1// Copyright 2018 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14// 15//////////////////////////////////////////////////////////////////////////////// 16 17package aead 18 19import ( 20 "errors" 21 "fmt" 22 23 "google.golang.org/protobuf/proto" 24 "github.com/google/tink/go/aead/subtle" 25 "github.com/google/tink/go/keyset" 26 subtleMac "github.com/google/tink/go/mac/subtle" 27 "github.com/google/tink/go/subtle/random" 28 ctrpb "github.com/google/tink/go/proto/aes_ctr_go_proto" 29 aeadpb "github.com/google/tink/go/proto/aes_ctr_hmac_aead_go_proto" 30 commonpb "github.com/google/tink/go/proto/common_go_proto" 31 hmacpb "github.com/google/tink/go/proto/hmac_go_proto" 32 tinkpb "github.com/google/tink/go/proto/tink_go_proto" 33) 34 35const ( 36 aesCTRHMACAEADKeyVersion = 0 37 aesCTRHMACAEADTypeURL = "type.googleapis.com/google.crypto.tink.AesCtrHmacAeadKey" 38 minHMACKeySizeInBytes = 16 39 minTagSizeInBytes = 10 40) 41 42// common errors 43var errInvalidAESCTRHMACAEADKey = fmt.Errorf("aes_ctr_hmac_aead_key_manager: invalid key") 44var errInvalidAESCTRHMACAEADKeyFormat = fmt.Errorf("aes_ctr_hmac_aead_key_manager: invalid key format") 45 46// aesCTRHMACAEADKeyManager is an implementation of KeyManager interface. 47// It generates new AESCTRHMACAEADKey keys and produces new instances of EncryptThenAuthenticate subtle. 48type aesCTRHMACAEADKeyManager struct{} 49 50// Primitive creates an AEAD for the given serialized AESCTRHMACAEADKey proto. 51func (km *aesCTRHMACAEADKeyManager) Primitive(serializedKey []byte) (interface{}, error) { 52 if len(serializedKey) == 0 { 53 return nil, errInvalidAESCTRHMACAEADKey 54 } 55 key := new(aeadpb.AesCtrHmacAeadKey) 56 if err := proto.Unmarshal(serializedKey, key); err != nil { 57 return nil, errInvalidAESCTRHMACAEADKey 58 } 59 if err := km.validateKey(key); err != nil { 60 return nil, err 61 } 62 63 ctr, err := subtle.NewAESCTR(key.AesCtrKey.KeyValue, int(key.AesCtrKey.Params.IvSize)) 64 if err != nil { 65 return nil, fmt.Errorf("aes_ctr_hmac_aead_key_manager: cannot create new primitive: %v", err) 66 } 67 68 hmacKey := key.HmacKey 69 hmac, err := subtleMac.NewHMAC(hmacKey.Params.Hash.String(), hmacKey.KeyValue, hmacKey.Params.TagSize) 70 if err != nil { 71 return nil, fmt.Errorf("aes_ctr_hmac_aead_key_manager: cannot create mac primitive, error: %v", err) 72 } 73 74 aead, err := subtle.NewEncryptThenAuthenticate(ctr, hmac, int(hmacKey.Params.TagSize)) 75 if err != nil { 76 return nil, fmt.Errorf("aes_ctr_hmac_aead_key_manager: cannot create encrypt then authenticate primitive, error: %v", err) 77 } 78 return aead, nil 79} 80 81// NewKey creates a new key according to the given serialized AesCtrHmacAeadKeyFormat. 82func (km *aesCTRHMACAEADKeyManager) NewKey(serializedKeyFormat []byte) (proto.Message, error) { 83 if len(serializedKeyFormat) == 0 { 84 return nil, errInvalidAESCTRHMACAEADKeyFormat 85 } 86 keyFormat := new(aeadpb.AesCtrHmacAeadKeyFormat) 87 if err := proto.Unmarshal(serializedKeyFormat, keyFormat); err != nil { 88 return nil, errInvalidAESCTRHMACAEADKeyFormat 89 } 90 if err := km.validateKeyFormat(keyFormat); err != nil { 91 return nil, fmt.Errorf("aes_ctr_hmac_aead_key_manager: invalid key format: %v", err) 92 } 93 return &aeadpb.AesCtrHmacAeadKey{ 94 Version: aesCTRHMACAEADKeyVersion, 95 AesCtrKey: &ctrpb.AesCtrKey{ 96 Version: aesCTRHMACAEADKeyVersion, 97 KeyValue: random.GetRandomBytes(keyFormat.AesCtrKeyFormat.KeySize), 98 Params: keyFormat.AesCtrKeyFormat.Params, 99 }, 100 HmacKey: &hmacpb.HmacKey{ 101 Version: aesCTRHMACAEADKeyVersion, 102 KeyValue: random.GetRandomBytes(keyFormat.HmacKeyFormat.KeySize), 103 Params: keyFormat.HmacKeyFormat.Params, 104 }, 105 }, nil 106} 107 108// NewKeyData creates a new KeyData according to specification in the given serialized 109// AesCtrHmacAeadKeyFormat. 