1*e7b1675dSTing-Kang Chang# Copyright 2021 Google LLC
2*e7b1675dSTing-Kang Chang#
3*e7b1675dSTing-Kang Chang# Licensed under the Apache License, Version 2.0 (the "License");
4*e7b1675dSTing-Kang Chang# you may not use this file except in compliance with the License.
5*e7b1675dSTing-Kang Chang# You may obtain a copy of the License at
6*e7b1675dSTing-Kang Chang#
7*e7b1675dSTing-Kang Chang#      http://www.apache.org/licenses/LICENSE-2.0
8*e7b1675dSTing-Kang Chang#
9*e7b1675dSTing-Kang Chang# Unless required by applicable law or agreed to in writing, software
10*e7b1675dSTing-Kang Chang# distributed under the License is distributed on an "AS-IS" BASIS,
11*e7b1675dSTing-Kang Chang# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12*e7b1675dSTing-Kang Chang# See the License for the specific language governing permissions and
13*e7b1675dSTing-Kang Chang# limitations under the License.
14*e7b1675dSTing-Kang Chang# [START aead-example]
15*e7b1675dSTing-Kang Chang"""A command-line utility for encrypting small files with AEAD.
16*e7b1675dSTing-Kang Chang
17*e7b1675dSTing-Kang ChangIt loads cleartext keys from disk - this is not recommended!
18*e7b1675dSTing-Kang Chang"""
19*e7b1675dSTing-Kang Chang
20*e7b1675dSTing-Kang Changfrom absl import app
21*e7b1675dSTing-Kang Changfrom absl import flags
22*e7b1675dSTing-Kang Changfrom absl import logging
23*e7b1675dSTing-Kang Chang
24*e7b1675dSTing-Kang Changimport tink
25*e7b1675dSTing-Kang Changfrom tink import aead
26*e7b1675dSTing-Kang Changfrom tink import cleartext_keyset_handle
27*e7b1675dSTing-Kang Chang
28*e7b1675dSTing-Kang Chang
# Shared absl flag registry; main() reads the parsed values from it.
FLAGS = flags.FLAGS

# Every flag defaults to None. The four mandatory ones are marked as required
# in the __main__ guard at the bottom of the file.
flags.DEFINE_enum(
    name='mode',
    default=None,
    enum_values=['encrypt', 'decrypt'],
    help='The operation to perform.',
)
# The keyset at this path is read in cleartext (see the module docstring).
flags.DEFINE_string(
    name='keyset_path',
    default=None,
    help='Path to the keyset used for encryption.',
)
flags.DEFINE_string(
    name='input_path',
    default=None,
    help='Path to the input file.',
)
flags.DEFINE_string(
    name='output_path',
    default=None,
    help='Path to the output file.',
)
# Optional: main() substitutes empty associated data when this is unset.
flags.DEFINE_string(
    name='associated_data',
    default=None,
    help='Optional associated data used for the encryption.',
)
39*e7b1675dSTing-Kang Chang
40*e7b1675dSTing-Kang Chang
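def main(argv):
  """Encrypts or decrypts one small file with a Tink AEAD primitive.

  Reads the keyset at --keyset_path, loads all of --input_path into memory,
  applies the operation selected by --mode and writes the result to
  --output_path.

  Args:
    argv: Positional command-line arguments handed over by absl; unused.

  Returns:
    1 if the keyset cannot be read, the primitive cannot be created, the mode
    is not supported, or the encrypt/decrypt call fails; None on success.
  """
  del argv  # Unused.

  # Associated data is authenticated but not encrypted. Decryption succeeds
  # only when the same value that was used for encryption is supplied again.
  associated_data = b'' if not FLAGS.associated_data else bytes(
      FLAGS.associated_data, 'utf-8')

  # Initialise Tink
  aead.register()

  # Read the keyset into a keyset_handle.
  # The keyset file holds the key material in cleartext, so anyone who can
  # read that file can decrypt the data. Outside of an example, store the
  # keyset encrypted (for instance wrapped with a key held in a KMS).
  with open(FLAGS.keyset_path, 'rt') as keyset_file:
    try:
      text = keyset_file.read()
      keyset_handle = cleartext_keyset_handle.read(tink.JsonKeysetReader(text))
    except tink.TinkError as e:
      logging.exception('Error reading key: %s', e)
      return 1

  # Get the primitive
  try:
    cipher = keyset_handle.primitive(aead.Aead)
  except tink.TinkError as e:
    logging.error('Error creating primitive: %s', e)
    return 1

  # The whole input is held in memory; the tool is meant for small files.
  with open(FLAGS.input_path, 'rb') as input_file:
    input_data = input_file.read()

  # decrypt() raises TinkError when the ciphertext or the associated data does
  # not authenticate (wrong key, modified file, mismatched associated data).
  # Report that the same way as the other Tink failures above rather than
  # letting the exception escape; no output file is written in that case.
  try:
    if FLAGS.mode == 'decrypt':
      output_data = cipher.decrypt(input_data, associated_data)
    elif FLAGS.mode == 'encrypt':
      output_data = cipher.encrypt(input_data, associated_data)
    else:
      logging.error(
          'Error mode not supported. Please choose "encrypt" or "decrypt".')
      return 1
  except tink.TinkError as e:
    logging.error('Error during %s: %s', FLAGS.mode, e)
    return 1

  # NOTE(review): in decrypt mode this file holds plaintext and is created
  # with the process's default permissions (umask); restrict them if the
  # content is sensitive.
  with open(FLAGS.output_path, 'wb') as output_file:
    output_file.write(output_data)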
79*e7b1675dSTing-Kang Chang
80*e7b1675dSTing-Kang Chang
if __name__ == '__main__':
  # associated_data stays optional; main() falls back to b'' when it is unset.
  for required_flag in ('mode', 'keyset_path', 'input_path', 'output_path'):
    flags.mark_flag_as_required(required_flag)
  # absl parses the command line and then calls main.
  app.run(main)
85*e7b1675dSTing-Kang Chang# [END aead-example]