xref: /aosp_15_r20/external/tink/go/keyset/keyset_test.go (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5) 
1// Copyright 2023 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//      http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14//
15////////////////////////////////////////////////////////////////////////////////
16
17package keyset_test
18
19// [START encrypted-keyset-example]
20
21import (
22	"bytes"
23	"fmt"
24	"log"
25
26	"github.com/google/tink/go/aead"
27	"github.com/google/tink/go/keyset"
28	"github.com/google/tink/go/testing/fakekms"
29)
30
31// The fake KMS should only be used in tests. It is not secure.
32const keyURI = "fake-kms://CM2b3_MDElQKSAowdHlwZS5nb29nbGVhcGlzLmNvbS9nb29nbGUuY3J5cHRvLnRpbmsuQWVzR2NtS2V5EhIaEIK75t5L-adlUwVhWvRuWUwYARABGM2b3_MDIAE"
33
34func Example_encryptedKeyset() {
35	// Get a KEK (key encryption key) AEAD. This is usually a remote AEAD to a KMS. In this example,
36	// we use a fake KMS to avoid making RPCs.
37	client, err := fakekms.NewClient(keyURI)
38	if err != nil {
39		log.Fatal(err)
40	}
41	kekAEAD, err := client.GetAEAD(keyURI)
42	if err != nil {
43		log.Fatal(err)
44	}
45
46	// Generate a new keyset handle for the primitive we want to use.
47	newHandle, err := keyset.NewHandle(aead.AES256GCMKeyTemplate())
48	if err != nil {
49		log.Fatal(err)
50	}
51
52	// Choose some associated data. This is the context in which the keyset will be used.
53	keysetAssociatedData := []byte("keyset encryption example")
54
55	// Encrypt the keyset with the KEK AEAD and the associated data.
56	buf := new(bytes.Buffer)
57	writer := keyset.NewBinaryWriter(buf)
58	err = newHandle.WriteWithAssociatedData(writer, kekAEAD, keysetAssociatedData)
59	if err != nil {
60		log.Fatal(err)
61	}
62	encryptedKeyset := buf.Bytes()
63
64	// The encrypted keyset can now be stored.
65
66	// To use the primitive, we first need to decrypt the keyset. We use the same
67	// KEK AEAD and the same associated data that we used to encrypt it.
68	reader := keyset.NewBinaryReader(bytes.NewReader(encryptedKeyset))
69	handle, err := keyset.ReadWithAssociatedData(reader, kekAEAD, keysetAssociatedData)
70	if err != nil {
71		log.Fatal(err)
72	}
73
74	// Get the primitive.
75	primitive, err := aead.New(handle)
76	if err != nil {
77		log.Fatal(err)
78	}
79
80	// Use the primitive.
81	plaintext := []byte("message")
82	associatedData := []byte("example encryption")
83	ciphertext, err := primitive.Encrypt(plaintext, associatedData)
84	if err != nil {
85		log.Fatal(err)
86	}
87	decrypted, err := primitive.Decrypt(ciphertext, associatedData)
88	if err != nil {
89		log.Fatal(err)
90	}
91	fmt.Println(string(decrypted))
92	// Output: message
93}
94
95// [END encrypted-keyset-example]
96