1 // Copyright 2017 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16
17 #include "tink/hybrid/ecies_aead_hkdf_hybrid_decrypt.h"
18
19 #include <memory>
20 #include <string>
21 #include <utility>
22
23 #include "absl/memory/memory.h"
24 #include "absl/status/status.h"
25 #include "tink/hybrid/ecies_aead_hkdf_dem_helper.h"
26 #include "tink/hybrid_decrypt.h"
27 #include "tink/internal/ec_util.h"
28 #include "tink/subtle/ecies_hkdf_recipient_kem_boringssl.h"
29 #include "tink/util/enums.h"
30 #include "tink/util/secret_data.h"
31 #include "tink/util/status.h"
32 #include "proto/ecies_aead_hkdf.pb.h"
33
34 using ::google::crypto::tink::EciesAeadHkdfPrivateKey;
35 using ::google::crypto::tink::EllipticCurveType;
36
37 namespace crypto {
38 namespace tink {
39
40 namespace {
Validate(const EciesAeadHkdfPrivateKey & key)41 util::Status Validate(const EciesAeadHkdfPrivateKey& key) {
42 if (!key.has_public_key() || !key.public_key().has_params() ||
43 key.public_key().x().empty() || key.key_value().empty()) {
44 return util::Status(
45 absl::StatusCode::kInvalidArgument,
46 "Invalid EciesAeadHkdfPublicKey: missing required fields.");
47 }
48
49 if (key.public_key().params().has_kem_params() &&
50 key.public_key().params().kem_params().curve_type() ==
51 EllipticCurveType::CURVE25519) {
52 if (!key.public_key().y().empty()) {
53 return util::Status(
54 absl::StatusCode::kInvalidArgument,
55 "Invalid EciesAeadHkdfPublicKey: has unexpected field.");
56 }
57 } else if (key.public_key().y().empty()) {
58 return util::Status(
59 absl::StatusCode::kInvalidArgument,
60 "Invalid EciesAeadHkdfPublicKey: missing required fields.");
61 }
62 return util::OkStatus();
63 }
64 } // namespace
65
66 // static
New(const EciesAeadHkdfPrivateKey & recipient_key)67 util::StatusOr<std::unique_ptr<HybridDecrypt>> EciesAeadHkdfHybridDecrypt::New(
68 const EciesAeadHkdfPrivateKey& recipient_key) {
69 util::Status status = Validate(recipient_key);
70 if (!status.ok()) return status;
71
72 auto kem_result = subtle::EciesHkdfRecipientKemBoringSsl::New(
73 util::Enums::ProtoToSubtle(
74 recipient_key.public_key().params().kem_params().curve_type()),
75 util::SecretDataFromStringView(recipient_key.key_value()));
76 if (!kem_result.ok()) return kem_result.status();
77
78 auto dem_result = EciesAeadHkdfDemHelper::New(
79 recipient_key.public_key().params().dem_params().aead_dem());
80 if (!dem_result.ok()) return dem_result.status();
81
82 return {absl::WrapUnique(new EciesAeadHkdfHybridDecrypt(
83 recipient_key.public_key().params(), std::move(kem_result).value(),
84 std::move(dem_result).value()))};
85 }
86
Decrypt(absl::string_view ciphertext,absl::string_view context_info) const87 util::StatusOr<std::string> EciesAeadHkdfHybridDecrypt::Decrypt(
88 absl::string_view ciphertext, absl::string_view context_info) const {
89 // Extract KEM-bytes from the ciphertext.
90 auto header_size_result = internal::EcPointEncodingSizeInBytes(
91 util::Enums::ProtoToSubtle(
92 recipient_key_params_.kem_params().curve_type()),
93 util::Enums::ProtoToSubtle(recipient_key_params_.ec_point_format()));
94 if (!header_size_result.ok()) return header_size_result.status();
95 auto header_size = header_size_result.value();
96 if (ciphertext.size() < header_size) {
97 return util::Status(absl::StatusCode::kInvalidArgument,
98 "ciphertext too short");
99 }
100
101 // Use KEM to get a symmetric key.
102 auto symmetric_key_result = recipient_kem_->GenerateKey(
103 absl::string_view(ciphertext).substr(0, header_size),
104 util::Enums::ProtoToSubtle(
105 recipient_key_params_.kem_params().hkdf_hash_type()),
106 recipient_key_params_.kem_params().hkdf_salt(), context_info,
107 dem_helper_->dem_key_size_in_bytes(),
108 util::Enums::ProtoToSubtle(recipient_key_params_.ec_point_format()));
109 if (!symmetric_key_result.ok()) return symmetric_key_result.status();
110 auto symmetric_key = std::move(symmetric_key_result.value());
111
112 // Use the symmetric key to get an AEAD-primitive.
113 auto aead_or_daead_result = dem_helper_->GetAeadOrDaead(symmetric_key);
114 if (!aead_or_daead_result.ok()) return aead_or_daead_result.status();
115 auto aead_or_daead = std::move(aead_or_daead_result.value());
116
117 // Do the actual decryption using the AEAD-primitive.
118 auto decrypt_result =
119 aead_or_daead->Decrypt(ciphertext.substr(header_size), ""); // empty aad
120 if (!decrypt_result.ok()) return decrypt_result.status();
121
122 return decrypt_result.value();
123 }
124
125 } // namespace tink
126 } // namespace crypto
127