subscriptions-project / encryption

Apache License 2.0

Request to update import statement #14

Closed apoorvmote closed 3 years ago

apoorvmote commented 3 years ago

On the encryption script the following is the import

import (
        ...
    tinkpb "github.com/google/tink/proto/tink_go_proto"
        ...
)

There is no package at path github.com/google/tink/proto/tink_go_proto

My suspicion is that the package has moved to the new path github.com/google/tink/go/proto/tink_go_proto

The same dependencies are wrong in the encryption package also.

Please fix it.

Also I was able to create a public/private key using AWS KMS by modifying the gcp_key_gen script. Would you guys want it? I have never created a pull request before. Also it's not that difficult to use AWS KMS. So do you guys want to create it yourself instead? I would really like an AWS KMS script for everyone.

elijahsoria commented 3 years ago

Thanks for catching that error, Apoorv! I'll spend some time in the next few days updating the packages on our end and ensure our Tink integration works once again.

AWS integration would be awesome. We only tried GCP during our testing and didn't have time to add AWS support previously, but it would be great to have. If you have time to make a pull request with your changes, I will review it. You can add in the script directly here and I can try creating a PR later on if you don't want to go through the review process yourself. I don't have time to come up with a script on my own at the moment unfortunately.

Thanks again!

apoorvmote commented 3 years ago

I followed the PR tutorial on free code camp and created a PR on this repo. Please verify it. I created an awskms branch that you may want to merge with master.

I do not care about having my own License. I have put a placeholder MIT license. You can change it to the Google open source license if you want. I do care about adding a backlink to my website for my contribution. You'd be surprised that 1/3rd of my website traffic comes from GitHub. See if you can accommodate my website link somehow.

I'll spend some time in the next few days updating the packages on our end and ensure our Tink integration works once again.

I know you don't have time, and even if you do fix it, it is still encrypting a single input HTML file to a single output HTML file. What if I have 100 pages that need encryption, or 1,000s? What if you want to integrate this encryption workflow inside a CI/CD setup? I know it's possible, but developers are left to fend for themselves.

Encryption is really important to me, especially encryption at scale, and I would like to help out wherever I can. I personally use Hugo SSG to build AMP pages. So in a perfect world encryption would be part of the Hugo library, but I don't mind taking the SSG output public folder and looping through the files to add encryption. This way it's applicable for any static pages output.

apoorvmote commented 3 years ago

To be honest, I absolutely gave up on the AMP framework. I had already built NextJS SSR as a backup plan (NextJS without AMP). Then I saw a presentation of Tinkey. What sold me was their tagline

Encryption for non crypto people.

So I thought even though I have to write my own script it should be doable. They showed how difficult it was with OpenSSL and Google's forks of OpenSSL, and how Tinkey solves all the problems. So even if I am the first guy to run it in production, I should be ok.

apoorvmote commented 3 years ago

I just fixed the dependencies and encrypted HTML file. But how is this supposed to work?

This is my input (placeholder Lorem Ipsum text)

<section class="paywall" subscriptions-section="content" encrypted>
  <p>
    Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed feugiat est arcu, ut malesuada turpis consectetur id. Vestibulum ligula lorem, facilisis a urna sit amet, dictum vulputate elit. Ut efficitur tempor faucibus. Morbi in blandit mauris. Vestibulum felis ante, maximus ac vehicula bibendum, aliquet non est. Vivamus at quam malesuada, elementum est non, tempor lorem. Cras lacinia neque at rutrum ullamcorper. Nunc vehicula eleifend lacus a ornare. Morbi erat ante, molestie sed elit nec, tincidunt finibus nunc. Quisque interdum neque posuere, feugiat enim ac, facilisis leo. Vestibulum blandit felis ut purus malesuada pharetra.
  </p>
</section>

Output is as follows

<section class="paywall" subscriptions-section="content" encrypted="">
  <p>
    Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed feugiat est arcu, ut malesuada turpis consectetur id. Vestibulum ligula lorem, facilisis a urna sit amet, dictum vulputate elit. Ut efficitur tempor faucibus. Morbi in blandit mauris. Vestibulum felis ante, maximus ac vehicula bibendum, aliquet non est. Vivamus at quam malesuada, elementum est non, tempor lorem. Cras lacinia neque at rutrum ullamcorper. Nunc vehicula eleifend lacus a ornare. Morbi erat ante, molestie sed elit nec, tincidunt finibus nunc. Quisque interdum neque posuere, feugiat enim ac, facilisis leo. Vestibulum blandit felis ut purus malesuada pharetra.
  </p>
  <script type="application/octet-stream" ciphertext="">y0sj2cRMQCmtnkLQhQZPrMeStQMGARLDv/wYZVOl6rK3jSETEB5VWhBmqcX5d6fCzRh8IJnAt7g9uYfF6neFl0REKBOyfGOYz1NCk9OlZdUqcFzAZDkfX8hFlW2viYajaLfOAArQZYNvgMjkXysk4DqjMqqZRI62aMVbZFMbnWQArNWR+ZV6d7c5QlxZLper8s/9kDJhT4nH/SaNjpQIMeZ022qI3cU9IuFSRgPrltVjwQ==</script>
</section>

In the output HTML file, at the bottom of the head, the following script is added

<head>
  ...
  <script type="application/json" cryptokeys="">{
"google.com":"AH+P/AbDWhJUwsKRepcjiQtbAUKA3zKrqCAz8a1VThRPJswRzFZE8H9qGrH35yGpDFgMUCR+Moyrxvt1f4fuSV2TR5fgwftU+VkdG67LVxXMacEegYUY16LvRTyqDT452AQVQ7HZTQd8UnUq0E9nCExpM4MYPQX44sADb2DVJRkowOqTLvbd6YgLvCNdgJEJ+kHLe4j40aerAWvxuDGhUhf+V7xvhqJur4ogWsb+ln8lpA==",
 "local":"AXW5Nb8E9kEZn1KzGbZbQik4q3Kl0tOKWdmmPIxZ1W8ylf+55H5j6j+X6wZvgkSchcaTj2m+Nir0dJPYMERlU3zS/GzMbSR8Wfm7hiDqLLXNtlGNWtoVkMaEMt7glFnBywyoUqacYiz+4GjFpAz0BZ27gx779eBvbuGvbA36Ci6O2BknWqpifAvlyeMmqZ1vh2NYkxZEeZUGLSgVfJ/jWiWUZ2PLgo47StHVrmnF/SSuQEA="
    }
  </script>
</head>

And I do receive local key at authorize endpoint.

console.log(event.queryStringParameters)

And the log I get is as follows

{
  ...
  crypt: 'AXW5Nb8E9kEZn1KzGbZbQik4q3Kl0tOKWdmmPIxZ1W8ylf+55H5j6j+X6wZvgkSchcaTj2m+Nir0dJPYMERlU3zS/GzMbSR8Wfm7hiDqLLXNtlGNWtoVkMaEMt7glFnBywyoUqacYiz+4GjFpAz0BZ27gx779eBvbuGvbA36Ci6O2BknWqpifAvlyeMmqZ1vh2NYkxZEeZUGLSgVfJ/jWiWUZ2PLgo47StHVrmnF/SSuQEA=',
...  
}

Now I am using a serverless lambda from AWS for the auth endpoint that's written in NodeJS 12.x. However I am proficient in golang 1.x lambda also. So how do I decode at the lambda with either NodeJS or golang?

elijahsoria commented 3 years ago
  • Shouldn't my original Lorem Ipsum text be removed from output?

Yes it should. Not removing it is a bug in the script which I will have to fix. You can remove all content within the <section> tag that is outside of the <script> and it should work as expected.

  • When I deploy webpage and delete class="paywall" or subscription-section="content" from chrome inspect then I can see premium content even with encryption added. How can this be fixed?

If you remove the unencrypted portion of the section, is it still there? subscription-section="content" (and encrypted) must be included in the <section> tag in order for AMP to serve the document correctly.

Now I am using a serverless lambda from AWS for the auth endpoint that's written in NodeJS 12.x. However I am proficient in golang 1.x lambda also. So how do I decode at the lambda with either NodeJS or golang?

The keys are base64 encoded, so you will have to decode it server side in order to authenticate the request. A general overview of how to integrate encryption into your authorizer can be found here. Unfortunately I don't have any example servers to share, just the overview.
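The two halves of the exchange discussed in the last two comments, as an added example that is not part of this issue or of the subscriptions-project/encryption script: the publisher side that produces the ciphertext-only `<section>` and the per-provider wrapped document keys that go into the cryptokeys block, and the provider side that base64-decodes the `crypt` query parameter, unwraps it with the provider's private key, and returns the document key. It uses only the Go standard library: AES-256-GCM for the content, and RSA-OAEP in place of Tink's hybrid encryption for wrapping the document key, so the wire format is not compatible with the real script's Tink keysets, but the key flow is the same. The names `Section`, `EncryptSection`, `Authorize`, `DecryptContent` and `NewProviderKey`, and the sample input, are constructed for this example; a real authorizer would call Tink's HybridDecrypt with the private key held in KMS, and the exact shape of the authorizer's JSON response is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Section is one encrypted paywall block: ciphertext-only markup plus the per-provider wrapped keys.
type Section struct {
	HTML       string
	Ciphertext []byte            // nonce||AES-256-GCM ciphertext of the inner HTML
	CryptoKeys map[string]string // provider name -> base64 wrapped document key (cryptokeys entries)
}

// NewProviderKey generates a provider key pair; in production the private half stays in KMS.
func NewProviderKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// gcm256 returns AES-256-GCM; callers guarantee a 32-byte key, so neither constructor can fail.
func gcm256(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// EncryptSection encrypts innerHTML under a fresh document key and wraps that key for each
// provider's public key. Only ciphertext reaches the markup; the plaintext is never copied through.
func EncryptSection(innerHTML string, providers map[string]*rsa.PublicKey) (*Section, error) {
	buf := make([]byte, 32+12) // fresh document key followed by a GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	docKey, nonce := buf[:32], buf[32:]
	s := &Section{
		Ciphertext: gcm256(docKey).Seal(nonce, nonce, []byte(innerHTML), nil),
		CryptoKeys: map[string]string{},
	}
	for name, pub := range providers {
		// RSA-OAEP stands in for Tink's hybrid encryption: same public-key wrap, no Tink dependency.
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, docKey, nil)
		if err != nil {
			return nil, err
		}
		s.CryptoKeys[name] = base64.StdEncoding.EncodeToString(wrapped)
	}
	s.HTML = `<section class="paywall" subscriptions-section="content" encrypted=""><script type="application/octet-stream" ciphertext="">` +
		base64.StdEncoding.EncodeToString(s.Ciphertext) + `</script></section>`
	return s, nil
}

// Authorize is the provider-side step the thread asks about: `crypt` carries the provider's own
// cryptokeys entry, so base64-decode it, unwrap it with the private key, and return the document key.
func Authorize(cryptParam string, priv *rsa.PrivateKey) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(cryptParam)
	if err != nil {
		return "", fmt.Errorf("crypt is not valid base64: %w", err)
	}
	docKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob, nil)
	if err != nil {
		return "", fmt.Errorf("document key unwrap failed: %w", err)
	}
	return base64.StdEncoding.EncodeToString(docKey), nil
}

// DecryptContent is the client-side step once the key is back; tampering fails GCM authentication.
func DecryptContent(documentKeyB64 string, ciphertext []byte) (string, error) {
	docKey, err := base64.StdEncoding.DecodeString(documentKeyB64)
	if err != nil || len(docKey) != 32 {
		return "", fmt.Errorf("document key must be 32 base64-encoded bytes")
	}
	aead := gcm256(docKey)
	if len(ciphertext) < aead.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	plain, err := aead.Open(nil, ciphertext[:aead.NonceSize()], ciphertext[aead.NonceSize():], nil)
	return string(plain), err
}

func main() {
	priv := NewProviderKey()
	sec, err := EncryptSection("<p>Lorem ipsum dolor sit amet.</p>", map[string]*rsa.PublicKey{"local": &priv.PublicKey}) // constructed input
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext left in output:", strings.Contains(sec.HTML, "Lorem ipsum")) // false
	key, _ := Authorize(sec.CryptoKeys["local"], priv) // cannot fail for the provider's own key
	fmt.Println(DecryptContent(key, sec.Ciphertext))
}
```

The `strings.Contains` line in `main` is the check worth running against the real script's output given the leftover-plaintext bug discussed above: the emitted `<section>` keeps `subscriptions-section="content"` and `encrypted=""` but carries only the ciphertext `<script>`, so removing those attributes in DevTools, as tried earlier in the thread, reveals nothing because the plaintext is not in the page at all. On the provider side, `Authorize` rejects malformed base64 and any `crypt` value not wrapped for this provider's key, which is the behaviour a lambda authorizer needs before it can decide whether to hand the document key back.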

apoorvmote commented 3 years ago

I am still waiting for PR to get merged. :worried:

I came up with an idea that I think you should suggest in the tutorials or maybe the Readme file.

I understand that encryption needs to be done one file at a time. So even if I had 100's of files to encrypt, I would do them one at a time and put them in the static/public folder, the folder in any framework that is designated for publishing files as is, without any modification. That is how I am publishing the scs/public.json public key from the static folder. This will require some manual fiddling with navigation to add links to the encrypted files instead of automatically generating them from any framework.

So this is a Request for Comments I think :thinking:. Let me know how you feel about it.

apoorvmote commented 3 years ago

@elijahsoria Thank you for merging my PR. But I am really looking forward to the updates you have in the pipeline. It looks like a big rewrite of the encryption script, not just fixing the proto dependency.

elijahsoria commented 3 years ago

@apoorvmote I tried to replicate the bug that the script didn't remove the original text from the encrypted output but I wasn't able to. Do you have a sample input that caused this behavior?

apoorvmote commented 3 years ago

@elijahsoria I just ran it again and it has both the normal text and the encrypted text. You can see input.html and output.html on the GitHub gist. Search for section class="paywall" subscriptions-section="content" encrypted in both input and output.

Few caveats.

elijahsoria commented 3 years ago

Sorry, closed accidentally.

elijahsoria commented 3 years ago

@apoorvmote The latest PR should fix the issue. I ran it with your input and was able to get a correctly formatted output. Let me know if that is all! Thanks again for working on this!

apoorvmote commented 3 years ago

@elijahsoria I ran the test. And it works perfectly :ok_hand:. So this particular issue is completely resolved :partying_face:. Not that it matters, but I tested with the newly updated go 1.15.7 and it works.

Now I will work on decrypting the key :key: at the authorizer with a lambda function written :writing_hand: in golang. I may need help with that. But if all goes well then I would like to publish an example here, if you will have it.

Literally at the same time you merged the PR, AWS SDK for Golang V2 became generally available. It is supposed to be a big improvement over V1. And of course go 1.15.7 was also released at the same time.

elijahsoria commented 3 years ago

Of course. Glad everything is going well!