or if decryption fails.
	// The same associated data that was used for encryption is supplied again.
	pt, err := d.DecryptDeterministically(ct, aad)
	if err != nil {
		log.Fatal(err)
	}

	// The first five ciphertext bytes printed below are the TINK output prefix:
	// a leading 1 followed by 114 102 56 62, which is keyId 1919301694 in
	// big-endian order.
	fmt.Printf("%v\n", ct)
	fmt.Printf("%s\n", pt)
	// Output:
	// [1 114 102 56 62 150 98 146 84 99 211 36 127 214 229 231 157 56 143 192 250 132 32 153 124 244 238 112]
	// message
}
93
94// [END deterministic-aead-example]
95