1*e7b1675dSTing-Kang Chang // Copyright 2019 Google LLC
2*e7b1675dSTing-Kang Chang //
3*e7b1675dSTing-Kang Chang // Licensed under the Apache License, Version 2.0 (the "License");
4*e7b1675dSTing-Kang Chang // you may not use this file except in compliance with the License.
5*e7b1675dSTing-Kang Chang // You may obtain a copy of the License at
6*e7b1675dSTing-Kang Chang //
7*e7b1675dSTing-Kang Chang // http://www.apache.org/licenses/LICENSE-2.0
8*e7b1675dSTing-Kang Chang //
9*e7b1675dSTing-Kang Chang // Unless required by applicable law or agreed to in writing, software
10*e7b1675dSTing-Kang Chang // distributed under the License is distributed on an "AS IS" BASIS,
11*e7b1675dSTing-Kang Chang // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12*e7b1675dSTing-Kang Chang // See the License for the specific language governing permissions and
13*e7b1675dSTing-Kang Chang // limitations under the License.
14*e7b1675dSTing-Kang Chang //
15*e7b1675dSTing-Kang Chang ///////////////////////////////////////////////////////////////////////////////
16*e7b1675dSTing-Kang Chang
17*e7b1675dSTing-Kang Chang #include "tink/aead/kms_envelope_aead.h"
18*e7b1675dSTing-Kang Chang
19*e7b1675dSTing-Kang Chang #include <stdint.h>
20*e7b1675dSTing-Kang Chang
21*e7b1675dSTing-Kang Chang #include <memory>
22*e7b1675dSTing-Kang Chang #include <string>
23*e7b1675dSTing-Kang Chang #include <utility>
24*e7b1675dSTing-Kang Chang
25*e7b1675dSTing-Kang Chang #include "absl/base/internal/endian.h"
26*e7b1675dSTing-Kang Chang #include "absl/status/status.h"
27*e7b1675dSTing-Kang Chang #include "absl/strings/str_cat.h"
28*e7b1675dSTing-Kang Chang #include "absl/strings/string_view.h"
29*e7b1675dSTing-Kang Chang #include "tink/aead.h"
30*e7b1675dSTing-Kang Chang #include "tink/aead/internal/aead_util.h"
31*e7b1675dSTing-Kang Chang #include "tink/registry.h"
32*e7b1675dSTing-Kang Chang #include "tink/util/status.h"
33*e7b1675dSTing-Kang Chang #include "tink/util/statusor.h"
34*e7b1675dSTing-Kang Chang #include "proto/tink.pb.h"
35*e7b1675dSTing-Kang Chang
36*e7b1675dSTing-Kang Chang namespace crypto {
37*e7b1675dSTing-Kang Chang namespace tink {
38*e7b1675dSTing-Kang Chang
39*e7b1675dSTing-Kang Chang namespace {
40*e7b1675dSTing-Kang Chang
41*e7b1675dSTing-Kang Chang const int kEncryptedDekPrefixSize = 4;
42*e7b1675dSTing-Kang Chang const char* kEmptyAssociatedData = "";
43*e7b1675dSTing-Kang Chang
44*e7b1675dSTing-Kang Chang // Constructs a ciphertext of KMS envelope encryption.
