1*e7b1675dSTing-Kang Chang# Copyright 2022 Google LLC 2*e7b1675dSTing-Kang Chang# 3*e7b1675dSTing-Kang Chang# Licensed under the Apache License, Version 2.0 (the "License"); 4*e7b1675dSTing-Kang Chang# you may not use this file except in compliance with the License. 5*e7b1675dSTing-Kang Chang# You may obtain a copy of the License at 6*e7b1675dSTing-Kang Chang# 7*e7b1675dSTing-Kang Chang# http://www.apache.org/licenses/LICENSE-2.0 8*e7b1675dSTing-Kang Chang# 9*e7b1675dSTing-Kang Chang# Unless required by applicable law or agreed to in writing, software 10*e7b1675dSTing-Kang Chang# distributed under the License is distributed on an "AS-IS" BASIS, 11*e7b1675dSTing-Kang Chang# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12*e7b1675dSTing-Kang Chang# See the License for the specific language governing permissions and 13*e7b1675dSTing-Kang Chang# limitations under the License. 14*e7b1675dSTing-Kang Chang"""A basic example for using the signature API.""" 15*e7b1675dSTing-Kang Chang# [START signature-basic-example] 16*e7b1675dSTing-Kang Changimport tink 17*e7b1675dSTing-Kang Changfrom tink import cleartext_keyset_handle 18*e7b1675dSTing-Kang Changfrom tink import signature 19*e7b1675dSTing-Kang Chang 20*e7b1675dSTing-Kang Chang 21*e7b1675dSTing-Kang Changdef example(): 22*e7b1675dSTing-Kang Chang """Sign and verify using digital signatures.""" 23*e7b1675dSTing-Kang Chang # Register the signature key managers. This is needed to create 24*e7b1675dSTing-Kang Chang # PublicKeySign and PublicKeyVerify primitives later. 25*e7b1675dSTing-Kang Chang signature.register() 26*e7b1675dSTing-Kang Chang 27*e7b1675dSTing-Kang Chang # A private keyset created with 28*e7b1675dSTing-Kang Chang # "tinkey create-keyset --key-template=ECDSA_P256 --out private_keyset.cfg". 29*e7b1675dSTing-Kang Chang # Note that this keyset has the secret key information in cleartext. 30*e7b1675dSTing-Kang Chang private_keyset = r"""{ 31*e7b1675dSTing-Kang Chang "key": [{ 32*e7b1675dSTing-Kang Chang "keyData": { 33*e7b1675dSTing-Kang Chang "keyMaterialType": 34*e7b1675dSTing-Kang Chang "ASYMMETRIC_PRIVATE", 35*e7b1675dSTing-Kang Chang "typeUrl": 36*e7b1675dSTing-Kang Chang "type.googleapis.com/google.crypto.tink.EcdsaPrivateKey", 37*e7b1675dSTing-Kang Chang "value": 38*e7b1675dSTing-Kang Chang "EkwSBggDEAIYAhogEiSZ9u2nDtvZuDgWgGsVTIZ5/V08N4ycUspTX0RYRrkiIHpEwHxQd1bImkyMvV2bqtUbgMh5uPSTdnUEGrPXdt56GiEA3iUi+CRN71qy0fOCK66xAW/IvFyjOGtxjppRhSFUneo=" 39*e7b1675dSTing-Kang Chang }, 40*e7b1675dSTing-Kang Chang "keyId": 611814836, 41*e7b1675dSTing-Kang Chang "outputPrefixType": "TINK", 42*e7b1675dSTing-Kang Chang "status": "ENABLED" 43*e7b1675dSTing-Kang Chang }], 44*e7b1675dSTing-Kang Chang "primaryKeyId": 611814836 45*e7b1675dSTing-Kang Chang }""" 46*e7b1675dSTing-Kang Chang 47*e7b1675dSTing-Kang Chang # The corresponding public keyset created with 48*e7b1675dSTing-Kang Chang # "tinkey create-public-keyset --in private_keyset.cfg" 49*e7b1675dSTing-Kang Chang public_keyset = r"""{ 50*e7b1675dSTing-Kang Chang "key": [{ 51*e7b1675dSTing-Kang Chang "keyData": { 52*e7b1675dSTing-Kang Chang "keyMaterialType": 53*e7b1675dSTing-Kang Chang "ASYMMETRIC_PUBLIC", 54*e7b1675dSTing-Kang Chang "typeUrl": 55*e7b1675dSTing-Kang Chang "type.googleapis.com/google.crypto.tink.EcdsaPublicKey", 56*e7b1675dSTing-Kang Chang "value": 57*e7b1675dSTing-Kang Chang "EgYIAxACGAIaIBIkmfbtpw7b2bg4FoBrFUyGef1dPDeMnFLKU19EWEa5IiB6RMB8UHdWyJpMjL1dm6rVG4DIebj0k3Z1BBqz13beeg==" 58*e7b1675dSTing-Kang Chang }, 59*e7b1675dSTing-Kang Chang "keyId": 611814836, 60*e7b1675dSTing-Kang Chang "outputPrefixType": "TINK", 61*e7b1675dSTing-Kang Chang "status": "ENABLED" 62*e7b1675dSTing-Kang Chang }], 63*e7b1675dSTing-Kang Chang "primaryKeyId": 611814836 64*e7b1675dSTing-Kang Chang }""" 65*e7b1675dSTing-Kang Chang 66*e7b1675dSTing-Kang Chang # Create a keyset handle from the cleartext keyset in the previous 67*e7b1675dSTing-Kang Chang # step. The keyset handle provides abstract access to the underlying keyset to 68*e7b1675dSTing-Kang Chang # limit the exposure of accessing the raw key material. WARNING: In practice, 69*e7b1675dSTing-Kang Chang # it is unlikely you will want to use a cleartext_keyset_handle, as it implies 70*e7b1675dSTing-Kang Chang # that your key material is passed in cleartext which is a security risk. 71*e7b1675dSTing-Kang Chang private_keyset_handle = cleartext_keyset_handle.read( 72*e7b1675dSTing-Kang Chang tink.JsonKeysetReader(private_keyset)) 73*e7b1675dSTing-Kang Chang 74*e7b1675dSTing-Kang Chang # Retrieve the PublicKeySign primitive we want to use from the keyset 75*e7b1675dSTing-Kang Chang # handle. 76*e7b1675dSTing-Kang Chang sign_primitive = private_keyset_handle.primitive(signature.PublicKeySign) 77*e7b1675dSTing-Kang Chang 78*e7b1675dSTing-Kang Chang # Use the primitive to sign a message. In this case the primary key of the 79*e7b1675dSTing-Kang Chang # keyset will be used (which is also the only key in this example). 80*e7b1675dSTing-Kang Chang sig = sign_primitive.sign(b'msg') 81*e7b1675dSTing-Kang Chang 82*e7b1675dSTing-Kang Chang # Create a keyset handle from the keyset containing the public key. Because 83*e7b1675dSTing-Kang Chang # this keyset does not contain any secrets, we can use 84*e7b1675dSTing-Kang Chang # `tink.read_no_secret_keyset_handle`. 85*e7b1675dSTing-Kang Chang public_keyset_handle = tink.read_no_secret_keyset_handle( 86*e7b1675dSTing-Kang Chang tink.JsonKeysetReader(public_keyset)) 87*e7b1675dSTing-Kang Chang 88*e7b1675dSTing-Kang Chang # Retrieve the PublicKeyVerify primitive we want to use from the keyset 89*e7b1675dSTing-Kang Chang # handle. 90*e7b1675dSTing-Kang Chang verify_primitive = public_keyset_handle.primitive(signature.PublicKeyVerify) 91*e7b1675dSTing-Kang Chang 92*e7b1675dSTing-Kang Chang # Use the primitive to verify that `sig` is valid signature for the message. 93*e7b1675dSTing-Kang Chang # Verify finds the correct key in the keyset. If no key is found or 94*e7b1675dSTing-Kang Chang # verification fails, it raises an error. 95*e7b1675dSTing-Kang Chang verify_primitive.verify(sig, b'msg') 96*e7b1675dSTing-Kang Chang 97*e7b1675dSTing-Kang Chang # Note that we can also get the public keyset handle from the private keyset 98*e7b1675dSTing-Kang Chang # handle. The verification works the same as above. 99*e7b1675dSTing-Kang Chang public_keyset_handle2 = private_keyset_handle.public_keyset_handle() 100*e7b1675dSTing-Kang Chang verify_primitive2 = public_keyset_handle2.primitive(signature.PublicKeyVerify) 101*e7b1675dSTing-Kang Chang verify_primitive2.verify(sig, b'msg') 102*e7b1675dSTing-Kang Chang # [END signature-basic-example] 103