Go Tink: streaming encryption using Vault KMS

arknldoa posted 5 months ago in Go

I am trying to encrypt and decrypt using Tink and HashiCorp Vault. When I use the same AEAD object to encrypt and decrypt within the same session, it works fine. However, if I store the result of a previous encryption run in a file and then try to run only the decryption function on that file, I get the error "No matching key found for the ciphertext in the stream".
I have attached the code for reference:

```go
keyUri := "hcvault://my-vault-url.com/transit/keys/my-key2"
vaultClient, err := hcvault.NewClient(keyUri, tlsConfig(), vaultToken())
if err != nil {
    log.Fatal(err)
}

kekAEAD, err := vaultClient.GetAEAD(keyUri)

if err != nil {
    log.Fatal(err)
}

// Generate a new keyset handle for the primitive we want to use.
newHandle, err := keyset.NewHandle(streamingaead.AES256GCMHKDF1MBKeyTemplate())
if err != nil {
    log.Fatal(err)
}

// Choose some associated data. This is the context in which the keyset will be used.
keysetAssociatedData := []byte("keyset encryption example")

// Encrypt the keyset with the KEK AEAD and the associated data.
buf := new(bytes.Buffer)
writer := keyset.NewBinaryWriter(buf)
err = newHandle.WriteWithAssociatedData(writer, kekAEAD, keysetAssociatedData)
if err != nil {
    log.Fatal(err)
}
encryptedKeyset := buf.Bytes()

reader := keyset.NewBinaryReader(bytes.NewReader(encryptedKeyset))
handle, err := keyset.ReadWithAssociatedData(reader, kekAEAD, keysetAssociatedData)
if err != nil {
    log.Fatal(err)
}

streamingAEAD, err := streamingaead.New(handle)
if err != nil {
    log.Fatal(err)
}
outputFilePath := "C:\\temp\\encryptionOutput6.txt"
inputFilePath := "C:\\temp\\input.mkv"

EncryptFile(streamingAEAD, inputFilePath, outputFilePath, keysetAssociatedData)
DecryptFile(streamingAEAD, outputFilePath, "c:\\temp\\f_result.mkv", keysetAssociatedData)
```


fnx2tebb

After investigating and getting help from the Tink developers, I found that Tink currently only supports Aead KEK URIs. Therefore, if you intend to use the streaming mechanism, you need to store the keyset somewhere. See the following link for a detailed discussion: https://github.com/tink-crypto/tink-go/issues/8
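The failure the question describes, as an added example that is neither the question's code nor tink-go: every process run called keyset.NewHandle, so the key that wrapped the ciphertext existed only in the run that wrote it. The block below replaces the Vault transit KEK and the Tink data key with standard-library AES-GCM stand-ins so it runs offline; in the real program the bytes produced by WriteWithAssociatedData are what must be written to disk next to the ciphertext and handed back to ReadWithAssociatedData before streamingaead.New.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm is AES-256-GCM on a 32-byte key. It stands in for both the Vault transit
// KEK and the Tink data key so the example runs offline (not the tink-go API).
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // every key here is 32 bytes, cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

func seal(g cipher.AEAD, pt, ad []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, ad) // nonce || ciphertext || tag
}

func open(g cipher.AEAD, ct, ad []byte) ([]byte, error) {
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], ad)
	}
	return nil, errors.New("ciphertext too short")
}

// Envelope is what one run must persist: the payload ciphertext AND the
// KEK-wrapped data key. The question's code wrote only the first to disk.
type Envelope struct{ WrappedKey, Ciphertext []byte }
// EncryptRun mirrors the first process: a fresh data key, wrapped by the KEK
// under the keyset associated data, then used once on the payload.
func EncryptRun(kek cipher.AEAD, keysetAD, plaintext []byte) Envelope {
	dek := make([]byte, 32)
	rand.Read(dek)
	return Envelope{seal(kek, dek, keysetAD), seal(gcm(dek), plaintext, nil)}
}

// DecryptRun mirrors a later process: it unwraps the stored key with the same KEK
// and associated data; a fresh key or other keysetAD fails like Tink's "no matching key".
func DecryptRun(kek cipher.AEAD, keysetAD []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedKey, keysetAD)
	if err != nil {
		return nil, err
	}
	return open(gcm(dek), env.Ciphertext, nil)
}
```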
