xref: /aosp_15_r20/external/tink/cc/mac/hmac_key_manager.cc (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5) 
1 // Copyright 2017 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16 
17 #include "tink/mac/hmac_key_manager.h"
18 
19 #include <map>
20 #include <string>
21 
22 #include "absl/status/status.h"
23 #include "absl/strings/string_view.h"
24 #include "tink/mac.h"
25 #include "tink/subtle/hmac_boringssl.h"
26 #include "tink/subtle/random.h"
27 #include "tink/util/enums.h"
28 #include "tink/util/errors.h"
29 #include "tink/util/input_stream_util.h"
30 #include "tink/util/protobuf_helper.h"
31 #include "tink/util/status.h"
32 #include "tink/util/statusor.h"
33 #include "tink/util/validation.h"
34 #include "proto/common.pb.h"
35 #include "proto/hmac.pb.h"
36 #include "proto/tink.pb.h"
37 
38 namespace crypto {
39 namespace tink {
40 
41 using crypto::tink::util::Enums;
42 using crypto::tink::util::Status;
43 using crypto::tink::util::StatusOr;
44 using google::crypto::tink::HashType;
45 using google::crypto::tink::HmacKey;
46 using google::crypto::tink::HmacKeyFormat;
47 using google::crypto::tink::HmacParams;
48 
49 namespace {
50 
51 constexpr int kMinKeySizeInBytes = 16;
52 constexpr int kMinTagSizeInBytes = 10;
53 
54 }  // namespace
55 
CreateKey(const HmacKeyFormat & hmac_key_format) const56 StatusOr<HmacKey> HmacKeyManager::CreateKey(
57     const HmacKeyFormat& hmac_key_format) const {
58   HmacKey hmac_key;
59   hmac_key.set_version(get_version());
60   *(hmac_key.mutable_params()) = hmac_key_format.params();
61   hmac_key.set_key_value(
62       subtle::Random::GetRandomBytes(hmac_key_format.key_size()));
63   return hmac_key;
64 }
65 
DeriveKey(const HmacKeyFormat & hmac_key_format,InputStream * input_stream) const66 StatusOr<HmacKey> HmacKeyManager::DeriveKey(
67     const HmacKeyFormat& hmac_key_format, InputStream* input_stream) const {
68   crypto::tink::util::Status status =
69       ValidateVersion(hmac_key_format.version(), get_version());
70   if (!status.ok()) return status;
71 
72   crypto::tink::util::StatusOr<std::string> randomness =
73       ReadBytesFromStream(hmac_key_format.key_size(), input_stream);
74   if (!randomness.ok()) {
75     if (randomness.status().code() == absl::StatusCode::kOutOfRange) {
76       return crypto::tink::util::Status(
77           absl::StatusCode::kInvalidArgument,
78           "Could not get enough pseudorandomness from input stream");
79     }
80     return randomness.status();
81   }
82 
83   HmacKey hmac_key;
84   hmac_key.set_version(get_version());
85   *(hmac_key.mutable_params()) = hmac_key_format.params();
86   hmac_key.set_key_value(randomness.value());
87   return hmac_key;
88 }
89 
ValidateParams(const HmacParams & params) const90 Status HmacKeyManager::ValidateParams(const HmacParams& params) const {
91   if (params.tag_size() < kMinTagSizeInBytes) {
92     return ToStatusF(absl::StatusCode::kInvalidArgument,
93                      "Invalid HmacParams: tag_size %d is too small.",
94                      params.tag_size());
95   }
96   std::map<HashType, uint32_t> max_tag_size = {{HashType::SHA1, 20},
97                                                {HashType::SHA224, 28},
98                                                {HashType::SHA256, 32},
99                                                {HashType::SHA384, 48},
100                                                {HashType::SHA512, 64}};
101   if (max_tag_size.find(params.hash()) == max_tag_size.end()) {
102     return ToStatusF(absl::StatusCode::kInvalidArgument,
103                      "Invalid HmacParams: HashType '%s' not supported.",
104                      Enums::HashName(params.hash()));
105   } else {
106     if (params.tag_size() > max_tag_size[params.hash()]) {
107       return ToStatusF(
108           absl::StatusCode::kInvalidArgument,
109           "Invalid HmacParams: tag_size %d is too big for HashType '%s'.",
110           params.tag_size(), Enums::HashName(params.hash()));
111     }
112   }
113   return util::OkStatus();
114 }
115 
ValidateKey(const HmacKey & key) const116 Status HmacKeyManager::ValidateKey(const HmacKey& key) const {
117   Status status = ValidateVersion(key.version(), get_version());
118   if (!status.ok()) return status;
119   if (key.key_value().size() < kMinKeySizeInBytes) {
120     return util::Status(absl::StatusCode::kInvalidArgument,
121                         "Invalid HmacKey: key_value is too short.");
122   }
123   return ValidateParams(key.params());
124 }
125 
126 // static
ValidateKeyFormat(const HmacKeyFormat & key_format) const127 Status HmacKeyManager::ValidateKeyFormat(
128     const HmacKeyFormat& key_format) const {
129   if (key_format.key_size() < kMinKeySizeInBytes) {
130     return util::Status(absl::StatusCode::kInvalidArgument,
131                         "Invalid HmacKeyFormat: key_size is too small.");
132   }
133   return ValidateParams(key_format.params());
134 }
135 
136 }  // namespace tink
137 }  // namespace crypto
138