110// It should be used solely by the key management API. 111func (km *aesCTRHMACAEADKeyManager) NewKeyData(serializedKeyFormat []byte) (*tinkpb.KeyData, error) { 112 key, err := km.NewKey(serializedKeyFormat) 113 if err != nil { 114 return nil, err 115 } 116 serializedKey, err := proto.Marshal(key) 117 if err != nil { 118 return nil, err 119 } 120 return &tinkpb.KeyData{ 121 TypeUrl: km.TypeURL(), 122 Value: serializedKey, 123 KeyMaterialType: tinkpb.KeyData_SYMMETRIC, 124 }, nil 125} 126 127// DoesSupport indicates if this key manager supports the given key type. 128func (km *aesCTRHMACAEADKeyManager) DoesSupport(typeURL string) bool { 129 return typeURL == aesCTRHMACAEADTypeURL 130} 131 132// TypeURL returns the key type of keys managed by this key manager. 133func (km *aesCTRHMACAEADKeyManager) TypeURL() string { 134 return aesCTRHMACAEADTypeURL 135} 136 137// validateKey validates the given AesCtrHmacAeadKey proto. 138func (km *aesCTRHMACAEADKeyManager) validateKey(key *aeadpb.AesCtrHmacAeadKey) error { 139 if err := keyset.ValidateKeyVersion(key.Version, aesCTRHMACAEADKeyVersion); err != nil { 140 return fmt.Errorf("aes_ctr_hmac_aead_key_manager: %v", err) 141 } 142 if err := keyset.ValidateKeyVersion(key.AesCtrKey.Version, aesCTRHMACAEADKeyVersion); err != nil { 143 return fmt.Errorf("aes_ctr_hmac_aead_key_manager: %v", err) 144 } 145 if err := keyset.ValidateKeyVersion(key.HmacKey.Version, aesCTRHMACAEADKeyVersion); err != nil { 146 return fmt.Errorf("aes_ctr_hmac_aead_key_manager: %v", err) 147 } 148 // Validate AesCtrKey. 149 keySize := uint32(len(key.AesCtrKey.KeyValue)) 150 if err := subtle.ValidateAESKeySize(keySize); err != nil { 151 return fmt.Errorf("aes_ctr_hmac_aead_key_manager: %v", err) 152 } 153 params := key.AesCtrKey.Params 154 if params.IvSize < subtle.AESCTRMinIVSize || params.IvSize > 16 { 155 return errors.New("aes_ctr_hmac_aead_key_manager: invalid AesCtrHmacAeadKey: IV size out of range") 156 } 157 return nil 158} 159 160// validateKeyFormat validates the given AesCtrHmacAeadKeyFormat proto. 161func (km *aesCTRHMACAEADKeyManager) validateKeyFormat(format *aeadpb.AesCtrHmacAeadKeyFormat) error { 162 // Validate AesCtrKeyFormat. 163 if err := subtle.ValidateAESKeySize(format.AesCtrKeyFormat.KeySize); err != nil { 164 return fmt.Errorf("aes_ctr_hmac_aead_key_manager: %s", err) 165 } 166 if format.AesCtrKeyFormat.Params.IvSize < subtle.AESCTRMinIVSize || format.AesCtrKeyFormat.Params.IvSize > 16 { 167 return errors.New("aes_ctr_hmac_aead_key_manager: invalid AesCtrHmacAeadKeyFormat: IV size out of range") 168 } 169 170 // Validate HmacKeyFormat. 171 hmacKeyFormat := format.HmacKeyFormat 172 if hmacKeyFormat.KeySize < minHMACKeySizeInBytes { 173 return errors.New("aes_ctr_hmac_aead_key_manager: HMAC KeySize is too small") 174 } 175 if hmacKeyFormat.Params.TagSize < minTagSizeInBytes { 176 return fmt.Errorf("aes_ctr_hmac_aead_key_manager: invalid HmacParams: TagSize %d is too small", hmacKeyFormat.Params.TagSize) 177 } 178 179 maxTagSize := map[commonpb.HashType]uint32{ 180 commonpb.HashType_SHA1: 20, 181 commonpb.HashType_SHA224: 28, 182 commonpb.HashType_SHA256: 32, 183 commonpb.HashType_SHA384: 48, 184 commonpb.HashType_SHA512: 64} 185 186 tagSize, ok := maxTagSize[hmacKeyFormat.Params.Hash] 187 if !ok { 188 return fmt.Errorf("aes_ctr_hmac_aead_key_manager: invalid HmacParams: HashType %q not supported", 189 hmacKeyFormat.Params.Hash) 190 } 191 if hmacKeyFormat.Params.TagSize > tagSize { 192 return fmt.Errorf("aes_ctr_hmac_aead_key_manager: invalid HmacParams: tagSize %d is too big for HashType %q", 193 hmacKeyFormat.Params.TagSize, hmacKeyFormat.Params.Hash) 194 } 195 196 return nil 197} 198