xref: /aosp_15_r20/external/tink/go/aead/aes_gcm_siv_key_manager.go (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5) 
1// Copyright 2018 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//      http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14//
15////////////////////////////////////////////////////////////////////////////////
16
17package aead
18
19import (
20	"fmt"
21
22	"google.golang.org/protobuf/proto"
23	"github.com/google/tink/go/aead/subtle"
24	"github.com/google/tink/go/core/registry"
25	"github.com/google/tink/go/keyset"
26	"github.com/google/tink/go/subtle/random"
27	gcmsivpb "github.com/google/tink/go/proto/aes_gcm_siv_go_proto"
28	tinkpb "github.com/google/tink/go/proto/tink_go_proto"
29)
30
31const (
32	aesGCMSIVKeyVersion = 0
33	aesGCMSIVTypeURL    = "type.googleapis.com/google.crypto.tink.AesGcmSivKey"
34)
35
36// common errors
37var errInvalidAESGCMSIVKey = fmt.Errorf("aes_gcm_siv_key_manager: invalid key")
38var errInvalidAESGCMSIVKeyFormat = fmt.Errorf("aes_gcm_siv_key_manager: invalid key format")
39
40// aesGCMSIVKeyManager is an implementation of KeyManager interface.
41// It generates new AESGCMSIVKey keys and produces new instances of AESGCMSIV subtle.
42type aesGCMSIVKeyManager struct{}
43
44// Assert that aesGCMSIVKeyManager implements the KeyManager interface.
45var _ registry.KeyManager = (*aesGCMSIVKeyManager)(nil)
46
47// Primitive creates an AESGCMSIV subtle for the given serialized AESGCMSIVKey proto.
48func (km *aesGCMSIVKeyManager) Primitive(serializedKey []byte) (interface{}, error) {
49	if len(serializedKey) == 0 {
50		return nil, errInvalidAESGCMSIVKey
51	}
52	key := new(gcmsivpb.AesGcmSivKey)
53	if err := proto.Unmarshal(serializedKey, key); err != nil {
54		return nil, errInvalidAESGCMSIVKey
55	}
56	if err := km.validateKey(key); err != nil {
57		return nil, err
58	}
59	ret, err := subtle.NewAESGCMSIV(key.KeyValue)
60	if err != nil {
61		return nil, fmt.Errorf("aes_gcm_siv_key_manager: cannot create new primitive: %s", err)
62	}
63	return ret, nil
64}
65
66// NewKey creates a new key according to specification the given serialized AESGCMSIVKeyFormat.
67func (km *aesGCMSIVKeyManager) NewKey(serializedKeyFormat []byte) (proto.Message, error) {
68	if len(serializedKeyFormat) == 0 {
69		return nil, errInvalidAESGCMSIVKeyFormat
70	}
71	keyFormat := new(gcmsivpb.AesGcmSivKeyFormat)
72	if err := proto.Unmarshal(serializedKeyFormat, keyFormat); err != nil {
73		return nil, errInvalidAESGCMSIVKeyFormat
74	}
75	if err := km.validateKeyFormat(keyFormat); err != nil {
76		return nil, fmt.Errorf("aes_gcm_siv_key_manager: invalid key format: %s", err)
77	}
78	keyValue := random.GetRandomBytes(keyFormat.KeySize)
79	return &gcmsivpb.AesGcmSivKey{
80		Version:  aesGCMSIVKeyVersion,
81		KeyValue: keyValue,
82	}, nil
83}
84
85// NewKeyData creates a new KeyData according to specification in the given serialized
86// AESGCMSIVKeyFormat.
87// It should be used solely by the key management API.
88func (km *aesGCMSIVKeyManager) NewKeyData(serializedKeyFormat []byte) (*tinkpb.KeyData, error) {
89	key, err := km.NewKey(serializedKeyFormat)
90	if err != nil {
91		return nil, err
92	}
93	serializedKey, err := proto.Marshal(key)
94	if err != nil {
95		return nil, err
96	}
97	return &tinkpb.KeyData{
98		TypeUrl:         aesGCMSIVTypeURL,
99		Value:           serializedKey,
100		KeyMaterialType: tinkpb.KeyData_SYMMETRIC,
101	}, nil
102}
103
104// DoesSupport indicates if this key manager supports the given key type.
105func (km *aesGCMSIVKeyManager) DoesSupport(typeURL string) bool {
106	return typeURL == aesGCMSIVTypeURL
107}
108
109// TypeURL returns the key type of keys managed by this key manager.
110func (km *aesGCMSIVKeyManager) TypeURL() string {
111	return aesGCMSIVTypeURL
112}
113
114// validateKey validates the given AESGCMSIVKey.
115func (km *aesGCMSIVKeyManager) validateKey(key *gcmsivpb.AesGcmSivKey) error {
116	err := keyset.ValidateKeyVersion(key.Version, aesGCMSIVKeyVersion)
117	if err != nil {
118		return fmt.Errorf("aes_gcm_siv_key_manager: %s", err)
119	}
120	keySize := uint32(len(key.KeyValue))
121	if err := subtle.ValidateAESKeySize(keySize); err != nil {
122		return fmt.Errorf("aes_gcm_siv_key_manager: %s", err)
123	}
124	return nil
125}
126
127// validateKeyFormat validates the given AESGCMSIVKeyFormat.
128func (km *aesGCMSIVKeyManager) validateKeyFormat(format *gcmsivpb.AesGcmSivKeyFormat) error {
129	if err := subtle.ValidateAESKeySize(format.KeySize); err != nil {
130		return fmt.Errorf("aes_gcm_siv_key_manager: %s", err)
131	}
132	return nil
133}
134