xref: /aosp_15_r20/external/tink/cc/keyset_manager.h (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5)
1 // Copyright 2017 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16 #ifndef TINK_KEYSET_MANAGER_H_
17 #define TINK_KEYSET_MANAGER_H_
18 
19 #include <memory>
20 
21 #include "absl/base/thread_annotations.h"
22 #include "absl/synchronization/mutex.h"
23 #include "tink/util/status.h"
24 #include "tink/util/statusor.h"
25 #include "proto/tink.pb.h"
26 
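namespace crypto {
namespace tink {

class KeysetHandle;

// KeysetManager provides convenience methods for creating Keysets, and for
// rotating, disabling, enabling, or destroying keys.
// An instance of this class takes care of a single Keyset, which can be
// accessed via the GetKeysetHandle() method.
//
// Thread-safety: the managed keyset is guarded by 'keyset_mutex_'. Every
// method annotated with ABSL_LOCKS_EXCLUDED(keyset_mutex_) must be entered
// without that mutex held.
//
// Key lifecycle, as documented on the methods below:
//   * Disable() is reversible: Enable() accepts a 'DISABLED' key.
//   * Destroy() removes the key material but keeps the keyset entry;
//     Enable() does not accept a 'DESTROYED' key, so this is one-way.
//   * Delete() removes the entry itself.
// Before calling Destroy() or Delete(), make sure nothing still depends on
// that key's material: it cannot be recovered through this class.
class KeysetManager {
 public:
  // Constructs a KeysetManager with an empty Keyset.
  // An empty keyset contains no keys and therefore no primary; add one with
  // Rotate(), or with Add() followed by SetPrimary(), before handing out a
  // handle that is meant for cryptographic use.
  KeysetManager() = default;

  // Creates a new KeysetManager that contains a Keyset with a single key
  // generated freshly according to the specification in 'key_template'.
  // Returns an error status if the manager cannot be created.
  static crypto::tink::util::StatusOr<std::unique_ptr<KeysetManager>> New(
      const google::crypto::tink::KeyTemplate& key_template);

  // Creates a new KeysetManager that contains a Keyset cloned from
  // the given 'keyset_handle'. Because the keyset is cloned, later changes
  // made through this manager are not applied to 'keyset_handle'.
  static crypto::tink::util::StatusOr<std::unique_ptr<KeysetManager>> New(
      const KeysetHandle& keyset_handle);

  // Adds to the managed keyset a fresh key generated according to
  // 'key_template' and returns the key_id of the added key.
  // The added key has status 'ENABLED'.
  // NOTE(review): unlike Rotate(), this is not documented to change the
  // primary key -- confirm against the definition.
  crypto::tink::util::StatusOr<uint32_t> Add(
      const google::crypto::tink::KeyTemplate& key_template)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Adds to the managed keyset a fresh key generated according to
  // 'key_template', sets the new key as the primary,
  // and returns the key_id of the added key.
  // The key that was primary prior to rotation remains 'ENABLED'; rotation
  // alone does not retire it. Call Disable(), Destroy() or Delete() on the
  // old key_id once it is no longer needed.
  crypto::tink::util::StatusOr<uint32_t> Rotate(
      const google::crypto::tink::KeyTemplate& key_template)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Sets the status of the specified key to 'ENABLED'.
  // Succeeds only if before the call the specified key
  // has status 'DISABLED' or 'ENABLED'. In particular, a 'DESTROYED' key
  // cannot be re-enabled.
  crypto::tink::util::Status Enable(uint32_t key_id)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Sets the status of the specified key to 'DISABLED'.
  // Succeeds only if before the call the specified key
  // is not primary and has status 'DISABLED' or 'ENABLED'.
  // The key material is kept, so the key can be restored with Enable().
  crypto::tink::util::Status Disable(uint32_t key_id)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Sets the status of the specified key to 'DESTROYED',
  // and removes the corresponding key material, if any.
  // Succeeds only if before the call the specified key
  // is not primary and has status 'DISABLED', or 'ENABLED',
  // or 'DESTROYED'.
  // The keyset entry itself stays in place; use Delete() to remove it.
  crypto::tink::util::Status Destroy(uint32_t key_id)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Removes the specified key from the managed keyset.
  // Succeeds only if the specified key is not primary.
  // After deletion the keyset contains one key fewer.
  crypto::tink::util::Status Delete(uint32_t key_id)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Sets the specified key as the primary.
  // Succeeds only if the specified key is 'ENABLED'.
  crypto::tink::util::Status SetPrimary(uint32_t key_id)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Returns the count of all keys in the keyset. The count is over keyset
  // entries, so it is reduced by Delete() but not by Disable() or Destroy().
  // Annotated like the other accessors because 'keyset_' is guarded by
  // 'keyset_mutex_' and this method declares no lock requirement of its own.
  // NOTE(review): confirm the definition acquires keyset_mutex_ itself.
  int KeyCount() const ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Returns a handle with a copy of the managed keyset.
  // The handle is a snapshot: changes made through this manager after the
  // call are not reflected in a handle obtained earlier. The copy carries
  // the same key material as the managed keyset and needs the same care.
  std::unique_ptr<KeysetHandle> GetKeysetHandle()
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

 private:
  // Shared implementation behind the public Add() and Rotate():
  // 'as_primary' selects whether the freshly generated key also becomes
  // the primary. Returns the key_id of the added key.
  crypto::tink::util::StatusOr<uint32_t> Add(
      const google::crypto::tink::KeyTemplate& key_template, bool as_primary)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // 'mutable' so that const methods such as KeyCount() can lock it.
  mutable absl::Mutex keyset_mutex_;
  // The single keyset owned by this manager; access only with
  // 'keyset_mutex_' held.
  google::crypto::tink::Keyset keyset_ ABSL_GUARDED_BY(keyset_mutex_);
};

}  // namespace tink
}  // namespace crypto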
115 
116 #endif  // TINK_KEYSET_MANAGER_H_
117