How to use one of the ENABLED keyId from multi key keySet file?

tink-crypto / tink

Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.

https://developers.google.com/tink

Apache License 2.0

13.5k stars 1.18k forks source link

How to use one of the ENABLED keyId from multi key keySet file? #567

Closed xmlking closed 2 years ago

xmlking commented 2 years ago

if I have a multiple active keys in a keyset, how do I specify which KeyId I want to use to encrypt using Aead API?

{
    "primaryKeyId": 1268760993,
    "key": [
        {
            "keyData": {
                "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
                "value": "aaaaaa",
                "keyMaterialType": "SYMMETRIC"
            },
            "status": "ENABLED",
            "keyId": 1268760993,
            "outputPrefixType": "TINK"
        },
        {
            "keyData": {
                "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
                "value": "bbbbb",
                "keyMaterialType": "SYMMETRIC"
            },
            "status": "ENABLED",
            "keyId": 851085696,
            "outputPrefixType": "TINK"
        }
    ]
}

morambro commented 2 years ago

Hi @xmlking sorry for not replying earlier. One way to do so is for example in C++ using the KeysetManager API; to use a key with ID keyId:

Call KeysetManager::SetKeyId(keyId)
Get a KeysetManager::GetKeysetHandle()
Get a (wrapped) primitive with KeysetHandle::GetPrimitive()

The wrapped primitive (in this case AeadSetWrapper) will encrypt with the primary key, and decrypt with the key whose ID is set as a prefix of the ciphertext.

morambro commented 2 years ago

I am going to close this issue. Feel free to reopen it if you have further questions!