Convert AeadParameters to KeyTemplate and vice versa
Is your feature request related to a problem?
We are using the Aead Envelope encryption. We are planning to store the DEK KeyTemplate with the encrypted data so that we know which template to use for decryption.
What is the intended way to come from a KeyTemplate to the related Parameters?
    template = AeadKeyTemplates.createKmsEnvelopeAeadKeyTemplate(reference.getKeyURI(), AeadKeyTemplates.AES128_GCM);
    parameters = /* ? */
    Aead aead = KmsEnvelopeAead.create(parameters, remoteAead);
What sort of feature would you like to see?
Util method to convert AeadParameters to a KeyTemplate and vice versa
Have you considered any alternative solutions?
We were not able to figure out how to convert parameters to key templates
Thx, Regards
Thanks for the report.
There are several ways; in your particular case I would directly create the corresponding parameters object.
    LegacyKmsEnvelopeAeadParameters parameters =
        LegacyKmsEnvelopeAeadParameters.builder()
            .setKekUri(reference.getKeyURI())
            .setDekParsingStrategy(
                LegacyKmsEnvelopeAeadParameters.DekParsingStrategy.ASSUME_AES_GCM)
            .setDekParametersForNewKeys(
                AesGcmParameters.builder()
                    .setIvSizeBytes(12)
                    .setKeySizeBytes(16)
                    .setTagSizeBytes(16)
                    .setVariant(AesGcmParameters.Variant.NO_PREFIX)
                    .build())
            .build();
I know this is more verbose, but it tells you a few things:
- For new DEKs we will use the above parameter set.
- For old DEKs, we will assume that they are AES GCM keys.
Note that in order for things to work properly they need to fit, but it also is clear that you cannot easily change this.
More generally, it is always possible to convert a com.google.crypto.tink.proto.KeyTemplate into a Parameters object with TinkProtoParametersFormat.parse(t.toByteArray());
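
Added example (not part of the thread and not Tink project code): a round trip between the AesGcmParameters from the reply above and a proto KeyTemplate, in both directions, using TinkProtoParametersFormat. The class name, method names and the allowlist policy are assumptions; the check is there because a template stored next to ciphertext is only metadata and should be validated before it decides how data is decrypted.

```java
import com.google.crypto.tink.Parameters;
import com.google.crypto.tink.TinkProtoParametersFormat;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.AesGcmParameters;
import com.google.crypto.tink.proto.KeyTemplate;
import com.google.protobuf.ExtensionRegistryLite;
import java.security.GeneralSecurityException;

// Hypothetical helper class, not part of Tink.
public final class DekParametersRoundTrip {

  // Parameters -> proto KeyTemplate (serialize() emits a serialized KeyTemplate).
  static KeyTemplate toTemplate(Parameters p) throws Exception {
    return KeyTemplate.parseFrom(
        TinkProtoParametersFormat.serialize(p), ExtensionRegistryLite.getEmptyRegistry());
  }

  // proto KeyTemplate -> Parameters, accepting only what this application expects.
  // Assumed policy: AES-GCM DEKs with 12-byte IV, 16-byte tag, no output prefix.
  static AesGcmParameters toAllowedDekParameters(KeyTemplate t) throws GeneralSecurityException {
    Parameters parsed = TinkProtoParametersFormat.parse(t.toByteArray());
    if (!(parsed instanceof AesGcmParameters)) {
      throw new GeneralSecurityException("unexpected DEK type: " + t.getTypeUrl());
    }
    AesGcmParameters p = (AesGcmParameters) parsed;
    boolean ok = (p.getKeySizeBytes() == 16 || p.getKeySizeBytes() == 32)
        && p.getIvSizeBytes() == 12 && p.getTagSizeBytes() == 16
        && p.getVariant() == AesGcmParameters.Variant.NO_PREFIX;
    if (!ok) throw new GeneralSecurityException("DEK parameters not allowed: " + p);
    return p;
  }

  public static void main(String[] args) throws Exception {
    AeadConfig.register(); // registers the parsers/serializers for AEAD parameters
    AesGcmParameters dek = AesGcmParameters.builder()
        .setIvSizeBytes(12).setKeySizeBytes(16).setTagSizeBytes(16)
        .setVariant(AesGcmParameters.Variant.NO_PREFIX).build();

    KeyTemplate template = toTemplate(dek);
    byte[] stored = template.toByteArray(); // bytes to keep next to the ciphertext
    AesGcmParameters restored = toAllowedDekParameters(
        KeyTemplate.parseFrom(stored, ExtensionRegistryLite.getEmptyRegistry()));
    System.out.println(template.getTypeUrl() + " round-trips: " + restored.equals(dek));
  }
}
```
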
Thx for the feedback. We will check which approach fits better for us. Probably a piece of documentation would help?