github.com/trustbloc/kms-go@v1.1.2/crypto/tinkcrypto/primitive/composite/ecdh/ecdh.go (about) 1 /* 2 Copyright SecureKey Technologies Inc. All Rights Reserved. 3 4 SPDX-License-Identifier: Apache-2.0 5 */ 6 7 // Package ecdh provides implementations of payload encryption using ECDH-ES/1PU KW key wrapping with AEAD primitives. 8 // 9 // The functionality of ecdh Encryption is represented as a pair of 10 // primitives (interfaces): 11 // 12 // -ECDHEncrypt for encryption of data and aad for a given cek (recipients cek wrapping is not done in this primitive) 13 // 14 // -ECDHDecrypt for decryption of data for a given cek and returning decrypted plaintext 15 // 16 // Example: 17 // 18 // package main 19 // 20 // import ( 21 // "bytes" 22 // 23 // "github.com/google/tink/go/keyset" 24 // 25 // "github.com/trustbloc/kms-go/crypto/tinkcrypto/primitive/composite" 26 // "github.com/trustbloc/kms-go/crypto/tinkcrypto/primitive/composite/ecdh" 27 // ) 28 // 29 // func main() { 30 // // create recipient side keyset handle 31 // recKH, err := keyset.NewHandle(ecdh.NISTP256ECDHKWKeyTemplate()) 32 // if err != nil { 33 // //handle error 34 // } 35 // 36 // // extract recipient public keyset handle and key 37 // recPubKH, err := recKH.Public() 38 // if err != nil { 39 // //handle error 40 // } 41 // 42 // buf := new(bytes.Buffer) 43 // pubKeyWriter := ecdh.NewWriter(buf) 44 // err = recPubKH.WriteWithNoSecrets(pubKeyWriter) 45 // if err != nil { 46 // //handle error 47 // } 48 // // ecPubKey represents a recipient public key that can be used to wrap cek 49 // ecPubKey := new(composite.VerificationMethod) 50 // err := json.Unmarshal(buf.Bytes(), ecPubKey) 51 // 52 // // see pkg/crypto/tinkcrypto to see how you can wrap a shared secret (cek) 53 // 54 // // once a cek is created create an ECDH KH that can be used to encrypt plaintext as follows 55 // // for AES256GCM content encryption using a NIST P key for cek wrapping as an example 56 // kt := ecdh.KeyTemplateForECDHPrimitiveWithCEK(cek, true, ecdh.AES256GCM) 57 // 58 // kh, err := keyset.NewHandle(kt) 59 // if err != nil { 60 // // handle error 61 // } 62 // 63 // pubKH, err := kh.Public() 64 // if err != nil { 65 // // handle error 66 // } 67 // 68 // // finally get the encryption primitive from the public key handle created above 69 // e:= ecdh.NewECDHEncrypt(pubKH) 70 // 71 // // and now encrypt using e 72 // ct, err = e.Encrypt([]byte("secret message"), []byte("some aad")) 73 // if err != nil { 74 // // handle error 75 // } 76 // 77 // // to decrypt, recreate kh for the cek (once unwrapped from pkg/crypto) 78 // // for AES256GCM content encryption using a NIST P key for cek wrapping to match the encryption template above 79 // kt = ecdh.KeyTemplateForECDHPrimitiveWithCEK(cek, true, ecdh.AES256GCM) 80 // 81 // kh, err = keyset.NewHandle(kt) 82 // if err != nil { 83 // // handle error 84 // } 85 // 86 // // get the decryption primtive for kh 87 // d := ecdh.NewECDHDecrypt(kh) 88 // 89 // // and decrypt 90 // pt, err := d.Decrypt(ct) 91 // if err != nil { 92 // // handle error 93 // } 94 // } 95 package ecdh 96 97 import ( 98 "fmt" 99 100 "github.com/google/tink/go/core/registry" 101 ) 102 103 // TODO - find a better way to setup tink than init. 104 // nolint: gochecknoinits 105 func init() { 106 // TODO - avoid the tink registry singleton. 107 err := registry.RegisterKeyManager(newECDHNISTPAESPrivateKeyManager()) 108 if err != nil { 109 panic(fmt.Sprintf("ecdh.init() failed: %v", err)) 110 } 111 112 err = registry.RegisterKeyManager(newECDHNISTPAESPublicKeyManager()) 113 if err != nil { 114 panic(fmt.Sprintf("ecdh.init() failed: %v", err)) 115 } 116 117 err = registry.RegisterKeyManager(newX25519ECDHKWPrivateKeyManager()) 118 if err != nil { 119 panic(fmt.Sprintf("ecdh.init() failed: %v", err)) 120 } 121 122 err = registry.RegisterKeyManager(newX25519ECDHKWPublicKeyManager()) 123 if err != nil { 124 panic(fmt.Sprintf("ecdh.init() failed: %v", err)) 125 } 126 }