# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS-IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Example to showcase how to create a keyset."""
# [START tink_walkthrough_write_keyset]
from typing import TextIO

import tink
from tink import aead


def GetKmsAead(kms_kek_uri: str) -> aead.Aead:
  """Returns an AEAD primitive from a KMS Key Encryption Key URI."""
  # To obtain a primitive that uses the KMS to encrypt/decrypt we simply create
  # a keyset from the appropriate template and get an AEAD primitive from it.
  template = aead.aead_key_templates.create_kms_aead_key_template(kms_kek_uri)
  kms_aead_keyset_handle = tink.new_keyset_handle(template)
  return kms_aead_keyset_handle.primitive(aead.Aead)


def WriteEncryptedKeyset(keyset_handle: tink.KeysetHandle,
                         text_io_stream: TextIO,
                         kms_kek_uri: str,
                         associated_data: bytes = b'') -> None:
  """Encrypts keyset_handle with a KMS and writes it to text_io_stream as JSON.

  The keyset is encrypted with a KMS using the KMS key kms_kek_uri.

  Prerequisites:
    - Register AEAD implementations of Tink.
    - Register a KMS client that can use kms_kek_uri.
    - Create a keyset and obtain a handle to it.

  Args:
    keyset_handle: Keyset to write.
    text_io_stream: I/O stream to which the keyset is written.
    kms_kek_uri: URI of the KMS key to use to encrypt the keyset.
    associated_data: Associated data to which the ciphertext is tied.

  Raises:
    tink.TinkError in case of errors.
  """
  keyset_handle.write_with_associated_data(
      tink.JsonKeysetWriter(text_io_stream), GetKmsAead(kms_kek_uri),
      associated_data)


# [END tink_walkthrough_write_keyset]