1# Copyright 2019 Google LLC 2# 3# Licensed under the Apache License, Version 2.0 (the "License"); 4# you may not use this file except in compliance with the License. 5# You may obtain a copy of the License at 6# 7# http://www.apache.org/licenses/LICENSE-2.0 8# 9# Unless required by applicable law or agreed to in writing, software 10# distributed under the License is distributed on an "AS IS" BASIS, 11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12# See the License for the specific language governing permissions and 13# limitations under the License. 14 15"""HybridDecrypt wrapper.""" 16 17from typing import Type 18from absl import logging 19 20from tink import core 21from tink.hybrid import _hybrid_decrypt 22from tink.hybrid import _hybrid_encrypt 23 24 25class _WrappedHybridDecrypt(_hybrid_decrypt.HybridDecrypt): 26 """Implements HybridDecrypt for a set of HybridDecrypt primitives.""" 27 28 def __init__(self, pset: core.PrimitiveSet): 29 self._primitive_set = pset 30 31 def decrypt(self, ciphertext: bytes, context_info: bytes) -> bytes: 32 if len(ciphertext) > core.crypto_format.NON_RAW_PREFIX_SIZE: 33 prefix = ciphertext[:core.crypto_format.NON_RAW_PREFIX_SIZE] 34 ciphertext_no_prefix = ciphertext[core.crypto_format.NON_RAW_PREFIX_SIZE:] 35 for entry in self._primitive_set.primitive_from_identifier(prefix): 36 try: 37 return entry.primitive.decrypt(ciphertext_no_prefix, 38 context_info) 39 except core.TinkError as e: 40 logging.info( 41 'ciphertext prefix matches a key, but cannot decrypt: %s', e) 42 # Let's try all RAW keys. 43 for entry in self._primitive_set.raw_primitives(): 44 try: 45 return entry.primitive.decrypt(ciphertext, context_info) 46 except core.TinkError as e: 47 pass 48 # nothing works. 49 raise core.TinkError('Decryption failed.') 50 51 52class HybridDecryptWrapper(core.PrimitiveWrapper[_hybrid_decrypt.HybridDecrypt, 53 _hybrid_decrypt.HybridDecrypt] 54 ): 55 """HybridDecryptWrapper is the PrimitiveWrapper for HybridDecrypt. 56 57 The returned primitive works with a keyset (rather than a single key). To 58 decrypt, the primitive uses the prefix of the ciphertext to efficiently select 59 the right key in the set. If the keys associated with the prefix do not work, 60 the primitive tries all keys with OutputPrefixType RAW. 61 """ 62 63 def wrap(self, 64 pset: core.PrimitiveSet) -> _hybrid_decrypt.HybridDecrypt: 65 return _WrappedHybridDecrypt(pset) 66 67 def primitive_class(self) -> Type[_hybrid_decrypt.HybridDecrypt]: 68 return _hybrid_decrypt.HybridDecrypt 69 70 def input_primitive_class(self) -> Type[_hybrid_decrypt.HybridDecrypt]: 71 return _hybrid_decrypt.HybridDecrypt 72 73 74class _WrappedHybridEncrypt(_hybrid_encrypt.HybridEncrypt): 75 """Implements HybridEncrypt for a set of HybridEncrypt primitives.""" 76 77 def __init__(self, pset: core.PrimitiveSet): 78 self._primitive_set = pset 79 80 def encrypt(self, plaintext: bytes, context_info: bytes) -> bytes: 81 if not self._primitive_set.primary(): 82 raise core.TinkError('keyset without primary key') 83 primary = self._primitive_set.primary() 84 return primary.identifier + primary.primitive.encrypt( 85 plaintext, context_info) 86 87 88class HybridEncryptWrapper(core.PrimitiveWrapper[_hybrid_encrypt.HybridEncrypt, 89 _hybrid_encrypt.HybridEncrypt] 90 ): 91 """HybridEncryptWrapper is the PrimitiveWrapper for HybridEncrypt. 92 93 The returned primitive works with a keyset (rather than a single key). To 94 encrypt a plaintext, it uses the primary key in the keyset, and prepends to 95 the ciphertext a certain prefix associated with the primary key. 96 """ 97 98 def wrap(self, 99 pset: core.PrimitiveSet) -> _hybrid_encrypt.HybridEncrypt: 100 return _WrappedHybridEncrypt(pset) 101 102 def primitive_class(self) -> Type[_hybrid_encrypt.HybridEncrypt]: 103 return _hybrid_encrypt.HybridEncrypt 104 105 def input_primitive_class(self) -> Type[_hybrid_encrypt.HybridEncrypt]: 106 return _hybrid_encrypt.HybridEncrypt 107