├── .bazelignore ├── .bazelrc ├── .bazelversion ├── .gitattributes ├── BUILD.bazel ├── LICENSE ├── MANIFEST.in ├── MODULE.bazel ├── README.md ├── TINK_VERSION.txt ├── docs ├── CONTRIBUTING.md └── SECURITY.md ├── examples ├── .bazelrc ├── .bazelversion ├── BUILD.bazel ├── MODULE.bazel ├── aead │ ├── BUILD.bazel │ ├── README.md │ ├── aead_basic.py │ ├── aead_basic_test.py │ ├── aead_cli.py │ ├── aead_cli_test.sh │ └── aead_test_keyset.json ├── cleartext_keyset │ ├── BUILD.bazel │ ├── README.md │ ├── cleartext_keyset_cli.py │ └── cleartext_keyset_cli_test.sh ├── deterministic_aead │ ├── BUILD.bazel │ ├── README.md │ ├── deterministic_aead_basic.py │ ├── deterministic_aead_basic_test.py │ ├── deterministic_aead_cli.py │ ├── deterministic_aead_cli_test.sh │ └── deterministic_aead_test_keyset.json ├── encrypted_keyset │ ├── BUILD.bazel │ ├── README.md │ ├── encrypted_keyset_cli.py │ └── encrypted_keyset_cli_test.sh ├── envelope_aead │ ├── BUILD.bazel │ ├── README.md │ ├── envelope_cli.py │ └── envelope_cli_test.sh ├── gcs │ ├── BUILD.bazel │ ├── README.md │ ├── gcs_envelope_aead_cli.py │ └── gcs_envelope_aead_cli_test.sh ├── hybrid │ ├── BUILD.bazel │ ├── README.md │ ├── hybrid_basic.py │ ├── hybrid_basic_test.py │ ├── hybrid_cli.py │ ├── hybrid_cli_test.sh │ ├── hybrid_test_private_keyset.json │ └── hybrid_test_public_keyset.json ├── jwt │ ├── BUILD.bazel │ ├── README.md │ ├── jwt_generate_public_jwk_set.py │ ├── jwt_sign_cli.py │ ├── jwt_signature_test.sh │ ├── jwt_test_private_keyset.json │ ├── jwt_test_public_keyset.json │ └── jwt_verify_cli.py ├── mac │ ├── BUILD.bazel │ ├── README.md │ ├── mac_basic.py │ ├── mac_basic_test.py │ ├── mac_cli.py │ ├── mac_cli_test.sh │ └── mac_test_keyset.json ├── requirements.in ├── requirements.txt ├── signature │ ├── BUILD.bazel │ ├── README.md │ ├── signature_basic.py │ ├── signature_basic_test.py │ ├── signature_cli.py │ ├── signature_cli_test.sh │ ├── signature_test_private_keyset.json │ └── signature_test_public_keyset.json ├── streaming_aead │ ├── BUILD.bazel │ ├── README.md │ ├── streaming_aead_cli.py │ ├── streaming_aead_cli_test.sh │ └── streaming_aead_keyset.json ├── testdata │ ├── aws │ │ ├── BUILD.bazel │ │ ├── access_keys_bad.csv │ │ ├── credentials.cred │ │ ├── credentials.csv │ │ ├── credentials.ini │ │ ├── credentials_bad.csv │ │ ├── credentials_bad.ini │ │ ├── key_arn.txt │ │ └── key_arn_bad.txt │ └── gcp │ │ ├── BUILD.bazel │ │ ├── README.md │ │ ├── credential.json │ │ ├── credential_bad.json │ │ ├── key_name.txt │ │ └── key_name_bad.txt └── walkthrough │ ├── BUILD.bazel │ ├── create_keyset.py │ ├── create_keyset_test.py │ ├── load_cleartext_keyset.py │ ├── load_cleartext_keyset_test.py │ ├── load_encrypted_keyset.py │ ├── load_encrypted_keyset_test.py │ ├── obtain_and_use_a_primitive.py │ ├── obtain_and_use_a_primitive_test.py │ ├── write_cleartext_keyset.py │ ├── write_cleartext_keyset_test.py │ ├── write_keyset.py │ └── write_keyset_test.py ├── kokoro ├── create_github_release_branch.sh ├── create_github_release_tag.sh ├── gcp_ubuntu │ ├── bazel │ │ ├── run_tests.sh │ │ └── test_script.sh │ ├── pip │ │ ├── run_tests.sh │ │ └── test_script.sh │ └── release │ │ ├── bdist │ │ └── create │ │ │ └── run.sh │ │ └── sdist │ │ ├── create │ │ └── run.sh │ │ └── test │ │ └── run.sh ├── gcp_windows │ ├── bazel │ │ └── run_tests.bat │ ├── pip │ │ └── run_tests.bat │ └── release │ │ └── bdist │ │ └── create │ │ └── run.bat ├── macos_external │ ├── bazel │ │ └── run_tests.sh │ ├── pip │ │ └── run_tests.sh │ └── release │ │ └── bdist │ │ └── create │ │ └── run.sh ├── release_on_pypi.sh ├── release_requirements.in ├── release_requirements.txt └── testutils │ ├── BUILD.bazel │ ├── copy_credentials.sh │ ├── docker_execute.sh │ ├── github_release_util.sh │ ├── github_release_util_test.sh │ ├── install_protoc.sh │ ├── install_tink_via_pip.sh │ ├── install_vault.sh │ ├── py_test_container_images.sh │ ├── run_bazel_tests.sh │ ├── run_hcvault_test_server.sh │ └── test_utils.sh ├── pyproject.toml ├── requirements.in ├── requirements.txt ├── requirements_all.txt ├── requirements_awskms.in ├── requirements_gcpkms.in ├── requirements_hcvault.in ├── setup.py ├── testdata ├── aws │ ├── BUILD.bazel │ ├── access_keys_bad.csv │ ├── credentials.cred │ ├── credentials.csv │ ├── credentials.ini │ ├── credentials_bad.csv │ ├── credentials_bad.ini │ ├── key_arn.txt │ └── key_arn_bad.txt └── gcp │ ├── BUILD.bazel │ ├── README.md │ ├── credential.json │ ├── credential_bad.json │ ├── key_name.txt │ └── key_name_bad.txt ├── tink ├── BUILD.bazel ├── __init__.py ├── _insecure_keyset_handle.py ├── _insecure_keyset_handle_test.py ├── _json_proto_keyset_format.py ├── _json_proto_keyset_format_test.py ├── _keyset_handle.py ├── _keyset_handle_test.py ├── _keyset_reader.py ├── _keyset_reader_test.py ├── _keyset_writer.py ├── _keyset_writer_test.py ├── _kms_clients.py ├── _kms_clients_test.py ├── _proto_keyset_format.py ├── _proto_keyset_format_test.py ├── _secret_key_access.py ├── aead │ ├── BUILD.bazel │ ├── __init__.py │ ├── _aead.py │ ├── _aead_key_manager.py │ ├── _aead_key_manager_test.py │ ├── _aead_key_templates.py │ ├── _aead_key_templates_test.py │ ├── _aead_wrapper.py │ ├── _aead_wrapper_test.py │ ├── _kms_aead_key_manager.py │ ├── _kms_aead_key_manager_test.py │ ├── _kms_envelope_aead.py │ └── _kms_envelope_aead_test.py ├── cc │ ├── BUILD.bazel │ ├── cc_hpke_config.cc │ ├── cc_hpke_config.h │ ├── cc_jwt_config.cc │ ├── cc_jwt_config.h │ ├── cc_key_manager.h │ ├── cc_streaming_aead_wrappers.cc │ ├── cc_streaming_aead_wrappers.h │ ├── cc_streaming_aead_wrappers_test.cc │ ├── cc_tink_config.cc │ ├── cc_tink_config.h │ ├── input_stream_adapter.cc │ ├── input_stream_adapter.h │ ├── input_stream_adapter_test.cc │ ├── output_stream_adapter.cc │ ├── output_stream_adapter.h │ ├── output_stream_adapter_test.cc │ ├── pybind │ │ ├── BUILD.bazel │ │ ├── aead.cc │ │ ├── aead.h │ │ ├── cc_hpke_config.cc │ │ ├── cc_hpke_config.h │ │ ├── cc_jwt_config.cc │ │ ├── cc_jwt_config.h │ │ ├── cc_key_manager.cc │ │ ├── cc_key_manager.h │ │ ├── cc_key_manager_test.py │ │ ├── cc_streaming_aead_wrappers.cc │ │ ├── cc_streaming_aead_wrappers.h │ │ ├── cc_tink_config.cc │ │ ├── cc_tink_config.h │ │ ├── cc_tink_config_test.py │ │ ├── deterministic_aead.cc │ │ ├── deterministic_aead.h │ │ ├── hybrid_decrypt.cc │ │ ├── hybrid_decrypt.h │ │ ├── hybrid_encrypt.cc │ │ ├── hybrid_encrypt.h │ │ ├── import_helper.cc │ │ ├── import_helper.h │ │ ├── input_stream_adapter.cc │ │ ├── input_stream_adapter.h │ │ ├── mac.cc │ │ ├── mac.h │ │ ├── output_stream_adapter.cc │ │ ├── output_stream_adapter.h │ │ ├── prf.cc │ │ ├── prf.h │ │ ├── public_key_sign.cc │ │ ├── public_key_sign.h │ │ ├── public_key_verify.cc │ │ ├── public_key_verify.h │ │ ├── python_file_object_adapter.cc │ │ ├── python_file_object_adapter.h │ │ ├── streaming_aead.cc │ │ ├── streaming_aead.h │ │ ├── tink_bindings.cc │ │ └── tink_exception.h │ ├── python_file_object_adapter.h │ ├── python_input_stream.cc │ ├── python_input_stream.h │ ├── python_input_stream_test.cc │ ├── python_output_stream.cc │ ├── python_output_stream.h │ ├── python_output_stream_test.cc │ └── test_util.h ├── cleartext_keyset_handle.py ├── cleartext_keyset_handle_test.py ├── core │ ├── BUILD.bazel │ ├── __init__.py │ ├── _crypto_format.py │ ├── _crypto_format_test.py │ ├── _key_manager.py │ ├── _primitive_set.py │ ├── _primitive_set_test.py │ ├── _primitive_wrapper.py │ ├── _registry.py │ ├── _registry_test.py │ └── _tink_error.py ├── daead │ ├── BUILD.bazel │ ├── __init__.py │ ├── _deterministic_aead.py │ ├── _deterministic_aead_key_manager.py │ ├── _deterministic_aead_key_manager_test.py │ ├── _deterministic_aead_key_templates.py │ ├── _deterministic_aead_key_templates_test.py │ ├── _deterministic_aead_wrapper.py │ └── _deterministic_aead_wrapper_test.py ├── hybrid │ ├── BUILD.bazel │ ├── __init__.py │ ├── _hybrid_decrypt.py │ ├── _hybrid_encrypt.py │ ├── _hybrid_key_manager.py │ ├── _hybrid_key_manager_test.py │ ├── _hybrid_key_templates.py │ ├── _hybrid_key_templates_test.py │ ├── _hybrid_wrapper.py │ └── _hybrid_wrapper_test.py ├── integration │ ├── __init__.py │ ├── awskms │ │ ├── BUILD.bazel │ │ ├── __init__.py │ │ ├── _aws_kms_client.py │ │ ├── _aws_kms_client_test.py │ │ └── _aws_kms_integration_test.py │ ├── gcpkms │ │ ├── BUILD.bazel │ │ ├── __init__.py │ │ ├── _gcp_kms_aead_test.py │ │ ├── _gcp_kms_client.py │ │ ├── _gcp_kms_client_integration_test.py │ │ ├── _gcp_kms_client_test.py │ │ └── _gcp_kms_integration_test.py │ └── hcvault │ │ ├── BUILD.bazel │ │ ├── __init__.py │ │ ├── _hcvault_kms_aead.py │ │ ├── _hcvault_kms_aead_test.py │ │ └── _hcvault_kms_integration_test.py ├── internal │ ├── BUILD.bazel │ ├── __init__.py │ ├── big_integer_util.py │ └── big_integer_util_test.py ├── jwt │ ├── BUILD.bazel │ ├── __init__.py │ ├── _json_util.py │ ├── _json_util_test.py │ ├── _jwk_set_converter.py │ ├── _jwk_set_converter_test.py │ ├── _jwt_error.py │ ├── _jwt_format.py │ ├── _jwt_format_test.py │ ├── _jwt_hmac_key_manager.py │ ├── _jwt_hmac_key_manager_test.py │ ├── _jwt_key_templates.py │ ├── _jwt_key_templates_test.py │ ├── _jwt_mac.py │ ├── _jwt_mac_wrapper.py │ ├── _jwt_mac_wrapper_test.py │ ├── _jwt_public_key_sign.py │ ├── _jwt_public_key_verify.py │ ├── _jwt_signature_key_manager.py │ ├── _jwt_signature_key_manager_test.py │ ├── _jwt_signature_wrappers.py │ ├── _jwt_signature_wrappers_test.py │ ├── _jwt_validator.py │ ├── _jwt_validator_test.py │ ├── _raw_jwt.py │ ├── _raw_jwt_test.py │ ├── _verified_jwt.py │ └── _verified_jwt_test.py ├── mac │ ├── BUILD.bazel │ ├── __init__.py │ ├── _mac.py │ ├── _mac_key_manager.py │ ├── _mac_key_manager_test.py │ ├── _mac_key_templates.py │ ├── _mac_key_templates_test.py │ ├── _mac_wrapper.py │ └── _mac_wrapper_test.py ├── prf │ ├── BUILD.bazel │ ├── __init__.py │ ├── _prf_key_manager.py │ ├── _prf_key_manager_test.py │ ├── _prf_key_templates.py │ ├── _prf_set.py │ ├── _prf_set_wrapper.py │ └── _prf_set_wrapper_test.py ├── proto │ ├── BUILD.bazel │ ├── __init__.py │ ├── aes_cmac.proto │ ├── aes_cmac_prf.proto │ ├── aes_ctr.proto │ ├── aes_ctr_hmac_aead.proto │ ├── aes_ctr_hmac_streaming.proto │ ├── aes_eax.proto │ ├── aes_gcm.proto │ ├── aes_gcm_hkdf_streaming.proto │ ├── aes_gcm_siv.proto │ ├── aes_siv.proto │ ├── chacha20_poly1305.proto │ ├── common.proto │ ├── config.proto │ ├── ecdsa.proto │ ├── ecies_aead_hkdf.proto │ ├── ed25519.proto │ ├── empty.proto │ ├── hkdf_prf.proto │ ├── hmac.proto │ ├── hmac_prf.proto │ ├── hpke.proto │ ├── jwt_ecdsa.proto │ ├── jwt_hmac.proto │ ├── jwt_rsa_ssa_pkcs1.proto │ ├── jwt_rsa_ssa_pss.proto │ ├── kms_aead.proto │ ├── kms_envelope.proto │ ├── ml_dsa.proto │ ├── prf_based_deriver.proto │ ├── rsa_ssa_pkcs1.proto │ ├── rsa_ssa_pss.proto │ ├── slh_dsa.proto │ ├── test_proto.proto │ ├── tink.proto │ ├── x_aes_gcm.proto │ └── xchacha20_poly1305.proto ├── secret_key_access.py ├── secret_key_access_import_test.py ├── secret_key_access_test.py ├── signature │ ├── BUILD.bazel │ ├── __init__.py │ ├── _public_key_sign.py │ ├── _public_key_verify.py │ ├── _signature_key_manager.py │ ├── _signature_key_manager_test.py │ ├── _signature_key_templates.py │ ├── _signature_wrapper.py │ └── _signature_wrapper_test.py ├── streaming_aead │ ├── BUILD.bazel │ ├── __init__.py │ ├── _decrypting_stream.py │ ├── _decrypting_stream_test.py │ ├── _encrypting_stream.py │ ├── _encrypting_stream_test.py │ ├── _file_object_adapter.py │ ├── _file_object_adapter_test.py │ ├── _pybind11_python_file_object_adapter_test.py │ ├── _raw_streaming_aead.py │ ├── _rewindable_input_stream.py │ ├── _rewindable_input_stream_test.py │ ├── _streaming_aead.py │ ├── _streaming_aead_key_manager.py │ ├── _streaming_aead_key_manager_test.py │ ├── _streaming_aead_key_templates.py │ ├── _streaming_aead_key_templates_test.py │ ├── _streaming_aead_test.py │ ├── _streaming_aead_wrapper.py │ └── _streaming_aead_wrapper_test.py ├── testing │ ├── BUILD.bazel │ ├── __init__.py │ ├── bytes_io.py │ ├── bytes_io_test.py │ ├── fake_kms.py │ ├── fake_kms_test.py │ ├── helper.py │ ├── helper_test.py │ ├── keyset_builder.py │ └── keyset_builder_test.py ├── tink_config.py └── tink_config_test.py └── tools ├── BUILD.bazel └── distribution ├── build_linux_binary_wheels.sh ├── create_bdist.sh ├── create_sdist.sh ├── requirements.in ├── requirements.txt └── test_dist.sh /.bazelignore: -------------------------------------------------------------------------------- 1 | examples 2 | -------------------------------------------------------------------------------- /.bazelversion: -------------------------------------------------------------------------------- 1 | 8.2.1 2 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.bat text eol=crlf 2 | -------------------------------------------------------------------------------- /BUILD.bazel: -------------------------------------------------------------------------------- 1 | # Platform definition used when creating the binary wheels. Selected in setup.py. 2 | platform( 3 | name = "darwin_arm64", 4 | constraint_values = [ 5 | "@platforms//os:macos", 6 | "@platforms//cpu:arm64", 7 | ], 8 | ) 9 | 10 | # Platform definition used when creating the binary wheels. Selected in setup.py. 11 | platform( 12 | name = "darwin_x86_64", 13 | constraint_values = [ 14 | "@platforms//os:macos", 15 | "@platforms//cpu:x86_64", 16 | ], 17 | ) 18 | -------------------------------------------------------------------------------- /MANIFEST.in: -------------------------------------------------------------------------------- 1 | # Files needed for Bazel to build the C++ bindings when creating a package 2 | # distribution. Note that this file is used when creating distributions with 3 | # "python setup.py sdist" or "python setup.py bdist_wheel". 4 | include requirements.in 5 | include requirements_awskms.in 6 | include requirements_gcpkms.in 7 | include requirements_hcvault.in 8 | # Required by tink_py_deps_init.bzl. 9 | include requirements_all.txt 10 | include .bazelrc 11 | include .bazelversion 12 | include TINK_VERSION.txt 13 | include BUILD.bazel 14 | include MODULE.bazel 15 | include pyproject.toml 16 | include tink_py_deps.bzl 17 | include tink_py_deps_init.bzl 18 | 19 | # Collect all sources needed for build 20 | graft tink 21 | graft tools 22 | -------------------------------------------------------------------------------- /TINK_VERSION.txt: -------------------------------------------------------------------------------- 1 | 1.12.0 2 | -------------------------------------------------------------------------------- /docs/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # How to contribute 2 | 3 | Please see the 4 | [developer documentation](https://developers.google.com/tink/contributing) on 5 | how to contribute to Tink. 6 | -------------------------------------------------------------------------------- /docs/SECURITY.md: -------------------------------------------------------------------------------- 1 | To report a security issue, please use http://g.co/vulnz. We use 2 | http://g.co/vulnz for our intake and coordination, and disclose vulnerabilities 3 | using GitHub Security Advisory. The Google Security Team will 4 | respond within 5 working days of your report on g.co/vulnz. 5 | -------------------------------------------------------------------------------- /examples/.bazelrc: -------------------------------------------------------------------------------- 1 | build --enable_platform_specific_config=true 2 | 3 | # Minumum C++ version. Override it building this project with 4 | # `bazel build --cxxopt='-std=c++' --host_cxxopt='c++' ...` 5 | # (Both -std and --host_cxxopt must be set to force the desired version.) 6 | build --cxxopt='-std=c++17' --host_cxxopt='-std=c++17' 7 | 8 | # Silence all C/C++ warnings in external code. 9 | # 10 | # Note that this will not silence warnings from external headers included 11 | # in project code. 12 | build --per_file_copt=external/.*@-w 13 | build --host_per_file_copt=external/.*@-w 14 | 15 | # https://github.com/protocolbuffers/protobuf/issues/20085 16 | build:windows --define=protobuf_allow_msvc=true 17 | 18 | # Configs for macOS on x86_64. 19 | build:macos_x86_64 --cpu=darwin 20 | # NOTE: If macos_minimum_os is unspecified, Bazel uses the default value of 21 | # macos_sdk_version which is taken from the default system Xcode [1], even if 22 | # MACOSX_DEPLOYMENT_TARGET is set [2]. 23 | # [1] https://bazel.build/reference/command-line-reference#flag--macos_minimum_os 24 | # [2] https://github.com/bazelbuild/bazel/issues/16932 25 | build:macos_x86_64 --macos_minimum_os=11.0 26 | 27 | # Configs for macOS on ARM64. 28 | build:macos_arm64 --cpu=darwin_arm64 29 | build:macos_arm64 --macos_cpus=arm64 30 | build:macos_arm64 --macos_minimum_os=11.0 31 | 32 | # See https://github.com/bazelbuild/bazel/issues/10472 33 | build:macos --copt=-isystem/usr/local/include 34 | -------------------------------------------------------------------------------- /examples/.bazelversion: -------------------------------------------------------------------------------- 1 | 8.2.1 2 | -------------------------------------------------------------------------------- /examples/BUILD.bazel: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tink-crypto/tink-py/36c290e70ca0e333768c99977b1dba9f3c1470bf/examples/BUILD.bazel -------------------------------------------------------------------------------- /examples/MODULE.bazel: -------------------------------------------------------------------------------- 1 | module( 2 | name = "tink_py_examples", 3 | version = "0.0.0", 4 | compatibility_level = 1, 5 | ) 6 | 7 | bazel_dep(name = "rules_python", version = "1.4.0") 8 | bazel_dep(name = "tink_py") 9 | local_path_override( 10 | module_name = "tink_py", 11 | path = "..", 12 | ) 13 | 14 | archive_override( 15 | module_name = "tink_cc", 16 | strip_prefix = "tink-cc-66fe913dc2edd0909e640afa5f05bb538c90b2d7", 17 | urls = ["https://github.com/tink-crypto/tink-cc/archive/66fe913dc2edd0909e640afa5f05bb538c90b2d7.zip"], 18 | ) 19 | 20 | http_file = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file") 21 | 22 | http_file( 23 | name = "google_root_pem", 24 | urls = ["https://pki.goog/roots.pem"], 25 | ) 26 | 27 | python = use_extension("@rules_python//python/extensions:python.bzl", "python") 28 | python.toolchain( 29 | is_default = True, 30 | python_version = "3.9", 31 | ) 32 | 33 | pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip") 34 | pip.parse( 35 | hub_name = "pip_deps", 36 | python_version = "3.9", 37 | requirements_lock = "@tink_py_examples//:requirements.txt", 38 | ) 39 | use_repo(pip, "pip_deps") 40 | -------------------------------------------------------------------------------- /examples/aead/BUILD.bazel: -------------------------------------------------------------------------------- 1 | load("@rules_python//python:defs.bzl", "py_binary") 2 | load("@pip_deps//:requirements.bzl", "requirement") 3 | 4 | package(default_visibility = ["//visibility:private"]) 5 | 6 | licenses(["notice"]) 7 | 8 | exports_files(["aead_test_keyset.json"]) 9 | 10 | py_binary( 11 | name = "aead_cli", 12 | srcs = ["aead_cli.py"], 13 | python_version = "PY3", 14 | deps = [ 15 | requirement("absl-py"), 16 | "@tink_py//tink:secret_key_access", 17 | "@tink_py//tink:tink_python", 18 | "@tink_py//tink/aead", 19 | ], 20 | ) 21 | 22 | py_library( 23 | name = "aead_basic", 24 | srcs = ["aead_basic.py"], 25 | deps = [ 26 | "@tink_py//tink:secret_key_access", 27 | "@tink_py//tink:tink_python", 28 | "@tink_py//tink/aead", 29 | ], 30 | ) 31 | 32 | py_test( 33 | name = "aead_basic_test", 34 | srcs = ["aead_basic_test.py"], 35 | python_version = "PY3", 36 | deps = [ 37 | requirement("absl-py"), 38 | ":aead_basic", 39 | ], 40 | ) 41 | 42 | sh_test( 43 | name = "aead_test", 44 | size = "small", 45 | srcs = ["aead_cli_test.sh"], 46 | args = [ 47 | "$(rootpath :aead_cli)", 48 | "$(rootpath :aead_test_keyset.json)", 49 | ], 50 | data = [ 51 | ":aead_cli", 52 | ":aead_test_keyset.json", 53 | ], 54 | ) 55 | 56 | # This runs the previous test assuming the Tink python package has been 57 | # installed previously with pip3 install. 58 | sh_test( 59 | name = "aead_test_package", 60 | size = "small", 61 | srcs = ["aead_cli_test.sh"], 62 | args = [ 63 | "'python3 $(rootpath :aead_cli.py)'", 64 | "$(rootpath :aead_test_keyset.json)", 65 | ], 66 | data = [ 67 | ":aead_cli.py", 68 | ":aead_test_keyset.json", 69 | ], 70 | ) 71 | -------------------------------------------------------------------------------- /examples/aead/README.md: -------------------------------------------------------------------------------- 1 | # Python AEAD example 2 | 3 | This example shows how to encrypt files with Tink using Authenticated Encryption 4 | with Associated Data (AEAD). 5 | 6 | It demonstrates the basic steps of using Tink, namely loading key material, 7 | obtaining a primitive, and using the primitive to do crypto. 8 | 9 | The key material was generated with Tinkey: 10 | 11 | ```shell 12 | $ tinkey create-keyset --key-template AES128_GCM --out-format JSON \ 13 | --out aead_test_keyset.json 14 | ``` 15 | 16 | ## Build and Run 17 | 18 | ### Bazel 19 | 20 | ```shell 21 | $ git clone https://github.com/tink-crypto/tink-py 22 | $ cd tink-py/examples 23 | $ bazel build ... 