xref: /aosp_15_r20/external/tink/cc/util/fake_kms_client.cc (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5)
1*e7b1675dSTing-Kang Chang // Copyright 2020 Google LLC
2*e7b1675dSTing-Kang Chang //
3*e7b1675dSTing-Kang Chang // Licensed under the Apache License, Version 2.0 (the "License");
4*e7b1675dSTing-Kang Chang // you may not use this file except in compliance with the License.
5*e7b1675dSTing-Kang Chang // You may obtain a copy of the License at
6*e7b1675dSTing-Kang Chang //
7*e7b1675dSTing-Kang Chang //     http://www.apache.org/licenses/LICENSE-2.0
8*e7b1675dSTing-Kang Chang //
9*e7b1675dSTing-Kang Chang // Unless required by applicable law or agreed to in writing, software
10*e7b1675dSTing-Kang Chang // distributed under the License is distributed on an "AS IS" BASIS,
11*e7b1675dSTing-Kang Chang // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12*e7b1675dSTing-Kang Chang // See the License for the specific language governing permissions and
13*e7b1675dSTing-Kang Chang // limitations under the License.
14*e7b1675dSTing-Kang Chang //
15*e7b1675dSTing-Kang Chang ///////////////////////////////////////////////////////////////////////////////
16*e7b1675dSTing-Kang Chang #include "tink/util/fake_kms_client.h"
17*e7b1675dSTing-Kang Chang 
18*e7b1675dSTing-Kang Chang #include <fstream>
19*e7b1675dSTing-Kang Chang #include <iostream>
20*e7b1675dSTing-Kang Chang #include <memory>
21*e7b1675dSTing-Kang Chang #include <ostream>
22*e7b1675dSTing-Kang Chang #include <sstream>
23*e7b1675dSTing-Kang Chang #include <string>
24*e7b1675dSTing-Kang Chang #include <utility>
25*e7b1675dSTing-Kang Chang 
26*e7b1675dSTing-Kang Chang #include "absl/status/status.h"
27*e7b1675dSTing-Kang Chang #include "absl/strings/ascii.h"
28*e7b1675dSTing-Kang Chang #include "absl/strings/escaping.h"
29*e7b1675dSTing-Kang Chang #include "absl/strings/match.h"
30*e7b1675dSTing-Kang Chang #include "absl/strings/str_cat.h"
31*e7b1675dSTing-Kang Chang #include "absl/strings/str_split.h"
32*e7b1675dSTing-Kang Chang #include "absl/strings/string_view.h"
33*e7b1675dSTing-Kang Chang #include "tink/aead/aead_key_templates.h"
34*e7b1675dSTing-Kang Chang #include "tink/binary_keyset_reader.h"
35*e7b1675dSTing-Kang Chang #include "tink/binary_keyset_writer.h"
36*e7b1675dSTing-Kang Chang #include "tink/cleartext_keyset_handle.h"
37*e7b1675dSTing-Kang Chang #include "tink/kms_client.h"
38*e7b1675dSTing-Kang Chang #include "tink/util/errors.h"
39*e7b1675dSTing-Kang Chang #include "tink/util/status.h"
40*e7b1675dSTing-Kang Chang #include "tink/util/statusor.h"
41*e7b1675dSTing-Kang Chang 
42*e7b1675dSTing-Kang Chang namespace crypto {
43*e7b1675dSTing-Kang Chang namespace tink {
44*e7b1675dSTing-Kang Chang namespace test {
45*e7b1675dSTing-Kang Chang 
46*e7b1675dSTing-Kang Chang namespace {
47*e7b1675dSTing-Kang Chang 
48*e7b1675dSTing-Kang Chang using crypto::tink::ToStatusF;
49*e7b1675dSTing-Kang Chang using crypto::tink::util::Status;
50*e7b1675dSTing-Kang Chang using crypto::tink::util::StatusOr;
51*e7b1675dSTing-Kang Chang using google::crypto::tink::KeyTemplate;
52*e7b1675dSTing-Kang Chang 
// URI scheme prefix that marks a key URI as belonging to the fake KMS.
// Everything after this prefix is treated as the encoded keyset itself.
// The enclosing unnamed namespace already gives this constant internal
// linkage, so no 'static' is needed.
constexpr char kKeyUriPrefix[] = "fake-kms://";
54*e7b1675dSTing-Kang Chang 
55*e7b1675dSTing-Kang Chang // Returns the encoded keyset contained in 'key_uri'.
56*e7b1675dSTing-Kang Chang // If 'key_uri' does not refer to a fake KMS key, returns an empty string.
// Strips the fake-KMS scheme prefix from 'key_uri' and returns the remainder.
//
// The prefix comparison is case-insensitive; the remainder is returned
// verbatim. An empty string is returned both when the prefix does not match
// and when nothing follows the prefix, so callers cannot tell the two cases
// apart.
std::string GetEncodedKeyset(absl::string_view key_uri) {
  const absl::string_view prefix(kKeyUriPrefix);
  if (absl::StartsWithIgnoreCase(key_uri, prefix)) {
    return std::string(key_uri.substr(prefix.size()));
  }
  return "";
}
61*e7b1675dSTing-Kang Chang 
62*e7b1675dSTing-Kang Chang }  // namespace
63*e7b1675dSTing-Kang Chang 
64*e7b1675dSTing-Kang Chang 
65*e7b1675dSTing-Kang Chang // static
// Creates a fake KMS client.
//
// With an empty 'key_uri' the client is left unbound (encoded_keyset_ stays
// empty). Otherwise the client is bound to the keyset embedded in 'key_uri';
// a URI that lacks the fake-KMS prefix, or has nothing after it, is rejected
// with kInvalidArgument.
//
// 'credentials_path' is not read by this function: no credential is checked
// before a client is handed out.
StatusOr<std::unique_ptr<FakeKmsClient>> FakeKmsClient::New(
    absl::string_view key_uri, absl::string_view credentials_path) {
  std::unique_ptr<FakeKmsClient> client(new FakeKmsClient());

