1*e7b1675dSTing-Kang Chang# Copyright 2022 Google LLC
2*e7b1675dSTing-Kang Chang#
3*e7b1675dSTing-Kang Chang# Licensed under the Apache License, Version 2.0 (the "License");
4*e7b1675dSTing-Kang Chang# you may not use this file except in compliance with the License.
5*e7b1675dSTing-Kang Chang# You may obtain a copy of the License at
6*e7b1675dSTing-Kang Chang#
7*e7b1675dSTing-Kang Chang#      http://www.apache.org/licenses/LICENSE-2.0
8*e7b1675dSTing-Kang Chang#
9*e7b1675dSTing-Kang Chang# Unless required by applicable law or agreed to in writing, software
10*e7b1675dSTing-Kang Chang# distributed under the License is distributed on an "AS-IS" BASIS,
11*e7b1675dSTing-Kang Chang# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12*e7b1675dSTing-Kang Chang# See the License for the specific language governing permissions and
13*e7b1675dSTing-Kang Chang# limitations under the License.
14*e7b1675dSTing-Kang Chang"""A minimal example for using the AEAD API."""
15*e7b1675dSTing-Kang Chang# [START aead-basic-example]
16*e7b1675dSTing-Kang Changimport tink
17*e7b1675dSTing-Kang Changfrom tink import aead
18*e7b1675dSTing-Kang Changfrom tink import cleartext_keyset_handle
19*e7b1675dSTing-Kang Chang
20*e7b1675dSTing-Kang Chang
def example():
  """Round-trip a short message through an AEAD primitive.

  Builds an Aead primitive from a JSON keyset embedded in the source, encrypts
  b'msg' bound to b'associated_data', decrypts the result with the same
  associated data and checks that the original message comes back.
  """
  # An Aead primitive can only be obtained from a keyset handle once the AEAD
  # key managers have been registered.
  aead.register()

  # Output of "tinkey create-keyset --key-template=AES256_GCM". The secret key
  # bytes sit in this keyset in cleartext, and because the value is part of a
  # published example it must never be used to protect real data.
  cleartext_keyset_json = r"""{
      "key": [{
          "keyData": {
              "keyMaterialType":
                  "SYMMETRIC",
              "typeUrl":
                  "type.googleapis.com/google.crypto.tink.AesGcmKey",
              "value":
                  "GiBWyUfGgYk3RTRhj/LIUzSudIWlyjCftCOypTr0jCNSLg=="
          },
          "keyId": 294406504,
          "outputPrefixType": "TINK",
          "status": "ENABLED"
      }],
      "primaryKeyId": 294406504
  }"""

  # Wrap the keyset in a handle, which gives abstract access to the keys and
  # limits exposure of the raw key material. WARNING: cleartext_keyset_handle
  # is rarely what real code should use, because it means the key material is
  # passed around in cleartext, which is a security risk. Keysets used outside
  # of examples are normally stored encrypted, e.g. wrapped by a key held in a
  # key management service.
  reader = tink.JsonKeysetReader(cleartext_keyset_json)
  handle = cleartext_keyset_handle.read(reader)

  # Ask the handle for the Aead primitive.
  cipher = handle.primitive(aead.Aead)

  # The associated data is authenticated together with the ciphertext, so the
  # value given to encrypt has to be given to decrypt again.
  associated_data = b'associated_data'

  # Encrypt with the keyset's primary key, which is also the only key in this
  # example.
  ciphertext = cipher.encrypt(b'msg', associated_data)

  # Decrypt locates the matching key in the keyset and decrypts the ciphertext;
  # it raises an error if no key matches or if decryption fails.
  recovered = cipher.decrypt(ciphertext, associated_data)
  # [END aead-basic-example]
  assert recovered == b'msg'