24 | ``` 25 | 26 | You can then encrypt a file with: 27 | 28 | ```shell 29 | $ echo "some data" > testdata.txt 30 | $ ./bazel-bin/aead/aead_cli --mode encrypt \ 31 | --keyset_path ./aead/aead_test_keyset.json \ 32 | --input_path testdata.txt --output_path testdata.txt.encrypted 33 | ``` 34 | 35 | and then decrypt the the output with: 36 | 37 | ```shell 38 | $ ./bazel-bin/aead/aead_cli --mode decrypt \ 39 | --keyset_path ./aead/aead_test_keyset.json \ 40 | --input_path testdata.txt.encrypted --output_path testdata.txt.decrypted 41 | $ diff testdata.txt testdata.txt.decrypted 42 | ``` 43 | -------------------------------------------------------------------------------- /examples/aead/aead_basic_test.py: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS-IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Tests for aead_basic.""" 15 | 16 | from absl.testing import absltest 17 | from aead import aead_basic 18 | 19 | 20 | class AeadSimpleTest(absltest.TestCase): 21 | 22 | def test_example_works(self): 23 | aead_basic.example() 24 | 25 | if __name__ == '__main__': 26 | absltest.main() 27 | -------------------------------------------------------------------------------- /examples/aead/aead_test_keyset.json: -------------------------------------------------------------------------------- 1 | { 2 | "primaryKeyId":1931667682, 3 | "key":[{ 4 | "keyData":{ 5 | "typeUrl":"type.googleapis.com/google.crypto.tink.AesGcmKey", 6 | "value":"GhD+9l0RANZjzZEZ8PDp7LRW", 7 | "keyMaterialType":"SYMMETRIC"}, 8 | "status":"ENABLED", 9 | "keyId":1931667682, 10 | "outputPrefixType":"TINK" 11 | }] 12 | } 13 | -------------------------------------------------------------------------------- /examples/cleartext_keyset/BUILD.bazel: -------------------------------------------------------------------------------- 1 | load("@rules_python//python:defs.bzl", "py_binary") 2 | load("@pip_deps//:requirements.bzl", "requirement") 3 | 4 | package(default_visibility = ["//visibility:private"]) 5 | 6 | licenses(["notice"]) 7 | 8 | py_binary( 9 | name = "cleartext_keyset_cli", 10 | srcs = ["cleartext_keyset_cli.py"], 11 | python_version = "PY3", 12 | deps = [ 13 | requirement("absl-py"), 14 | "@tink_py//tink:secret_key_access", 15 | "@tink_py//tink:tink_python", 16 | "@tink_py//tink/aead", 17 | ], 18 | ) 19 | 20 | sh_test( 21 | name = "cleartext_keyset_test", 22 | size = "small", 23 | srcs = ["cleartext_keyset_cli_test.sh"], 24 | args = [ 25 | "$(rootpath :cleartext_keyset_cli)", 26 | ], 27 | data = [ 28 | ":cleartext_keyset_cli", 29 | ], 30 | ) 31 | -------------------------------------------------------------------------------- /examples/cleartext_keyset/README.md: -------------------------------------------------------------------------------- 1 | # Python example: working with cleartext keysets 2 | 3 | This example shows how to generate or load a cleartext keyset, obtain a 4 | primitive, and use the primitive to do crypto. 5 | 6 | WARNING: this is not recommended, consider protecting your keysets with a key 7 | management system. 8 | 9 | ## Build and run 10 | 11 | ### Bazel 12 | 13 | ```shell 14 | $ git clone https://github.com/tink-crypto/tink-py 15 | $ cd tink-py/examples 16 | $ bazel build ... 17 | ``` 18 | 19 | You can generate a cleartext keyset: 20 | 21 | ```shell 22 | $ ./bazel-bin/cleartext_keyset/cleartext_keyset_cli --mode generate \ 23 | --keyset_path aes128_gcm_test_keyset.json 24 | ``` 25 | 26 | You can then encrypt a file with the resulting keyset: 27 | 28 | ```shell 29 | $ echo "some data" > testdata.txt 30 | $ ./bazel-bin/cleartext_keyset/cleartext_keyset_cli --mode encrypt \ 31 | --keyset_path aes128_gcm_test_keyset.json \ 32 | --input_path testdata.txt --output_path testdata.txt.encrypted 33 | ``` 34 | 35 | Or decrypt a file with: 36 | 37 | ```shell 38 | $ ./bazel-bin/cleartext_keyset/cleartext_keyset_cli --mode decrypt \ 39 | --keyset_path aes128_gcm_test_keyset.json \ 40 | --input_path testdata.txt.encrypted --output_path testdata.txt.decrypted 41 | 42 | $ diff testdata.txt testdata.txt.decrypted 43 | ``` 44 | -------------------------------------------------------------------------------- /examples/deterministic_aead/README.md: -------------------------------------------------------------------------------- 1 | # Python Deterministic AEAD example 2 | 3 | This example shows how to encrypt files with Tink using Deterministic 4 | Authenticated Encryption with Associated Data (Deterministic AEAD). 5 | 6 | It demonstrates the basic steps of using Tink, namely loading key material, 7 | obtaining a primitive, and using the primitive to do crypto. 8 | 9 | The key material was generated with Tinkey: 10 | 11 | ```shell 12 | $ tinkey create-keyset --key-template AES256_SIV --out-format JSON \ 13 | --out deterministic_aead_test_keyset.json 14 | ``` 15 | 16 | ## Build and run 17 | 18 | ### Bazel 19 | 20 | ```shell 21 | $ git clone https://github.com/tink-crypto/tink-py 22 | $ cd tink-py/examples 23 | $ bazel build ... 24 | ``` 25 | 26 | You can then encrypt a file 27 | 28 | ```shell 29 | $ echo "some data" > testdata.txt 30 | $ ./bazel-bin/deterministic_aead/deterministic_aead_cli --mode encrypt \ 31 | --keyset_path deterministic_aead/deterministic_aead_test_keyset.json \ 32 | --input_path testdata.txt --output_path testdata.txt.encrypted 33 | ``` 34 | 35 | or decrypt the file with 36 | 37 | ```shell 38 | $ ./bazel-bin/deterministic_aead/deterministic_aead_cli --mode decrypt \ 39 | --keyset_path deterministic_aead/deterministic_aead_test_keyset.json \ 40 | --input_path testdata.txt.encrypted --output_path testdata.txt.decrypted 41 | $ diff testdata.txt testdata.txt.decrypted 42 | ``` 43 | -------------------------------------------------------------------------------- /examples/deterministic_aead/deterministic_aead_basic_test.py: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS-IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Tests for deterministic_aead_basic.""" 15 | 16 | from absl.testing import absltest 17 | from deterministic_aead import deterministic_aead_basic 18 | 19 | 20 | class DeterministicAeadSimpleTest(absltest.TestCase): 21 | 22 | def test_example_works(self): 23 | deterministic_aead_basic.example() 24 | 25 | if __name__ == '__main__': 26 | absltest.main() 27 | -------------------------------------------------------------------------------- /examples/deterministic_aead/deterministic_aead_test_keyset.json: -------------------------------------------------------------------------------- 1 | {"primaryKeyId":208885046,"key":[{"keyData":{"typeUrl":"type.googleapis.com/google.crypto.tink.AesSivKey","value":"EkDngrgZl+A18GbzL1RKVhXCdSnLoMvbV3H3iwhHWnU7Hu1YLTJCbGgIvUcalJgKFvJuE6OIIcANrPd4NotOPQAv","keyMaterialType":"SYMMETRIC"},"status":"ENABLED","keyId":208885046,"outputPrefixType":"TINK"}]} 2 | -------------------------------------------------------------------------------- /examples/envelope_aead/BUILD.bazel: -------------------------------------------------------------------------------- 1 | load("@rules_python//python:defs.bzl", "py_binary") 2 | load("@pip_deps//:requirements.bzl", "requirement") 3 | 4 | package(default_visibility = ["//visibility:private"]) 5 | 6 | licenses(["notice"]) 7 | 8 | py_binary( 9 | name = "envelope_cli", 10 | srcs = ["envelope_cli.py"], 11 | python_version = "PY3", 12 | deps = [ 13 | requirement("absl-py"), 14 | "@tink_py//tink:tink_python", 15 | "@tink_py//tink/integration/gcpkms", 16 | ], 17 | ) 18 | 19 | # In order to run this test, use your own Cloud KMS key and credential: 20 | sh_test( 21 | name = "envelope_test", 22 | size = "small", 23 | srcs = ["envelope_cli_test.sh"], 24 | args = [ 25 | "$(rootpath :envelope_cli)", 26 | # Change this to your key. 27 | "gcp-kms://projects/tink-test-infrastructure/locations/global/keyRings/unit-and-integration-testing/cryptoKeys/aead-key", 28 | # Change this to your credential. 29 | "$(rootpath //testdata/gcp:credential.json)", 30 | ], 31 | data = [ 32 | ":envelope_cli", 33 | "@google_root_pem//file", 34 | # Change this to your credential. 35 | "//testdata/gcp:credential.json", 36 | ], 37 | tags = ["manual"], 38 | ) 39 | 40 | # This runs the previous test, assuming the Tink python package has been 41 | # installed previously with pip3 install. 42 | sh_test( 43 | name = "envelope_test_package", 44 | size = "small", 45 | srcs = ["envelope_cli_test.sh"], 46 | args = [ 47 | "'python3 $(rootpath :envelope_cli.py)'", 48 | # Change this to your key. 49 | "gcp-kms://projects/tink-test-infrastructure/locations/global/keyRings/unit-and-integration-testing/cryptoKeys/aead-key", 50 | # Change this to your credential. 51 | "$(rootpath //testdata/gcp:credential.json)", 52 | ], 53 | data = [ 54 | ":envelope_cli.py", 55 | "@google_root_pem//file", 56 | # Change this to your credential. 57 | "//testdata/gcp:credential.json", 58 | ], 59 | tags = ["manual"], 60 | ) 61 | -------------------------------------------------------------------------------- /examples/hybrid/README.md: -------------------------------------------------------------------------------- 1 | # Python hybrid encryption example 2 | 3 | This example shows how to encrypt data with Tink using hybrid encryption. 4 | 5 | It demonstrates the basic steps of using Tink, namely loading key material, 6 | obtaining a primitive, and using the primitive to do crypto. 7 | 8 | The key material was generated with Tinkey: 9 | 10 | ```shell 11 | $ tinkey create-keyset \ 12 | --key-template DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_256_GCM \ 13 | --out-format JSON --out hybrid_test_private_keyset.json 14 | 15 | $ tinkey create-public-keyset --in hybrid_test_private_keyset.json \ 16 | --in-format JSON --out-format JSON --out hybrid_test_public_keyset.json 17 | ``` 18 | 19 | ## Build and Run 20 | 21 | ### Bazel 22 | 23 | ```shell 24 | $ git clone https://github.com/tink-crypto/tink-py 25 | $ cd tink-py/examples 26 | $ bazel build ... 27 | ``` 28 | 29 | You can then encrypt a file: 30 | 31 | ```shell 32 | $ echo "some data" > testdata.txt 33 | $ ./bazel-bin/hybrid/hybrid_cli --mode encrypt \ 34 | --keyset_path ./hybrid/hybrid_test_public_keyset.json \ 35 | --input_path testdata.txt --output_path testdata.txt.encrypted 36 | ``` 37 | 38 | Or decrypt the file with: 39 | 40 | ```shell 41 | $ ./bazel-bin/hybrid/hybrid_cli --mode decrypt \ 42 | --keyset_path ./hybrid/hybrid_test_private_keyset.json \ 43 | --input_path testdata.txt.encrypted --output_path testdata.txt.decrypted 44 | $ diff testdata.txt testdata.txt.decrypted 45 | ``` 46 | -------------------------------------------------------------------------------- /examples/hybrid/hybrid_basic_test.py: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS-IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Tests for hybrid_basic.""" 15 | 16 | from absl.testing import absltest 17 | from hybrid import hybrid_basic 18 | 19 | 20 | class HybridEncryptionSimpleTest(absltest.TestCase): 21 | 22 | def test_example_works(self): 23 | hybrid_basic.example() 24 | 25 | 26 | if __name__ == '__main__': 27 | absltest.main() 28 | -------------------------------------------------------------------------------- /examples/hybrid/hybrid_test_private_keyset.json: -------------------------------------------------------------------------------- 1 | {"primaryKeyId":958452012,"key":[{"keyData":{"typeUrl":"type.googleapis.com/google.crypto.tink.HpkePrivateKey","value":"EioSBggBEAEYAhogVWQpmQoz74jcAp5WOD36KiBQ71MVCpn2iWfOzWLtKV4aINfn8qlMbyijNJcCzrafjsgJ493ZZGN256KTfKw0WN+p","keyMaterialType":"ASYMMETRIC_PRIVATE"},"status":"ENABLED","keyId":958452012,"outputPrefixType":"TINK"}]} 2 | -------------------------------------------------------------------------------- /examples/hybrid/hybrid_test_public_keyset.json: -------------------------------------------------------------------------------- 1 | {"primaryKeyId":958452012,"key":[{"keyData":{"typeUrl":"type.googleapis.com/google.crypto.tink.HpkePublicKey","value":"EgYIARABGAIaIFVkKZkKM++I3AKeVjg9+iogUO9TFQqZ9olnzs1i7Sle","keyMaterialType":"ASYMMETRIC_PUBLIC"},"status":"ENABLED","keyId":958452012,"outputPrefixType":"TINK"}]} 2 | -------------------------------------------------------------------------------- /examples/jwt/README.md: -------------------------------------------------------------------------------- 1 | # Python JWT signature example 2 | 3 | This example shows how to generate and verify Json Web Tokens (JWT) with Tink. 4 | 5 | It demonstrates the basic steps of using Tink, namely loading key material, 6 | obtaining a primitive, and using the primitive to do crypto. 7 | 8 | The key material was generated with: 9 | 10 | ```shell 11 | $ tinkey create-keyset --key-template JWT_ES256 --out-format JSON \ 12 | --out jwt_test_private_keyset.json 13 | 14 | $ tinkey create-public-keyset --in jwt_test_private_keyset.json \ 15 | --in-format JSON --out jwt_test_public_keyset.json --out-format JSON 16 | ``` 17 | 18 | Note that these keysets use Tink's JSON keyset format, which is different and 19 | not compatible with JSON Web Key set (JWK set) format. 20 | 21 | ## Build and run 22 | 23 | ### Bazel 24 | 25 | Build the examples: 26 | 27 | ```shell 28 | $ git clone https://github.com/tink-crypto/tink-py 29 | $ cd tink-py/examples 30 | $ bazel build ... 31 | ``` 32 | 33 | Generate a JWT token using the private keyset: 34 | 35 | ```shell 36 | $ touch token_file.txt 37 | 38 | $ ./bazel-bin/jwt/jwt_sign_cli \ 39 | --private_keyset_path ./jwt/jwt_test_private_keyset.json \ 40 | --audience "audience" --token_path token_file.txt 41 | ``` 42 | 43 | You can convert the public keyset into 44 | [JWK Set](https://datatracker.ietf.org/doc/html/rfc7517#section-5) format. This 45 | is useful if you want to share the public keyset with someone who is not using 46 | Tink. Note that this functionality was added after the release v1.7.0. 47 | 48 | ```shell 49 | $ touch public_jwk_set.json 50 | 51 | $ ./bazel-bin/jwt/jwt_generate_public_jwk_set \ 52 | --public_keyset_path ./jwt/jwt_test_private_keyset.json \ 53 | --public_jwk_set_path public_jwk_set.json 54 | ``` 55 | 56 | You can verify a token using a public keyset given in JWK Set format: 57 | 58 | ```shell 59 | $ ./bazel-bin/jwt/jwt_verify_cli \ 60 | --public_jwk_set_path public_jwk_set.json \ 61 | --audience "audience" --token_path token_file.txt 62 | ``` 63 | -------------------------------------------------------------------------------- /examples/jwt/jwt_test_private_keyset.json: -------------------------------------------------------------------------------- 1 | { 2 | "primaryKeyId": 1742360595, 3 | "key": [ 4 | { 5 | "keyData": { 6 | "typeUrl": "type.googleapis.com/google.crypto.tink.JwtEcdsaPrivateKey", 7 | "value": "GiBgVYdAPg3Fa2FVFymGDYrI1trHMzVjhVNEMpIxG7t0HRJGIiBeoDMF9LS5BDCh6YgqE3DjHwWwnEKEI3WpPf8izEx1rRogbjQTXrTcw/1HKiiZm2Hqv41w7Vd44M9koyY/+VsP+SAQAQ==", 8 | "keyMaterialType": "ASYMMETRIC_PRIVATE" 9 | }, 10 | "status": "ENABLED", 11 | "keyId": 1742360595, 12 | "outputPrefixType": "TINK" 13 | } 14 | ] 15 | } 16 | -------------------------------------------------------------------------------- /examples/jwt/jwt_test_public_keyset.json: -------------------------------------------------------------------------------- 1 | { 2 | "primaryKeyId": 1742360595, 3 | "key": [ 4 | { 5 | "keyData": { 6 | "typeUrl": "type.googleapis.com/google.crypto.tink.JwtEcdsaPublicKey", 7 | "value": "EAEaIG40E1603MP9RyoomZth6r+NcO1XeODPZKMmP/lbD/kgIiBeoDMF9LS5BDCh6YgqE3DjHwWwnEKEI3WpPf8izEx1rQ==", 8 | "keyMaterialType": "ASYMMETRIC_PUBLIC" 9 | }, 10 | "status": "ENABLED", 11 | "keyId": 1742360595, 12 | "outputPrefixType": "TINK" 13 | } 14 | ] 15 | } 16 | -------------------------------------------------------------------------------- /examples/mac/BUILD.bazel: -------------------------------------------------------------------------------- 1 | load("@rules_python//python:defs.bzl", "py_binary") 2 | load("@pip_deps//:requirements.bzl", "requirement") 3 | 4 | package(default_visibility = ["//visibility:private"]) 5 | 6 | licenses(["notice"]) 7 | 8 | exports_files(["mac_test_keyset.json"]) 9 | 10 | py_binary( 11 | name = "mac_cli", 12 | srcs = ["mac_cli.py"], 13 | python_version = "PY3", 14 | deps = [ 15 | requirement("absl-py"), 16 | "@tink_py//tink:secret_key_access", 17 | "@tink_py//tink:tink_python", 18 | "@tink_py//tink/mac", 19 | ], 20 | ) 21 | 22 | sh_test( 23 | name = "mac_test", 24 | size = "small", 25 | srcs = ["mac_cli_test.sh"], 26 | args = [ 27 | "$(rootpath :mac_cli)", 28 | "$(rootpath :mac_test_keyset.json)", 29 | ], 30 | data = [ 31 | ":mac_cli", 32 | ":mac_test_keyset.json", 33 | ], 34 | ) 35 | 36 | # This runs the previous test assuming the Tink python package has been 37 | # installed previously with pip3 install. 38 | sh_test( 39 | name = "mac_test_package", 40 | size = "small", 41 | srcs = ["mac_cli_test.sh"], 42 | args = [ 43 | "'python3 $(rootpath :mac_cli.py)'", 44 | "$(rootpath :mac_test_keyset.json)", 45 | ], 46 | data = [ 47 | ":mac_cli.py", 48 | ":mac_test_keyset.json", 49 | ], 50 | ) 51 | 52 | py_library( 53 | name = "mac_basic", 54 | srcs = ["mac_basic.py"], 55 | deps = [ 56 | "@tink_py//tink:secret_key_access", 57 | "@tink_py//tink:tink_python", 58 | "@tink_py//tink/mac", 59 | ], 60 | ) 61 | 62 | py_test( 63 | name = "mac_basic_test", 64 | srcs = ["mac_basic_test.py"], 65 | python_version = "PY3", 66 | deps = [ 67 | requirement("absl-py"), 68 | ":mac_basic", 69 | ], 70 | ) 71 | -------------------------------------------------------------------------------- /examples/mac/README.md: -------------------------------------------------------------------------------- 1 | # Python MAC example 2 | 3 | This example shows how to check the integrity of data using Message 4 | Authentication Code (MAC). 5 | 6 | It demonstrates the basic steps of using Tink, namely loading key material, 7 | obtaining a primitive, and using the primitive to do crypto. 8 | 9 | The key material was generated with: 10 | 11 | ```shell 12 | $ tinkey create-keyset --key-template HMAC_SHA256_256BITTAG --out-format JSON \ 13 | --out mac_test_keyset.json 14 | ``` 15 | 16 | ## Build and Run 17 | 18 | ### Bazel 19 | 20 | Build the examples: 21 | 22 | ```shell 23 | $ git clone https://github.com/tink-crypto/tink-py 24 | $ cd tink-py/examples 25 | $ bazel build ... 26 | ``` 27 | 28 | Compute a MAC: 29 | 30 | ```shell 31 | $ echo "some data" > data.txt 32 | $ touch mac_file.txt 33 | $ ./bazel-bin/mac/mac_cli --mode compute \ 34 | --keyset_path ./mac/mac_test_keyset.json \ 35 | --data_path data.txt --mac_path mac_file.txt 36 | ``` 37 | 38 | Verify a MAC: 39 | 40 | ```shell 41 | $ ./bazel-bin/mac/mac_cli --mode verify \ 42 | --keyset_path ./mac/mac_test_keyset.json \ 43 | --data_path data.txt --mac_path mac_file.txt 44 | ``` 45 | -------------------------------------------------------------------------------- /examples/mac/mac_basic_test.py: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS-IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Tests for mac_basic.""" 15 | 16 | from absl.testing import absltest 17 | from mac import mac_basic 18 | 19 | 20 | class MacBasicTest(absltest.TestCase): 21 | 22 | def test_example_works(self): 23 | mac_basic.example() 24 | 25 | if __name__ == '__main__': 26 | absltest.main() 27 | -------------------------------------------------------------------------------- /examples/mac/mac_test_keyset.json: -------------------------------------------------------------------------------- 1 | { 2 | "primaryKeyId": 691856985, 3 | "key": [{ 4 | "keyData": { 5 | "typeUrl": "type.googleapis.com/google.crypto.tink.HmacKey", 6 | "keyMaterialType": "SYMMETRIC", 7 | "value": "EgQIAxAgGiDZsmkTufMG/XlKlk9m7bqxustjUPT2YULEVm8mOp2mSA\u003d\u003d" 8 | }, 9 | "outputPrefixType": "TINK", 10 | "keyId": 691856985, 11 | "status": "ENABLED" 12 | }] 13 | } 14 | -------------------------------------------------------------------------------- /examples/requirements.in: -------------------------------------------------------------------------------- 1 | absl-py>=2.1.0 2 | google-cloud-storage>=3.0.0 3 | protobuf>=6.30.2 4 | # We need to explicitly add rules to be able to use protobuf>=5. 5 | google-api-core>=2.24.2 6 | proto-plus>=1.26.1 7 | googleapis_common_protos>=1.70.0 8 | -------------------------------------------------------------------------------- /examples/signature/README.md: -------------------------------------------------------------------------------- 1 | # Python digital signature example 2 | 3 | This example shows how to sign and verify data with Tink using digital 4 | signatures. 5 | 6 | It demonstrates the basic steps of using Tink, namely loading key material, 7 | obtaining a primitive, and using the primitive to do crypto. 