45*e7b1675dSTing-Kang Chang // The format of the ciphertext is the following:
46*e7b1675dSTing-Kang Chang // 4-byte-prefix | encrypted_dek | encrypted_plaintext
47*e7b1675dSTing-Kang Chang // where 4-byte-prefix is the length of encrypted_dek in big-endian format
48*e7b1675dSTing-Kang Chang // (for compatibility with Java)
GetEnvelopeCiphertext(absl::string_view encrypted_dek,absl::string_view encrypted_plaintext)49*e7b1675dSTing-Kang Chang std::string GetEnvelopeCiphertext(absl::string_view encrypted_dek,
50*e7b1675dSTing-Kang Chang absl::string_view encrypted_plaintext) {
51*e7b1675dSTing-Kang Chang uint8_t enc_dek_size[kEncryptedDekPrefixSize];
52*e7b1675dSTing-Kang Chang absl::big_endian::Store32(enc_dek_size, encrypted_dek.size());
53*e7b1675dSTing-Kang Chang return absl::StrCat(std::string(reinterpret_cast<const char*>(enc_dek_size),
54*e7b1675dSTing-Kang Chang kEncryptedDekPrefixSize),
55*e7b1675dSTing-Kang Chang encrypted_dek, encrypted_plaintext);
56*e7b1675dSTing-Kang Chang }
57*e7b1675dSTing-Kang Chang
58*e7b1675dSTing-Kang Chang } // namespace
59*e7b1675dSTing-Kang Chang
60*e7b1675dSTing-Kang Chang // static
New(const google::crypto::tink::KeyTemplate & dek_template,std::unique_ptr<Aead> remote_aead)61*e7b1675dSTing-Kang Chang util::StatusOr<std::unique_ptr<Aead>> KmsEnvelopeAead::New(
62*e7b1675dSTing-Kang Chang const google::crypto::tink::KeyTemplate& dek_template,
63*e7b1675dSTing-Kang Chang std::unique_ptr<Aead> remote_aead) {
64*e7b1675dSTing-Kang Chang if (!internal::IsSupportedKmsEnvelopeAeadDekKeyType(
65*e7b1675dSTing-Kang Chang dek_template.type_url())) {
66*e7b1675dSTing-Kang Chang return util::Status(absl::StatusCode::kInvalidArgument,
67*e7b1675dSTing-Kang Chang "unsupported key type");
68*e7b1675dSTing-Kang Chang }
69*e7b1675dSTing-Kang Chang if (remote_aead == nullptr) {
70*e7b1675dSTing-Kang Chang return util::Status(absl::StatusCode::kInvalidArgument,
71*e7b1675dSTing-Kang Chang "remote_aead must be non-null");
72*e7b1675dSTing-Kang Chang }
73*e7b1675dSTing-Kang Chang auto km_result = Registry::get_key_manager<Aead>(dek_template.type_url());
74*e7b1675dSTing-Kang Chang if (!km_result.ok()) return km_result.status();
75*e7b1675dSTing-Kang Chang std::unique_ptr<Aead> envelope_aead(
76*e7b1675dSTing-Kang Chang new KmsEnvelopeAead(dek_template, std::move(remote_aead)));
77*e7b1675dSTing-Kang Chang return std::move(envelope_aead);
78*e7b1675dSTing-Kang Chang }
79*e7b1675dSTing-Kang Chang
Encrypt(absl::string_view plaintext,absl::string_view associated_data) const80*e7b1675dSTing-Kang Chang util::StatusOr<std::string> KmsEnvelopeAead::Encrypt(
81*e7b1675dSTing-Kang Chang absl::string_view plaintext, absl::string_view associated_data) const {
82*e7b1675dSTing-Kang Chang // Generate DEK.
83*e7b1675dSTing-Kang Chang auto dek_result = Registry::NewKeyData(dek_template_);
84*e7b1675dSTing-Kang Chang if (!dek_result.ok()) return dek_result.status();
85*e7b1675dSTing-Kang Chang auto dek = std::move(dek_result.value());
86*e7b1675dSTing-Kang Chang
87*e7b1675dSTing-Kang Chang // Wrap DEK key values with remote.
88*e7b1675dSTing-Kang Chang auto dek_encrypt_result =
89*e7b1675dSTing-Kang Chang remote_aead_->Encrypt(dek->value(), kEmptyAssociatedData);
90*e7b1675dSTing-Kang Chang if (!dek_encrypt_result.ok()) return dek_encrypt_result.status();
91*e7b1675dSTing-Kang Chang
92*e7b1675dSTing-Kang Chang // Encrypt plaintext using DEK.
93*e7b1675dSTing-Kang Chang auto aead_result = Registry::GetPrimitive<Aead>(*dek);
94*e7b1675dSTing-Kang Chang if (!aead_result.ok()) return aead_result.status();
95*e7b1675dSTing-Kang Chang auto aead = std::move(aead_result.value());
96*e7b1675dSTing-Kang Chang auto encrypt_result = aead->Encrypt(plaintext, associated_data);
97*e7b1675dSTing-Kang Chang if (!encrypt_result.ok()) return encrypt_result.status();
98*e7b1675dSTing-Kang Chang
99*e7b1675dSTing-Kang Chang // Build and return ciphertext.
