Class LegacyKmsAeadKey


  • public final class LegacyKmsAeadKey
    extends AeadKey
    Describes an Aead backed by a KMS.

    The KMS is specified by getParameters().getKeyUri(). When creating an Aead from this object, Tink looks up a KmsClient in the global table of KmsClients. This means that the key is inappropriate in cases where there are multiple KMS backends or multiple credentials in a binary. Because of this, we recommend creating the Aead directly from the KmsClient you need.
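    The following is an added example, not part of the Tink documentation: it registers two clients that accept the same key URI and shows that an Aead obtained through LegacyKmsAeadKey uses the first one registered, while calling getAead on a named client lets the caller choose. FakeKmsClient and the fake-kms:// URI are hypothetical stand-ins so that it runs without a real KMS; LegacyKmsAeadParameters.create(String) and the other calls not shown on this page are from Tink's public Java API.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import com.google.crypto.tink.*;
import com.google.crypto.tink.aead.*;
import java.security.GeneralSecurityException;

public final class KmsClientSelection {
  static final String KEY_URI = "fake-kms://keys/example"; // constructed URI, not a real KMS

  // Constructed stand-in for a KMS client. Each instance models one set of credentials
  // and hands out its own local AES-GCM Aead, so the example runs offline.
  static final class FakeKmsClient implements KmsClient {
    final Aead aead;
    FakeKmsClient() throws GeneralSecurityException {
      aead = KeysetHandle.generateNew(PredefinedAeadParameters.AES128_GCM)
          .getPrimitive(RegistryConfiguration.get(), Aead.class);
    }
    @Override public boolean doesSupport(String uri) { return uri.startsWith("fake-kms://"); }
    @Override public KmsClient withCredentials(String path) { return this; }
    @Override public KmsClient withDefaultCredentials() { return this; }
    @Override public Aead getAead(String uri) { return aead; }
  }

  public static void main(String[] args) throws GeneralSecurityException {
    AeadConfig.register();
    FakeKmsClient tenantA = new FakeKmsClient();
    FakeKmsClient tenantB = new FakeKmsClient();
    KmsClients.add(tenantA);
    KmsClients.add(tenantB); // same URI scheme, different credentials
    byte[] msg = "payload".getBytes(UTF_8);
    byte[] ad = "context".getBytes(UTF_8);
    // Path via LegacyKmsAeadKey: only the URI is known, so the global table decides.
    LegacyKmsAeadKey key = LegacyKmsAeadKey.create(LegacyKmsAeadParameters.create(KEY_URI), null);
    Aead viaKey = KeysetHandle.newBuilder()
        .addEntry(KeysetHandle.importKey(key).withRandomId().makePrimary())
        .build().getPrimitive(RegistryConfiguration.get(), Aead.class);
    byte[] ct = viaKey.encrypt(msg, ad);
    tenantA.aead.decrypt(ct, ad); // succeeds: the first registered client was used
    try {
      tenantB.aead.decrypt(ct, ad);
      throw new AssertionError("tenant B unexpectedly decrypted");
    } catch (GeneralSecurityException expected) {
      System.out.println("global table used tenant A, not tenant B");
    }

    // Recommended path: name the client, so the caller chooses the credentials.
    Aead direct = tenantB.getAead(KEY_URI);
    tenantB.aead.decrypt(direct.encrypt(msg, ad), ad); // succeeds: tenant B's key was used
  }
}
```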

    • Method Detail

      • create

        public static LegacyKmsAeadKey create(LegacyKmsAeadParameters parameters,
                                              @Nullable
                                              java.lang.Integer idRequirement)
                                       throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException
      • getOutputPrefix

        public Bytes getOutputPrefix()
        Description copied from class: AeadKey
        Returns a Bytes instance which is prefixed to the ciphertext.

        In order to make key rotation more efficient, Tink allows every Aead key to be prefixed with a sequence of bytes. When decrypting data, only keys with matching prefix have to be tried.

        Note that a priori, the output prefix may not be unique in a keyset (i.e., different keys in a keyset may have the same prefix, or one prefix may be a prefix of the other). To avoid this, built-in Tink keys use the convention that the prefix is either '0x00' or '0x01'. See the Tink keys for details.

        Specified by:
        getOutputPrefix in class AeadKey
      • getIdRequirementOrNull

        public java.lang.Integer getIdRequirementOrNull()
        Description copied from class: Key
        Returns null if this key has no id requirement, otherwise the required id.

        Some keys, when they are in a keyset, are required to have a certain ID to work properly. This comes from the fact that Tink in some cases prefixes ciphertexts or signatures with the string 0x01<id>, where the ID is encoded in big endian (see the documentation of the key type for details), in which case the key requires a certain ID.

        Specified by:
        getIdRequirementOrNull in class Key
      • equalsKey

        public boolean equalsKey(Key o)
        Description copied from class: Key
        Returns true if the key is guaranteed to be equal to other.

        Implementations are required to do this in constant time.

        Note: this is allowed to return false even if two keys are guaranteed to represent the same function, but are represented differently. For example, a key is allowed to internally store the number of zero-bytes used as padding when a large number is represented as a byte array, and use this in the comparison.

        Note: Tink Key objects should typically not override hashCode (because it could risk leaking key material). Hence, they typically also should not override equals.

        Specified by:
        equalsKey in class Key