Configurations, i.e., a collection of key types and their corresponding key managers supported * by a specific run-time environment enable control of Tink setup via JSON-formatted config files * that determine which key types are supported, and provide a mechanism for deprecation of * obsolete/outdated cryptographic schemes (see config.proto for more * info). * *
{@code
* RegistryConfig registryConfig = ...;
* Config.register(registryConfig);
* }
*
* @since 1.0.0
*/
public final class Config {
/** Returns a {@link KeyTypeEntry} for Tink key types with the specified properties. */
public static KeyTypeEntry getTinkKeyTypeEntry(
String catalogueName,
String primitiveName,
String keyProtoName,
int keyManagerVersion,
boolean newKeyAllowed) {
return KeyTypeEntry.newBuilder()
.setPrimitiveName(primitiveName)
.setTypeUrl("type.googleapis.com/google.crypto.tink." + keyProtoName)
.setKeyManagerVersion(keyManagerVersion)
.setNewKeyAllowed(newKeyAllowed)
.setCatalogueName(catalogueName)
.build();
}
/**
* Tries to register key managers according to the specification in {@code config}.
*
* @throws GeneralSecurityException if cannot register this config with the {@link Registry}. This
* usually happens when either {@code config} contains any {@link KeyTypeEntry} that is
* already registered or the Registry cannot find any {@link
* com.google.crypto.tink.KeyManager} or {@link com.google.crypto.tink.Catalogue} that can
* handle the entry. In both cases the error message should show how to resolve it.
*/
public static void register(RegistryConfig config) throws GeneralSecurityException {
for (KeyTypeEntry entry : config.getEntryList()) {
registerKeyType(entry);
}
}
/**
* Tries to register a key manager according to the specification in {@code entry}.
*
* @throws GeneralSecurityException if cannot register this config with the {@link Registry}. This
* usually happens when {@code entry} is already registered or the Registry cannot find any
* {@link com.google.crypto.tink.KeyManager} or {@link com.google.crypto.tink.Catalogue} that
* can handle the entry. In both cases the error message should show how to resolve it.
*/
public static void registerKeyType(KeyTypeEntry entry) throws GeneralSecurityException {
validate(entry);
// Catalogues are no longer supported; we simply return on those catalogues which have been
// removed, as the key managers will be registered already.
if (entry.getCatalogueName().equals("TinkAead")
|| entry.getCatalogueName().equals("TinkMac")
|| entry.getCatalogueName().equals("TinkHybridDecrypt")
|| entry.getCatalogueName().equals("TinkHybridEncrypt")
|| entry.getCatalogueName().equals("TinkPublicKeySign")
|| entry.getCatalogueName().equals("TinkPublicKeyVerify")
|| entry.getCatalogueName().equals("TinkStreamingAead")
|| entry.getCatalogueName().equals("TinkDeterministicAead")) {
return;
}
Catalogue catalogue = Registry.getCatalogue(entry.getCatalogueName());
MutablePrimitiveRegistry.globalInstance()
.registerPrimitiveWrapper(catalogue.getPrimitiveWrapper());
KeyManager keyManager =
catalogue.getKeyManager(
entry.getTypeUrl(), entry.getPrimitiveName(), entry.getKeyManagerVersion());
Registry.registerKeyManager(keyManager, entry.getNewKeyAllowed());
}
private static void validate(KeyTypeEntry entry) throws GeneralSecurityException {
if (entry.getTypeUrl().isEmpty()) {
throw new GeneralSecurityException("Missing type_url.");
}
if (entry.getPrimitiveName().isEmpty()) {
throw new GeneralSecurityException("Missing primitive_name.");
}
if (entry.getCatalogueName().isEmpty()) {
throw new GeneralSecurityException("Missing catalogue_name.");
}
}
private Config() {}
}