public final class LegacyKmsEnvelopeAeadParameters extends AeadParameters
Describes the parameters of a LegacyKmsEnvelopeAeadKey.
Usage of this key type is not recommended. Instead, we recommend implementing the idea of this class manually:
1. Create a remote Aead object for your KMS with an appropriate Tink extension (typically using a subclass of KmsClient).
2. Create an envelope AEAD with KmsEnvelopeAead.create(com.google.crypto.tink.aead.AeadParameters, com.google.crypto.tink.Aead).
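The two recommended steps, as an added example that is not code from the Tink project. The class name ManualEnvelopeExample, the helper names envelopeFor and envelopeOver, and the locally generated key standing in for the remote KEK (so the example runs without a KMS) are assumptions.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.RegistryConfiguration;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.KmsEnvelopeAead;
import com.google.crypto.tink.aead.PredefinedAeadParameters;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;

public final class ManualEnvelopeExample {
  // Step 1 for a real KMS: the caller passes its own KmsClient, with credentials
  // already attached, so no client is looked up in a global registry.
  static Aead envelopeFor(KmsClient client, String kekUri) throws GeneralSecurityException {
    return envelopeOver(client.getAead(kekUri));
  }

  // Step 2: the DEK parameters are chosen explicitly, in one place.
  static Aead envelopeOver(Aead remote) throws GeneralSecurityException {
    return KmsEnvelopeAead.create(PredefinedAeadParameters.AES256_GCM, remote);
  }

  public static void main(String[] args) throws GeneralSecurityException {
    AeadConfig.register(); // registers the AEAD key types, including the one used for DEKs

    // Constructed stand-in for the remote KEK (assumption, replaces a KMS-backed Aead).
    Aead localKek = KeysetHandle.generateNew(PredefinedAeadParameters.AES256_GCM)
        .getPrimitive(RegistryConfiguration.get(), Aead.class);
    Aead envelope = envelopeOver(localKek);

    byte[] aad = "record-42".getBytes(StandardCharsets.UTF_8);
    byte[] ct = envelope.encrypt("secret".getBytes(StandardCharsets.UTF_8), aad);
    byte[] pt = envelope.decrypt(ct, aad);
    System.out.println(new String(pt, StandardCharsets.UTF_8));

    try {
      envelope.decrypt(ct, "record-43".getBytes(StandardCharsets.UTF_8));
      throw new AssertionError("wrong associated data was accepted");
    } catch (GeneralSecurityException e) {
      System.out.println("decryption with wrong associated data rejected");
    }
  }
}
```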
Known Issues

If a LegacyKmsEnvelopeAeadKey is used, then when the corresponding Aead is created, Tink looks up the KmsClient in a global registry. This registry needs to store all the credentials and all the information. This is inappropriate in many situations.
Unexpected results can occur if a user changes the dekParametersForNewKeys or the dekParsingStrategy for the same remote key. In more detail, the ciphertext contains a Tink key proto of the newly generated key, but not the type URL. This means that if a user reuses the same remote key with a different key type, it will be parsed with the wrong one.
Also, Tink does not compare the parameters of the parsed key with the parameters specified in dekParametersForNewKeys. For example, if dekParametersForNewKeys is specified as AES_128_GCM in one binary and AES_256_GCM in another binary, communication between the binaries succeeds in both directions.
Some KMS have malleable ciphertexts. This means that the Aeads corresponding to these keys may be malleable. See https://developers.google.com/tink/issues/envelope-aead-malleability
| Modifier and Type | Class and Description |
|---|---|
| static class | LegacyKmsEnvelopeAeadParameters.Builder<br>Builder for LegacyKmsEnvelopeAeadParameters. |
| static class | LegacyKmsEnvelopeAeadParameters.DekParsingStrategy<br>Specifies how the DEK in received ciphertexts is parsed. |
| static class | LegacyKmsEnvelopeAeadParameters.Variant<br>Describes how the prefix is computed. |
| Modifier and Type | Method and Description |
|---|---|
| static LegacyKmsEnvelopeAeadParameters.Builder | builder() |
| boolean | equals(Object o) |
| AeadParameters | getDekParametersForNewKeys()<br>Parameters used when creating new keys. |
| LegacyKmsEnvelopeAeadParameters.DekParsingStrategy | getDekParsingStrategy()<br>Returns the type URL which is used when parsing encrypted keys. |
| String | getKekUri()<br>Returns the URI with the key of the remote AEAD used. |
| LegacyKmsEnvelopeAeadParameters.Variant | getVariant() |
| int | hashCode() |
| boolean | hasIdRequirement()<br>Returns true if a key created with the parameters in this object has to have a certain ID when it is in a keyset. |
| String | toString() |
public static LegacyKmsEnvelopeAeadParameters.Builder builder()

public String getKekUri()

public LegacyKmsEnvelopeAeadParameters.Variant getVariant()

public boolean hasIdRequirement()
In Tink, certain keys change their behavior depending on the key id (for example, an Aead object can prefix the ciphertext with the big endian encoding of the key id). If this is the case, such a key should require a unique id in Key.getIdRequirementOrNull() and return true here.
hasIdRequirement in class Parameters

public LegacyKmsEnvelopeAeadParameters.DekParsingStrategy getDekParsingStrategy()
See "Known Issues" section above.

public AeadParameters getDekParametersForNewKeys()