8 | 9 | The key material was generated with: 10 | 11 | ```shell 12 | $ tinkey create-keyset --key-template ECDSA_P256 --out-format JSON \ 13 | --out signature_test_private_keyset.json 14 | $ tinkey create-public-keyset --in signature_test_private_keyset.json \ 15 | --in-format JSON --out-format JSON --out signature_test_public_keyset.json 16 | ``` 17 | 18 | ## Build and run 19 | 20 | ### Bazel 21 | 22 | Build the examples: 23 | 24 | ```shell 25 | $ git clone https://github.com/tink-crypto/tink-py 26 | $ cd tink-py/examples 27 | $ bazel build ... 28 | ``` 29 | 30 | Generate a signature: 31 | 32 | ```shell 33 | $ echo "some data" > data.txt 34 | $ touch signature_file.txt 35 | 36 | $ ./bazel-bin/signature/signature_cli --mode sign \ 37 | --keyset_path ./signature/signature_test_private_keyset.json \ 38 | --data_path data.txt --signature_path signature_file.txt 39 | ``` 40 | 41 | Verify a signature: 42 | 43 | ```shell 44 | $ ./bazel-bin/signature/signature_cli --mode verify \ 45 | --keyset_path ./signature/signature_test_public_keyset.json \ 46 | --data_path data.txt --signature_path signature_file.txt 47 | ``` 48 | -------------------------------------------------------------------------------- /examples/signature/signature_basic_test.py: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS-IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Tests for signature_basic.""" 15 | 16 | from absl.testing import absltest 17 | from signature import signature_basic 18 | 19 | 20 | class SignatureSimpleTest(absltest.TestCase): 21 | 22 | def test_example_works(self): 23 | signature_basic.example() 24 | 25 | if __name__ == '__main__': 26 | absltest.main() 27 | -------------------------------------------------------------------------------- /examples/signature/signature_test_private_keyset.json: -------------------------------------------------------------------------------- 1 | { 2 | "primaryKeyId":646750478, 3 | "key":[{ 4 | "keyData":{ 5 | "typeUrl":"type.googleapis.com/google.crypto.tink.EcdsaPrivateKey", 6 | "value":"EkwSBggDEAIYAhogQize3DetIS6sranu+JIGslvc7eVVGiDmd74DJpk2o8MiIAeM+KTUD1EgPmdmw0Z8Fa5PYVgybse/la3H2N6mXGyXGiBp3iULXOQBKfr/24De3jw3QDy+kwhb3VqJIxNjztDrHQ==", 7 | "keyMaterialType":"ASYMMETRIC_PRIVATE"}, 8 | "status":"ENABLED", 9 | "keyId":646750478, 10 | "outputPrefixType":"TINK"}] 11 | } 12 | -------------------------------------------------------------------------------- /examples/signature/signature_test_public_keyset.json: -------------------------------------------------------------------------------- 1 | { 2 | "primaryKeyId":646750478, 3 | "key":[ 4 | {"keyData": 5 | {"typeUrl":"type.googleapis.com/google.crypto.tink.EcdsaPublicKey", 6 | "value":"EgYIAxACGAIaIEIs3tw3rSEurK2p7viSBrJb3O3lVRog5ne+AyaZNqPDIiAHjPik1A9RID5nZsNGfBWuT2FYMm7Hv5Wtx9jeplxslw==", 7 | "keyMaterialType":"ASYMMETRIC_PUBLIC"}, 8 | "status":"ENABLED", 9 | "keyId":646750478, 10 | "outputPrefixType":"TINK"} 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /examples/streaming_aead/BUILD.bazel: -------------------------------------------------------------------------------- 1 | load("@rules_python//python:defs.bzl", "py_binary") 2 | load("@pip_deps//:requirements.bzl", "requirement") 3 | 4 | package(default_visibility = ["//visibility:private"]) 5 | 6 | licenses(["notice"]) 7 | 8 | exports_files([ 9 | "streaming_aead_keyset.json", 10 | ]) 11 | 12 | py_binary( 13 | name = "streaming_aead_cli", 14 | srcs = ["streaming_aead_cli.py"], 15 | python_version = "PY3", 16 | deps = [ 17 | requirement("absl-py"), 18 | "@tink_py//tink:secret_key_access", 19 | "@tink_py//tink:tink_python", 20 | "@tink_py//tink/streaming_aead", 21 | ], 22 | ) 23 | 24 | sh_test( 25 | name = "streaming_aead_test", 26 | size = "small", 27 | srcs = ["streaming_aead_cli_test.sh"], 28 | args = [ 29 | "$(rootpath :streaming_aead_cli)", 30 | "$(rootpath :streaming_aead_keyset.json)", 31 | ], 32 | data = [ 33 | ":streaming_aead_cli", 34 | ":streaming_aead_keyset.json", 35 | ], 36 | ) 37 | 38 | # This runs the previous test assuming the Tink python package has been 39 | # installed previously with pip3 install. 40 | sh_test( 41 | name = "streaming_aead_test_package", 42 | size = "small", 43 | srcs = ["streaming_aead_cli_test.sh"], 44 | args = [ 45 | "'python3 $(rootpath :streaming_aead_cli.py)'", 46 | "$(rootpath :streaming_aead_keyset.json)", 47 | ], 48 | data = [ 49 | ":streaming_aead_cli", 50 | ":streaming_aead_cli.py", 51 | ":streaming_aead_keyset.json", 52 | ], 53 | ) 54 | -------------------------------------------------------------------------------- /examples/streaming_aead/README.md: -------------------------------------------------------------------------------- 1 | # Python streaming AEAD example 2 | 3 | This example shows how to encrypt files with Tink using streaming Authenticated 4 | Encryption with Associated Data (AEAD). 5 | 6 | It demonstrates the basic steps of using Tink, namely loading key material, 7 | obtaining a primitive, and using the primitive to do crypto. 8 | 9 | The key material was generated using Tinkey: 10 | 11 | ```shell 12 | $ tinkey create-keyset --key-template AES256_CTR_HMAC_SHA256_1MB \ 13 | --out-format JSON --out streaming_aead_keyset.json 14 | ``` 15 | 16 | ## Build and run 17 | 18 | ### Bazel 19 | 20 | Build the examples: 21 | 22 | ```shell 23 | $ git clone https://github.com/tink-crypto/tink-py 24 | $ cd tink-py/examples 25 | $ bazel build ... 26 | ``` 27 | 28 | You can then encrypt a file with: 29 | 30 | ```shell 31 | $ echo "some data" > testdata.txt 32 | 33 | $ ./bazel-bin/streaming_aead/streaming_aead_cli --mode encrypt \ 34 | --keyset_path ./streaming_aead/streaming_aead_keyset.json \ 35 | --input_path testdata.txt \ 36 | --output_path testdata.txt.ciphertext 37 | ``` 38 | 39 | And then decrypt the the output with: 40 | 41 | ```shell 42 | $ ./bazel-bin/streaming_aead/streaming_aead_cli --mode decrypt \ 43 | --keyset_path ./streaming_aead/streaming_aead_keyset.json \ 44 | --input_path testdata.txt.ciphertext \ 45 | --output_path testdata.txt.plaintext 46 | 47 | $ diff testdata.txt testdata.txt.decrypted 48 | ``` 49 | -------------------------------------------------------------------------------- /examples/streaming_aead/streaming_aead_keyset.json: -------------------------------------------------------------------------------- 1 | { 2 | "primaryKeyId": 1720777699, 3 | "key": [{ 4 | "keyData": { 5 | "typeUrl": "type.googleapis.com/google.crypto.tink.AesCtrHmacStreamingKey", 6 | "keyMaterialType": "SYMMETRIC", 7 | "value": "Eg0IgCAQIBgDIgQIAxAgGiDtesd/4gCnQdTrh+AXodwpm2b6BFJkp043n+8mqx0YGw==" 8 | }, 9 | "outputPrefixType": "RAW", 10 | "keyId": 1720777699, 11 | "status": "ENABLED" 12 | }] 13 | } 14 | -------------------------------------------------------------------------------- /examples/testdata/aws/BUILD.bazel: -------------------------------------------------------------------------------- 1 | package(default_visibility = ["//visibility:public"]) 2 | 3 | licenses(["notice"]) 4 | 5 | filegroup( 6 | name = "credentials", 7 | testonly = 1, 8 | srcs = [ 9 | "credentials.cred", 10 | "credentials.csv", 11 | "credentials.ini", 12 | "key_arn.txt", 13 | ], 14 | ) 15 | 16 | filegroup( 17 | name = "bad_credentials", 18 | testonly = 1, 19 | srcs = [ 20 | "access_keys_bad.csv", 21 | "credentials_bad.csv", 22 | "credentials_bad.ini", 23 | "key_arn_bad.txt", 24 | ], 25 | ) 26 | -------------------------------------------------------------------------------- /examples/testdata/aws/access_keys_bad.csv: -------------------------------------------------------------------------------- 1 | Access key ID,Secret access key 2 | AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY 3 | -------------------------------------------------------------------------------- /examples/testdata/aws/credentials.cred: -------------------------------------------------------------------------------- 1 | [default] 2 | accessKey = AKIAIIK5X7P3NAHNSNUQ 3 | secretKey = c7k55Gw83QlN1gYBhVPEEn1pKV909sxbll8JOvHF 4 | -------------------------------------------------------------------------------- /examples/testdata/aws/credentials.csv: -------------------------------------------------------------------------------- 1 | User name,Password,Access key ID,Secret access key,Console login link 2 | tink-user1,,AKIAIIK5X7P3NAHNSNUQ,c7k55Gw83QlN1gYBhVPEEn1pKV909sxbll8JOvHF,https://235739564943.signin.aws.amazon.com/console 3 | 4 | -------------------------------------------------------------------------------- /examples/testdata/aws/credentials.ini: -------------------------------------------------------------------------------- 1 | [default] 2 | aws_access_key_id = AKIAIIK5X7P3NAHNSNUQ 3 | aws_secret_access_key = c7k55Gw83QlN1gYBhVPEEn1pKV909sxbll8JOvHF 4 | -------------------------------------------------------------------------------- /examples/testdata/aws/credentials_bad.csv: -------------------------------------------------------------------------------- 1 | User name,Password,Access key ID,Secret access key 2 | ,,AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY 3 | -------------------------------------------------------------------------------- /examples/testdata/aws/credentials_bad.ini: -------------------------------------------------------------------------------- 1 | [default] 2 | aws_access_key_id = AKIAIOSFODNN7EXAMPLE 3 | aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY 4 | -------------------------------------------------------------------------------- /examples/testdata/aws/key_arn.txt: -------------------------------------------------------------------------------- 1 | arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f 2 | -------------------------------------------------------------------------------- /examples/testdata/aws/key_arn_bad.txt: -------------------------------------------------------------------------------- 1 | arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012 2 | -------------------------------------------------------------------------------- /examples/testdata/gcp/BUILD.bazel: -------------------------------------------------------------------------------- 1 | package(default_visibility = ["//visibility:public"]) 2 | 3 | licenses(["notice"]) 4 | 5 | exports_files(srcs = ["credential.json"]) 6 | 7 | filegroup( 8 | name = "credentials", 9 | testonly = 1, 10 | srcs = [ 11 | "credential.json", 12 | "key_name.txt", 13 | ], 14 | ) 15 | 16 | filegroup( 17 | name = "bad_credentials", 18 | testonly = 1, 19 | srcs = [ 20 | "credential_bad.json", 21 | "key_name_bad.txt", 22 | ], 23 | ) 24 | -------------------------------------------------------------------------------- /examples/testdata/gcp/README.md: -------------------------------------------------------------------------------- 1 | This folder contains GCP credentials that are used for testing Tink. 2 | 3 | For security reasons, all credentials in this folder are invalid. 4 | 5 | If you want to run tests that depend on them, please create your own 6 | [Cloud KMS key](https://cloud.google.com/kms/docs/creating-keys), and copy the 7 | credentials to `gcp/credential.json` and the key URI to `gcp/key_name.txt`. 8 | -------------------------------------------------------------------------------- /examples/testdata/gcp/credential.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "service_account", 3 | "project_id": "tink-test-infrastructure", 4 | "private_key_id": "some_bad_private_key_id", 5 | "private_key": "-----BEGIN PRIVATE KEY-----\nMIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMtJlaQD79xGIC28\nowTpj7wkdi34piSubtDKttgC3lL00ioyQf/WMqLnyDWySNufCjhavQ7/sxXQAUCL\n5B3WDwM8+mFqQM2wJB18NBWBSfGOFSMwVQyWv7Y/1AFr+PvNKVlw4RZ4G8VuJzXZ\n9v/+5zyKv8py66sGVoHPI+LGfIprAgMBAAECgYEAxcgX8PVrnrITiKwpJxReJbyL\nxnpOmw2i/zza3BseVzOebjNrhw/NQDWl0qhcvmBjvyR5IGiiwiwXq8bu8CBdhRiE\nw3vKf1iuVOKhH07RB2wvCaGbVlB/p15gYau3sTRn5nej0tjYHX7xa/St/DwPk2H/\nxYGTRhyYtNL6wdtMjYECQQD+LVVJf0rLnxyPADTcz7Wdb+FUX79nWtMlzQOEB09+\nJj4ie0kD0cIvTQFjV3pOsg3uW2khFpjg110TXpJJfPjhAkEAzL7RhhfDdL7Dn2zl\n1orUthcGa2pzEAmg1tGBNb1pOg7LbVHKSa3GOOwyPRsActoyrPw18/fXaJdEfByY\ne9kwywJAB7rHMjH9y01uZ+bgtKpYYo5JcvBqeLEpZKfkaHp0b2ioURIguU4Csr+L\nwEKjxIrjo5ECFHCEe6nw+arRlgyH4QJBAIfQmEn733LEzB0n7npXU2yKb363eSYN\nTPzSsoREZdXWVIjqtWYUeKXvwA+apryJEw5+qwdvwxslJI+zpE6bLusCQE6M1lO9\nN6A3PtQv7Z3XwrEE/sPEVv4M4VHj0YHLs/32UuSXq5taMizKILfis1Stry4WjRHp\nQxEqdLrIkb13NH8=\n-----END PRIVATE KEY-----", 6 | "client_email": "unit-and-integration-testing@tink-test-infrastructure.iam.gserviceaccount.com", 7 | "client_id": "111876397550362269561", 8 | "auth_uri": "https://accounts.google.com/o/oauth2/auth", 9 | "token_uri": "https://accounts.google.com/o/oauth2/token", 10 | "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", 11 | "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/unit-and-integration-testing%40tink-test-infrastructure.iam.gserviceaccount.com" 12 | } 13 | -------------------------------------------------------------------------------- /examples/testdata/gcp/credential_bad.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "service_account", 3 | "project_id": "tink-test-infrastructure", 4 | "private_key_id": "some_bad_private_key_id", 5 | "private_key": "-----BEGIN PRIVATE KEY-----\nMIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMtJlaQD79xGIC28\nowTpj7wkdi34piSubtDKttgC3lL00ioyQf/WMqLnyDWySNufCjhavQ7/sxXQAUCL\n5B3WDwM8+mFqQM2wJB18NBWBSfGOFSMwVQyWv7Y/1AFr+PvNKVlw4RZ4G8VuJzXZ\n9v/+5zyKv8py66sGVoHPI+LGfIprAgMBAAECgYEAxcgX8PVrnrITiKwpJxReJbyL\nxnpOmw2i/zza3BseVzOebjNrhw/NQDWl0qhcvmBjvyR5IGiiwiwXq8bu8CBdhRiE\nw3vKf1iuVOKhH07RB2wvCaGbVlB/p15gYau3sTRn5nej0tjYHX7xa/St/DwPk2H/\nxYGTRhyYtNL6wdtMjYECQQD+LVVJf0rLnxyPADTcz7Wdb+FUX79nWtMlzQOEB09+\nJj4ie0kD0cIvTQFjV3pOsg3uW2khFpjg110TXpJJfPjhAkEAzL7RhhfDdL7Dn2zl\n1orUthcGa2pzEAmg1tGBNb1pOg7LbVHKSa3GOOwyPRsActoyrPw18/fXaJdEfByY\ne9kwywJAB7rHMjH9y01uZ+bgtKpYYo5JcvBqeLEpZKfkaHp0b2ioURIguU4Csr+L\nwEKjxIrjo5ECFHCEe6nw+arRlgyH4QJBAIfQmEn733LEzB0n7npXU2yKb363eSYN\nTPzSsoREZdXWVIjqtWYUeKXvwA+apryJEw5+qwdvwxslJI+zpE6bLusCQE6M1lO9\nN6A3PtQv7Z3XwrEE/sPEVv4M4VHj0YHLs/32UuSXq5taMizKILfis1Stry4WjRHp\nQxEqdLrIkb13NH8=\n-----END PRIVATE KEY-----", 6 | "client_email": "unit-and-integration-testing@tink-test-infrastructure.iam.gserviceaccount.com", 7 | "client_id": "111876397550362269561", 8 | "auth_uri": "https://accounts.google.com/o/oauth2/auth", 9 | "token_uri": "https://accounts.google.com/o/oauth2/token", 10 | "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", 11 | "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/unit-and-integration-testing%40tink-test-infrastructure.iam.gserviceaccount.com" 12 | } 13 | -------------------------------------------------------------------------------- /examples/testdata/gcp/key_name.txt: -------------------------------------------------------------------------------- 1 | projects/tink-test-infrastructure/locations/global/keyRings/unit-and-integration-testing/cryptoKeys/aead-key 2 | 3 | -------------------------------------------------------------------------------- /examples/testdata/gcp/key_name_bad.txt: -------------------------------------------------------------------------------- 1 | projects/non-existing-project/locations/global/keyRings/some-key-ring/cryptoKeys/aead-key 2 | 3 | -------------------------------------------------------------------------------- /examples/walkthrough/create_keyset.py: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS-IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Example to showcase how to create a keyset.""" 15 | # [START tink_walkthrough_create_keyset] 16 | import tink 17 | from tink import aead 18 | 19 | 20 | def CreateAead128GcmKeyset() -> tink.KeysetHandle: 21 | """Creates a keyset with a single AES128-GCM key and return a handle to it. 22 | 23 | Prerequisites: 24 | - Register AEAD implementations of Tink. 25 | 26 | Returns: 27 | A handle to the created keyset. 28 | 29 | Raises: 30 | tink.TinkError in case of errors. 31 | """ 32 | # Tink provides pre-baked templates. For example, we generate a key template 33 | # for AES128-GCM. 34 | key_template = aead.aead_key_templates.AES128_GCM 35 | # This will generate a new keyset with only *one* key and return a keyset 36 | # handle to it. 37 | return tink.new_keyset_handle(key_template) 38 | 39 | 40 | # [END tink_walkthrough_create_keyset] 41 | -------------------------------------------------------------------------------- /examples/walkthrough/create_keyset_test.py: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS-IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Test for create_keyset.""" 15 | from absl.testing import absltest 16 | 17 | from tink import aead 18 | 19 | from walkthrough import create_keyset 20 | 21 | 22 | class CreateKeysetTest(absltest.TestCase): 23 | 24 | def test_create_keyset_produces_a_valid_keyset(self): 25 | aead.register() 26 | keyset_handle = create_keyset.CreateAead128GcmKeyset() 27 | # Make sure that we can use this primitive. 28 | aead_primitive = keyset_handle.primitive(aead.Aead) 29 | cleartext = b'Some cleartext' 30 | associated_data = b'Some associated data' 31 | ciphertext = aead_primitive.encrypt(cleartext, associated_data) 32 | self.assertEqual( 33 | aead_primitive.decrypt(ciphertext, associated_data), cleartext) 34 | 35 | 36 | if __name__ == '__main__': 37 | absltest.main() 38 | -------------------------------------------------------------------------------- /examples/walkthrough/load_cleartext_keyset.py: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS-IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Example to showcase how to load a cleartext keyset.""" 15 | # [START tink_walkthrough_load_cleartext_keyset] 16 | import tink 17 | from tink import secret_key_access 18 | 19 | 20 | def LoadKeyset(serialized_keyset: str) -> tink.KeysetHandle: 21 | r"""Loads a JSON-serialized unencrypted keyset and returns a KeysetHandle. 22 | 23 | Prerequisites for this example: 24 | - Create an plaintext keyset in JSON, for example, using Tinkey: 25 | 26 | tinkey create-key --key-template AES256_GCM --out-format json \ 27 | --out keyset.json 28 | 29 | Args: 30 | serialized_keyset: JSON serialized keyset. 31 | 32 | Returns: 33 | A handle to the loaded keyset. 34 | 35 | Raises: 36 | tink.TinkError in case of errors. 37 | """ 38 | return tink.json_proto_keyset_format.parse( 39 | serialized_keyset, secret_key_access.TOKEN 40 | ) 41 | 42 | 43 | # [END tink_walkthrough_load_cleartext_keyset] 44 | -------------------------------------------------------------------------------- /examples/walkthrough/write_cleartext_keyset.py: -------------------------------------------------------------------------------- 1 | # Copyright 2022 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS-IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Example to showcase how to serialize a keyset as a cleartext.""" 15 | # [START tink_walkthrough_write_cleartext_keyset] 16 | from typing import TextIO 17 | 18 | import tink 19 | from tink import secret_key_access 20 | 21 | 22 | def WriteKeyset(keyset: tink.KeysetHandle, text_io_stream: TextIO) -> None: 23 | """Serializes a keyset to JSON-serialized and writes it to text_io_stream. 24 | 25 | Args: 26 | keyset: Handle to a keyset to serialize. 27 | text_io_stream: I/O stream where writng the Keyset to. 28 | 29 | Raises: 30 | tink.TinkError in case of errors. 31 | """ 32 | serialized_keyset = tink.json_proto_keyset_format.serialize( 33 | keyset, secret_key_access.TOKEN 34 | ) 35 | text_io_stream.write(serialized_keyset) 36 | 37 | 38 | # [END tink_walkthrough_write_cleartext_keyset] 39 | -------------------------------------------------------------------------------- /kokoro/release_requirements.in: -------------------------------------------------------------------------------- 1 | twine 2 | -------------------------------------------------------------------------------- /kokoro/testutils/BUILD.bazel: -------------------------------------------------------------------------------- 1 | package(default_visibility = ["//:__subpackages__"]) 2 | 3 | licenses(["notice"]) 4 | 5 | sh_binary( 6 | name = "test_utils", 7 | srcs = ["test_utils.sh"], 8 | ) 9 | 10 | sh_binary( 11 | name = "github_release_util", 12 | srcs = ["github_release_util.sh"], 13 | ) 14 | 15 | sh_test( 16 | name = "github_release_util_test", 17 | size = "small", 18 | srcs = ["github_release_util_test.sh"], 19 | args = [ 20 | "$(rlocationpath :github_release_util.sh)", 21 | "$(rlocationpath :test_utils)", 22 | ], 23 | data = [ 24 | ":github_release_util.sh", 25 | ":test_utils", 26 | ], 27 | target_compatible_with = select({ 28 | "@platforms//os:windows": ["@platforms//:incompatible"], 29 | "//conditions:default": [], 30 | }), 31 | ) 32 | -------------------------------------------------------------------------------- /kokoro/testutils/install_protoc.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2022 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | ################################################################################ 16 | 17 | # This scripts installs the protocol buffer compiler at a given version. 18 | # 19 | # NOTEs: 20 | # * If not running on Kokoro, this script will do nothing. 21 | # * This script MUST be sourced to update the environment of the calling 22 | # script. 23 | # 24 | # Usage: 25 | # source ./kokoro/testutils/install_protoc.sh [version] 26 | 27 | ## Per default, use X.29.3. 