Update HelloWorld example.

- Don't register KMS client.
- Rename parameter to "keyset encryption key uri".
- Remove "encrypt" and "decrypt" functions. They create a new keyset handle every time they are called which should be avoided.
- The "getKeysetHandle" function creates a new keyset if there is non, and loads it otherwise. I think this is bad pattern we should avoid. In this example, I think it's better to just fail if the keyset exists, and have two functions that do these two steps.

PiperOrigin-RevId: 560686600
Change-Id: I57256693530d1bd1c98172074e16182859b658fb

Author: juergw

examples/maven/src/main/java/com/helloworld/HelloWorld.java

@@ -18,7 +18,7 @@
 
 import com.google.crypto.tink.Aead;
 import com.google.crypto.tink.KeysetHandle;
-import com.google.crypto.tink.KmsClients;
+import com.google.crypto.tink.KmsClient;
 import com.google.crypto.tink.TinkJsonProtoKeysetFormat;
 import com.google.crypto.tink.aead.AeadConfig;
 import com.google.crypto.tink.aead.PredefinedAeadParameters;
@@ -29,7 +29,6 @@
 import java.nio.file.Paths;
 import java.security.GeneralSecurityException;
 import java.util.Arrays;
-import java.util.Optional;
 
 /**
  * Encrypts a string
@@ -44,36 +43,25 @@ public final class HelloWorld {
 
   private static void usage() {
     System.out.println(
-        "Usage: mvn exec:java -Dexec.args=\"<keyset file> <credentials path> <master key uri>\"");
+        "Usage: mvn exec:java -Dexec.args=\""
+            + "<keyset file> <credentials path> <keyset encryption key uri>\"");
   }
 
-  /** Loads a KeysetHandle from {@code keyset} or generate a new one if it doesn't exist. */
-  private static KeysetHandle getKeysetHandle(Path keysetPath, String masterKeyUri)
+  /** Creates a new keyset with one AEAD key, and write it encrypted to disk. */
+  private static void createAndWriteEncryptedKeyset(Path keysetPath, Aead keysetEncryptionAead)
       throws GeneralSecurityException, IOException {
-    Aead masterKeyAead = KmsClients.get(masterKeyUri).getAead(masterKeyUri);
-    if (Files.exists(keysetPath)) {
-      return TinkJsonProtoKeysetFormat.parseEncryptedKeyset(
-          new String(Files.readAllBytes(keysetPath), UTF_8), masterKeyAead, new byte[0]);
-    }
     KeysetHandle handle = KeysetHandle.generateNew(PredefinedAeadParameters.AES128_GCM);
     String serializedEncryptedKeyset =
-        TinkJsonProtoKeysetFormat.serializeEncryptedKeyset(handle, masterKeyAead, new byte[0]);
+        TinkJsonProtoKeysetFormat.serializeEncryptedKeyset(
+            handle, keysetEncryptionAead, new byte[0]);
     Files.write(keysetPath, serializedEncryptedKeyset.getBytes(UTF_8));
-    return handle;
   }
 
-  private static byte[] encrypt(Path keyset, String masterKeyUri, byte[] plaintext)
-      throws Exception {
-    KeysetHandle keysetHandle = getKeysetHandle(keyset, masterKeyUri);
-    Aead aead = keysetHandle.getPrimitive(Aead.class);
-    return aead.encrypt(plaintext, associatedData);
-  }
-
-  private static byte[] decrypt(Path keyset, String masterKeyUri, byte[] ciphertext)
-      throws Exception {
-    KeysetHandle keysetHandle = getKeysetHandle(keyset, masterKeyUri);
-    Aead aead = keysetHandle.getPrimitive(Aead.class);
-    return aead.decrypt(ciphertext, associatedData);
+  /** Reads an encrypted keyset from disk. */
+  private static KeysetHandle readEncryptedKeyset(Path keysetPath, Aead keysetEncryptionAead)
+      throws GeneralSecurityException, IOException {
+    return TinkJsonProtoKeysetFormat.parseEncryptedKeyset(
+        new String(Files.readAllBytes(keysetPath), UTF_8), keysetEncryptionAead, new byte[0]);
   }
 
   public static void main(String[] args) throws Exception {
@@ -82,17 +70,28 @@ public static void main(String[] args) throws Exception {
       System.exit(1);
     }
 
-    Path keysetFile = Paths.get(args[0]);
+    Path keysetPath = Paths.get(args[0]);
     Path credentialsPath = Paths.get(args[1]);
-    String masterKeyUri = args[2];
+    String keysetEncryptionKeyUri = args[2];
 
     // Register all AEAD key types with the Tink runtime.
     AeadConfig.register();
-    AwsKmsClient.register(Optional.of(masterKeyUri), Optional.of(credentialsPath.toString()));
 
-    byte[] ciphertext = encrypt(keysetFile, masterKeyUri, plaintext);
-    byte[] decrypted = decrypt(keysetFile, masterKeyUri, ciphertext);
+    KmsClient client = new AwsKmsClient().withCredentials(credentialsPath.toString());
+    Aead keysetEncryptionAead = client.getAead(keysetEncryptionKeyUri);
+
+    if (Files.exists(keysetPath)) {
+      System.out.println("keyset file already exists");
+      System.exit(1);
+    }
+
+    createAndWriteEncryptedKeyset(keysetPath, keysetEncryptionAead);
+
+    KeysetHandle keysetHandle = readEncryptedKeyset(keysetPath, keysetEncryptionAead);
+    Aead aead = keysetHandle.getPrimitive(Aead.class);
 
+    byte[] ciphertext = aead.encrypt(plaintext, associatedData);
+    byte[] decrypted = aead.decrypt(ciphertext, associatedData);
     if (!Arrays.equals(decrypted, plaintext)) {
       System.out.println("Decryption failed");
       System.exit(1);