问题内容
我正在尝试使用 Tink 和 HashiCorp Vault 进行加密和解密。当我尝试使用相同的 AEAD 对象在同一会话中加密和解密时,它工作正常。但是,如果我将先前加密运行的结果存储在文件中,然后尝试仅在此文件上运行解密函数,则会遇到错误,提示“在流中找不到密文的匹配密钥。” p>
我附上了代码供参考:
keyUri := "hcvault://my-vault-url.com/transit/keys/my-key2"
vaultClient, err := hcvault.NewClient(keyUri, tlsConfig(), vaultToken())
if err != nil {
log.Fatal(err)
}
kekAEAD, err := vaultClient.GetAEAD(keyUri)
if err != nil {
log.Fatal(err)
}
// Generate a new keyset handle for the primitive we want to use.
newHandle, err := keyset.NewHandle(streamingaead.AES256GCMHKDF1MBKeyTemplate())
if err != nil {
log.Fatal(err)
}
// Choose some associated data. This is the context in which the keyset will be used.
keysetAssociatedData := []byte("keyset encryption example")
// Encrypt the keyset with the KEK AEAD and the associated data.
buf := new(bytes.Buffer)
writer := keyset.NewBinaryWriter(buf)
err = newHandle.WriteWithAssociatedData(writer, kekAEAD, keysetAssociatedData)
if err != nil {
log.Fatal(err)
}
encryptedKeyset := buf.Bytes()
reader := keyset.NewBinaryReader(bytes.NewReader(encryptedKeyset))
handle, err := keyset.ReadWithAssociatedData(reader, kekAEAD, keysetAssociatedData)
if err != nil {
log.Fatal(err)
}
streamingAEAD, err := streamingaead.New(handle)
if err != nil {
log.Fatal(err)
}
outputFilePath := "C:\temp\encryptionOutput6.txt"
inputFilePath := "C:\temp\input.mkv"
EncryptFile(streamingAEAD, inputFilePath, outputFilePath, keysetAssociatedData)
DecryptFile(streamingAEAD, outputFilePath, "c:\temp\f_result.mkv", keysetAssociatedData)
正确答案
经过调查并获得 Tink 开发人员的帮助后,我发现 Tink 目前仅支持 Aead KEK URI。因此,如果您打算使用流机制,则需要将密钥集存储在某处。有关全面的讨论,请参考以下链接:https://github。 com/tink-crypto/tink-go/issues/8
