tink-crypto / tink

Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
https://developers.google.com/tink
Apache License 2.0

Wrap keyset with DeterministicAead #650

Closed ghost closed 1 year ago

ghost commented 1 year ago

The keyset handle does not support AES SIV DeterministicAead to write a keyset.

juergw commented 1 year ago

Yes, this is currently not supported, and we currently don't have plans to add it.

But you can implement this yourself, if you first serialize the keyset, and then encrypt it using a DeterministicAead. In Java, this would be:

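```java
import com.google.crypto.tink.DeterministicAead;
import com.google.crypto.tink.InsecureSecretKeyAccess;
import com.google.crypto.tink.TinkProtoKeysetFormat;

// Serialize the keyset in cleartext; this requires explicit secret key access.
byte[] serializedKeyset =
    TinkProtoKeysetFormat.serializeKeyset(keysetHandle, InsecureSecretKeyAccess.get());
// Encrypt the serialized bytes with a DeterministicAead from the wrapping keyset.
DeterministicAead daead = keysetEncryptionKeysetHandle.getPrimitive(DeterministicAead.class);
byte[] encryptedKeyset = daead.encryptDeterministically(serializedKeyset, associatedData);
```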

Other languages would be similar, but you'll need to use the CleartextKeysetHandle and the BinaryKeysetWriter.
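A round trip for the approach described in the reply above, including the unwrap side, written as an added example that is not part of the original thread or the Tink project's own code. The class name, the `wrap`/`unwrap` helpers, the key templates chosen and the associated-data labels are assumptions made for illustration.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.DeterministicAead;
import com.google.crypto.tink.InsecureSecretKeyAccess;
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.TinkProtoKeysetFormat;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.daead.DeterministicAeadConfig;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

public final class DaeadKeysetWrapExample { // hypothetical class name
  // Serialize the keyset in cleartext, then encrypt the bytes with the wrapping key.
  static byte[] wrap(KeysetHandle keyset, DeterministicAead kek, byte[] ad)
      throws GeneralSecurityException {
    byte[] serialized = TinkProtoKeysetFormat.serializeKeyset(keyset, InsecureSecretKeyAccess.get());
    return kek.encryptDeterministically(serialized, ad);
  }

  // Decrypt with the same associated data, then parse the bytes back into a handle.
  static KeysetHandle unwrap(byte[] wrapped, DeterministicAead kek, byte[] ad)
      throws GeneralSecurityException {
    return TinkProtoKeysetFormat.parseKeyset(
        kek.decryptDeterministically(wrapped, ad), InsecureSecretKeyAccess.get());
  }

  public static void main(String[] args) throws GeneralSecurityException {
    AeadConfig.register();
    DeterministicAeadConfig.register();
    KeysetHandle dataKeyset = KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM"));
    DeterministicAead kek = KeysetHandle.generateNew(KeyTemplates.get("AES256_SIV"))
        .getPrimitive(DeterministicAead.class);
    byte[] ad = "keyset:orders-db".getBytes(StandardCharsets.UTF_8); // constructed label
    byte[] none = new byte[0];

    byte[] ct = dataKeyset.getPrimitive(Aead.class)
        .encrypt("hello".getBytes(StandardCharsets.UTF_8), none);
    byte[] wrapped = wrap(dataKeyset, kek, ad);
    // The restored keyset must decrypt data produced before wrapping.
    Aead restored = unwrap(wrapped, kek, ad).getPrimitive(Aead.class);
    System.out.println(new String(restored.decrypt(ct, none), StandardCharsets.UTF_8));
    try {
      unwrap(wrapped, kek, "keyset:other".getBytes(StandardCharsets.UTF_8));
    } catch (GeneralSecurityException e) {
      System.out.println("wrong associated data rejected"); // binding to the label holds
    }
  }
}
```

Because the wrapping is deterministic, the same serialized keyset encrypted under the same key and associated data always yields the same bytes, so stored blobs reveal when two wrapped keysets are identical.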