1 // Copyright 2019 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16
17 #include "tink/aead/kms_envelope_aead.h"
18
19 #include <stdint.h>
20
21 #include <memory>
22 #include <string>
23 #include <utility>
24
25 #include "absl/base/internal/endian.h"
26 #include "absl/status/status.h"
27 #include "absl/strings/str_cat.h"
28 #include "absl/strings/string_view.h"
29 #include "tink/aead.h"
30 #include "tink/aead/internal/aead_util.h"
31 #include "tink/registry.h"
32 #include "tink/util/status.h"
33 #include "tink/util/statusor.h"
34 #include "proto/tink.pb.h"
35
36 namespace crypto {
37 namespace tink {
38
39 namespace {
40
41 const int kEncryptedDekPrefixSize = 4;
42 const char* kEmptyAssociatedData = "";
43
44 // Constructs a ciphertext of KMS envelope encryption.
45 // The format of the ciphertext is the following:
46 // 4-byte-prefix | encrypted_dek | encrypted_plaintext
47 // where 4-byte-prefix is the length of encrypted_dek in big-endian format
48 // (for compatibility with Java)
GetEnvelopeCiphertext(absl::string_view encrypted_dek,absl::string_view encrypted_plaintext)49 std::string GetEnvelopeCiphertext(absl::string_view encrypted_dek,
50 absl::string_view encrypted_plaintext) {
51 uint8_t enc_dek_size[kEncryptedDekPrefixSize];
52 absl::big_endian::Store32(enc_dek_size, encrypted_dek.size());
53 return absl::StrCat(std::string(reinterpret_cast<const char*>(enc_dek_size),
54 kEncryptedDekPrefixSize),
55 encrypted_dek, encrypted_plaintext);
56 }
57
58 } // namespace
59
60 // static
New(const google::crypto::tink::KeyTemplate & dek_template,std::unique_ptr<Aead> remote_aead)61 util::StatusOr<std::unique_ptr<Aead>> KmsEnvelopeAead::New(
62 const google::crypto::tink::KeyTemplate& dek_template,
63 std::unique_ptr<Aead> remote_aead) {
64 if (!internal::IsSupportedKmsEnvelopeAeadDekKeyType(
65 dek_template.type_url())) {
66 return util::Status(absl::StatusCode::kInvalidArgument,
67 "unsupported key type");
68 }
69 if (remote_aead == nullptr) {
70 return util::Status(absl::StatusCode::kInvalidArgument,
71 "remote_aead must be non-null");
72 }
73 auto km_result = Registry::get_key_manager<Aead>(dek_template.type_url());
74 if (!km_result.ok()) return km_result.status();
75 std::unique_ptr<Aead> envelope_aead(
76 new KmsEnvelopeAead(dek_template, std::move(remote_aead)));
77 return std::move(envelope_aead);
78 }
79
Encrypt(absl::string_view plaintext,absl::string_view associated_data) const80 util::StatusOr<std::string> KmsEnvelopeAead::Encrypt(
81 absl::string_view plaintext, absl::string_view associated_data) const {
82 // Generate DEK.
83 auto dek_result = Registry::NewKeyData(dek_template_);
84 if (!dek_result.ok()) return dek_result.status();
85 auto dek = std::move(dek_result.value());
86
87 // Wrap DEK key values with remote.
88 auto dek_encrypt_result =
89 remote_aead_->Encrypt(dek->value(), kEmptyAssociatedData);
90 if (!dek_encrypt_result.ok()) return dek_encrypt_result.status();
91
92 // Encrypt plaintext using DEK.
93 auto aead_result = Registry::GetPrimitive<Aead>(*dek);
94 if (!aead_result.ok()) return aead_result.status();
95 auto aead = std::move(aead_result.value());
96 auto encrypt_result = aead->Encrypt(plaintext, associated_data);
97 if (!encrypt_result.ok()) return encrypt_result.status();
98
99 // Build and return ciphertext.
100 return GetEnvelopeCiphertext(dek_encrypt_result.value(),
101 encrypt_result.value());
102 }
103
Decrypt(absl::string_view ciphertext,absl::string_view associated_data) const104 util::StatusOr<std::string> KmsEnvelopeAead::Decrypt(
105 absl::string_view ciphertext, absl::string_view associated_data) const {
106 // Parse the ciphertext.
107 if (ciphertext.size() < kEncryptedDekPrefixSize) {
108 return util::Status(absl::StatusCode::kInvalidArgument,
109 "ciphertext too short");
110 }
111 auto enc_dek_size = absl::big_endian::Load32(
112 reinterpret_cast<const uint8_t*>(ciphertext.data()));
113 if (enc_dek_size > ciphertext.size() - kEncryptedDekPrefixSize ||
114 enc_dek_size < 0) {
115 return util::Status(absl::StatusCode::kInvalidArgument,
116 "invalid ciphertext");
117 }
118 // Decrypt the DEK with remote.
119 auto dek_decrypt_result = remote_aead_->Decrypt(
120 ciphertext.substr(kEncryptedDekPrefixSize, enc_dek_size),
121 kEmptyAssociatedData);
122 if (!dek_decrypt_result.ok()) {
123 return util::Status(absl::StatusCode::kInvalidArgument,
124 absl::StrCat("invalid ciphertext: ",
125 dek_decrypt_result.status().message()));
126 }
127
128 // Create AEAD from DEK.
129 google::crypto::tink::KeyData dek;
130 dek.set_type_url(dek_template_.type_url());
131 dek.set_value(dek_decrypt_result.value());
132 dek.set_key_material_type(google::crypto::tink::KeyData::SYMMETRIC);
133
134 // Encrypt plaintext using DEK.
135 auto aead_result = Registry::GetPrimitive<Aead>(dek);
136 if (!aead_result.ok()) return aead_result.status();
137 auto aead = std::move(aead_result.value());
138 return aead->Decrypt(
139 ciphertext.substr(kEncryptedDekPrefixSize + enc_dek_size),
140 associated_data);
141 }
142
143 } // namespace tink
144 } // namespace crypto
145