examples/python/envelope/envelope.py - third_party/tink - Git at Google

 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS-IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 """A command-line utility for envelope encryption with GCP.

 It requires 5 arguments:
   mode: Can be "encrypt" or "decrypt" to encrypt/decrypt the input to the
         output.
   gcp-credentials: Name of the file with the GCP credentials in JSON.
   key-uri: The key-uri used for envelope encryption.
   input-file: Read the input from this file.
   output-file: Write the result to this file.
 """

 from __future__ import absolute_import
 from __future__ import division
 # Placeholder for import for type annotations
 from __future__ import print_function

 from absl import app
 from absl import logging

 import tink
 from tink import aead
 from tink.integration import gcpkms


 def main(argv):
   if len(argv) != 6:
     raise app.UsageError(
         'Expected 5 arguments, got %d.\n'
         'Usage: %s gcp-credentials key-uri input-file output-file [decrypt]' %
         (len(argv) - 1, argv[0]))

   mode = argv[1]
   gcp_credentials = argv[2]
   key_uri = argv[3]
   input_file_path = argv[4]
   output_file_path = argv[5]

   # Initialise Tink.
   try:
     aead.register()
   except tink.TinkError as e:
     logging.error('Error initialising Tink: %s', e)
     return 1

   # Read the GCP credentials and setup client
   try:
     gcp_client = gcpkms.GcpKmsClient(key_uri, gcp_credentials)
     gcp_aead = gcp_client.get_aead(key_uri)
   except tink.TinkError as e:
     logging.error('Error initializing GCP client: %s', e)
     return 1

   # Create envelope AEAD primitive using AES256 GCM for encrypting the data
   try:
     key_template = aead.aead_key_templates.AES256_GCM
     env_aead = aead.KmsEnvelopeAead(key_template, gcp_aead)
   except tink.TinkError as e:
     logging.error('Error creating primitive: %s', e)
     return 1

   with open(input_file_path, 'rb') as input_file:
     input_data = input_file.read()
     if mode == 'decrypt':
       output_data = env_aead.decrypt(input_data, b'envelope_example')
     elif mode == 'encrypt':
       output_data = env_aead.encrypt(input_data, b'envelope_example')
     else:
       logging.error(
           'Error mode not supported. Please choose "encrypt" or "decrypt".')
       return 1

     with open(output_file_path, 'wb') as output_file:
       output_file.write(output_data)

 if __name__ == '__main__':
   app.run(main)
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS-IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	"""A command-line utility for envelope encryption with GCP.

	It requires 5 arguments:
	mode: Can be "encrypt" or "decrypt" to encrypt/decrypt the input to the
	output.
	gcp-credentials: Name of the file with the GCP credentials in JSON.
	key-uri: The key-uri used for envelope encryption.
	input-file: Read the input from this file.
	output-file: Write the result to this file.
	"""

	from __future__ import absolute_import
	from __future__ import division
	# Placeholder for import for type annotations
	from __future__ import print_function

	from absl import app
	from absl import logging

	import tink
	from tink import aead
	from tink.integration import gcpkms


	def main(argv):
	if len(argv) != 6:
	raise app.UsageError(
	'Expected 5 arguments, got %d.\n'
	'Usage: %s gcp-credentials key-uri input-file output-file [decrypt]' %
	(len(argv) - 1, argv[0]))

	mode = argv[1]
	gcp_credentials = argv[2]
	key_uri = argv[3]
	input_file_path = argv[4]
	output_file_path = argv[5]

	# Initialise Tink.
	try:
	aead.register()
	except tink.TinkError as e:
	logging.error('Error initialising Tink: %s', e)
	return 1

	# Read the GCP credentials and setup client
	try:
	gcp_client = gcpkms.GcpKmsClient(key_uri, gcp_credentials)
	gcp_aead = gcp_client.get_aead(key_uri)
	except tink.TinkError as e:
	logging.error('Error initializing GCP client: %s', e)
	return 1

	# Create envelope AEAD primitive using AES256 GCM for encrypting the data
	try:
	key_template = aead.aead_key_templates.AES256_GCM
	env_aead = aead.KmsEnvelopeAead(key_template, gcp_aead)
	except tink.TinkError as e:
	logging.error('Error creating primitive: %s', e)
	return 1

	with open(input_file_path, 'rb') as input_file:
	input_data = input_file.read()
	if mode == 'decrypt':
	output_data = env_aead.decrypt(input_data, b'envelope_example')
	elif mode == 'encrypt':
	output_data = env_aead.encrypt(input_data, b'envelope_example')
	else:
	logging.error(
	'Error mode not supported. Please choose "encrypt" or "decrypt".')
	return 1

	with open(output_file_path, 'wb') as output_file:
	output_file.write(output_data)

	if __name__ == '__main__':
	app.run(main)