public final class KeysetHandle extends Object
Keyset, to limit the exposure of actual
protocol buffers that hold sensitive key material.
This class allows reading and writing encrypted keysets. Users that want to read or write cleartext keysets can
use the restricted API CleartextKeysetHandle. Users can also load keysets that don't
contain any secret key material with NoSecretKeysetHandle.

| Modifier and Type | Method and Description |
|---|---|
| static void | assertEnoughEncryptedKeyMaterial(com.google.crypto.tink.proto.EncryptedKeyset keyset): Validates that an encrypted keyset contains enough key material to build a keyset on. |
| static void | assertEnoughKeyMaterial(com.google.crypto.tink.proto.Keyset keyset): Validates that a keyset handle contains enough key material to build a keyset on. |
| static KeysetHandle | generateNew(com.google.crypto.tink.proto.KeyTemplate keyTemplate): Deprecated. This method takes a KeyTemplate proto, which is an internal implementation detail. Please use the generateNew method that takes a KeyTemplate POJO. |
| static KeysetHandle | generateNew(KeyTemplate keyTemplate): Generates a new KeysetHandle that contains a single fresh key generated according to keyTemplate. |
| com.google.crypto.tink.proto.KeysetInfo | getKeysetInfo() |
| <P> P | getPrimitive(Class<P> classObject): Returns a primitive from this keyset, using the global registry to create resources creating the primitive. |
| <P> P | getPrimitive(KeyManager<P> customKeyManager, Class<P> classObject): Returns a primitive from this keyset, using the given customKeyManager and the global registry to get resources creating the primitive. |
| KeysetHandle | getPublicKeysetHandle(): If the managed keyset contains private keys, returns a KeysetHandle of the public keys. |
| static KeysetHandle | read(KeysetReader reader, Aead masterKey): Tries to create a KeysetHandle from an encrypted keyset obtained via reader. |
| static KeysetHandle | readNoSecret(byte[] serialized): Tries to create a KeysetHandle from a serialized keyset which contains no secret key material. |
| static KeysetHandle | readNoSecret(KeysetReader reader): Tries to create a KeysetHandle from a keyset, obtained via reader, which contains no secret key material. |
| String | toString(): Extracts and returns the string representation of the KeysetInfo of the managed keyset. |
| void | write(KeysetWriter keysetWriter, Aead masterKey): Serializes, encrypts with masterKey and writes the keyset to outputStream. |
| void | writeNoSecret(KeysetWriter writer): Tries to write to writer this keyset which must not contain any secret key material. |

public com.google.crypto.tink.proto.KeysetInfo getKeysetInfo()
Returns: KeysetInfo that doesn't contain actual key material.

@Deprecated public static final KeysetHandle generateNew(com.google.crypto.tink.proto.KeyTemplate keyTemplate) throws GeneralSecurityException
Deprecated. This method takes a KeyTemplate proto, which is an internal implementation detail. Please use the generateNew method that takes a KeyTemplate POJO.
Generates a new KeysetHandle that contains a single fresh key generated according to keyTemplate.
Throws:
GeneralSecurityException - if the key template is invalid.

public static final KeysetHandle generateNew(KeyTemplate keyTemplate) throws GeneralSecurityException
Generates a new KeysetHandle that contains a single fresh key generated according to keyTemplate.
Throws:
GeneralSecurityException - if the key template is invalid.

public static final KeysetHandle read(KeysetReader reader, Aead masterKey) throws GeneralSecurityException, IOException
Tries to create a KeysetHandle from an encrypted keyset obtained via reader.
Users that need to load cleartext keysets can use CleartextKeysetHandle.
Returns: KeysetHandle from encryptedKeysetProto that was encrypted with masterKey
Throws:
GeneralSecurityException - if cannot decrypt the keyset or it doesn't contain encrypted key material
IOException

public static final KeysetHandle readNoSecret(KeysetReader reader) throws GeneralSecurityException, IOException
Tries to create a KeysetHandle from a keyset, obtained via reader, which contains no secret key material.
This can be used to load public keysets or envelope encryption keysets. Users that need to
load cleartext keysets can use CleartextKeysetHandle.
Returns: KeysetHandle from serialized that is a serialized Keyset
Throws:
GeneralSecurityException
IOException

public static final KeysetHandle readNoSecret(byte[] serialized) throws GeneralSecurityException
Tries to create a KeysetHandle from a serialized keyset which contains no secret key material.
This can be used to load public keysets or envelope encryption keysets. Users that need to
load cleartext keysets can use CleartextKeysetHandle.
Returns: KeysetHandle from serialized that is a serialized Keyset
Throws:
GeneralSecurityException

public void write(KeysetWriter keysetWriter, Aead masterKey) throws GeneralSecurityException, IOException
Serializes, encrypts with masterKey and writes the keyset to outputStream.
Throws:
GeneralSecurityException
IOException

public void writeNoSecret(KeysetWriter writer) throws GeneralSecurityException, IOException
Tries to write to writer this keyset which must not contain any secret key material.
This can be used to persist public keysets or envelope encryption keysets. Users that need
to persist cleartext keysets can use CleartextKeysetHandle.
Throws:
GeneralSecurityException - if the keyset contains any secret key material
IOException

public KeysetHandle getPublicKeysetHandle() throws GeneralSecurityException
If the managed keyset contains private keys, returns a KeysetHandle of the public keys.
Throws:
GeneralSecurityException - if the managed keyset is null or if it contains any non-private keys.

public String toString()
Extracts and returns the string representation of the KeysetInfo of the managed keyset.

public static void assertEnoughKeyMaterial(com.google.crypto.tink.proto.Keyset keyset) throws GeneralSecurityException
Validates that a keyset handle contains enough key material to build a keyset on.
Throws:
GeneralSecurityException

public static void assertEnoughEncryptedKeyMaterial(com.google.crypto.tink.proto.EncryptedKeyset keyset) throws GeneralSecurityException
Validates that an encrypted keyset contains enough key material to build a keyset on.
Throws:
GeneralSecurityException

public <P> P getPrimitive(Class<P> classObject) throws GeneralSecurityException
Returns a primitive from this keyset, using the global registry to create resources creating the primitive.
Throws:
GeneralSecurityException

public <P> P getPrimitive(KeyManager<P> customKeyManager, Class<P> classObject) throws GeneralSecurityException
Returns a primitive from this keyset, using the given customKeyManager and the global
registry to get resources creating the primitive. The given keyManager will take precedence
when creating primitives over the globally registered keyManagers.
Throws:
GeneralSecurityException
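
The following added example (not part of the Tink documentation) shows how the secret and no-secret paths described above fit together: a private signing keyset is persisted only through write with a master key, writeNoSecret refuses it, and the public half round-trips through writeNoSecret and readNoSecret. It assumes the Tink Java classes BinaryKeysetWriter, BinaryKeysetReader, AesGcmKeyManager, EcdsaSignKeyManager, AeadConfig and SignatureConfig, which do not appear on this page, and it uses a locally generated AES-GCM key as a stand-in for masterKey, which would normally be an Aead backed by a key management service.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.BinaryKeysetReader;
import com.google.crypto.tink.BinaryKeysetWriter;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.PublicKeySign;
import com.google.crypto.tink.PublicKeyVerify;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.AesGcmKeyManager;
import com.google.crypto.tink.signature.EcdsaSignKeyManager;
import com.google.crypto.tink.signature.SignatureConfig;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

public final class KeysetHandleRoundTrip {
  public static void main(String[] args) throws Exception {
    AeadConfig.register();
    SignatureConfig.register();
    // Assumption: local stand-in for masterKey; in production use a KMS-backed Aead.
    Aead masterKey = KeysetHandle.generateNew(AesGcmKeyManager.aes128GcmTemplate())
        .getPrimitive(Aead.class);
    KeysetHandle signer = KeysetHandle.generateNew(EcdsaSignKeyManager.ecdsaP256Template());

    // The private keyset leaves the handle only encrypted under masterKey.
    ByteArrayOutputStream encrypted = new ByteArrayOutputStream();
    signer.write(BinaryKeysetWriter.withOutputStream(encrypted), masterKey);

    // writeNoSecret must refuse a keyset that still holds private key material.
    try {
      signer.writeNoSecret(BinaryKeysetWriter.withOutputStream(new ByteArrayOutputStream()));
      throw new IllegalStateException("private keyset was written without encryption");
    } catch (GeneralSecurityException expected) {
      System.out.println("writeNoSecret rejected the private keyset");
    }

    // The public half contains no secrets, so the no-secret path accepts it.
    ByteArrayOutputStream publicOnly = new ByteArrayOutputStream();
    signer.getPublicKeysetHandle().writeNoSecret(BinaryKeysetWriter.withOutputStream(publicOnly));

    // Reload both: the private keyset needs masterKey, the public one does not.
    KeysetHandle restored =
        KeysetHandle.read(BinaryKeysetReader.withBytes(encrypted.toByteArray()), masterKey);
    KeysetHandle verifier = KeysetHandle.readNoSecret(publicOnly.toByteArray());

    byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
    byte[] signature = restored.getPrimitive(PublicKeySign.class).sign(message);
    verifier.getPrimitive(PublicKeyVerify.class).verify(signature, message); // throws if invalid
    System.out.println("signature from restored keyset verified with public keyset");
  }
}
```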