xref: /aosp_15_r20/external/tink/cc/aead/kms_envelope_aead.h (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5)
1 // Copyright 2019 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16 
17 #ifndef TINK_AEAD_KMS_ENVELOPE_AEAD_H_
18 #define TINK_AEAD_KMS_ENVELOPE_AEAD_H_
19 
20 #include <memory>
21 #include <string>
22 #include <utility>
23 
24 #include "absl/strings/string_view.h"
25 #include "tink/aead.h"
26 #include "tink/util/status.h"
27 #include "tink/util/statusor.h"
28 #include "proto/tink.pb.h"
29 
30 namespace crypto {
31 namespace tink {
32 
33 // An implementation of KMS Envelope AEAD encryption
34 // (https://cloud.google.com/kms/docs/data-encryption-keys).
35 //
36 // In envelope encryption, the user generates a data encryption key (DEK)
37 // locally, encrypts data with the DEK, sends the DEK to a KMS to be encrypted
38 // (with a key managed by the KMS), and stores the encrypted DEK with the
39 // encrypted data; later the user can retrieve the encrypted data and DEK,
40 // use the KMS to decrypt the DEK, and use the decrypted DEK to decrypt the data.
41 //
42 // The ciphertext structure is as follows:
43 //  - Length of encrypted DEK: 4 bytes (big endian)
44 //  - Encrypted DEK: variable length that is equal to the value
45 //    specified in the preceding 4 bytes.
46 //  - AEAD payload: variable length.
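class KmsEnvelopeAead : public Aead {
 public:
  // Creates an envelope AEAD and takes ownership of `remote_aead`.
  //
  // `dek_template` is the key template kept for data encryption keys (DEKs);
  // `remote_aead` is the AEAD that encrypts and decrypts the DEK itself (the
  // KMS-backed primitive in the scheme described in the class comment).
  // Returns the new primitive as an Aead, or an error status.
  //
  // NOTE(review): which inputs are rejected (for example a null `remote_aead`,
  // or a `dek_template` that does not describe an AEAD key) is decided in the
  // implementation file, which is not visible here -- confirm before relying
  // on it.
  static crypto::tink::util::StatusOr<std::unique_ptr<Aead>> New(
      const google::crypto::tink::KeyTemplate& dek_template,
      std::unique_ptr<Aead> remote_aead);

  // Encrypts `plaintext` with `associated_data` and returns the ciphertext, or
  // an error status. Per the layout in the class comment, the ciphertext is
  // the 4-byte big-endian length of the encrypted DEK, the encrypted DEK, and
  // then the AEAD payload.
  //
  // NOTE(review): presumably `associated_data` is authenticated only by the
  // DEK-level AEAD and not by the call that wraps the DEK -- confirm in the
  // implementation before treating it as bound to the encrypted DEK.
  crypto::tink::util::StatusOr<std::string> Encrypt(
      absl::string_view plaintext,
      absl::string_view associated_data) const override;

  // Decrypts `ciphertext` with `associated_data` and returns the plaintext, or
  // an error status.
  //
  // NOTE(review): the encrypted-DEK length is carried in the ciphertext
  // itself, so it is untrusted input. The implementation (not visible here)
  // should reject a length that exceeds the remaining ciphertext, or a sane
  // upper bound, before slicing on it -- confirm in the .cc file.
  crypto::tink::util::StatusOr<std::string> Decrypt(
      absl::string_view ciphertext,
      absl::string_view associated_data) const override;

  ~KmsEnvelopeAead() override = default;

 private:
  // Private so that instances are only created through New(). Copies
  // `dek_template` and takes ownership of `remote_aead`.
  KmsEnvelopeAead(const google::crypto::tink::KeyTemplate& dek_template,
                  std::unique_ptr<Aead> remote_aead) :
      dek_template_(dek_template), remote_aead_(std::move(remote_aead)) {}

  // Copy of the key template passed to the constructor.
  google::crypto::tink::KeyTemplate dek_template_;
  // Owned AEAD passed to the constructor; per the class comment, the one that
  // encrypts and decrypts the DEK.
  std::unique_ptr<Aead> remote_aead_;
};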
71 
72 }  // namespace tink
73 }  // namespace crypto
74 
75 #endif  // TINK_AEAD_KMS_ENVELOPE_AEAD_H_
76