28 | readonly DEFAULT_PROTOC_VERSION="29.3" 29 | 30 | install_temp_protoc() { 31 | local protoc_version="${1:-${DEFAULT_PROTOC_VERSION}}" 32 | local platform="$(uname | tr '[:upper:]' '[:lower:]')" 33 | local protoc_zip="protoc-${protoc_version}-linux-x86_64.zip" 34 | if [[ "${platform}" == 'darwin' ]]; then 35 | protoc_zip="protoc-${protoc_version}-osx-x86_64.zip" 36 | fi 37 | local protoc_url="https://github.com/protocolbuffers/protobuf/releases/download/v${protoc_version}/${protoc_zip}" 38 | local -r protoc_tmpdir="$(mktemp -dt tink-protoc.XXXXXX)" 39 | ( 40 | cd "${protoc_tmpdir}" 41 | curl -OLsS "${protoc_url}" 42 | unzip "${protoc_zip}" bin/protoc 43 | ) 44 | export PATH="${protoc_tmpdir}/bin:${PATH}" 45 | } 46 | 47 | if [[ -n "${KOKORO_ROOT:-}" ]]; then 48 | install_temp_protoc "$@" 49 | fi 50 | -------------------------------------------------------------------------------- /kokoro/testutils/py_test_container_images.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2023 Google LLC 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | ################################################################################ 16 | 17 | _image_prefix() { 18 | local -r artifact_registry_url="us-docker.pkg.dev" 19 | local -r test_project="tink-test-infrastructure" 20 | local -r artifact_registry_repo="tink-ci-images" 21 | echo "${artifact_registry_url}/${test_project}/${artifact_registry_repo}" 22 | } 23 | 24 | # Images for tink-py testing. 25 | 26 | # Linux x86_64 container image. 27 | readonly TINK_PY_BASE_IMAGE_NAME="linux-tink-py-base" 28 | readonly TINK_PY_BASE_IMAGE_HASH="eb0e710d9e61a238ae193535cf4c06d9b77b27d67392b701db55fba2b0b88223" 29 | readonly TINK_PY_BASE_IMAGE="$(_image_prefix)/${TINK_PY_BASE_IMAGE_NAME}@sha256:${TINK_PY_BASE_IMAGE_HASH}" 30 | 31 | # Linux arm64 container image. 32 | readonly TINK_PY_BASE_ARM64_IMAGE_NAME="linux-tink-py-base-arm64" 33 | readonly TINK_PY_BASE_ARM64_IMAGE_HASH="c96f37e417d2b2b1454b2ad78a03c91b23b4f76678d9b5b9adf34b88ac48309f" 34 | readonly TINK_PY_BASE_ARM64_IMAGE="$(_image_prefix)/${TINK_PY_BASE_ARM64_IMAGE_NAME}@sha256:${TINK_PY_BASE_ARM64_IMAGE_HASH}" 35 | 36 | unset -f _image_prefix 37 | -------------------------------------------------------------------------------- /pyproject.toml: -------------------------------------------------------------------------------- 1 | [build-system] 2 | requires = ["setuptools"] 3 | build-backend = "setuptools.build_meta" 4 | -------------------------------------------------------------------------------- /requirements.in: -------------------------------------------------------------------------------- 1 | absl-py>=2.1.0 2 | protobuf>=6.30.2 3 | bazel-runfiles>=1.3.0 4 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | # 2 | # This file is autogenerated by pip-compile with Python 3.12 3 | # by the following command: 4 | # 5 | # pip-compile --generate-hashes --output-file=requirements.txt setup.py 6 | # 7 | absl-py==2.1.0 \ 8 | --hash=sha256:526a04eadab8b4ee719ce68f204172ead1027549089702d99b9059f129ff1308 \ 9 | --hash=sha256:7820790efbb316739cde8b4e19357243fc3608a152024288513dd968d7d959ff 10 | # via tink (setup.py) 11 | bazel-runfiles==1.3.0 \ 12 | --hash=sha256:3978fa1c8225686d39aa0d9523860e3e1e6d34297066f7c97ea2eeafc776b097 13 | # via tink (setup.py) 14 | protobuf==6.30.2 \ 15 | --hash=sha256:0eb523c550a66a09a0c20f86dd554afbf4d32b02af34ae53d93268c1f73bc65b \ 16 | --hash=sha256:35c859ae076d8c56054c25b59e5e59638d86545ed6e2b6efac6be0b6ea3ba048 \ 17 | --hash=sha256:4f6c687ae8efae6cf6093389a596548214467778146b7245e886f35e1485315d \ 18 | --hash=sha256:50f32cc9fd9cb09c783ebc275611b4f19dfdfb68d1ee55d2f0c7fa040df96815 \ 19 | --hash=sha256:524afedc03b31b15586ca7f64d877a98b184f007180ce25183d1a5cb230ee72b \ 20 | --hash=sha256:7653c99774f73fe6b9301b87da52af0e69783a2e371e8b599b3e9cb4da4b12b9 \ 21 | --hash=sha256:acec579c39c88bd8fbbacab1b8052c793efe83a0a5bd99db4a31423a25c0a0e2 \ 22 | --hash=sha256:ae86b030e69a98e08c77beab574cbcb9fff6d031d57209f574a5aea1445f4b51 \ 23 | --hash=sha256:b12ef7df7b9329886e66404bef5e9ce6a26b54069d7f7436a0853ccdeb91c103 24 | # via tink (setup.py) 25 | setuptools==80.4.0 \ 26 | --hash=sha256:5a78f61820bc088c8e4add52932ae6b8cf423da2aff268c23f813cfbb13b4006 \ 27 | --hash=sha256:6cdc8cb9a7d590b237dbe4493614a9b75d0559b888047c1f67d49ba50fc3edb2 28 | # Manual 29 | 30 | -------------------------------------------------------------------------------- /requirements_awskms.in: -------------------------------------------------------------------------------- 1 | boto3>=1.37.32 2 | # We need to explicitly add a rule for proto-plus to be able to use protobuf>=5. 3 | proto-plus>=1.26.1 4 | -------------------------------------------------------------------------------- /requirements_gcpkms.in: -------------------------------------------------------------------------------- 1 | google-auth>=2.38.0 2 | google-api-core>=2.24.2 3 | google-cloud-kms>=3.4.1 4 | # We need to explicitly add rules for googleapis_common_protos and grpc-google-iam-v1 5 | # to be able to use protobuf>=6. 6 | googleapis_common_protos>=1.69.2 7 | grpc-google-iam-v1>=0.14.2 8 | -------------------------------------------------------------------------------- /requirements_hcvault.in: -------------------------------------------------------------------------------- 1 | # Hashicorp Vault KMS extension. 2 | hvac>=2.3.0 3 | -------------------------------------------------------------------------------- /testdata/aws/BUILD.bazel: -------------------------------------------------------------------------------- 1 | package(default_visibility = ["//visibility:public"]) 2 | 3 | licenses(["notice"]) 4 | 5 | filegroup( 6 | name = "credentials", 7 | testonly = 1, 8 | srcs = [ 9 | "credentials.cred", 10 | "credentials.csv", 11 | "credentials.ini", 12 | "key_arn.txt", 13 | ], 14 | ) 15 | 16 | filegroup( 17 | name = "bad_credentials", 18 | testonly = 1, 19 | srcs = [ 20 | "access_keys_bad.csv", 21 | "credentials_bad.csv", 22 | "credentials_bad.ini", 23 | "key_arn_bad.txt", 24 | ], 25 | ) 26 | -------------------------------------------------------------------------------- /testdata/aws/access_keys_bad.csv: -------------------------------------------------------------------------------- 1 | Access key ID,Secret access key 2 | AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY 3 | -------------------------------------------------------------------------------- /testdata/aws/credentials.cred: -------------------------------------------------------------------------------- 1 | [default] 2 | accessKey = AKIAIIK5X7P3NAHNSNUQ 3 | secretKey = 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 4 | -------------------------------------------------------------------------------- /testdata/aws/credentials.csv: -------------------------------------------------------------------------------- 1 | User name,Password,Access key ID,Secret access key,Console login link 2 | tink-user1,,AKIAIIK5X7P3NAHNSNUQ,c7k55Gw83QlN1gYBhVPEEn1pKV909sxbll8JOvHF,https://235739564943.signin.aws.amazon.com/console 3 | 4 | -------------------------------------------------------------------------------- /testdata/aws/credentials.ini: -------------------------------------------------------------------------------- 1 | [default] 2 | aws_access_key_id = AKIAIIK5X7P3NAHNSNUQ 3 | aws_secret_access_key = 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 4 | -------------------------------------------------------------------------------- /testdata/aws/credentials_bad.csv: -------------------------------------------------------------------------------- 1 | User name,Password,Access key ID,Secret access key 2 | ,,AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY 3 | -------------------------------------------------------------------------------- /testdata/aws/credentials_bad.ini: -------------------------------------------------------------------------------- 1 | [default] 2 | aws_access_key_id = AKIAIOSFODNN7EXAMPLE 3 | aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY 4 | -------------------------------------------------------------------------------- /testdata/aws/key_arn.txt: -------------------------------------------------------------------------------- 1 | arn:aws:kms:us-east-2:235739564943:key/3ee50705-5a82-4f5b-9753-05c4f473922f 2 | -------------------------------------------------------------------------------- /testdata/aws/key_arn_bad.txt: -------------------------------------------------------------------------------- 1 | arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012 2 | -------------------------------------------------------------------------------- /testdata/gcp/BUILD.bazel: -------------------------------------------------------------------------------- 1 | package(default_visibility = ["//visibility:public"]) 2 | 3 | licenses(["notice"]) 4 | 5 | exports_files(srcs = ["credential.json"]) 6 | 7 | filegroup( 8 | name = "credentials", 9 | testonly = 1, 10 | srcs = [ 11 | "credential.json", 12 | "key_name.txt", 13 | ], 14 | ) 15 | 16 | filegroup( 17 | name = "bad_credentials", 18 | testonly = 1, 19 | srcs = [ 20 | "credential_bad.json", 21 | "key_name_bad.txt", 22 | ], 23 | ) 24 | -------------------------------------------------------------------------------- /testdata/gcp/README.md: -------------------------------------------------------------------------------- 1 | This folder contains GCP credentials that are used for testing Tink. 2 | 3 | For security reasons, all credentials in this folder are invalid. 4 | 5 | If you want to run tests that depend on them, please create your own 6 | [Cloud KMS key](https://cloud.google.com/kms/docs/creating-keys), and copy the 7 | credentials to `gcp/credential.json` and the key URI to `gcp/key_name.txt`. 8 | -------------------------------------------------------------------------------- /testdata/gcp/credential.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "service_account", 3 | "project_id": "tink-test-infrastructure", 4 | "private_key_id": "some_bad_private_key_id", 5 | "private_key": "-----BEGIN PRIVATE KEY-----\nMIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMtJlaQD79xGIC28\nowTpj7wkdi34piSubtDKttgC3lL00ioyQf/WMqLnyDWySNufCjhavQ7/sxXQAUCL\n5B3WDwM8+mFqQM2wJB18NBWBSfGOFSMwVQyWv7Y/1AFr+PvNKVlw4RZ4G8VuJzXZ\n9v/+5zyKv8py66sGVoHPI+LGfIprAgMBAAECgYEAxcgX8PVrnrITiKwpJxReJbyL\nxnpOmw2i/zza3BseVzOebjNrhw/NQDWl0qhcvmBjvyR5IGiiwiwXq8bu8CBdhRiE\nw3vKf1iuVOKhH07RB2wvCaGbVlB/p15gYau3sTRn5nej0tjYHX7xa/St/DwPk2H/\nxYGTRhyYtNL6wdtMjYECQQD+LVVJf0rLnxyPADTcz7Wdb+FUX79nWtMlzQOEB09+\nJj4ie0kD0cIvTQFjV3pOsg3uW2khFpjg110TXpJJfPjhAkEAzL7RhhfDdL7Dn2zl\n1orUthcGa2pzEAmg1tGBNb1pOg7LbVHKSa3GOOwyPRsActoyrPw18/fXaJdEfByY\ne9kwywJAB7rHMjH9y01uZ+bgtKpYYo5JcvBqeLEpZKfkaHp0b2ioURIguU4Csr+L\nwEKjxIrjo5ECFHCEe6nw+arRlgyH4QJBAIfQmEn733LEzB0n7npXU2yKb363eSYN\nTPzSsoREZdXWVIjqtWYUeKXvwA+apryJEw5+qwdvwxslJI+zpE6bLusCQE6M1lO9\nN6A3PtQv7Z3XwrEE/sPEVv4M4VHj0YHLs/32UuSXq5taMizKILfis1Stry4WjRHp\nQxEqdLrIkb13NH8=\n-----END PRIVATE KEY-----", 6 | "client_email": "unit-and-integration-testing@tink-test-infrastructure.iam.gserviceaccount.com", 7 | "client_id": "111876397550362269561", 8 | "auth_uri": "https://accounts.google.com/o/oauth2/auth", 9 | "token_uri": "https://accounts.google.com/o/oauth2/token", 10 | "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", 11 | "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/unit-and-integration-testing%40tink-test-infrastructure.iam.gserviceaccount.com" 12 | } 13 | -------------------------------------------------------------------------------- /testdata/gcp/credential_bad.json: -------------------------------------------------------------------------------- 1 | { 2 | "type": "service_account", 3 | "project_id": "tink-test-infrastructure", 4 | "private_key_id": "some_bad_private_key_id", 5 | "private_key": "-----BEGIN PRIVATE KEY-----\nMIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMtJlaQD79xGIC28\nowTpj7wkdi34piSubtDKttgC3lL00ioyQf/WMqLnyDWySNufCjhavQ7/sxXQAUCL\n5B3WDwM8+mFqQM2wJB18NBWBSfGOFSMwVQyWv7Y/1AFr+PvNKVlw4RZ4G8VuJzXZ\n9v/+5zyKv8py66sGVoHPI+LGfIprAgMBAAECgYEAxcgX8PVrnrITiKwpJxReJbyL\nxnpOmw2i/zza3BseVzOebjNrhw/NQDWl0qhcvmBjvyR5IGiiwiwXq8bu8CBdhRiE\nw3vKf1iuVOKhH07RB2wvCaGbVlB/p15gYau3sTRn5nej0tjYHX7xa/St/DwPk2H/\nxYGTRhyYtNL6wdtMjYECQQD+LVVJf0rLnxyPADTcz7Wdb+FUX79nWtMlzQOEB09+\nJj4ie0kD0cIvTQFjV3pOsg3uW2khFpjg110TXpJJfPjhAkEAzL7RhhfDdL7Dn2zl\n1orUthcGa2pzEAmg1tGBNb1pOg7LbVHKSa3GOOwyPRsActoyrPw18/fXaJdEfByY\ne9kwywJAB7rHMjH9y01uZ+bgtKpYYo5JcvBqeLEpZKfkaHp0b2ioURIguU4Csr+L\nwEKjxIrjo5ECFHCEe6nw+arRlgyH4QJBAIfQmEn733LEzB0n7npXU2yKb363eSYN\nTPzSsoREZdXWVIjqtWYUeKXvwA+apryJEw5+qwdvwxslJI+zpE6bLusCQE6M1lO9\nN6A3PtQv7Z3XwrEE/sPEVv4M4VHj0YHLs/32UuSXq5taMizKILfis1Stry4WjRHp\nQxEqdLrIkb13NH8=\n-----END PRIVATE KEY-----", 6 | "client_email": "unit-and-integration-testing@tink-test-infrastructure.iam.gserviceaccount.com", 7 | "client_id": "111876397550362269561", 8 | "auth_uri": "https://accounts.google.com/o/oauth2/auth", 9 | "token_uri": "https://accounts.google.com/o/oauth2/token", 10 | "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", 11 | "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/unit-and-integration-testing%40tink-test-infrastructure.iam.gserviceaccount.com" 12 | } 13 | -------------------------------------------------------------------------------- /testdata/gcp/key_name.txt: -------------------------------------------------------------------------------- 1 | projects/tink-test-infrastructure/locations/global/keyRings/unit-and-integration-testing/cryptoKeys/aead-key 2 | 3 | -------------------------------------------------------------------------------- /testdata/gcp/key_name_bad.txt: -------------------------------------------------------------------------------- 1 | projects/non-existing-project/locations/global/keyRings/some-key-ring/cryptoKeys/aead-key 2 | 3 | -------------------------------------------------------------------------------- /tink/_insecure_keyset_handle.py: -------------------------------------------------------------------------------- 1 | # Copyright 2023 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Internal-only module that gives access to the proto keyset.""" 15 | 16 | from tink.proto import tink_pb2 17 | from tink import _keyset_handle 18 | from tink import _secret_key_access 19 | from tink import core 20 | 21 | 22 | def from_proto_keyset( 23 | keyset: tink_pb2.Keyset, token: core.KeyAccess 24 | ) -> _keyset_handle.KeysetHandle: 25 | if not isinstance(token, _secret_key_access.SecretKeyAccess): 26 | raise core.TinkError('no secret access.') 27 | return _keyset_handle.KeysetHandle._create(keyset) # pylint: disable=protected-access 28 | 29 | 30 | def to_proto_keyset( 31 | keyset_handle: _keyset_handle.KeysetHandle, token: core.KeyAccess 32 | ) -> tink_pb2.Keyset: 33 | if not isinstance(token, _secret_key_access.SecretKeyAccess): 34 | raise core.TinkError('no secret access.') 35 | return keyset_handle._keyset # pylint: disable=protected-access 36 | -------------------------------------------------------------------------------- /tink/_kms_clients_test.py: -------------------------------------------------------------------------------- 1 | # Copyright 2023 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Tests for kms_clients.""" 16 | 17 | from absl.testing import absltest 18 | import tink 19 | from tink import _kms_clients 20 | from tink import aead 21 | from tink import tink_config 22 | 23 | 24 | def setUpModule(): 25 | tink_config.register() 26 | 27 | 28 | class FakeClient(_kms_clients.KmsClient): 29 | 30 | def __init__(self, key_uri): 31 | self.key_uri = key_uri 32 | 33 | def does_support(self, key_uri: str) -> bool: 34 | return key_uri == self.key_uri 35 | 36 | def get_aead(self, key_uri: str) -> aead.Aead: 37 | raise ValueError('unknown key_uri') 38 | 39 | 40 | class KmsClientsTest(absltest.TestCase): 41 | 42 | def test_register_get_and_reset_kms_clients(self): 43 | client1 = FakeClient('key_uri1') 44 | client2 = FakeClient('key_uri2') 45 | client3 = FakeClient('key_uri3') 46 | tink.register_kms_client(client1) 47 | tink.register_kms_client(client2) 48 | tink.register_kms_client(client3) 49 | 50 | # returns the first registered client that supports the uri. 51 | self.assertEqual(tink.kms_client_from_uri('key_uri1'), client1) 52 | self.assertEqual(tink.kms_client_from_uri('key_uri2'), client2) 53 | with self.assertRaises(tink.TinkError): 54 | tink.kms_client_from_uri('unknown') 55 | 56 | _kms_clients.reset_kms_clients() 57 | with self.assertRaises(tink.TinkError): 58 | tink.kms_client_from_uri('key_uri1') 59 | 60 | 61 | if __name__ == '__main__': 62 | absltest.main() 63 | -------------------------------------------------------------------------------- /tink/_secret_key_access.py: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Gives access to secret Tink keys and keysets. 15 | 16 | WARNING 17 | 18 | Reading or writing secret keys is a bad practice, usage of this API should be 19 | restricted. 20 | """ 21 | 22 | from tink import core 23 | 24 | 25 | class SecretKeyAccess(core.KeyAccess): 26 | """An access token that gives access to all keys.""" 27 | pass 28 | 29 | 30 | TOKEN = SecretKeyAccess() 31 | -------------------------------------------------------------------------------- /tink/aead/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Aead package.""" 16 | 17 | from tink.aead import _aead 18 | from tink.aead import _aead_key_manager 19 | from tink.aead import _aead_key_templates as aead_key_templates 20 | from tink.aead import _kms_envelope_aead 21 | 22 | 23 | Aead = _aead.Aead 24 | AeadCcToPyWrapper = _aead_key_manager.AeadCcToPyWrapper 25 | register = _aead_key_manager.register 26 | KmsEnvelopeAead = _kms_envelope_aead.KmsEnvelopeAead 27 | -------------------------------------------------------------------------------- /tink/cc/cc_hpke_config.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2022 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #include "tink/cc/cc_hpke_config.h" 18 | 19 | #include 20 | 21 | #include "tink/hybrid/hpke_config.h" 22 | 23 | namespace crypto { 24 | namespace tink { 25 | 26 | absl::Status CcHpkeConfigRegister() { return RegisterHpke(); } 27 | 28 | } // namespace tink 29 | } // namespace crypto 30 | -------------------------------------------------------------------------------- /tink/cc/cc_hpke_config.h: -------------------------------------------------------------------------------- 1 | // Copyright 2022 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #ifndef TINK_PYTHON_TINK_CC_CC_HPKE_CONFIG_H_ 18 | #define TINK_PYTHON_TINK_CC_CC_HPKE_CONFIG_H_ 19 | 20 | #include "absl/status/status.h" 21 | 22 | namespace crypto { 23 | namespace tink { 24 | 25 | absl::Status CcHpkeConfigRegister(); 26 | 27 | } // namespace tink 28 | } // namespace crypto 29 | 30 | #endif // TINK_PYTHON_TINK_CC_CC_HPKE_CONFIG_H_ 31 | -------------------------------------------------------------------------------- /tink/cc/cc_jwt_config.h: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #ifndef TINK_PYTHON_TINK_CC_CC_JWT_CONFIG_H_ 18 | #define TINK_PYTHON_TINK_CC_CC_JWT_CONFIG_H_ 19 | 20 | #include "absl/status/status.h" 21 | 22 | namespace crypto { 23 | namespace tink { 24 | 25 | absl::Status CcJwtConfigRegister(); 26 | 27 | } // namespace tink 28 | } // namespace crypto 29 | 30 | #endif // TINK_PYTHON_TINK_CC_CC_JWT_CONFIG_H_ 31 | -------------------------------------------------------------------------------- /tink/cc/cc_streaming_aead_wrappers_test.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #include "tink/cc/cc_streaming_aead_wrappers.h" 18 | 19 | #include 20 | 21 | #include "gtest/gtest.h" 22 | #include "tink/cc/test_util.h" 23 | 24 | namespace crypto { 25 | namespace tink { 26 | namespace { 27 | 28 | using crypto::tink::test::DummyStreamingAead; 29 | 30 | TEST(CcStreamingAeadWrappersTest, BasicNewCcEncryptingStream) { 31 | DummyStreamingAead dummy_saead = DummyStreamingAead("Some streaming AEAD"); 32 | std::unique_ptr output = 33 | absl::make_unique(); 34 | 35 | auto result = 36 | NewCcEncryptingStream(&dummy_saead, "associated data", std::move(output)); 37 | 38 | EXPECT_TRUE(result.status().ok()); 39 | } 40 | 41 | TEST(CcStreamingAeadWrappersTest, BasicNewCcDecryptingStream) { 42 | DummyStreamingAead dummy_saead = DummyStreamingAead("Some streaming AEAD"); 43 | std::unique_ptr input = 44 | absl::make_unique("data"); 45 | 46 | auto result = 47 | NewCcDecryptingStream(&dummy_saead, "associated data", std::move(input)); 48 | 49 | EXPECT_TRUE(result.status().ok()); 50 | } 51 | 52 | } // namespace 53 | } // namespace tink 54 | } // namespace crypto 55 | -------------------------------------------------------------------------------- /tink/cc/cc_tink_config.