// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////

package signature_test

// [START signature-example]

import (
	"bytes"
	"fmt"
	"log"

	"github.com/google/tink/go/insecurecleartextkeyset"
	"github.com/google/tink/go/keyset"
	"github.com/google/tink/go/signature"
)

// Example signs a message with the primary key of a private ECDSA keyset and
// then verifies the signature with the matching public keyset.
func Example() {
	// A private keyset created with
	// "tinkey create-keyset --key-template=ECDSA_P256 --out private_keyset.cfg".
	// Note that this keyset has the secret key information in cleartext. It is
	// a sample key embedded for demonstration only; a real private keyset
	// should never be committed to source control.
	privateJSONKeyset := `{
		"key": [{
			"keyData": {
				"keyMaterialType":
					"ASYMMETRIC_PRIVATE",
				"typeUrl":
					"type.googleapis.com/google.crypto.tink.EcdsaPrivateKey",
				"value":
					"EkwSBggDEAIYAhogEiSZ9u2nDtvZuDgWgGsVTIZ5/V08N4ycUspTX0RYRrkiIHpEwHxQd1bImkyMvV2bqtUbgMh5uPSTdnUEGrPXdt56GiEA3iUi+CRN71qy0fOCK66xAW/IvFyjOGtxjppRhSFUneo="
			},
			"keyId": 611814836,
			"outputPrefixType": "TINK",
			"status": "ENABLED"
		}],
		"primaryKeyId": 611814836
	}`

	// The corresponding public keyset created with
	// "tinkey create-public-keyset --in private_keyset.cfg"
	publicJSONKeyset := `{
		"key": [{
			"keyData": {
				"keyMaterialType":
					"ASYMMETRIC_PUBLIC",
				"typeUrl":
					"type.googleapis.com/google.crypto.tink.EcdsaPublicKey",
				"value":
					"EgYIAxACGAIaIBIkmfbtpw7b2bg4FoBrFUyGef1dPDeMnFLKU19EWEa5IiB6RMB8UHdWyJpMjL1dm6rVG4DIebj0k3Z1BBqz13beeg=="
			},
			"keyId": 611814836,
			"outputPrefixType": "TINK",
			"status": "ENABLED"
		}],
		"primaryKeyId": 611814836
	}`

	// Build a keyset handle from the cleartext private keyset above. The handle
	// gives abstract access to the keyset so that callers do not touch the raw
	// key material directly.
	//
	// WARNING: In practice, it is unlikely you will want to use an
	// insecurecleartextkeyset, as it implies that your key material is passed
	// in cleartext, which is a security risk. Consider encrypting it with a
	// remote key in Cloud KMS, AWS KMS or HashiCorp Vault.
	// See https://github.com/google/tink/blob/master/docs/GOLANG-HOWTO.md#storing-and-loading-existing-keysets.
	privReader := keyset.NewJSONReader(bytes.NewBufferString(privateJSONKeyset))
	privHandle, err := insecurecleartextkeyset.Read(privReader)
	if err != nil {
		log.Fatal(err)
	}

	// Obtain the Signer primitive backed by the private keyset.
	signer, err := signature.NewSigner(privHandle)
	if err != nil {
		log.Fatal(err)
	}

	// Sign a message. The primary key of the keyset is used, which is also the
	// only key in this example.
	msg := []byte("data")
	sigBytes, err := signer.Sign(msg)
	if err != nil {
		log.Fatal(err)
	}

	// Build a keyset handle for the public key. The public keyset holds no
	// secrets, so [keyset.ReadWithNoSecrets] is sufficient. Confidentiality is
	// not needed here, but a verifier should still obtain the public keyset
	// from a source it trusts, since verification is only as meaningful as the
	// key it is checked against.
	pubReader := keyset.NewJSONReader(bytes.NewBufferString(publicJSONKeyset))
	pubHandle, err := keyset.ReadWithNoSecrets(pubReader)
	if err != nil {
		log.Fatal(err)
	}

	// Obtain the Verifier primitive backed by the public keyset.
	verifier, err := signature.NewVerifier(pubHandle)
	if err != nil {
		log.Fatal(err)
	}

	// A nil error from Verify is the only success signal; any non-nil error
	// means the signature must be treated as invalid.
	if err := verifier.Verify(sigBytes, msg); err != nil {
		log.Fatal(err)
	}
	fmt.Print("sig is valid")
	// Output: sig is valid
}

// [END signature-example]