Decrypt encrypted data for BigQuery SQL column-level encryption https://blog.salrashid.dev/articles/2022/bq_kms/
package main
import (
	"bytes"
	"encoding/base64"
	"flag"
	"fmt"
	"os"

	"github.com/google/tink/go/aead"
	"github.com/google/tink/go/core/registry"
	"github.com/google/tink/go/integration/gcpkms"
	"github.com/google/tink/go/keyset"
	tinkpb "github.com/google/tink/go/proto/tink_go_proto"
)
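var (
	keyURI          = flag.String("keyURI", "", "KMS Key URI")
	encryptedKeySet = flag.String("encryptedKeySet", "", "Encrypted Keyset")
	cipherText      = flag.String("cipherText", "", "CipherText")
	// additionalData defaults to the literal the tool previously hard-coded, so
	// existing invocations behave exactly as before. Override it to match the
	// AAD that was supplied when the value was encrypted in BigQuery.
	additionalData = flag.String("additionalData", "additional_data", "Additional authenticated data supplied when the value was encrypted")
)

// fatalf reports a usage or runtime error on stderr and exits non-zero, so a
// caller in a script can tell a failed decrypt from a (possibly empty) success.
func fatalf(format string, args ...interface{}) {
	fmt.Fprintln(os.Stderr, fmt.Sprintf(format, args...))
	os.Exit(1)
}

// main decrypts one BigQuery column-level-encryption value.
//
// Flow: the base64 Tink encrypted keyset (--encryptedKeySet) is unwrapped with
// the Cloud KMS key named by --keyURI, an AEAD primitive is built from the
// resulting keyset handle, and the base64 --cipherText is decrypted with it
// under --additionalData. Only the plaintext is written to stdout; every
// diagnostic goes to stderr and any failure exits with status 1.
func main() {
	flag.Parse()
	if *keyURI == "" || *encryptedKeySet == "" || *cipherText == "" {
		fatalf("--keyURI, --encryptedKeySet and --cipherText must be set")
	}

	// NOTE(security): the wrapped keyset and the ciphertext are passed as
	// command-line arguments, so they are visible in process listings and shell
	// history. The keyset is KMS-wrapped and the ciphertext is not secret by
	// itself, but the decrypted value is printed to stdout — treat the
	// invocation and its output as sensitive.

	// Tink's GCP KMS client; given only the URI prefix it uses the default
	// application credentials (per tink's gcpkms docs — confirm for your
	// environment). That identity needs decrypt permission on --keyURI.
	gcpClient, err := gcpkms.NewClient("gcp-kms://")
	if err != nil {
		fatalf("Could not create KMS client: %v", err)
	}
	// Kept from the original; the AEAD below is taken straight from the client,
	// so registration is not strictly required for this code path.
	registry.RegisterKMSClient(gcpClient)

	// backend is the KEK-side AEAD: Cloud KMS unwraps the Tink keyset, and the
	// data-encryption key material stays inside Tink's keyset handle.
	backend, err := gcpClient.GetAEAD(*keyURI)
	if err != nil {
		fatalf("Could not acquire KMS AEAD %v", err)
	}

	rawKeyset, err := base64.StdEncoding.DecodeString(*encryptedKeySet)
	if err != nil {
		fatalf("--encryptedKeySet is not valid base64: %v", err)
	}
	wrapped := &keyset.MemReaderWriter{
		EncryptedKeyset: &tinkpb.EncryptedKeyset{EncryptedKeyset: rawKeyset},
	}

	// Serialize the wrapped keyset in Tink's JSON form. The original did this
	// for an (unprinted) debug view; the buffer is never emitted, so remove
	// this together with the bytes import if no debugging output is wanted.
	var keysetJSON bytes.Buffer
	if err := keyset.NewJSONWriter(&keysetJSON).WriteEncrypted(wrapped.EncryptedKeyset); err != nil {
		fatalf("Could not serialize encrypted keyset: %v", err)
	}

	// keyset.Read decrypts the keyset with the KMS-backed AEAD and returns a
	// handle that never exposes the key material. (It can also be unwrapped by
	// hand with backend.Decrypt and inspected via insecurecleartextkeyset, but
	// that is a debugging aid, not part of decryption.)
	handle, err := keyset.Read(wrapped, backend)
	if err != nil {
		fatalf("Could not decrypt keyset with KMS key: %v", err)
	}
	primitive, err := aead.New(handle)
	if err != nil {
		fatalf("Could not build AEAD from keyset: %v", err)
	}

	ct, err := base64.StdEncoding.DecodeString(*cipherText)
	if err != nil {
		fatalf("--cipherText is not valid base64: %v", err)
	}
	// The AAD is authenticated, not encrypted: it must be byte-identical to the
	// value used at encryption time or Decrypt fails. That failure is the
	// integrity check, so it is reported as an error, never worked around.
	plaintext, err := primitive.Decrypt(ct, []byte(*additionalData))
	if err != nil {
		fatalf("Error Decrypting %v", err)
	}
	// Only the plaintext goes to stdout so it can be captured cleanly.
	fmt.Printf(" Plain text: %s\n", plaintext)
}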