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #include "tink/cc/cc_tink_config.h" 18 | 19 | #include 20 | 21 | #include "absl/status/status.h" 22 | #include "tink/config/tink_config.h" 23 | #include "tink/cc/pybind/tink_exception.h" 24 | 25 | namespace crypto { 26 | namespace tink { 27 | 28 | void CcTinkConfigRegister() { 29 | absl::Status result = TinkConfig::Register(); 30 | if (!result.ok()) { 31 | throw pybind11::google_tink::TinkException(result); 32 | } 33 | } 34 | 35 | } // namespace tink 36 | } // namespace crypto 37 | -------------------------------------------------------------------------------- /tink/cc/cc_tink_config.h: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #ifndef TINK_PYTHON_TINK_CC_CC_TINK_CONFIG_H_ 18 | #define TINK_PYTHON_TINK_CC_CC_TINK_CONFIG_H_ 19 | 20 | #include "tink/util/status.h" 21 | #include "tink/registry.h" 22 | 23 | namespace crypto { 24 | namespace tink { 25 | 26 | void CcTinkConfigRegister(); 27 | 28 | } // namespace tink 29 | } // namespace crypto 30 | 31 | #endif // TINK_PYTHON_TINK_CC_CC_TINK_CONFIG_H_ 32 | -------------------------------------------------------------------------------- /tink/cc/input_stream_adapter.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #include "tink/cc/input_stream_adapter.h" 18 | 19 | #include 20 | #include 21 | #include 22 | 23 | #include "absl/status/statusor.h" 24 | #include "absl/strings/string_view.h" 25 | 26 | namespace crypto { 27 | namespace tink { 28 | 29 | absl::StatusOr InputStreamAdapter::Read(int64_t size) { 30 | const void* buffer; 31 | auto next_result = stream_->Next(&buffer); 32 | if (!next_result.ok()) return next_result.status(); 33 | int available = next_result.value(); 34 | int read_count = 35 | size < 0 ? available : std::min(static_cast(available), size); 36 | if (read_count < available) stream_->BackUp(available - read_count); 37 | return std::string( 38 | absl::string_view(static_cast(buffer), read_count)); 39 | } 40 | 41 | } // namespace tink 42 | } // namespace crypto 43 | -------------------------------------------------------------------------------- /tink/cc/input_stream_adapter.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #ifndef TINK_PYTHON_TINK_CC_INPUT_STREAM_ADAPTER_H_ 18 | #define TINK_PYTHON_TINK_CC_INPUT_STREAM_ADAPTER_H_ 19 | 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | #include "absl/status/statusor.h" 26 | #include "tink/input_stream.h" 27 | 28 | namespace crypto { 29 | namespace tink { 30 | 31 | // Adapts an InputStream for use in Python. 32 | class InputStreamAdapter { 33 | public: 34 | explicit InputStreamAdapter(std::unique_ptr stream) 35 | : stream_(std::move(stream)) {} 36 | 37 | // Reads at most 'size' bytes from the underlying InputStream using only one 38 | // call to Next(). 39 | // If size is negative, all bytes that Next() gives are returned. 40 | // Returns OUT_OF_RANGE status if the stream is already at EOF. 41 | absl::StatusOr Read(int64_t size); 42 | 43 | private: 44 | std::unique_ptr stream_; 45 | }; 46 | 47 | } // namespace tink 48 | } // namespace crypto 49 | 50 | #endif // TINK_PYTHON_TINK_CC_INPUT_STREAM_ADAPTER_H_ 51 | -------------------------------------------------------------------------------- /tink/cc/output_stream_adapter.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #include "tink/cc/output_stream_adapter.h" 18 | 19 | #include 20 | #include 21 | #include 22 | 23 | #include "absl/log/check.h" 24 | #include "absl/status/status.h" 25 | #include "absl/status/statusor.h" 26 | #include "absl/strings/string_view.h" 27 | 28 | namespace crypto { 29 | namespace tink { 30 | 31 | absl::StatusOr OutputStreamAdapter::Write(absl::string_view data) { 32 | void* buffer; 33 | int64_t written = 0; 34 | while (written < data.size()) { 35 | auto next_result = stream_->Next(&buffer); 36 | if (!next_result.ok()) return next_result.status(); 37 | int available = next_result.value(); 38 | int write_count = 39 | std::min(available, static_cast(data.size() - written)); 40 | memcpy(buffer, data.data() + written, write_count); 41 | if (write_count < available) stream_->BackUp(available - write_count); 42 | written += write_count; 43 | } 44 | CHECK(written == data.size()); 45 | return written; 46 | } 47 | 48 | absl::Status OutputStreamAdapter::Close() { return stream_->Close(); } 49 | 50 | } // namespace tink 51 | } // namespace crypto 52 | -------------------------------------------------------------------------------- /tink/cc/output_stream_adapter.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #ifndef TINK_PYTHON_TINK_CC_OUTPUT_STREAM_ADAPTER_H_ 18 | #define TINK_PYTHON_TINK_CC_OUTPUT_STREAM_ADAPTER_H_ 19 | 20 | #include 21 | #include 22 | #include 23 | 24 | #include "absl/status/status.h" 25 | #include "absl/status/statusor.h" 26 | #include "absl/strings/string_view.h" 27 | #include "tink/output_stream.h" 28 | 29 | namespace crypto { 30 | namespace tink { 31 | 32 | // Adapts an OutputStream for use in Python. 33 | class OutputStreamAdapter { 34 | public: 35 | explicit OutputStreamAdapter(std::unique_ptr stream) 36 | : stream_(std::move(stream)) {} 37 | 38 | // Writes 'data' to the underlying OutputStream and returns the number of 39 | // bytes written, which may be less than size of 'data'. 40 | // It repeatedly calls Next() as long as it returns positive values. This 41 | // ensures that in the usual case when we can write all of 'data' the user can 42 | // call Write() once and no unnecessary copies are made. 43 | absl::StatusOr Write(absl::string_view data); 44 | 45 | // Closes the underlying OutputStream. 46 | absl::Status Close(); 47 | 48 | private: 49 | std::unique_ptr stream_; 50 | }; 51 | 52 | } // namespace tink 53 | } // namespace crypto 54 | 55 | #endif // TINK_PYTHON_TINK_CC_OUTPUT_STREAM_ADAPTER_H_ 56 | -------------------------------------------------------------------------------- /tink/cc/pybind/aead.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_AEAD_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_AEAD_H_ 18 | 19 | #include "pybind11/pybind11.h" 20 | 21 | namespace crypto { 22 | namespace tink { 23 | 24 | void PybindRegisterAead(pybind11::module* module); 25 | 26 | } // namespace tink 27 | } // namespace crypto 28 | 29 | #endif // TINK_PYTHON_TINK_CC_PYBIND_AEAD_H_ 30 | -------------------------------------------------------------------------------- /tink/cc/pybind/cc_hpke_config.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2022 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #include "tink/cc/pybind/cc_hpke_config.h" 18 | 19 | #include 20 | 21 | #include "pybind11/pybind11.h" 22 | #include "tink/cc/cc_hpke_config.h" 23 | #include "tink/cc/pybind/tink_exception.h" 24 | 25 | namespace crypto { 26 | namespace tink { 27 | 28 | using pybind11::google_tink::TinkException; 29 | 30 | void PybindRegisterCcHpkeConfig(pybind11::module* module) { 31 | namespace py = pybind11; 32 | py::module& m = *module; 33 | m.def("register_hpke", []() -> void { 34 | absl::Status result = CcHpkeConfigRegister(); 35 | if (!result.ok()) { 36 | throw TinkException(result); 37 | } 38 | }); 39 | } 40 | 41 | } // namespace tink 42 | } // namespace crypto 43 | -------------------------------------------------------------------------------- /tink/cc/pybind/cc_hpke_config.h: -------------------------------------------------------------------------------- 1 | // Copyright 2022 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_CC_HPKE_CONFIG_H_ 18 | #define TINK_PYTHON_TINK_CC_PYBIND_CC_HPKE_CONFIG_H_ 19 | 20 | #include "pybind11/pybind11.h" 21 | 22 | namespace crypto { 23 | namespace tink { 24 | 25 | void PybindRegisterCcHpkeConfig(pybind11::module* m); 26 | 27 | } // namespace tink 28 | } // namespace crypto 29 | 30 | #endif // TINK_PYTHON_TINK_CC_PYBIND_CC_HPKE_CONFIG_H_ 31 | -------------------------------------------------------------------------------- /tink/cc/pybind/cc_jwt_config.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #include "tink/cc/pybind/cc_jwt_config.h" 18 | 19 | #include 20 | 21 | #include "pybind11/pybind11.h" 22 | #include "tink/cc/cc_jwt_config.h" 23 | #include "tink/cc/pybind/tink_exception.h" 24 | 25 | namespace crypto { 26 | namespace tink { 27 | 28 | using pybind11::google_tink::TinkException; 29 | 30 | void PybindRegisterCcJwtConfig(pybind11::module* module) { 31 | namespace py = pybind11; 32 | py::module& m = *module; 33 | m.def("register_jwt", []() -> void { 34 | absl::Status result = CcJwtConfigRegister(); 35 | if (!result.ok()) { 36 | throw TinkException(result); 37 | } 38 | }); 39 | } 40 | 41 | } // namespace tink 42 | } // namespace crypto 43 | -------------------------------------------------------------------------------- /tink/cc/pybind/cc_jwt_config.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_CC_JWT_CONFIG_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_CC_JWT_CONFIG_H_ 18 | 19 | #include "pybind11/pybind11.h" 20 | 21 | namespace crypto { 22 | namespace tink { 23 | 24 | void PybindRegisterCcJwtConfig(pybind11::module* m); 25 | 26 | } // namespace tink 27 | } // namespace crypto 28 | #endif // TINK_PYTHON_TINK_CC_PYBIND_CC_JWT_CONFIG_H_ 29 | -------------------------------------------------------------------------------- /tink/cc/pybind/cc_key_manager.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_CC_KEY_MANAGER_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_CC_KEY_MANAGER_H_ 18 | 19 | #include "pybind11/pybind11.h" 20 | 21 | namespace crypto { 22 | namespace tink { 23 | 24 | void PybindRegisterCcKeyManager(pybind11::module* m); 25 | 26 | } // namespace tink 27 | } // namespace crypto 28 | 29 | #endif // TINK_PYTHON_TINK_CC_PYBIND_CC_KEY_MANAGER_H_ 30 | -------------------------------------------------------------------------------- /tink/cc/pybind/cc_streaming_aead_wrappers.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_CC_STREAMING_AEAD_WRAPPERS_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_CC_STREAMING_AEAD_WRAPPERS_H_ 18 | #include "pybind11/pybind11.h" 19 | 20 | namespace crypto { 21 | namespace tink { 22 | 23 | void PybindRegisterCcStreamingAeadWrappers(pybind11::module* m); 24 | 25 | } // namespace tink 26 | } // namespace crypto 27 | 28 | #endif // TINK_PYTHON_TINK_CC_PYBIND_CC_STREAMING_AEAD_WRAPPERS_H_ 29 | -------------------------------------------------------------------------------- /tink/cc/pybind/cc_tink_config.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #include "tink/cc/pybind/cc_tink_config.h" 18 | 19 | #include "pybind11/pybind11.h" 20 | #include "tink/cc/cc_tink_config.h" 21 | 22 | namespace crypto { 23 | namespace tink { 24 | 25 | void PybindRegisterCcTinkConfig(pybind11::module* module) { 26 | namespace py = pybind11; 27 | py::module& m = *module; 28 | m.def("register", CcTinkConfigRegister); 29 | } 30 | 31 | } // namespace tink 32 | } // namespace crypto 33 | -------------------------------------------------------------------------------- /tink/cc/pybind/cc_tink_config.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_CC_TINK_CONFIG_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_CC_TINK_CONFIG_H_ 18 | 19 | #include "pybind11/pybind11.h" 20 | 21 | namespace crypto { 22 | namespace tink { 23 | 24 | void PybindRegisterCcTinkConfig(pybind11::module* m); 25 | 26 | } // namespace tink 27 | } // namespace crypto 28 | #endif // TINK_PYTHON_TINK_CC_PYBIND_CC_TINK_CONFIG_H_ 29 | -------------------------------------------------------------------------------- /tink/cc/pybind/cc_tink_config_test.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Tests for tink.python.cc.pybind.cc_tink_config.""" 16 | 17 | from absl.testing import absltest 18 | from tink.cc.pybind import tink_bindings 19 | 20 | 21 | class CcTinkConfigTest(absltest.TestCase): 22 | 23 | def test_register(self): 24 | tink_bindings.register() 25 | 26 | 27 | if __name__ == '__main__': 28 | absltest.main() 29 | -------------------------------------------------------------------------------- /tink/cc/pybind/deterministic_aead.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_DETERMINISTIC_AEAD_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_DETERMINISTIC_AEAD_H_ 18 | 19 | #include "pybind11/pybind11.h" 20 | 21 | namespace crypto { 22 | namespace tink { 23 | 24 | void PybindRegisterDeterministicAead(pybind11::module* m); 25 | 26 | } // namespace tink 27 | } // namespace crypto 28 | 29 | #endif // TINK_PYTHON_TINK_CC_PYBIND_DETERMINISTIC_AEAD_H_ 30 | -------------------------------------------------------------------------------- /tink/cc/pybind/hybrid_decrypt.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #include "tink/cc/pybind/hybrid_decrypt.h" 18 | 19 | #include 20 | #include 21 | 22 | #include "absl/status/statusor.h" 23 | #include "pybind11/pybind11.h" 24 | #include "tink/hybrid_decrypt.h" 25 | #include "tink/cc/pybind/tink_exception.h" 26 | 27 | namespace crypto { 28 | namespace tink { 29 | 30 | using pybind11::google_tink::TinkException; 31 | 32 | void PybindRegisterHybridDecrypt(pybind11::module* module) { 33 | namespace py = pybind11; 34 | py::module& m = *module; 35 | 36 | 37 | // TODO(b/146492561): Reduce the number of complicated lambdas. 38 | py::class_(m, "HybridDecrypt") 39 | .def( 40 | "decrypt", 41 | [](const HybridDecrypt& self, const py::bytes& ciphertext, 42 | const py::bytes& context_info) -> py::bytes { 43 | // TODO(b/145925674) 44 | absl::StatusOr decrypt_result = self.Decrypt( 45 | std::string(ciphertext), std::string(context_info)); 46 | if (!decrypt_result.ok()) { 47 | throw TinkException(decrypt_result.status()); 48 | } 49 | return *std::move(decrypt_result); 50 | }, 51 | py::arg("ciphertext"), py::arg("context_info")); 52 | } 53 | 54 | } // namespace tink 55 | } // namespace crypto 56 | -------------------------------------------------------------------------------- /tink/cc/pybind/hybrid_decrypt.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_HYBRID_DECRYPT_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_HYBRID_DECRYPT_H_ 18 | 19 | #include "pybind11/pybind11.h" 20 | 21 | namespace crypto { 22 | namespace tink { 23 | 24 | void PybindRegisterHybridDecrypt(pybind11::module* m); 25 | 26 | } // namespace tink 27 | } // namespace crypto 28 | 29 | #endif // TINK_PYTHON_TINK_CC_PYBIND_HYBRID_DECRYPT_H_ 30 | -------------------------------------------------------------------------------- /tink/cc/pybind/hybrid_encrypt.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #include "tink/cc/pybind/hybrid_encrypt.h" 18 | 19 | #include 20 | #include 21 | 22 | #include "absl/status/statusor.h" 23 | #include "pybind11/pybind11.h" 24 | #include "tink/hybrid_encrypt.h" 25 | #include "tink/cc/pybind/tink_exception.h" 26 | 27 | namespace crypto { 28 | namespace tink { 29 | 30 | using pybind11::google_tink::TinkException; 31 | 32 | void PybindRegisterHybridEncrypt(pybind11::module* module) { 33 | namespace py = pybind11; 34 | py::module& m = *module; 35 | 36 | // TODO(b/146492561): Reduce the number of complicated lambdas. 37 | py::class_(m, "HybridEncrypt") 38 | .def( 39 | "encrypt", 40 | [](const HybridEncrypt& self, const py::bytes& plaintext, 41 | const py::bytes& context_info) -> py::bytes { 42 | // TODO(b/145925674) 43 | absl::StatusOr encrypt_result = 44 | self.Encrypt(std::string(plaintext), std::string(context_info)); 45 | if (!encrypt_result.ok()) { 46 | throw TinkException(encrypt_result.status()); 47 | } 48 | return *std::move(encrypt_result); 49 | }, 50 | py::arg("plaintext"), py::arg("context_info")); 51 | } 52 | 53 | } // namespace tink 54 | } // namespace crypto 55 | -------------------------------------------------------------------------------- /tink/cc/pybind/hybrid_encrypt.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_HYBRID_ENCRYPT_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_HYBRID_ENCRYPT_H_ 18 | 19 | #include "pybind11/pybind11.h" 20 | 21 | namespace crypto { 22 | namespace tink { 23 | 24 | void PybindRegisterHybridEncrypt(pybind11::module* m); 25 | 26 | } // namespace tink 27 | } // namespace crypto 28 | 29 | #endif // TINK_PYTHON_TINK_CC_PYBIND_HYBRID_ENCRYPT_H_ 30 | -------------------------------------------------------------------------------- /tink/cc/pybind/import_helper.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #include "tink/cc/pybind/import_helper.h" 18 | 19 | #include 20 | #include 21 | 22 | #include "absl/strings/str_cat.h" 23 | 24 | 25 | 26 | namespace crypto { 27 | namespace tink { 28 | 29 | void ImportTinkPythonModule(const std::string& relative_import_path) { 30 | std::string full_path = "tink"; 31 | if (!relative_import_path.empty()) { 32 | absl::StrAppend(&full_path, ".", relative_import_path); 33 | } 34 | pybind11::module::import(full_path.c_str()); 35 | } 36 | 37 | } // namespace tink 38 | } // namespace crypto 39 | -------------------------------------------------------------------------------- /tink/cc/pybind/import_helper.h: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_IMPORT_HELPER_H_ 18 | #define TINK_PYTHON_TINK_CC_PYBIND_IMPORT_HELPER_H_ 19 | 20 | #include 21 | 22 | namespace crypto { 23 | namespace tink { 24 | 25 | // relative_import_path is relative to the tink directory, e.g., 26 | // "python.cc.pybind.cc_key_manager". The absolute import path to the 27 | // tink directory is determined via a define in import_helper.cc. 28 | void ImportTinkPythonModule(const std::string& relative_import_path); 29 | 30 | } // namespace tink 31 | } // namespace crypto 32 | 33 | #endif // TINK_PYTHON_TINK_CC_PYBIND_IMPORT_HELPER_H_ 34 | -------------------------------------------------------------------------------- /tink/cc/pybind/input_stream_adapter.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_INPUT_STREAM_ADAPTER_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_INPUT_STREAM_ADAPTER_H_ 18 | 19 | #include "pybind11/pybind11.h" 20 | 21 | namespace crypto { 22 | namespace tink { 23 | 24 | void PybindRegisterInputStreamAdapter(pybind11::module* m); 25 | 26 | } // namespace tink 27 | } // namespace crypto 28 | 29 | #endif // TINK_PYTHON_TINK_CC_PYBIND_INPUT_STREAM_ADAPTER_H_ 30 | -------------------------------------------------------------------------------- /tink/cc/pybind/mac.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_MAC_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_MAC_H_ 18 | 19 | #include "pybind11/pybind11.h" 20 | 21 | namespace crypto { 22 | namespace tink { 23 | 24 | void PybindRegisterMac(pybind11::module* m); 25 | 26 | } // namespace tink 27 | } // namespace crypto 28 | 29 | #endif // TINK_PYTHON_TINK_CC_PYBIND_MAC_H_ 30 | -------------------------------------------------------------------------------- /tink/cc/pybind/output_stream_adapter.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #include "tink/cc/pybind/output_stream_adapter.h" 17 | 18 | #include 19 | #include 20 | #include 21 | 22 | #include "pybind11/pybind11.h" 23 | #include "tink/cc/output_stream_adapter.h" 24 | #include "tink/cc/pybind/tink_exception.h" 25 | 26 | namespace crypto { 27 | namespace tink { 28 | 29 | using pybind11::google_tink::TinkException; 30 | 31 | void PybindRegisterOutputStreamAdapter(pybind11::module* module) { 32 | namespace py = pybind11; 33 | py::module& m = *module; 34 | 35 | // TODO(b/146492561): Reduce the number of complicated lambdas. 36 | py::class_(m, "OutputStreamAdapter") 37 | .def( 38 | "write", 39 | [](OutputStreamAdapter* self, const py::bytes& data) -> int64_t { 40 | absl::StatusOr result = self->Write(std::string(data)); 41 | if (!result.ok()) { 42 | throw TinkException(result.status()); 43 | } 44 | return *std::move(result); 45 | }, 46 | py::arg("data")) 47 | .def("close", [](OutputStreamAdapter* self) -> void { 48 | absl::Status result = self->Close(); 49 | if (!result.ok()) { 50 | throw TinkException(result); 51 | } 52 | }); 53 | } 54 | 55 | } // namespace tink 56 | } // namespace crypto 57 | -------------------------------------------------------------------------------- /tink/cc/pybind/output_stream_adapter.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_OUTPUT_STREAM_ADAPTER_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_OUTPUT_STREAM_ADAPTER_H_ 18 | 19 | #include "pybind11/pybind11.h" 20 | 21 | namespace crypto { 22 | namespace tink { 23 | 24 | void PybindRegisterOutputStreamAdapter(pybind11::module* m); 25 | 26 | } // namespace tink 27 | } // namespace crypto 28 | 29 | #endif // TINK_PYTHON_TINK_CC_PYBIND_OUTPUT_STREAM_ADAPTER_H_ 30 | -------------------------------------------------------------------------------- /tink/cc/pybind/prf.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_PRF_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_PRF_H_ 18 | 19 | #include "pybind11/pybind11.h" 20 | 21 | namespace crypto { 22 | namespace tink { 23 | 24 | void PybindRegisterPrf(pybind11::module* module); 25 | 26 | } // namespace tink 27 | } // namespace crypto 28 | 29 | #endif // TINK_PYTHON_TINK_CC_PYBIND_PRF_H_ 30 | -------------------------------------------------------------------------------- /tink/cc/pybind/public_key_sign.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_PUBLIC_KEY_SIGN_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_PUBLIC_KEY_SIGN_H_ 18 | 19 | #include "pybind11/pybind11.h" 20 | 21 | namespace crypto { 22 | namespace tink { 23 | 24 | void PybindRegisterPublicKeySign(pybind11::module* m); 25 | 26 | } // namespace tink 27 | } // namespace crypto 28 | 29 | #endif // TINK_PYTHON_TINK_CC_PYBIND_PUBLIC_KEY_SIGN_H_ 30 | -------------------------------------------------------------------------------- /tink/cc/pybind/public_key_verify.