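// Copyright 2017 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
///////////////////////////////////////////////////////////////////////////////
#ifndef TINK_KEYSET_MANAGER_H_
#define TINK_KEYSET_MANAGER_H_

#include <cstdint>  // uint32_t is used in the public interface below.
#include <memory>

#include "absl/base/thread_annotations.h"
#include "absl/synchronization/mutex.h"
#include "tink/util/status.h"
#include "tink/util/statusor.h"
#include "proto/tink.pb.h"

namespace crypto {
namespace tink {

class KeysetHandle;

// KeysetManager provides convenience methods for creation of Keysets, and for
// rotating, disabling, enabling, or destroying keys.
// An instance of this class takes care of a single Keyset, which can be
// accessed via the GetKeysetHandle() method.
//
// The managed keyset is guarded by 'keyset_mutex_'; every method annotated
// with ABSL_LOCKS_EXCLUDED(keyset_mutex_) must be called without that mutex
// held.
//
// Retiring a key: Disable(), Destroy() and Delete() are all documented to
// fail for the primary key, so another key has to be made primary first
// (Rotate() or SetPrimary()). Destroy() keeps the keyset entry with status
// 'DESTROYED' and drops its key material; Delete() removes the entry itself.
class KeysetManager {
 public:
  // Constructs a KeysetManager with an empty Keyset.
  KeysetManager() = default;

  // Creates a new KeysetManager that contains a Keyset with a single key
  // generated freshly according to the specification in 'key_template'.
  // Returns the manager, or an error status on failure.
  static crypto::tink::util::StatusOr<std::unique_ptr<KeysetManager>> New(
      const google::crypto::tink::KeyTemplate& key_template);

  // Creates a new KeysetManager that contains a Keyset cloned from
  // the given 'keyset_handle'. Because the keyset is cloned, the manager's
  // copy is separate from the one held by 'keyset_handle'.
  static crypto::tink::util::StatusOr<std::unique_ptr<KeysetManager>> New(
      const KeysetHandle& keyset_handle);

  // Adds to the managed keyset a fresh key generated according to
  // 'key_template' and returns the key_id of the added key.
  // The added key has status 'ENABLED'.
  crypto::tink::util::StatusOr<uint32_t> Add(
      const google::crypto::tink::KeyTemplate& key_template)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Adds to the managed keyset a fresh key generated according to
  // 'key_template', sets the new key as the primary,
  // and returns the key_id of the added key.
  // The key that was primary prior to rotation remains 'ENABLED';
  // rotation alone does not retire it. Call Disable(), Destroy() or Delete()
  // with its key_id once it is no longer needed.
  crypto::tink::util::StatusOr<uint32_t> Rotate(
      const google::crypto::tink::KeyTemplate& key_template)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Sets the status of the specified key to 'ENABLED'.
  // Succeeds only if before the call the specified key
  // has status 'DISABLED' or 'ENABLED'. In particular, a key whose status
  // is 'DESTROYED' cannot be re-enabled.
  crypto::tink::util::Status Enable(uint32_t key_id)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Sets the status of the specified key to 'DISABLED'.
  // Succeeds only if before the call the specified key
  // is not primary and has status 'DISABLED' or 'ENABLED'.
  crypto::tink::util::Status Disable(uint32_t key_id)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Sets the status of the specified key to 'DESTROYED',
  // and removes the corresponding key material, if any.
  // Succeeds only if before the call the specified key
  // is not primary and has status 'DISABLED', or 'ENABLED',
  // or 'DESTROYED'.
  // This acts on the managed keyset only; handles returned earlier by
  // GetKeysetHandle() are copies (see there).
  crypto::tink::util::Status Destroy(uint32_t key_id)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Removes the specified key from the managed keyset.
  // Succeeds only if the specified key is not primary.
  // After deletion the keyset contains one key fewer.
  crypto::tink::util::Status Delete(uint32_t key_id)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Sets the specified key as the primary.
  // Succeeds only if the specified key is 'ENABLED'.
  crypto::tink::util::Status SetPrimary(uint32_t key_id)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Returns the count of all keys in the keyset.
  // NOTE(review): this is the only public non-static method without
  // ABSL_LOCKS_EXCLUDED(keyset_mutex_). 'keyset_mutex_' is declared mutable,
  // which suggests this const method takes the lock; if so, the annotation
  // should be added here for consistency. Confirm against the definition.
  int KeyCount() const;

  // Returns a handle with a copy of the managed keyset.
  // The handle is a copy taken at the time of the call, so it presumably
  // does not reflect later Disable()/Destroy()/Delete() calls on this
  // manager; callers holding older handles should fetch a fresh one after
  // changing key status.
  std::unique_ptr<KeysetHandle> GetKeysetHandle()
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

 private:
  // Overload of Add() taking an extra 'as_primary' flag.
  // NOTE(review): presumably the shared implementation behind the public
  // Add() and Rotate(), with 'as_primary' selecting whether the new key
  // becomes the primary. Confirm against the definition.
  crypto::tink::util::StatusOr<uint32_t> Add(
      const google::crypto::tink::KeyTemplate& key_template, bool as_primary)
      ABSL_LOCKS_EXCLUDED(keyset_mutex_);

  // Mutex guarding 'keyset_'; mutable so that it can be locked from const
  // member functions.
  mutable absl::Mutex keyset_mutex_;
  // The managed keyset, including its key material.
  google::crypto::tink::Keyset keyset_ ABSL_GUARDED_BY(keyset_mutex_);
};

}  // namespace tink
}  // namespace crypto

#endif  // TINK_KEYSET_MANAGER_H_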