Ability to access individual keys inside a keyset #23

Diniboy1123 opened this issue Dec 3, 2024 · 1 comment
Diniboy1123 commented Dec 3, 2024

Help us help you

Tell us more about your Tink deployment.

Is your feature request related to a problem?

I have some really simple code that generates a hybrid keyset:

```go
privateKeyHandle, err := keyset.NewHandle(hybrid.ECIESHKDFAES128GCMKeyTemplate())
if err != nil {
	log.Fatalf("Error generating private key: %v", err)
}
publicKeyHandle, err := privateKeyHandle.Public()
if err != nil {
	log.Fatalf("Error extracting public key: %v", err)
}
```

I am no cryptographer by any means, but if I understood correctly, this thing uses ECDH over NIST P-256, so there is an underlying ECDH key pair... I get the idea that you don't want to expose the private component unencrypted, but would it be possible to get back the public key as a regular `crypto.PublicKey` cast? I am working with an API that expects me to send the public key as a SubjectPublicKeyInfo, so I would need the key in ASN.1 format. I haven't found a way to access the ECDH key alone.

What sort of feature would you like to see?

I would love to have a way that exposes the individual properties, or at least the KEM public key, in a raw, `crypto.PublicKey`-compatible format so I don't have to reinvent the wheel whenever I want to work with Tink and its hybrid encryption. Or at least a SubjectPublicKeyInfo-compatible API.

Have you considered any alternative solutions?

I haven't found any way to accomplish my goal, but if there is any (even dirty) workaround, I would be happy to know.

Would you like to add additional context?

It seems that `publicKeyHandle.Primitives()` contains an `ECIESAEADHKDFHybridEncrypt` entry where I can use `entry.Primitive.publicKey` from a debugger and get the parameters I need, but it's unfortunately not exported...

It looks like the Java version also has it exported: https://github.com/tink-crypto/tink-java/blob/9659b062322ff4a23892018e6a3d0c8e1f74a428/src/main/java/com/google/crypto/tink/subtle/EllipticCurves.java#L758

Contributor

morambro commented Dec 6, 2024

Hi Diniboy1123, from the next release we add APIs to extract `key.Key`s from a `keyset.Handle`, but unfortunately not for hybrid keys yet, only AEAD and signature keys. Hopefully, support for hybrid keys will become available in a subsequent release.

morambro self-assigned this Dec 9, 2024