1// Copyright 2020 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//      http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14//
15////////////////////////////////////////////////////////////////////////////////
16
17package hybrid_test
18
19// [START hybrid-example]
20
21import (
22	"bytes"
23	"fmt"
24	"log"
25
26	"github.com/google/tink/go/hybrid"
27	"github.com/google/tink/go/insecurecleartextkeyset"
28	"github.com/google/tink/go/keyset"
29)
30
func Example() {
	// must aborts the example on the first error, exactly as an inline
	// "if err != nil { log.Fatal(err) }" check would.
	must := func(err error) {
		if err != nil {
			log.Fatal(err)
		}
	}

	// Private keyset generated with
	// "tinkey create-keyset --key-template=DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_256_GCM --out private_keyset.cfg".
	// The secret key sits here in cleartext and is published with this example,
	// so it is a sample only and must never protect real data.
	const privateJSONKeyset = `{
		"key": [{
				"keyData": {
						"keyMaterialType":
								"ASYMMETRIC_PRIVATE",
						"typeUrl":
								"type.googleapis.com/google.crypto.tink.HpkePrivateKey",
						"value":
								"EioSBggBEAEYAhogVWQpmQoz74jcAp5WOD36KiBQ71MVCpn2iWfOzWLtKV4aINfn8qlMbyijNJcCzrafjsgJ493ZZGN256KTfKw0WN+p"
				},
				"keyId": 958452012,
				"outputPrefixType": "TINK",
				"status": "ENABLED"
		}],
		"primaryKeyId": 958452012
  }`

	// Matching public keyset, derived with
	// "tinkey create-public-keyset --in private_keyset.cfg".
	const publicJSONKeyset = `{
		"key": [{
				"keyData": {
						"keyMaterialType":
								"ASYMMETRIC_PUBLIC",
						"typeUrl":
								"type.googleapis.com/google.crypto.tink.HpkePublicKey",
						"value":
								"EgYIARABGAIaIFVkKZkKM++I3AKeVjg9+iogUO9TFQqZ9olnzs1i7Sle"
				},
				"keyId": 958452012,
				"outputPrefixType": "TINK",
				"status": "ENABLED"
		}],
		"primaryKeyId": 958452012
  }`

	// Sender side. A public keyset holds no secrets, so it is loaded with
	// [keyset.ReadWithNoSecrets], which rejects keysets that carry secret key
	// material.
	pubReader := keyset.NewJSONReader(bytes.NewBufferString(publicJSONKeyset))
	pubHandle, err := keyset.ReadWithNoSecrets(pubReader)
	must(err)

	// Obtain the HybridEncrypt primitive backed by the public keyset.
	encrypter, err := hybrid.NewHybridEncrypt(pubHandle)
	must(err)

	// The context is bound to the ciphertext but is neither encrypted nor
	// carried inside it; the receiver has to supply the same bytes. Hybrid
	// encryption gives confidentiality only: anyone holding the public keyset
	// can produce ciphertexts, so it says nothing about who the sender was.
	var (
		message     = []byte("message")
		contextInfo = []byte("encryption context")
	)
	sealed, err := encrypter.Encrypt(message, contextInfo)
	must(err)

	// Receiver side. The keyset handle gives abstract access to the keyset so
	// that callers do not work with the raw key material directly.
	// WARNING: insecurecleartextkeyset reads key material that is passed in
	// cleartext, which is a security risk and is unlikely to be what you want
	// in practice. Consider encrypting the keyset with a remote key in
	// Cloud KMS, AWS KMS or HashiCorp Vault.
	// See https://github.com/google/tink/blob/master/docs/GOLANG-HOWTO.md#storing-and-loading-existing-keysets.
	privReader := keyset.NewJSONReader(bytes.NewBufferString(privateJSONKeyset))
	privHandle, err := insecurecleartextkeyset.Read(privReader)
	must(err)

	// Obtain the HybridDecrypt primitive backed by the private keyset.
	decrypter, err := hybrid.NewHybridDecrypt(privHandle)
	must(err)

	// Decrypt is given the same context that was passed to Encrypt.
	recovered, err := decrypter.Decrypt(sealed, contextInfo)
	must(err)

	fmt.Println(string(recovered))
	// Output: message
}
119// [END hybrid-example]
120