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_PUBLIC_KEY_VERIFY_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_PUBLIC_KEY_VERIFY_H_ 18 | #include "pybind11/pybind11.h" 19 | 20 | namespace crypto { 21 | namespace tink { 22 | 23 | void PybindRegisterPublicKeyVerify(pybind11::module* m); 24 | 25 | } // namespace tink 26 | } // namespace crypto 27 | 28 | #endif // TINK_PYTHON_TINK_CC_PYBIND_PUBLIC_KEY_VERIFY_H_ 29 | -------------------------------------------------------------------------------- /tink/cc/pybind/python_file_object_adapter.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_PYTHON_FILE_OBJECT_ADAPTER_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_PYTHON_FILE_OBJECT_ADAPTER_H_ 18 | 19 | #include "pybind11/pybind11.h" 20 | 21 | namespace crypto { 22 | namespace tink { 23 | 24 | void PybindRegisterPythonFileObjectAdapter(pybind11::module* m); 25 | 26 | } // namespace tink 27 | } // namespace crypto 28 | 29 | #endif // TINK_PYTHON_TINK_CC_PYBIND_PYTHON_FILE_OBJECT_ADAPTER_H_ 30 | -------------------------------------------------------------------------------- /tink/cc/pybind/streaming_aead.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #include "tink/cc/pybind/streaming_aead.h" 18 | 19 | #include "pybind11/pybind11.h" 20 | #include "tink/streaming_aead.h" 21 | 22 | namespace crypto { 23 | namespace tink { 24 | 25 | void PybindRegisterStreamingAead(pybind11::module* module) { 26 | namespace py = pybind11; 27 | py::module& m = *module; 28 | 29 | namespace py = pybind11; 30 | 31 | py::class_( 32 | m, "StreamingAead", 33 | "Interface for streaming authenticated encryption with associated data. " 34 | "Streaming encryption is typically used for encrypting large plaintexts " 35 | "such as large files. This interface supports a streaming interface for " 36 | "symmetric encryption with authentication. The underlying encryption " 37 | "modes " 38 | "are selected so that partial plaintext can be obtained fast by " 39 | "decrypting " 40 | "and authenticating just a part of the ciphertext.") 41 | 42 | // Intentionally empty. 43 | // 44 | // The wrapped CC primitive's only purpose is to be stored as a member 45 | // variable and later be passed to a wrapper function (which sidesteps 46 | // wrapped an OutputStream). Therefore Python doesn't need to know about 47 | // its methods, just that it exists. 48 | ; // NOLINT 49 | } 50 | 51 | } // namespace tink 52 | } // namespace crypto 53 | -------------------------------------------------------------------------------- /tink/cc/pybind/streaming_aead.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_STREAMING_AEAD_H_ 17 | #define TINK_PYTHON_TINK_CC_PYBIND_STREAMING_AEAD_H_ 18 | 19 | #include "pybind11/pybind11.h" 20 | 21 | namespace crypto { 22 | namespace tink { 23 | 24 | void PybindRegisterStreamingAead(pybind11::module* module); 25 | 26 | } // namespace tink 27 | } // namespace crypto 28 | 29 | #endif // TINK_PYTHON_TINK_CC_PYBIND_STREAMING_AEAD_H_ 30 | -------------------------------------------------------------------------------- /tink/cc/pybind/tink_exception.h: -------------------------------------------------------------------------------- 1 | // Copyright 2022 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #ifndef TINK_PYTHON_TINK_CC_PYBIND_TINK_EXCEPTION_H_ 18 | #define TINK_PYTHON_TINK_CC_PYBIND_TINK_EXCEPTION_H_ 19 | 20 | #include 21 | #include 22 | #include 23 | 24 | #include "absl/status/status.h" 25 | 26 | namespace pybind11 { 27 | namespace google_tink { 28 | 29 | class TinkException : public std::exception { 30 | public: 31 | explicit TinkException(const absl::Status& status) 32 | : error_code_(static_cast(status.code())), 33 | what_(status.ToString()) {} 34 | 35 | int error_code() const { 36 | return error_code_; 37 | } 38 | 39 | const char* what() const noexcept override { 40 | return what_.c_str(); 41 | } 42 | 43 | private: 44 | int error_code_; 45 | std::string what_; 46 | }; 47 | 48 | } // namespace google_tink 49 | } // namespace pybind11 50 | 51 | #endif // TINK_PYTHON_TINK_CC_PYBIND_TINK_EXCEPTION_H_ 52 | -------------------------------------------------------------------------------- /tink/cc/python_file_object_adapter.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | #ifndef TINK_PYTHON_TINK_CC_PYTHON_FILE_OBJECT_ADAPTER_H_ 18 | #define TINK_PYTHON_TINK_CC_PYTHON_FILE_OBJECT_ADAPTER_H_ 19 | 20 | #include 21 | 22 | #include "absl/status/status.h" 23 | #include "absl/status/statusor.h" 24 | #include "absl/strings/string_view.h" 25 | 26 | namespace crypto { 27 | namespace tink { 28 | 29 | // Adapts a Python file object for use in C++. 30 | // This is wrapped with pybind and implemented in Python. 31 | class PythonFileObjectAdapter { 32 | public: 33 | // Writes 'data' to the underlying Python file object and returns the number 34 | // of bytes written, which can be less than the size of 'data'. 35 | virtual absl::StatusOr Write(absl::string_view data) = 0; 36 | 37 | // Closes the underlying Python file object. 38 | virtual absl::Status Close() = 0; 39 | 40 | // Reads at most 'size' bytes from the underlying Python file object. Returns 41 | // UNKNOWN status with error message that contains "EOFError" if the file 42 | // object is alreday at EOF. 43 | virtual absl::StatusOr Read(int size) = 0; 44 | 45 | virtual ~PythonFileObjectAdapter() {} 46 | }; 47 | 48 | } // namespace tink 49 | } // namespace crypto 50 | 51 | #endif // TINK_PYTHON_TINK_CC_PYTHON_FILE_OBJECT_ADAPTER_H_ 52 | -------------------------------------------------------------------------------- /tink/cleartext_keyset_handle.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """CleartextKeysetHandle module. 15 | 16 | WARNING 17 | 18 | Reading or writing cleartext keysets is a bad practice, usage of this API 19 | should be restricted. Users can read encrypted keysets using 20 | tink.read_keyset_handle. 21 | """ 22 | 23 | from tink.proto import tink_pb2 24 | import tink 25 | 26 | 27 | def from_keyset(keyset: tink_pb2.Keyset) -> tink.KeysetHandle: 28 | """Create a KeysetHandle from a keyset.""" 29 | return tink.KeysetHandle._create(keyset) # pylint: disable=protected-access 30 | 31 | 32 | def read(keyset_reader: tink.KeysetReader) -> tink.KeysetHandle: 33 | """Create a KeysetHandle from a keyset_reader.""" 34 | keyset = keyset_reader.read() 35 | return tink.KeysetHandle._create(keyset) # pylint: disable=protected-access 36 | 37 | 38 | def write(keyset_writer: tink.KeysetWriter, 39 | keyset_handle: tink.KeysetHandle) -> None: 40 | """Serializes and writes the keyset.""" 41 | keyset_writer.write(keyset_handle._keyset) # pylint: disable=protected-access 42 | -------------------------------------------------------------------------------- /tink/core/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Core package.""" 16 | 17 | from tink.proto import tink_pb2 18 | from tink.core import _crypto_format 19 | from tink.core import _key_manager 20 | from tink.core import _primitive_set 21 | from tink.core import _primitive_wrapper 22 | from tink.core import _registry 23 | from tink.core import _tink_error 24 | 25 | 26 | KeyManager = _key_manager.KeyManager 27 | PrivateKeyManager = _key_manager.PrivateKeyManager 28 | 29 | KeyManagerCcToPyWrapper = _key_manager.KeyManagerCcToPyWrapper 30 | PrivateKeyManagerCcToPyWrapper = _key_manager.PrivateKeyManagerCcToPyWrapper 31 | 32 | Registry = _registry.Registry 33 | 34 | TinkError = _tink_error.TinkError 35 | use_tink_errors = _tink_error.use_tink_errors 36 | 37 | new_primitive_set = _primitive_set.new_primitive_set 38 | PrimitiveSet = _primitive_set.PrimitiveSet 39 | PrimitiveWrapper = _primitive_wrapper.PrimitiveWrapper 40 | 41 | crypto_format = _crypto_format 42 | 43 | 44 | class KeyAccess: 45 | """Base class for access tokens for Tink Keys.""" 46 | pass 47 | -------------------------------------------------------------------------------- /tink/core/_crypto_format.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Constants and convenience methods for the outputs handled by Tink.""" 16 | 17 | import struct 18 | 19 | from tink.proto import tink_pb2 20 | from tink.core import _tink_error 21 | 22 | TINK_START_BYTE = b'\x01' 23 | LEGACY_START_BYTE = b'\x00' 24 | RAW_PREFIX_SIZE = 0 25 | NON_RAW_PREFIX_SIZE = 5 26 | TINK_PREFIX_SIZE = NON_RAW_PREFIX_SIZE 27 | RAW_PREFIX = b'' 28 | 29 | 30 | def output_prefix(key: tink_pb2.Keyset.Key) -> bytes: 31 | """Generates the prefix for the outputs handled by the specified key.""" 32 | if key.output_prefix_type == tink_pb2.TINK: 33 | return struct.pack('>cL', TINK_START_BYTE, key.key_id) 34 | elif (key.output_prefix_type == tink_pb2.CRUNCHY or 35 | key.output_prefix_type == tink_pb2.LEGACY): 36 | return struct.pack('>cL', LEGACY_START_BYTE, key.key_id) 37 | elif key.output_prefix_type == tink_pb2.RAW: 38 | return b'' 39 | else: 40 | raise _tink_error.TinkError( 41 | 'The given key has invalid OutputPrefixType {}.'.format( 42 | key.output_prefix_type)) 43 | -------------------------------------------------------------------------------- /tink/core/_primitive_wrapper.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Basic interface for wrapping a primitive.""" 16 | 17 | import abc 18 | from typing import Generic, Type, TypeVar 19 | 20 | from tink.core import _primitive_set 21 | 22 | 23 | B = TypeVar('B') 24 | P = TypeVar('P') 25 | 26 | 27 | class PrimitiveWrapper(Generic[B, P], metaclass=abc.ABCMeta): 28 | """Basic interface for wrapping a primitive. 29 | 30 | A PrimitiveSet can be wrapped by a single primitive in order to fulfill a 31 | cryptographic task. This is done by the PrimitiveWrapper. Whenever a new 32 | primitive type is added to Tink, the user should define a new PrimitiveWrapper 33 | and register it by calling registry.registerPrimitiveWrapper(). 34 | 35 | The primitive of type B is wrapped into a primitive of type P. In most cases, 36 | B and P are the same. 37 | """ 38 | 39 | @abc.abstractmethod 40 | def wrap(self, pset: _primitive_set.PrimitiveSet) -> P: 41 | """Wraps a PrimitiveSet and returns a single primitive instance.""" 42 | raise NotImplementedError() 43 | 44 | @abc.abstractmethod 45 | def primitive_class(self) -> Type[P]: 46 | """Returns the class of the primitive produced by the wrapper.""" 47 | raise NotImplementedError() 48 | 49 | def input_primitive_class(self) -> Type[B]: 50 | """Returns the class of the primitive that gets wrapped.""" 51 | raise NotImplementedError() 52 | -------------------------------------------------------------------------------- /tink/core/_tink_error.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """This module defines basic exceptions in Tink.""" 16 | 17 | from tink.cc.pybind import tink_bindings 18 | 19 | KNOWN_STATUS_NOT_OK_TYPES = (tink_bindings.PythonTinkException,) 20 | 21 | 22 | def register_status_not_ok_type(status_not_ok_type): 23 | global KNOWN_STATUS_NOT_OK_TYPES 24 | if status_not_ok_type not in KNOWN_STATUS_NOT_OK_TYPES: 25 | assert issubclass(status_not_ok_type, Exception) 26 | KNOWN_STATUS_NOT_OK_TYPES += (status_not_ok_type,) 27 | 28 | 29 | def use_tink_errors(func): 30 | """Transforms StatusNotOk errors into TinkErrors.""" 31 | 32 | def wrapper(*args, **kwargs): 33 | try: 34 | return func(*args, **kwargs) 35 | except KNOWN_STATUS_NOT_OK_TYPES as e: 36 | raise TinkError(e) 37 | return wrapper 38 | 39 | 40 | class TinkError(Exception): 41 | """Common exception in Tink.""" 42 | -------------------------------------------------------------------------------- /tink/daead/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Deterministic aead package.""" 16 | 17 | from tink.daead import _deterministic_aead 18 | from tink.daead import _deterministic_aead_key_manager 19 | from tink.daead import _deterministic_aead_key_templates as deterministic_aead_key_templates 20 | 21 | 22 | DeterministicAead = _deterministic_aead.DeterministicAead 23 | register = _deterministic_aead_key_manager.register 24 | -------------------------------------------------------------------------------- /tink/daead/_deterministic_aead_key_templates.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Pre-generated KeyTemplate for DeterministicAead. 16 | 17 | One can use these templates to generate a new tink_pb2.Keyset with 18 | tink_pb2.KeysetHandle. To generate a new keyset that contains a single 19 | tink_pb2.HmacKey, one can do: 20 | handle = keyset_handle.KeysetHandle(aead_key_templates.AES128_EAX). 21 | """ 22 | 23 | import warnings 24 | 25 | from tink.proto import aes_siv_pb2 26 | from tink.proto import tink_pb2 27 | 28 | 29 | _AES_SIV_KEY_TYPE_URL = 'type.googleapis.com/google.crypto.tink.AesSivKey' 30 | 31 | 32 | def _create_aes_siv_key_template(key_size: int) -> tink_pb2.KeyTemplate: 33 | """Creates an AES EAX KeyTemplate, and fills in its values.""" 34 | key_format = aes_siv_pb2.AesSivKeyFormat( 35 | key_size=key_size, 36 | ) 37 | key_template = tink_pb2.KeyTemplate( 38 | type_url=_AES_SIV_KEY_TYPE_URL, 39 | output_prefix_type=tink_pb2.TINK, 40 | value=key_format.SerializeToString(), 41 | ) 42 | return key_template 43 | 44 | 45 | AES256_SIV = _create_aes_siv_key_template(key_size=64) 46 | 47 | 48 | # Deprecated. Use the predefined constant AES256_SIV instead. 49 | def create_aes_siv_key_template(key_size: int) -> tink_pb2.KeyTemplate: 50 | warnings.warn('The "create_aes_siv_key_template" function is deprecated.', 51 | DeprecationWarning, 2) 52 | return _create_aes_siv_key_template(key_size) 53 | -------------------------------------------------------------------------------- /tink/daead/_deterministic_aead_key_templates_test.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Tests for tink.python.tink.deterministic_aead_key_templates.""" 16 | 17 | from absl.testing import absltest 18 | from absl.testing import parameterized 19 | from tink.proto import aes_siv_pb2 20 | from tink.proto import tink_pb2 21 | from tink import daead 22 | 23 | 24 | class DeterministicAeadKeyTemplatesTest(parameterized.TestCase): 25 | 26 | def test_create_aes_siv_key_template(self): 27 | # Intentionally using 'weird' or invalid values for parameters, 28 | # to test that the function correctly puts them in the resulting template. 29 | template = None 30 | with self.assertWarns(DeprecationWarning): 31 | template = ( 32 | daead.deterministic_aead_key_templates.create_aes_siv_key_template( 33 | key_size=42)) 34 | self.assertEqual('type.googleapis.com/google.crypto.tink.AesSivKey', 35 | template.type_url) 36 | self.assertEqual(tink_pb2.TINK, template.output_prefix_type) 37 | key_format = aes_siv_pb2.AesSivKeyFormat() 38 | key_format.ParseFromString(template.value) 39 | self.assertEqual(42, key_format.key_size) 40 | 41 | if __name__ == '__main__': 42 | absltest.main() 43 | -------------------------------------------------------------------------------- /tink/hybrid/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Hybrid package.""" 16 | 17 | from tink.hybrid import _hybrid_decrypt 18 | from tink.hybrid import _hybrid_encrypt 19 | from tink.hybrid import _hybrid_key_manager 20 | from tink.hybrid import _hybrid_key_templates as hybrid_key_templates 21 | 22 | 23 | HybridDecrypt = _hybrid_decrypt.HybridDecrypt 24 | HybridEncrypt = _hybrid_encrypt.HybridEncrypt 25 | register = _hybrid_key_manager.register 26 | -------------------------------------------------------------------------------- /tink/integration/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | -------------------------------------------------------------------------------- /tink/integration/awskms/BUILD.bazel: -------------------------------------------------------------------------------- 1 | load("@rules_python//python:defs.bzl", "py_test") 2 | load("@tink_py_pip_deps//:requirements.bzl", "requirement") 3 | 4 | package(default_visibility = ["//:__subpackages__"]) 5 | 6 | py_library( 7 | name = "awskms", 8 | srcs = ["__init__.py"], 9 | srcs_version = "PY3", 10 | visibility = ["//visibility:public"], 11 | deps = [ 12 | ":_aws_kms_client", 13 | ], 14 | ) 15 | 16 | py_library( 17 | name = "_aws_kms_client", 18 | srcs = ["_aws_kms_client.py"], 19 | srcs_version = "PY3", 20 | deps = [ 21 | "//tink:tink_python", 22 | "//tink/aead", 23 | "//tink/core", 24 | requirement("boto3"), 25 | ], 26 | ) 27 | 28 | py_test( 29 | name = "_aws_kms_client_test", 30 | srcs = ["_aws_kms_client_test.py"], 31 | data = [ 32 | "//testdata/aws:bad_credentials", 33 | "//testdata/aws:credentials", 34 | ], 35 | srcs_version = "PY3", 36 | deps = [ 37 | ":_aws_kms_client", 38 | ":awskms", 39 | "//tink:tink_python", 40 | "//tink/testing:helper", 41 | requirement("absl-py"), 42 | requirement("boto3"), 43 | ], 44 | ) 45 | 46 | py_test( 47 | name = "_aws_kms_integration_test", 48 | srcs = ["_aws_kms_integration_test.py"], 49 | data = [ 50 | "//testdata/aws:bad_credentials", 51 | "//testdata/aws:credentials", 52 | ], 53 | srcs_version = "PY3", 54 | # This test require valid AWS KMS credentials so we set it as `manual`. 55 | tags = ["manual"], 56 | deps = [ 57 | ":awskms", 58 | "//tink:tink_python", 59 | "//tink/aead", 60 | "//tink/testing:helper", 61 | requirement("absl-py"), 62 | requirement("boto3"), 63 | ], 64 | ) 65 | -------------------------------------------------------------------------------- /tink/integration/awskms/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """AWS KMS integration package.""" 15 | 16 | try: 17 | # pylint: disable=g-import-not-at-top 18 | from tink.integration.awskms import _aws_kms_client 19 | except ImportError as import_error: 20 | raise ImportError( 21 | 'Error importing the Tink AWS KMS module; did you forget to install the' 22 | ' `tink[awskms]` extras?' 23 | ) from import_error 24 | 25 | AwsKmsClient = _aws_kms_client.AwsKmsClient 26 | 27 | new_client = _aws_kms_client.new_client 28 | -------------------------------------------------------------------------------- /tink/integration/gcpkms/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """GCP KMS package.""" 16 | 17 | try: 18 | # pylint: disable=g-import-not-at-top 19 | from tink.integration.gcpkms import _gcp_kms_client 20 | except ImportError as import_error: 21 | raise ImportError( 22 | 'Error importing the Tink Google Cloud KMS module; did you forget to' 23 | ' install the `tink[gcpkms]` extras?' 24 | ) from import_error 25 | 26 | GcpKmsClient = _gcp_kms_client.GcpKmsClient 27 | -------------------------------------------------------------------------------- /tink/integration/hcvault/BUILD.bazel: -------------------------------------------------------------------------------- 1 | load("@rules_python//python:defs.bzl", "py_test") 2 | load("@tink_py_pip_deps//:requirements.bzl", "requirement") 3 | 4 | package(default_visibility = ["//:__subpackages__"]) 5 | 6 | py_library( 7 | name = "hcvault", 8 | srcs = ["__init__.py"], 9 | srcs_version = "PY3", 10 | visibility = ["//visibility:public"], 11 | deps = [ 12 | ":_hcvault_kms_aead", 13 | ], 14 | ) 15 | 16 | py_library( 17 | name = "_hcvault_kms_aead", 18 | srcs = ["_hcvault_kms_aead.py"], 19 | srcs_version = "PY3", 20 | deps = [ 21 | "//tink:tink_python", 22 | "//tink/aead", 23 | "//tink/aead:_kms_aead_key_manager", 24 | "//tink/core", 25 | requirement("hvac"), 26 | ], 27 | ) 28 | 29 | py_test( 30 | name = "_hcvault_kms_aead_test", 31 | srcs = ["_hcvault_kms_aead_test.py"], 32 | srcs_version = "PY3", 33 | deps = [ 34 | ":hcvault", 35 | ":_hcvault_kms_aead", 36 | "//tink:tink_python", 37 | "//tink/testing:helper", 38 | requirement("absl-py"), 39 | ], 40 | ) 41 | 42 | py_test( 43 | name = "_hcvault_kms_integration_test", 44 | srcs = ["_hcvault_kms_integration_test.py"], 45 | srcs_version = "PY3", 46 | # This test require valid HashiCorp vault credentials so we set it as `manual`. 47 | tags = ["manual"], 48 | deps = [ 49 | ":hcvault", 50 | "//tink:tink_python", 51 | "//tink/aead", 52 | "//tink/aead:_kms_aead_key_manager", 53 | "//tink/testing:helper", 54 | requirement("absl-py"), 55 | ], 56 | ) 57 | -------------------------------------------------------------------------------- /tink/integration/hcvault/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2023 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """HashiCorp Vault KMS integration package.""" 15 | 16 | try: 17 | # pylint: disable=g-import-not-at-top 18 | from tink.integration.hcvault import _hcvault_kms_aead 19 | except ImportError as import_error: 20 | raise ImportError( 21 | 'Error importing the Tink HashiCorp Vault KMS module; did you forget to' 22 | ' install the `tink[hcvault]` extras?' 