-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathmain.go
More file actions
102 lines (85 loc) · 3.29 KB
/
Copy pathmain.go
File metadata and controls
102 lines (85 loc) · 3.29 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
// Copyright Chainify Group LTD. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// This example demonstrates how to use the AWS Encryption SDK for Go with a
// custom key provider.
//
// # Don't use this implementation in production
//
// [myprovider.MyProvider] and underlying mykey.MyKey implementations using
// base64 encoding for demonstration purposes only.
package main
import (
"context"
"fmt"
"github.com/chainifynet/aws-encryption-sdk-go-tests/example/customKeyProvider/myprovider"
"github.com/chainifynet/aws-encryption-sdk-go/pkg/client"
"github.com/chainifynet/aws-encryption-sdk-go/pkg/materials"
)
func main() {
// KeyIDs to use for encryption and decryption
keyID1 := "myKey1"
keyID2 := "myKey2"
keyIDs := []string{keyID1, keyID2}
// an encryption context to be associated with the encrypted data
encryptionContext := map[string]string{
"Year": "2023",
"User": "Alice",
"Purpose": "testing",
}
// data to encrypt
secretData := []byte("secret data to encrypt")
// setup Encryption SDK client with default configuration
sdkClient := client.NewClient()
// setup Custom Key provider
keyProvider, err := myprovider.NewMyProvider("myProviderID", keyIDs...)
if err != nil {
panic(err) // handle error
}
// setup crypto materials manager
cmm, err := materials.NewDefault(keyProvider)
if err != nil {
panic(err) // handle error
}
// Warning: This example is for demonstration purposes only.
// Do not use myprovider.MyProvider to encrypt data in production.
// encrypt the secret data:
encrypted, header, err := sdkClient.Encrypt(context.TODO(), secretData, encryptionContext, cmm)
if err != nil {
panic(err) // handle error
}
fmt.Printf("encrypted data key count: %d\n", header.EncryptedDataKeyCount())
fmt.Printf("encrypted encryption context: %v\n", header.AADData().EncryptionContext())
// for each original master key, create a Custom Key Provider that only lists
// that key, and use that provider to create corresponding CMM, and then decrypt
// the "encrypted" message using that CMM.
for i, keyID := range keyIDs {
// create a Custom Key Provider that only lists the current key
provider, err := myprovider.NewMyProvider("myProviderID", keyID)
if err != nil {
panic(err) // handle error
}
// create a CMM that only uses the provider with the current key
cmmWithOneKey, err := materials.NewDefault(provider)
if err != nil {
panic(err) // handle error
}
// decrypt the "encrypted" message using the CMM with the current key
decrypted, decHeader, err := sdkClient.Decrypt(context.TODO(), encrypted, cmmWithOneKey)
if err != nil {
panic(err) // handle error
}
// verify that "decrypted" encryption context in header has the same keys and values
// as the original encryption context before using "decrypted" data.
decryptionContext := decHeader.AADData().EncryptionContext()
for k, v := range encryptionContext {
if decryptionContext[k] != v {
panic("decrypted encryption context does not match with the original encryption context")
}
}
fmt.Printf("decrypted data using key %d: %s\n", i+1, decrypted)
// verify that "decrypted" plaintext is identical to the original secret data
if string(decrypted) != string(secretData) {
panic("decrypted data does not match with the original data")
}
}
}