1// Copyright 2019 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//      http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14//
15////////////////////////////////////////////////////////////////////////////////
16
17// Package insecurecleartextkeyset provides methods to read or write cleartext
18// keyset material.
19//
20// This package contains dangerous functions, and is separate from the rest of
21// Tink so that its usage can be restricted and audited.
22package insecurecleartextkeyset
23
24import (
25	"errors"
26
27	"github.com/google/tink/go/internal"
28	"github.com/google/tink/go/keyset"
29	tinkpb "github.com/google/tink/go/proto/tink_go_proto"
30)
31
// Accessors for raw keyset material, obtained from the internal package.
//
// internal.KeysetHandle and internal.KeysetMaterial are interface-typed values;
// the single-value type assertions below panic during package initialisation
// if the stored value does not have exactly the asserted function type.
var (
	keysetHandle   = internal.KeysetHandle.(func(*tinkpb.Keyset, ...keyset.Option) (*keyset.Handle, error))
	keysetMaterial = internal.KeysetMaterial.(func(*keyset.Handle) *tinkpb.Keyset)
)

// Errors returned by this package. They are unexported, so code outside the
// package cannot match them with errors.Is and sees only the message text.
var (
	errInvalidKeyset = errors.New("insecurecleartextkeyset: invalid keyset")
	errInvalidHandle = errors.New("insecurecleartextkeyset: invalid handle")
	errInvalidReader = errors.New("insecurecleartextkeyset: invalid reader")
	errInvalidWriter = errors.New("insecurecleartextkeyset: invalid writer")
)
41
// Read builds a keyset.Handle from the cleartext keyset returned by r.
//
// The keyset is used exactly as r delivers it: this function performs no
// decryption and no authentication of the material, so the confidentiality
// and integrity of the keys rest entirely on the source behind r.
//
// A nil r yields errInvalidReader. A failed r.Read, a nil keyset, or a keyset
// containing no keys all yield errInvalidKeyset; the error returned by r.Read
// is not propagated to the caller. Any opts are forwarded unchanged to the
// internal handle constructor, whose error (if any) is returned as-is.
func Read(r keyset.Reader, opts ...keyset.Option) (*keyset.Handle, error) {
	if r == nil {
		return nil, errInvalidReader
	}
	ks, err := r.Read()
	if err != nil {
		// The reader's own error is deliberately collapsed into the
		// package-level "invalid keyset" error.
		return nil, errInvalidKeyset
	}
	if ks == nil || len(ks.Key) == 0 {
		// An absent or empty keyset is rejected before a handle is built.
		return nil, errInvalidKeyset
	}
	return keysetHandle(ks, opts...)
}
53
// Write exports the keyset held by handle to w without encrypting it.
//
// Storing secret key material in an unencrypted fashion is dangerous: whatever
// w writes to will hold the secret keys in the clear. If feasible, you should
// use [keyset.Handle.Write] instead.
//
// A nil handle yields errInvalidHandle and a nil w yields errInvalidWriter;
// both are checked before any key material is extracted. Otherwise the result
// of w.Write is returned unchanged.
func Write(handle *keyset.Handle, w keyset.Writer) error {
	switch {
	case handle == nil:
		return errInvalidHandle
	case w == nil:
		return errInvalidWriter
	}
	// From here on ks is the raw, unencrypted keyset.
	ks := KeysetMaterial(handle)
	return w.Write(ks)
}
67
// KeysetMaterial returns the key material contained in a keyset.Handle.
//
// The returned *tinkpb.Keyset is the cleartext keyset; callers are responsible
// for how it is stored, logged or transmitted afterwards.
//
// NOTE(review): handle is not nil-checked here (Write checks it before calling
// this function); what happens for a nil handle is decided by
// internal.KeysetMaterial, confirm before relying on it.
func KeysetMaterial(handle *keyset.Handle) *tinkpb.Keyset {
	ks := keysetMaterial(handle)
	return ks
}
72
// KeysetHandle creates a keyset.Handle from cleartext key material.
//
// Callers should verify that the returned *keyset.Handle isn't nil: any error
// from the internal constructor is discarded and reported only as a nil
// handle. Unlike [Read], ks is not checked for being nil or empty before it is
// passed on.
//
// Deprecated: Use [Read] instead with a serialized keyset.
//
//	sks, err := proto.Marshal(ks)
//	if err != nil {
//		return err
//	}
//	h, err := insecurecleartextkeyset.Read(keyset.NewBinaryReader(bytes.NewBuffer(sks)))
//	if err != nil {
//		return err
//	}
func KeysetHandle(ks *tinkpb.Keyset) *keyset.Handle {
	// Per the original author's note, the internal constructor is only
	// expected to fail when keyset.Option arguments are supplied, and none are
	// passed here. To stay backwards compatible and avoid a panic, an error is
	// mapped to a nil handle rather than surfaced.
	if kh, err := keysetHandle(ks); err == nil {
		return kh
	}
	return nil
}
97