23 | ) from import_error 24 | 25 | new_aead = _hcvault_kms_aead.new_aead 26 | -------------------------------------------------------------------------------- /tink/internal/BUILD.bazel: -------------------------------------------------------------------------------- 1 | load("@rules_python//python:defs.bzl", "py_library", "py_test") 2 | load("@tink_py_pip_deps//:requirements.bzl", "requirement") 3 | 4 | package(default_visibility = ["//:__subpackages__"]) 5 | 6 | licenses(["notice"]) 7 | 8 | py_library( 9 | name = "big_integer_util", 10 | srcs = ["big_integer_util.py"], 11 | srcs_version = "PY3", 12 | ) 13 | 14 | py_test( 15 | name = "big_integer_util_test", 16 | srcs = ["big_integer_util_test.py"], 17 | srcs_version = "PY3", 18 | deps = [ 19 | ":big_integer_util", 20 | requirement("absl-py"), 21 | ], 22 | ) 23 | -------------------------------------------------------------------------------- /tink/internal/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | -------------------------------------------------------------------------------- /tink/internal/big_integer_util.py: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """This module contains some utility functions for big integers.""" 15 | 16 | 17 | def num_to_bytes(n: int) -> bytes: 18 | """Converts a non-negative n into an unsigned big integer in big-endian.""" 19 | if n < 0: 20 | raise OverflowError("number can't be negative") 21 | if n == 0: 22 | return b'\x00' 23 | return n.to_bytes((n.bit_length() + 7) // 8, byteorder='big') 24 | -------------------------------------------------------------------------------- /tink/internal/big_integer_util_test.py: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Tests for big_integer_util.""" 15 | 16 | from absl.testing import absltest 17 | from absl.testing import parameterized 18 | 19 | from tink.internal import big_integer_util 20 | 21 | 22 | class BigIntegerUtilTest(parameterized.TestCase): 23 | 24 | def test_bytes_to_num(self): 25 | for i in range(100000): 26 | big_int_bytes = big_integer_util.num_to_bytes(i) 27 | self.assertEqual(int.from_bytes(big_int_bytes, byteorder='big'), i) 28 | 29 | @parameterized.named_parameters( 30 | ('0', 0, b'\x00'), ('255', 255, b'\xff'), ('256', 256, b'\x01\x00'), 31 | ('65535', 65535, b'\xff\xff'), ('65536', 65536, b'\x01\x00\x00'), 32 | ('65537', 65537, b'\x01\x00\x01'), ('65538', 65538, b'\x01\x00\x02'), 33 | ('16909060', 16909060, b'\x01\x02\x03\x04')) 34 | def test_num_to_bytes(self, number, expected): 35 | self.assertEqual(big_integer_util.num_to_bytes(number), expected) 36 | 37 | def test_num_to_bytes_minus_one_overflow(self): 38 | with self.assertRaises(OverflowError): 39 | big_integer_util.num_to_bytes(-1) 40 | 41 | 42 | if __name__ == '__main__': 43 | absltest.main() 44 | -------------------------------------------------------------------------------- /tink/jwt/_json_util_test.py: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Tests for tink.python.tink.jwt._json_util.""" 15 | 16 | from absl.testing import absltest 17 | 18 | from tink.jwt import _json_util 19 | from tink.jwt import _jwt_error 20 | 21 | 22 | class JwtFormatTest(absltest.TestCase): 23 | 24 | def test_json_dumps(self): 25 | self.assertEqual( 26 | _json_util.json_dumps({'a': ['b', 1, True, None]}), 27 | '{"a":["b",1,true,null]}') 28 | 29 | def test_json_loads(self): 30 | self.assertEqual( 31 | _json_util.json_loads('{"a":["b",1,true,null]}'), 32 | {'a': ['b', 1, True, None]}) 33 | with self.assertRaises(_jwt_error.JwtInvalidError): 34 | _json_util.json_loads('{invalid') 35 | 36 | def test_json_loads_duplidate_entries_fails(self): 37 | with self.assertRaises(_jwt_error.JwtInvalidError): 38 | _json_util.json_loads('{"a":"a1", "a":"a2"}') 39 | 40 | def test_json_loads_with_invalid_utf16(self): 41 | with self.assertRaises(_jwt_error.JwtInvalidError): 42 | _json_util.json_loads(u'{"a":{"b":{"c":"\\uD834"}}}') 43 | with self.assertRaises(_jwt_error.JwtInvalidError): 44 | _json_util.json_loads(u'{"\\uD834":"b"}') 45 | with self.assertRaises(_jwt_error.JwtInvalidError): 46 | _json_util.json_loads(u'{"a":["a",{"b":["c","\\uD834"]}]}') 47 | 48 | 49 | if __name__ == '__main__': 50 | absltest.main() 51 | -------------------------------------------------------------------------------- /tink/jwt/_jwt_error.py: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Defines an Invalid JWT Error.""" 15 | 16 | from tink import core 17 | 18 | 19 | class JwtInvalidError(core.TinkError): 20 | pass 21 | -------------------------------------------------------------------------------- /tink/jwt/_jwt_public_key_sign.py: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Interface for JwtPublicKeySign.""" 15 | 16 | import abc 17 | from typing import Optional 18 | 19 | from tink.jwt import _raw_jwt 20 | 21 | 22 | class JwtPublicKeySign(metaclass=abc.ABCMeta): 23 | """Interface for creating a signed JWT. 24 | 25 | Sees RFC 7519 and RFC 7515. Security guarantees: similar to PublicKeySign. 26 | """ 27 | 28 | @abc.abstractmethod 29 | def sign_and_encode(self, raw_jwt: _raw_jwt.RawJwt) -> str: 30 | """Computes a signature and encodes the token. 31 | 32 | Args: 33 | raw_jwt: The RawJwt token to be signed and encoded. 34 | 35 | Returns: 36 | The signed token encoded in the JWS compact serialization format. 37 | Raises: 38 | tink.TinkError if the operation fails. 39 | """ 40 | raise NotImplementedError() 41 | 42 | 43 | class JwtPublicKeySignInternal(metaclass=abc.ABCMeta): 44 | """Internal interface for creating a signed JWT. 45 | 46 | "kid" is an optional value that is set by the wrapper for keys with output 47 | prefix TINK, and it is set to None for output prefix RAW. 48 | """ 49 | 50 | @abc.abstractmethod 51 | def sign_and_encode_with_kid(self, token: _raw_jwt.RawJwt, 52 | kid: Optional[str]) -> str: 53 | raise NotImplementedError() 54 | -------------------------------------------------------------------------------- /tink/mac/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Mac package.""" 15 | 16 | from tink.mac import _mac 17 | from tink.mac import _mac_key_manager 18 | from tink.mac import _mac_key_templates as mac_key_templates 19 | 20 | 21 | Mac = _mac.Mac 22 | register = _mac_key_manager.register 23 | -------------------------------------------------------------------------------- /tink/mac/_mac.py: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """This module defines the interface for MACs (Message Authentication Codes).""" 15 | 16 | import abc 17 | 18 | 19 | class Mac(metaclass=abc.ABCMeta): 20 | """Interface for MACs (Message Authentication Codes). 21 | 22 | This interface should be used for authentication only, and not for other 23 | purposes (e.g., it should not be used to generate pseudorandom bytes). 24 | """ 25 | 26 | @abc.abstractmethod 27 | def compute_mac(self, data: bytes) -> bytes: 28 | """Computes the message authentication code (MAC) for data. 29 | 30 | Args: 31 | data: bytes, the input data. 32 | Returns: 33 | The resulting MAC as bytes. 34 | Raises: 35 | google3.third_party.tink.python.tink.tink_error.TinkError if the 36 | computation fails. 37 | """ 38 | raise NotImplementedError() 39 | 40 | @abc.abstractmethod 41 | def verify_mac(self, mac_value: bytes, data: bytes) -> None: 42 | """Verifies if mac is a correct authentication code (MAC) for data. 43 | 44 | Args: 45 | mac_value: bytes. The mac to be checked. 46 | data: bytes. The data to be checked. 47 | Raises: 48 | google3.third_party.tink.python.tink.tink_error.TinkError if the 49 | verification fails. 50 | """ 51 | raise NotImplementedError() 52 | -------------------------------------------------------------------------------- /tink/mac/_mac_key_manager.py: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Python wrapper of the wrapped C++ MAC key manager.""" 15 | 16 | from tink import core 17 | from tink.cc.pybind import tink_bindings 18 | from tink.mac import _mac 19 | from tink.mac import _mac_wrapper 20 | 21 | 22 | class _MacCcToPyWrapper(_mac.Mac): 23 | """Transforms C++ Mac primitive into a Python primitive.""" 24 | 25 | def __init__(self, cc_primitive: tink_bindings.Mac): 26 | self._cc_mac = cc_primitive 27 | 28 | @core.use_tink_errors 29 | def compute_mac(self, data: bytes) -> bytes: 30 | return self._cc_mac.compute_mac(data) 31 | 32 | @core.use_tink_errors 33 | def verify_mac(self, mac_value: bytes, data: bytes) -> None: 34 | self._cc_mac.verify_mac(mac_value, data) 35 | 36 | 37 | def register(): 38 | tink_bindings.register() 39 | 40 | for key_type_identifier in ('HmacKey', 'AesCmacKey',): 41 | type_url = 'type.googleapis.com/google.crypto.tink.' + key_type_identifier 42 | key_manager = core.KeyManagerCcToPyWrapper( 43 | tink_bindings.MacKeyManager.from_cc_registry(type_url), _mac.Mac, 44 | _MacCcToPyWrapper) 45 | core.Registry.register_key_manager(key_manager, new_key_allowed=True) 46 | core.Registry.register_primitive_wrapper(_mac_wrapper.MacWrapper()) 47 | -------------------------------------------------------------------------------- /tink/prf/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """PrfSet package.""" 15 | 16 | from tink.prf import _prf_key_manager 17 | from tink.prf import _prf_key_templates as prf_key_templates 18 | from tink.prf import _prf_set 19 | 20 | Prf = _prf_set.Prf 21 | PrfSet = _prf_set.PrfSet 22 | register = _prf_key_manager.register 23 | -------------------------------------------------------------------------------- /tink/prf/_prf_key_manager.py: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Python wrapper of the wrapped C++ PRF Set key manager.""" 16 | 17 | from tink import core 18 | from tink.cc.pybind import tink_bindings 19 | from tink.prf import _prf_set 20 | from tink.prf import _prf_set_wrapper 21 | 22 | 23 | class PrfCcToPyWrapper(_prf_set.Prf): 24 | """Transforms C++ Prf primitive into a Python Prf primitive.""" 25 | 26 | def __init__(self, cc_primitive: tink_bindings.Prf): 27 | self._cc_primitive = cc_primitive 28 | 29 | @core.use_tink_errors 30 | def compute(self, input_data: bytes, output_length: int) -> bytes: 31 | return self._cc_primitive.compute(input_data, output_length) 32 | 33 | 34 | def register() -> None: 35 | """Registers all PrfSet key managers and PrfSet wrapper in the Registry.""" 36 | tink_bindings.register() 37 | for ident in ( 38 | 'AesCmacPrfKey', 39 | 'HmacPrfKey', 40 | 'HkdfPrfKey', 41 | ): 42 | type_url = 'type.googleapis.com/google.crypto.tink.{}'.format(ident) 43 | key_manager = core.KeyManagerCcToPyWrapper( 44 | tink_bindings.PrfKeyManager.from_cc_registry(type_url), 45 | _prf_set.Prf, PrfCcToPyWrapper) 46 | core.Registry.register_key_manager(key_manager, new_key_allowed=True) 47 | core.Registry.register_primitive_wrapper(_prf_set_wrapper.PrfSetWrapper()) 48 | -------------------------------------------------------------------------------- /tink/proto/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | -------------------------------------------------------------------------------- /tink/proto/aes_cmac.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2017 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | option java_package = "com.google.crypto.tink.proto"; 22 | option java_multiple_files = true; 23 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/aes_cmac_go_proto"; 24 | 25 | message AesCmacParams { 26 | uint32 tag_size = 1; 27 | } 28 | 29 | // key_type: type.googleapis.com/google.crypto.tink.AesCmacKey 30 | message AesCmacKey { 31 | uint32 version = 1; 32 | bytes key_value = 2; // Placeholder for ctype and debug_redact. 33 | AesCmacParams params = 3; 34 | } 35 | 36 | message AesCmacKeyFormat { 37 | uint32 key_size = 1; 38 | AesCmacParams params = 2; 39 | } 40 | -------------------------------------------------------------------------------- /tink/proto/aes_cmac_prf.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | option java_package = "com.google.crypto.tink.proto"; 22 | option java_multiple_files = true; 23 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/aes_cmac_prf_go_proto"; 24 | 25 | // key_type: type.googleapis.com/google.crypto.tink.AesCmacPrfKey 26 | message AesCmacPrfKey { 27 | uint32 version = 1; 28 | bytes key_value = 2; // Placeholder for ctype and debug_redact. 29 | } 30 | 31 | message AesCmacPrfKeyFormat { 32 | uint32 version = 2; 33 | uint32 key_size = 1; 34 | } 35 | -------------------------------------------------------------------------------- /tink/proto/aes_ctr.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2017 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | option java_package = "com.google.crypto.tink.proto"; 22 | option java_multiple_files = true; 23 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/aes_ctr_go_proto"; 24 | 25 | message AesCtrParams { 26 | uint32 iv_size = 1; 27 | } 28 | 29 | message AesCtrKeyFormat { 30 | AesCtrParams params = 1; 31 | uint32 key_size = 2; 32 | } 33 | 34 | // key_type: type.googleapis.com/google.crypto.tink.AesCtrKey 35 | message AesCtrKey { 36 | uint32 version = 1; 37 | AesCtrParams params = 2; 38 | bytes key_value = 3; // Placeholder for ctype and debug_redact. 39 | } 40 | -------------------------------------------------------------------------------- /tink/proto/aes_ctr_hmac_aead.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2017 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | import "tink/proto/aes_ctr.proto"; 22 | import "tink/proto/hmac.proto"; 23 | 24 | option java_package = "com.google.crypto.tink.proto"; 25 | option java_multiple_files = true; 26 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/aes_ctr_hmac_aead_go_proto"; 27 | 28 | message AesCtrHmacAeadKeyFormat { 29 | AesCtrKeyFormat aes_ctr_key_format = 1; 30 | HmacKeyFormat hmac_key_format = 2; 31 | } 32 | 33 | // key_type: type.googleapis.com/google.crypto.tink.AesCtrHmacAeadKey 34 | message AesCtrHmacAeadKey { 35 | uint32 version = 1; 36 | AesCtrKey aes_ctr_key = 2; 37 | HmacKey hmac_key = 3; 38 | } 39 | -------------------------------------------------------------------------------- /tink/proto/aes_ctr_hmac_streaming.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2017 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | import "tink/proto/common.proto"; 22 | import "tink/proto/hmac.proto"; 23 | 24 | option java_package = "com.google.crypto.tink.proto"; 25 | option java_multiple_files = true; 26 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/aes_ctr_hmac_streaming_go_proto"; 27 | 28 | message AesCtrHmacStreamingParams { 29 | uint32 ciphertext_segment_size = 1; 30 | uint32 derived_key_size = 2; // size of AES-CTR keys derived for each segment 31 | HashType hkdf_hash_type = 3; // hash function for key derivation via HKDF 32 | HmacParams hmac_params = 4; // params for authentication tags 33 | } 34 | 35 | message AesCtrHmacStreamingKeyFormat { 36 | uint32 version = 3; 37 | AesCtrHmacStreamingParams params = 1; 38 | uint32 key_size = 2; // size of the main key (aka. "ikm", input key material) 39 | } 40 | 41 | // key_type: type.googleapis.com/google.crypto.tink.AesCtrHmacStreamingKey 42 | message AesCtrHmacStreamingKey { 43 | uint32 version = 1; 44 | AesCtrHmacStreamingParams params = 2; 45 | bytes key_value = 3 ; // Placeholder for multi-line ctype and debug_redact. // the main key, aka. "ikm", input key material 46 | } 47 | -------------------------------------------------------------------------------- /tink/proto/aes_eax.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2017 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | option java_package = "com.google.crypto.tink.proto"; 22 | option java_multiple_files = true; 23 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/aes_eax_go_proto"; 24 | 25 | // only allowing tag size in bytes = 16 26 | message AesEaxParams { 27 | // possible value is 12 or 16 bytes. 28 | uint32 iv_size = 1; 29 | } 30 | 31 | message AesEaxKeyFormat { 32 | AesEaxParams params = 1; 33 | uint32 key_size = 2; 34 | } 35 | 36 | // key_type: type.googleapis.com/google.crypto.tink.AesEaxKey 37 | message AesEaxKey { 38 | uint32 version = 1; 39 | AesEaxParams params = 2; 40 | bytes key_value = 3; // Placeholder for ctype and debug_redact. 41 | } 42 | -------------------------------------------------------------------------------- /tink/proto/aes_gcm_hkdf_streaming.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2017 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | // Definitions for streaming encryption using AES-GCM 18 | // with HKDF as key derivation function. 19 | syntax = "proto3"; 20 | 21 | package google.crypto.tink; 22 | 23 | import "tink/proto/common.proto"; 24 | 25 | option java_package = "com.google.crypto.tink.proto"; 26 | option java_multiple_files = true; 27 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/aes_gcm_hkdf_streaming_go_proto"; 28 | 29 | message AesGcmHkdfStreamingParams { 30 | uint32 ciphertext_segment_size = 1; 31 | uint32 derived_key_size = 2; // size of AES-GCM keys derived for each segment 32 | HashType hkdf_hash_type = 3; 33 | } 34 | 35 | message AesGcmHkdfStreamingKeyFormat { 36 | uint32 version = 3; 37 | AesGcmHkdfStreamingParams params = 1; 38 | uint32 key_size = 2; // size of the main key (aka. "ikm", input key material) 39 | } 40 | 41 | // key_type: type.googleapis.com/google.crypto.tink.AesGcmHkdfStreamingKey 42 | message AesGcmHkdfStreamingKey { 43 | uint32 version = 1; 44 | AesGcmHkdfStreamingParams params = 2; 45 | bytes key_value = 3; // Placeholder for ctype and debug_redact. 46 | } 47 | -------------------------------------------------------------------------------- /tink/proto/aes_gcm_siv.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | option java_package = "com.google.crypto.tink.proto"; 22 | option java_multiple_files = true; 23 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/aes_gcm_siv_go_proto"; 24 | 25 | // The only allowed IV size is 12 bytes and tag size is 16 bytes. 26 | // Thus, accept no params. 27 | message AesGcmSivKeyFormat { 28 | uint32 key_size = 2; 29 | uint32 version = 1; 30 | } 31 | 32 | // key_type: type.googleapis.com/google.crypto.tink.AesGcmSivKey 33 | message AesGcmSivKey { 34 | uint32 version = 1; 35 | bytes key_value = 3; // Placeholder for ctype and debug_redact. 36 | } 37 | -------------------------------------------------------------------------------- /tink/proto/aes_siv.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2017 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | option java_package = "com.google.crypto.tink.proto"; 22 | option java_multiple_files = true; 23 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/aes_siv_go_proto"; 24 | 25 | // Tink implements RFC 5297 (https://www.rfc-editor.org/rfc/rfc5297) for 26 | // AES-SIV, putting the SIV/Tag at the beginning of the ciphertext. 27 | // 28 | // While the RFC 5297 supports a list of associated datas, Tink only supports 29 | // exactly one associated data, which corresponds to a list with one element in 30 | // RFC 5297. An empty associated data is a list with one empty element, and not 31 | // an empty list. 32 | 33 | message AesSivKeyFormat { 34 | // Only valid value is: 64. 35 | uint32 key_size = 1; 36 | uint32 version = 2; 37 | } 38 | 39 | // key_type: type.googleapis.com/google.crypto.tink.AesSivKey 40 | message AesSivKey { 41 | uint32 version = 1; 42 | // First half is AES-CTR key, second is AES-SIV. 43 | bytes key_value = 2; // Placeholder for ctype and debug_redact. 44 | } 45 | -------------------------------------------------------------------------------- /tink/proto/chacha20_poly1305.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2017 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | option java_package = "com.google.crypto.tink.proto"; 22 | option java_multiple_files = true; 23 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/chacha20_poly1305_go_proto"; 24 | 25 | message ChaCha20Poly1305KeyFormat {} 26 | 27 | // key_type: type.googleapis.com/google.crypto.tink.ChaCha20Poly1305. 28 | // This key type actually implements ChaCha20Poly1305 as described 29 | // at https://tools.ietf.org/html/rfc7539#section-2.8. 30 | message ChaCha20Poly1305Key { 31 | uint32 version = 1; 32 | bytes key_value = 2; // Placeholder for ctype and debug_redact. 33 | } 34 | -------------------------------------------------------------------------------- /tink/proto/common.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2017 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | // Definitions for common cryptographic enum types. 18 | syntax = "proto3"; 19 | 20 | package google.crypto.tink; 21 | 22 | option java_package = "com.google.crypto.tink.proto"; 23 | option java_multiple_files = true; 24 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/common_go_proto"; 25 | 26 | enum EllipticCurveType { 27 | UNKNOWN_CURVE = 0; 28 | NIST_P256 = 2; 29 | NIST_P384 = 3; 30 | NIST_P521 = 4; 31 | CURVE25519 = 5; 32 | } 33 | 34 | enum EcPointFormat { 35 | UNKNOWN_FORMAT = 0; 36 | UNCOMPRESSED = 1; 37 | COMPRESSED = 2; 38 | // Like UNCOMPRESSED but without the \x04 prefix. Crunchy uses this format. 39 | // DO NOT USE unless you are a Crunchy user moving to Tink. 40 | DO_NOT_USE_CRUNCHY_UNCOMPRESSED = 3; 41 | } 42 | 43 | enum HashType { 44 | UNKNOWN_HASH = 0; 45 | SHA1 = 1; // Using SHA1 for digital signature is deprecated but HMAC-SHA1 is 46 | // fine. 47 | SHA384 = 2; 48 | SHA256 = 3; 49 | SHA512 = 4; 50 | SHA224 = 5; 51 | } 52 | -------------------------------------------------------------------------------- /tink/proto/ed25519.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2017 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | // Definitions for Ed25519 Digital Signature Algorithm. 18 | // See https://ed25519.cr.yp.to/ed25519-20110926.pdf and 19 | // https://tools.ietf.org/html/rfc8032. 