Convert AeadParameters to KeyTemplate and vice versa #22

Open
beatrausch opened this issue Jan 22, 2024 · 2 comments
@beatrausch

Is your feature request related to a problem?
We are using the AEAD envelope encryption. We are planning to store the DEK KeyTemplate with the encrypted data so that we know which template to use for decryption.
What is the intended way to come from a KeyTemplate to the related Parameters?

    template = AeadKeyTemplates.createKmsEnvelopeAeadKeyTemplate(reference.getKeyURI(), AeadKeyTemplates.AES128_GCM);

    parameters = /* ? */

    Aead aead = KmsEnvelopeAead.create(parameters, remoteAead);

What sort of feature would you like to see?
Util method to convert AeadParameters to a KeyTemplate and vice versa

Have you considered any alternative solutions?
We were not able to figure out how to convert parameters to key templates

Thx, Regards

@tholenst
Contributor

Thanks for the report.

There are several ways; in your particular case I would directly create the corresponding parameters object.

    LegacyKmsEnvelopeAeadParameters parameters =
        LegacyKmsEnvelopeAeadParameters.builder()
            .setKekUri(reference.getKeyURI())
            .setDekParsingStrategy(
                LegacyKmsEnvelopeAeadParameters.DekParsingStrategy.ASSUME_AES_GCM)
            .setDekParametersForNewKeys(
                AesGcmParameters.builder()
                    .setIvSizeBytes(12)
                    .setKeySizeBytes(16)
                    .setTagSizeBytes(16)
                    .setVariant(AesGcmParameters.Variant.NO_PREFIX)
                    .build())
            .build();

I know this is more verbose, but it tells you a few things:

  1. For new DEKs we will use the above parameter set.
  2. For old DEKs, we will assume that they are AES GCM keys.

Note that in order for things to work properly they need to fit, but it also is clear that you cannot easily change this.

More generally, it is always possible to convert a com.google.crypto.tink.proto.KeyTemplate into parameters with TinkProtoParametersFormat.parse(t.toByteArray()).
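The conversion discussed in this thread, as an added example that is not code from either participant or from the Tink project: it serializes the DEK parameters for storage, parses them back, and parses the template from the question. It assumes Tink Java with `TinkProtoParametersFormat.serialize`; the class name, the helper names and the exact-match acceptance check are hypothetical choices for illustration.

```java
import com.google.crypto.tink.Parameters;
import com.google.crypto.tink.TinkProtoParametersFormat;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.AeadKeyTemplates;
import com.google.crypto.tink.aead.AesGcmParameters;
import java.security.GeneralSecurityException;

public final class DekParametersRoundTrip {
  /** Parameters -> bytes that can be stored next to the ciphertext. */
  static byte[] toStoredBytes(Parameters parameters) throws GeneralSecurityException {
    return TinkProtoParametersFormat.serialize(parameters);
  }

  /**
   * Bytes -> Parameters. Stored bytes are treated as untrusted input: anything
   * other than the one expected parameter set is rejected (assumed policy).
   */
  static AesGcmParameters fromStoredBytes(byte[] stored, AesGcmParameters expected)
      throws GeneralSecurityException {
    Parameters parsed = TinkProtoParametersFormat.parse(stored);
    if (!expected.equals(parsed)) {
      throw new GeneralSecurityException("stored DEK parameters not allowed: " + parsed);
    }
    return (AesGcmParameters) parsed;
  }

  public static void main(String[] args) throws GeneralSecurityException {
    // Registers the parsers and serializers for the AEAD parameter classes.
    AeadConfig.register();

    // Same DEK parameters as in the comment above.
    AesGcmParameters dekParameters =
        AesGcmParameters.builder()
            .setIvSizeBytes(12)
            .setKeySizeBytes(16)
            .setTagSizeBytes(16)
            .setVariant(AesGcmParameters.Variant.NO_PREFIX)
            .build();

    byte[] stored = toStoredBytes(dekParameters);
    AesGcmParameters restored = fromStoredBytes(stored, dekParameters);
    System.out.println("round trip ok: " + restored);

    // KeyTemplate -> Parameters for the proto template used in the question.
    Parameters fromTemplate =
        TinkProtoParametersFormat.parse(AeadKeyTemplates.AES128_GCM.toByteArray());
    System.out.println("from template: " + fromTemplate);
  }
}
```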

@beatrausch
Author

Thx for the feedback. We will check which approach fits better for us. Probably a piece of documentation would help?