100*e7b1675dSTing-Kang Chang return GetEnvelopeCiphertext(dek_encrypt_result.value(),
101*e7b1675dSTing-Kang Chang encrypt_result.value());
102*e7b1675dSTing-Kang Chang }
103*e7b1675dSTing-Kang Chang
Decrypt(absl::string_view ciphertext,absl::string_view associated_data) const104*e7b1675dSTing-Kang Chang util::StatusOr<std::string> KmsEnvelopeAead::Decrypt(
105*e7b1675dSTing-Kang Chang absl::string_view ciphertext, absl::string_view associated_data) const {
106*e7b1675dSTing-Kang Chang // Parse the ciphertext.
107*e7b1675dSTing-Kang Chang if (ciphertext.size() < kEncryptedDekPrefixSize) {
108*e7b1675dSTing-Kang Chang return util::Status(absl::StatusCode::kInvalidArgument,
109*e7b1675dSTing-Kang Chang "ciphertext too short");
110*e7b1675dSTing-Kang Chang }
111*e7b1675dSTing-Kang Chang auto enc_dek_size = absl::big_endian::Load32(
112*e7b1675dSTing-Kang Chang reinterpret_cast<const uint8_t*>(ciphertext.data()));
113*e7b1675dSTing-Kang Chang if (enc_dek_size > ciphertext.size() - kEncryptedDekPrefixSize ||
114*e7b1675dSTing-Kang Chang enc_dek_size < 0) {
115*e7b1675dSTing-Kang Chang return util::Status(absl::StatusCode::kInvalidArgument,
116*e7b1675dSTing-Kang Chang "invalid ciphertext");
117*e7b1675dSTing-Kang Chang }
118*e7b1675dSTing-Kang Chang // Decrypt the DEK with remote.
119*e7b1675dSTing-Kang Chang auto dek_decrypt_result = remote_aead_->Decrypt(
120*e7b1675dSTing-Kang Chang ciphertext.substr(kEncryptedDekPrefixSize, enc_dek_size),
121*e7b1675dSTing-Kang Chang kEmptyAssociatedData);
122*e7b1675dSTing-Kang Chang if (!dek_decrypt_result.ok()) {
123*e7b1675dSTing-Kang Chang return util::Status(absl::StatusCode::kInvalidArgument,
124*e7b1675dSTing-Kang Chang absl::StrCat("invalid ciphertext: ",
125*e7b1675dSTing-Kang Chang dek_decrypt_result.status().message()));
126*e7b1675dSTing-Kang Chang }
127*e7b1675dSTing-Kang Chang
128*e7b1675dSTing-Kang Chang // Create AEAD from DEK.
129*e7b1675dSTing-Kang Chang google::crypto::tink::KeyData dek;
130*e7b1675dSTing-Kang Chang dek.set_type_url(dek_template_.type_url());
131*e7b1675dSTing-Kang Chang dek.set_value(dek_decrypt_result.value());
132*e7b1675dSTing-Kang Chang dek.set_key_material_type(google::crypto::tink::KeyData::SYMMETRIC);
133*e7b1675dSTing-Kang Chang
134*e7b1675dSTing-Kang Chang // Encrypt plaintext using DEK.
135*e7b1675dSTing-Kang Chang auto aead_result = Registry::GetPrimitive<Aead>(dek);
136*e7b1675dSTing-Kang Chang if (!aead_result.ok()) return aead_result.status();
137*e7b1675dSTing-Kang Chang auto aead = std::move(aead_result.value());
138*e7b1675dSTing-Kang Chang return aead->Decrypt(
139*e7b1675dSTing-Kang Chang ciphertext.substr(kEncryptedDekPrefixSize + enc_dek_size),
140*e7b1675dSTing-Kang Chang associated_data);
141*e7b1675dSTing-Kang Chang }
142*e7b1675dSTing-Kang Chang
143*e7b1675dSTing-Kang Chang } // namespace tink
144*e7b1675dSTing-Kang Chang } // namespace crypto
145