20 | syntax = "proto3"; 21 | 22 | package google.crypto.tink; 23 | 24 | option java_package = "com.google.crypto.tink.proto"; 25 | option java_multiple_files = true; 26 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/ed25519_go_proto"; 27 | 28 | message Ed25519KeyFormat { 29 | uint32 version = 1; 30 | } 31 | 32 | // key_type: type.googleapis.com/google.crypto.tink.Ed25519PublicKey 33 | message Ed25519PublicKey { 34 | // Required. 35 | uint32 version = 1; 36 | // The public key is 32 bytes, encoded according to 37 | // https://tools.ietf.org/html/rfc8032#section-5.1.2. 38 | // Required. 39 | bytes key_value = 2; // Placeholder for ctype. 40 | } 41 | 42 | // key_type: type.googleapis.com/google.crypto.tink.Ed25519PrivateKey 43 | message Ed25519PrivateKey { 44 | // Required. 45 | uint32 version = 1; 46 | // The private key is 32 bytes of cryptographically secure random data. 47 | // See https://tools.ietf.org/html/rfc8032#section-5.1.5. 48 | // Required. 49 | bytes key_value = 2; // Placeholder for ctype and debug_redact. 50 | // The corresponding public key. 51 | Ed25519PublicKey public_key = 3; 52 | } 53 | -------------------------------------------------------------------------------- /tink/proto/empty.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2017 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | option java_package = "com.google.crypto.tink.proto"; 22 | option java_multiple_files = true; 23 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/empty_go_proto"; 24 | 25 | message Empty {} 26 | -------------------------------------------------------------------------------- /tink/proto/hkdf_prf.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | import "tink/proto/common.proto"; 22 | 23 | option java_package = "com.google.crypto.tink.proto"; 24 | option java_multiple_files = true; 25 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/hkdf_prf_proto"; 26 | 27 | message HkdfPrfParams { 28 | HashType hash = 1; 29 | // Optional. 30 | // 31 | // An unspecified or zero-length value is equivalent to a sequence of zeros 32 | // (0x00) with a length equal to the output size of hash. 33 | // 34 | // See https://rfc-editor.org/rfc/rfc5869. 35 | bytes salt = 2; 36 | } 37 | 38 | message HkdfPrfKey { 39 | uint32 version = 1; 40 | HkdfPrfParams params = 2; 41 | bytes key_value = 3; // Placeholder for ctype and debug_redact. 42 | } 43 | 44 | message HkdfPrfKeyFormat { 45 | HkdfPrfParams params = 1; 46 | uint32 key_size = 2; 47 | uint32 version = 3; 48 | } 49 | -------------------------------------------------------------------------------- /tink/proto/hmac.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2017 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | import "tink/proto/common.proto"; 22 | 23 | option java_package = "com.google.crypto.tink.proto"; 24 | option java_multiple_files = true; 25 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/hmac_go_proto"; 26 | 27 | message HmacParams { 28 | HashType hash = 1; // HashType is an enum. 29 | uint32 tag_size = 2; 30 | } 31 | 32 | // key_type: type.googleapis.com/google.crypto.tink.HmacKey 33 | message HmacKey { 34 | uint32 version = 1; 35 | HmacParams params = 2; 36 | bytes key_value = 3; // Placeholder for ctype and debug_redact. 37 | } 38 | 39 | message HmacKeyFormat { 40 | HmacParams params = 1; 41 | uint32 key_size = 2; 42 | uint32 version = 3; 43 | } 44 | -------------------------------------------------------------------------------- /tink/proto/hmac_prf.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | import "tink/proto/common.proto"; 22 | 23 | option java_package = "com.google.crypto.tink.proto"; 24 | option java_multiple_files = true; 25 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/hmac_prf_go_proto"; 26 | 27 | message HmacPrfParams { 28 | HashType hash = 1; // HashType is an enum. 29 | } 30 | 31 | // key_type: type.googleapis.com/google.crypto.tink.HmacPrfKey 32 | message HmacPrfKey { 33 | uint32 version = 1; 34 | HmacPrfParams params = 2; 35 | bytes key_value = 3; // Placeholder for ctype and debug_redact. 36 | } 37 | 38 | message HmacPrfKeyFormat { 39 | HmacPrfParams params = 1; 40 | uint32 key_size = 2; 41 | uint32 version = 3; 42 | } 43 | -------------------------------------------------------------------------------- /tink/proto/jwt_hmac.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2020 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | option java_package = "com.google.crypto.tink.proto"; 22 | option java_multiple_files = true; 23 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/jwt_hmac_go_proto"; 24 | 25 | // See https://datatracker.ietf.org/doc/html/rfc7518#section-3.2 26 | enum JwtHmacAlgorithm { 27 | HS_UNKNOWN = 0; 28 | HS256 = 1; // HMAC using SHA-256 29 | HS384 = 2; // HMAC using SHA-384 30 | HS512 = 3; // HMAC using SHA-512 31 | } 32 | 33 | // key_type: type.googleapis.com/google.crypto.tink.JwtHmacKey 34 | message JwtHmacKey { 35 | uint32 version = 1; 36 | JwtHmacAlgorithm algorithm = 2; 37 | bytes key_value = 3; // Placeholder for ctype and debug_redact. 38 | 39 | // Optional, custom kid header value to be used with "RAW" keys. 40 | // "TINK" keys with this value set will be rejected. 41 | message CustomKid { 42 | string value = 1; 43 | } 44 | CustomKid custom_kid = 4; 45 | } 46 | 47 | message JwtHmacKeyFormat { 48 | uint32 version = 1; 49 | JwtHmacAlgorithm algorithm = 2; 50 | uint32 key_size = 3; 51 | } 52 | -------------------------------------------------------------------------------- /tink/proto/kms_aead.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2017 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | option java_package = "com.google.crypto.tink.proto"; 22 | option java_multiple_files = true; 23 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/kms_aead_go_proto"; 24 | 25 | message KmsAeadKeyFormat { 26 | // Required. 27 | // The location of a KMS key. 28 | // With Google Cloud KMS, valid values have this format: 29 | // gcp-kms://projects/*/locations/*/keyRings/*/cryptoKeys/*. 30 | // With AWS KMS, valid values have this format: 31 | // aws-kms://arn:aws:kms:::key/ 32 | string key_uri = 1; 33 | } 34 | 35 | // There is no actual key material in the key. 36 | message KmsAeadKey { 37 | uint32 version = 1; 38 | // The key format also contains the params. 39 | KmsAeadKeyFormat params = 2; 40 | } 41 | -------------------------------------------------------------------------------- /tink/proto/kms_envelope.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2017 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | import "tink/proto/tink.proto"; 22 | 23 | option java_package = "com.google.crypto.tink.proto"; 24 | option java_multiple_files = true; 25 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/kms_envelope_go_proto"; 26 | 27 | message KmsEnvelopeAeadKeyFormat { 28 | // Required. 29 | // The location of the KEK in a remote KMS. 30 | // With Google Cloud KMS, valid values have this format: 31 | // gcp-kms://projects/*/locations/*/keyRings/*/cryptoKeys/*. 32 | // With AWS KMS, valid values have this format: 33 | // aws-kms://arn:aws:kms:::key/ 34 | string kek_uri = 1; 35 | // Key template of the Data Encryption Key, e.g., AesCtrHmacAeadKeyFormat. 36 | // Required. 37 | KeyTemplate dek_template = 2; 38 | } 39 | 40 | // There is no actual key material in the key. 41 | message KmsEnvelopeAeadKey { 42 | uint32 version = 1; 43 | // The key format also contains the params. 44 | KmsEnvelopeAeadKeyFormat params = 2; 45 | } 46 | -------------------------------------------------------------------------------- /tink/proto/ml_dsa.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | /////////////////////////////////////////////////////////////////////////////// 16 | 17 | // Protos for Module-Lattice Digital Signature Algorithm (ML-DSA). 18 | // See https://csrc.nist.gov/pubs/fips/204/final. 19 | syntax = "proto3"; 20 | 21 | package google.crypto.tink; 22 | 23 | option java_package = "com.google.crypto.tink.proto"; 24 | option java_multiple_files = true; 25 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/ml_dsa_proto"; 26 | 27 | enum MlDsaInstance { 28 | ML_DSA_UNKNOWN_INSTANCE = 0; 29 | ML_DSA_65 = 1; 30 | } 31 | 32 | message MlDsaParams { 33 | // Required. 34 | MlDsaInstance ml_dsa_instance = 1; 35 | } 36 | 37 | message MlDsaKeyFormat { 38 | // Required. 39 | uint32 version = 1; 40 | // Required. 41 | MlDsaParams params = 2; 42 | } 43 | 44 | // key_type: type.googleapis.com/google.crypto.tink.MlDsaPublicKey 45 | message MlDsaPublicKey { 46 | // Required. 47 | uint32 version = 1; 48 | // Required. 49 | bytes key_value = 2; 50 | // Required. 51 | MlDsaParams params = 3; 52 | } 53 | 54 | // key_type: type.googleapis.com/google.crypto.tink.MlDsaPrivateKey 55 | message MlDsaPrivateKey { 56 | // Required. 57 | uint32 version = 1; 58 | // Required. Note that this contains the seed used to generate the private 59 | // key, not the private key itself. 60 | bytes key_value = 2; 61 | // The corresponding public key. 62 | MlDsaPublicKey public_key = 3; 63 | } 64 | -------------------------------------------------------------------------------- /tink/proto/prf_based_deriver.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | import "tink/proto/tink.proto"; 22 | 23 | option java_package = "com.google.crypto.tink.proto"; 24 | option java_multiple_files = true; 25 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/prf_based_deriver_go_proto"; 26 | 27 | message PrfBasedDeriverParams { 28 | KeyTemplate derived_key_template = 1; 29 | } 30 | 31 | message PrfBasedDeriverKeyFormat { 32 | KeyTemplate prf_key_template = 1; 33 | PrfBasedDeriverParams params = 2; 34 | } 35 | 36 | // key_type: type.googleapis.com/google.crypto.tink.PrfBasedDeriverKey 37 | message PrfBasedDeriverKey { 38 | uint32 version = 1; 39 | KeyData prf_key = 2; 40 | PrfBasedDeriverParams params = 3; 41 | } 42 | -------------------------------------------------------------------------------- /tink/proto/test_proto.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2021 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | syntax = "proto3"; 17 | 18 | package google.crypto.tink; 19 | 20 | option java_package = "com.google.crypto.tink.proto"; 21 | option java_multiple_files = true; 22 | 23 | message TestProto { 24 | uint64 num = 1; 25 | bytes str = 2; // Placeholder for ctype. 26 | } 27 | 28 | message NestedTestProto { 29 | TestProto a = 1; 30 | TestProto b = 2; 31 | uint64 num = 3; 32 | bytes str = 4; // Placeholder for ctype. 33 | } 34 | 35 | message TestProtoWithoutCtype { 36 | bytes str = 1; 37 | } 38 | -------------------------------------------------------------------------------- /tink/proto/x_aes_gcm.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2024 Google LLC 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | option java_package = "com.google.crypto.tink.proto"; 22 | option java_multiple_files = true; 23 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/x_aes_gcm_go_proto"; 24 | 25 | message XAesGcmParams { 26 | // Must be at least 8 bytes and at most 12 bytes. 27 | uint32 salt_size = 1; 28 | } 29 | 30 | message XAesGcmKeyFormat { 31 | uint32 version = 1; 32 | reserved 2; 33 | XAesGcmParams params = 3; 34 | } 35 | 36 | // key_type: type.googleapis.com/google.crypto.tink.XAesGcmKey 37 | message XAesGcmKey { 38 | uint32 version = 1; 39 | XAesGcmParams params = 2; 40 | bytes key_value = 3; 41 | } 42 | -------------------------------------------------------------------------------- /tink/proto/xchacha20_poly1305.proto: -------------------------------------------------------------------------------- 1 | // Copyright 2018 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | 17 | syntax = "proto3"; 18 | 19 | package google.crypto.tink; 20 | 21 | option java_package = "com.google.crypto.tink.proto"; 22 | option java_multiple_files = true; 23 | option go_package = "github.com/tink-crypto/tink-go/v2/proto/xchacha20_poly1305_go_proto"; 24 | 25 | message XChaCha20Poly1305KeyFormat { 26 | uint32 version = 1; 27 | } 28 | 29 | // key_type: type.googleapis.com/google.crypto.tink.XChaCha20Poly1305Key 30 | message XChaCha20Poly1305Key { 31 | uint32 version = 1; 32 | bytes key_value = 3; // Placeholder for ctype and debug_redact. 33 | } 34 | -------------------------------------------------------------------------------- /tink/secret_key_access.py: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Gives access to secret Tink keys and keysets. 15 | 16 | WARNING 17 | 18 | Reading or writing secret keys is a bad practice, usage of this API should be 19 | restricted. 20 | """ 21 | 22 | from tink import _secret_key_access 23 | 24 | SecretKeyAccess = _secret_key_access.SecretKeyAccess 25 | TOKEN = _secret_key_access.TOKEN 26 | -------------------------------------------------------------------------------- /tink/secret_key_access_import_test.py: -------------------------------------------------------------------------------- 1 | # Copyright 2023 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Tests for secret_key_access.""" 15 | 16 | from absl.testing import absltest 17 | 18 | import tink 19 | from tink import aead 20 | from tink import daead 21 | from tink import hybrid 22 | from tink import jwt 23 | from tink import mac 24 | from tink import prf 25 | from tink import signature 26 | from tink import streaming_aead 27 | 28 | 29 | class SecretKeyAccessImportTest(absltest.TestCase): 30 | 31 | def test_tink_secret_key_access_not_imported(self): 32 | _ = tink 33 | _ = aead 34 | _ = daead 35 | _ = hybrid 36 | _ = jwt 37 | _ = mac 38 | _ = prf 39 | _ = signature 40 | _ = streaming_aead 41 | self.assertFalse(hasattr(tink, "secret_key_access")) 42 | 43 | 44 | if __name__ == "__main__": 45 | absltest.main() 46 | -------------------------------------------------------------------------------- /tink/secret_key_access_test.py: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """Tests for secret_key_access.""" 15 | 16 | from absl.testing import absltest 17 | 18 | import tink 19 | from tink import secret_key_access 20 | 21 | 22 | class OtherKeyAccess(tink.KeyAccess): 23 | pass 24 | 25 | 26 | class SecretKeyAccessTest(absltest.TestCase): 27 | 28 | def test_has_secret_access(self): 29 | self.assertTrue( 30 | tink.has_secret_key_access(secret_key_access.TOKEN)) 31 | 32 | def test_public_key_access_does_not_have_secret_access(self): 33 | self.assertFalse( 34 | tink.has_secret_key_access(tink.PUBLIC_KEY_ACCESS_TOKEN)) 35 | 36 | def test_other_key_access_does_not_have_secret_access(self): 37 | other_token = OtherKeyAccess() 38 | self.assertFalse(tink.has_secret_key_access(other_token)) 39 | 40 | 41 | if __name__ == '__main__': 42 | absltest.main() 43 | -------------------------------------------------------------------------------- /tink/signature/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Signature package.""" 16 | 17 | from tink.signature import _public_key_sign 18 | from tink.signature import _public_key_verify 19 | from tink.signature import _signature_key_manager 20 | from tink.signature import _signature_key_templates as signature_key_templates 21 | 22 | 23 | PublicKeySign = _public_key_sign.PublicKeySign 24 | PublicKeyVerify = _public_key_verify.PublicKeyVerify 25 | register = _signature_key_manager.register 26 | -------------------------------------------------------------------------------- /tink/signature/_public_key_sign.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Interface for PublicKeySign.""" 16 | 17 | import abc 18 | 19 | 20 | class PublicKeySign(metaclass=abc.ABCMeta): 21 | """Interface for public key signing. 22 | 23 | Digital Signatures provide functionality of signing data and verification of 24 | the signatures. They are represented by a pair of primitives (interfaces) 25 | 'PublicKeySign' for signing of data, and 'PublicKeyVerify' for verification 26 | of signatures. Implementations of these interfaces are secure against 27 | adaptive chosen-message attacks. Signing data ensures the authenticity and 28 | the integrity of that data, but not its secrecy. 29 | """ 30 | 31 | @abc.abstractmethod 32 | def sign(self, data: bytes) -> bytes: 33 | """Computes the signature for data. 34 | 35 | Args: 36 | data: bytes, the input data. 37 | Returns: 38 | The signature as bytes. 39 | """ 40 | raise NotImplementedError() 41 | -------------------------------------------------------------------------------- /tink/signature/_public_key_verify.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Interface for PublicKeyVerify.""" 16 | 17 | import abc 18 | 19 | 20 | class PublicKeyVerify(metaclass=abc.ABCMeta): 21 | """Interface for public key verifying. 22 | 23 | Digital Signatures provide functionality of signing data and verification of 24 | the signatures. They are represented by a pair of primitives (interfaces) 25 | 'PublicKeySign' for signing of data, and 'PublicKeyVerify' for verification 26 | of signatures. Implementations of these interfaces are secure against 27 | adaptive chosen-message attacks. Signing data ensures the authenticity and 28 | the integrity of that data, but not its secrecy. 29 | """ 30 | 31 | @abc.abstractmethod 32 | def verify(self, signature: bytes, data: bytes) -> bytes: 33 | """Verifies that signature is a digital signature for data. 34 | 35 | Args: 36 | signature: The signature bytes to be checked. 37 | data: The data bytes to be checked. 38 | 39 | Raises: 40 | tink.TinkError if the verification fails. 41 | """ 42 | raise NotImplementedError() 43 | -------------------------------------------------------------------------------- /tink/streaming_aead/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """StreamingAead package.""" 16 | 17 | from tink.streaming_aead import _streaming_aead 18 | from tink.streaming_aead import _streaming_aead_key_manager 19 | from tink.streaming_aead import _streaming_aead_key_templates as streaming_aead_key_templates 20 | 21 | 22 | StreamingAead = _streaming_aead.StreamingAead 23 | register = _streaming_aead_key_manager.register 24 | -------------------------------------------------------------------------------- /tink/testing/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | -------------------------------------------------------------------------------- /tink/testing/fake_kms.py: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | """A client for Fake KMS.""" 15 | 16 | import base64 17 | from typing import Optional 18 | 19 | import tink 20 | from tink import aead 21 | from tink import secret_key_access 22 | 23 | 24 | FAKE_KMS_PREFIX = 'fake-kms://' 25 | 26 | 27 | class FakeKmsClient(tink.KmsClient): 28 | """A fake KMS client.""" 29 | 30 | def __init__(self, key_uri: Optional[str] = None): 31 | if not key_uri: 32 | self._key_uri = None 33 | elif key_uri.startswith(FAKE_KMS_PREFIX): 34 | self._key_uri = key_uri 35 | else: 36 | raise tink.TinkError('invalid key URI') 37 | 38 | def does_support(self, key_uri: str) -> bool: 39 | if not key_uri.startswith(FAKE_KMS_PREFIX): 40 | return False 41 | if not self._key_uri: 42 | return True 43 | return key_uri == self._key_uri 44 | 45 | def get_aead(self, key_uri: str) -> aead.Aead: 46 | if not key_uri.startswith(FAKE_KMS_PREFIX): 47 | raise tink.TinkError('invalid key URI') 48 | key_id = key_uri[len(FAKE_KMS_PREFIX) :] 49 | serialized_key = base64.urlsafe_b64decode(key_id.encode('utf-8') + b'===') 50 | handle = tink.proto_keyset_format.parse( 51 | serialized_key, secret_key_access.TOKEN 52 | ) 53 | return handle.primitive(aead.Aead) 54 | 55 | 56 | def register_client(key_uri=None, credentials_path=None) -> None: 57 | """Registers a fake KMS client.""" 58 | _ = credentials_path 59 | tink.register_kms_client(FakeKmsClient(key_uri)) 60 | -------------------------------------------------------------------------------- /tink/tink_config.py: -------------------------------------------------------------------------------- 1 | # Copyright 2019 Google LLC 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | """Static methods for handling of Tink configurations.""" 16 | 17 | from tink import aead 18 | from tink import daead 19 | from tink import hybrid 20 | from tink import mac 21 | from tink import prf 22 | from tink import signature 23 | from tink import streaming_aead 24 | 25 | 26 | def register(): 27 | aead.register() 28 | daead.register() 29 | hybrid.register() 30 | mac.register() 31 | prf.register() 32 | signature.register() 33 | streaming_aead.register() 34 | -------------------------------------------------------------------------------- /tools/BUILD.bazel: -------------------------------------------------------------------------------- 1 | package(default_visibility = ["//visibility:public"]) 2 | 3 | licenses(["notice"]) 4 | -------------------------------------------------------------------------------- /tools/distribution/requirements.in: -------------------------------------------------------------------------------- 1 | build 2 | delocate 3 | pip 4 | setuptools 5 | wheel 6 | --------------------------------------------------------------------------------