  if (!key_uri.empty()) {
    std::string encoded = GetEncodedKeyset(key_uri);
    if (encoded.empty()) {
      return ToStatusF(absl::StatusCode::kInvalidArgument,
                       "Key '%s' not supported", key_uri);
    }
    client->encoded_keyset_ = std::move(encoded);
  }
  // Explicit move: the return type is StatusOr<...>, not the local's type.
  return std::move(client);
}
79*e7b1675dSTing-Kang Chang 
// Reports whether this client can serve 'key_uri'.
//
// An unbound client (empty encoded_keyset_) accepts any URI that carries a
// non-empty payload after the fake-KMS prefix. A bound client accepts only a
// URI whose payload equals the keyset it was created with.
bool FakeKmsClient::DoesSupport(absl::string_view key_uri) const {
  const std::string candidate = GetEncodedKeyset(key_uri);
  if (encoded_keyset_.empty()) {
    return !candidate.empty();
  }
  return candidate == encoded_keyset_;
}
86*e7b1675dSTing-Kang Chang 
// Builds an Aead primitive from the keyset embedded in 'key_uri'.
//
// The key material comes straight from the caller-supplied URI: the payload
// is web-safe base64 decoded, parsed as a binary keyset and loaded through
// CleartextKeysetHandle, i.e. without any wrapping key. Whoever can supply or
// read the URI therefore controls or learns the key.
//
// Returns kInvalidArgument if the URI is not supported by this client or the
// payload is not valid web-safe base64; otherwise propagates any error from
// the keyset reader, the handle, or primitive creation.
StatusOr<std::unique_ptr<Aead>> FakeKmsClient::GetAead(
    absl::string_view key_uri) const {
  if (!DoesSupport(key_uri)) {
    // NOTE(review): both messages echo 'key_uri'. For a well-formed fake-KMS
    // URI that string contains the encoded cleartext keyset, so the key ends
    // up wherever this status is logged or displayed.
    if (encoded_keyset_.empty()) {
      return ToStatusF(absl::StatusCode::kInvalidArgument,
                       "This client does not support key '%s'.", key_uri);
    }
    return ToStatusF(absl::StatusCode::kInvalidArgument,
                     "This client is bound to a different key, and cannot "
                     "use key '%s'.",
                     key_uri);
  }

  std::string serialized_keyset;
  const bool decoded = absl::WebSafeBase64Unescape(GetEncodedKeyset(key_uri),
                                                   &serialized_keyset);
  if (!decoded) {
    return util::Status(absl::StatusCode::kInvalidArgument, "Invalid Keyset");
  }

  auto reader = BinaryKeysetReader::New(serialized_keyset);
  if (!reader.ok()) {
    return reader.status();
  }

  auto handle = CleartextKeysetHandle::Read(std::move(reader.value()));
  if (!handle.ok()) {
    return handle.status();
  }
  return handle.value()->GetPrimitive<crypto::tink::Aead>();
}
115*e7b1675dSTing-Kang Chang 
// Creates a fake KMS client via New() and hands it to KmsClients::Add().
//
// Returns the error from New() if the client cannot be created, otherwise
// whatever status KmsClients::Add() reports.
Status FakeKmsClient::RegisterNewClient(absl::string_view key_uri,
                                        absl::string_view credentials_path) {
  auto client = FakeKmsClient::New(key_uri, credentials_path);
  if (client.ok()) {
    return KmsClients::Add(std::move(client.value()));
  }
  return client.status();
}
125*e7b1675dSTing-Kang Chang 
// Generates a fresh Aes128Gcm keyset and returns it packed into a fake-KMS
// key URI.
//
// The URI is the fake-KMS prefix followed by the web-safe base64 encoding of
// the keyset serialized in cleartext binary form. The returned string IS the
// key: treat it like key material, not like an identifier.
//
// Propagates any error from key generation, writer creation, or
// serialization.
StatusOr<std::string> FakeKmsClient::CreateFakeKeyUri() {
  auto handle = KeysetHandle::GenerateNew(AeadKeyTemplates::Aes128Gcm());
  if (!handle.ok()) {
    return handle.status();
  }

  // 'serialized' is declared before the writer so that it outlives the
  // ostream the writer holds on to.
  std::stringbuf serialized;
  auto writer =
      BinaryKeysetWriter::New(absl::make_unique<std::ostream>(&serialized));
  if (!writer.ok()) {
    return writer.status();
  }

  // Cleartext export: the keyset is written without a wrapping key.
  auto write_status =
      CleartextKeysetHandle::Write(writer.value().get(), *handle.value());
  if (!write_status.ok()) {
    return write_status;
  }

  return absl::StrCat(kKeyUriPrefix,
                      absl::WebSafeBase64Escape(serialized.str()));
}
148*e7b1675dSTing-Kang Chang 
149*e7b1675dSTing-Kang Chang }  // namespace test
150*e7b1675dSTing-Kang Chang }  // namespace tink
151*e7b1675dSTing-Kang Chang }  // namespace crypto