// Copyright 2018 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // //////////////////////////////////////////////////////////////////////////////// package aead import ( "errors" "fmt" "google.golang.org/protobuf/proto" "github.com/google/tink/go/aead/subtle" "github.com/google/tink/go/keyset" subtleMac "github.com/google/tink/go/mac/subtle" "github.com/google/tink/go/subtle/random" ctrpb "github.com/google/tink/go/proto/aes_ctr_go_proto" aeadpb "github.com/google/tink/go/proto/aes_ctr_hmac_aead_go_proto" commonpb "github.com/google/tink/go/proto/common_go_proto" hmacpb "github.com/google/tink/go/proto/hmac_go_proto" tinkpb "github.com/google/tink/go/proto/tink_go_proto" ) const ( aesCTRHMACAEADKeyVersion = 0 aesCTRHMACAEADTypeURL = "type.googleapis.com/google.crypto.tink.AesCtrHmacAeadKey" minHMACKeySizeInBytes = 16 minTagSizeInBytes = 10 ) // common errors var errInvalidAESCTRHMACAEADKey = fmt.Errorf("aes_ctr_hmac_aead_key_manager: invalid key") var errInvalidAESCTRHMACAEADKeyFormat = fmt.Errorf("aes_ctr_hmac_aead_key_manager: invalid key format") // aesCTRHMACAEADKeyManager is an implementation of KeyManager interface. // It generates new AESCTRHMACAEADKey keys and produces new instances of EncryptThenAuthenticate subtle. type aesCTRHMACAEADKeyManager struct{} // Primitive creates an AEAD for the given serialized AESCTRHMACAEADKey proto. func (km *aesCTRHMACAEADKeyManager) Primitive(serializedKey []byte) (interface{}, error) { if len(serializedKey) == 0 { return nil, errInvalidAESCTRHMACAEADKey } key := new(aeadpb.AesCtrHmacAeadKey) if err := proto.Unmarshal(serializedKey, key); err != nil { return nil, errInvalidAESCTRHMACAEADKey } if err := km.validateKey(key); err != nil { return nil, err } ctr, err := subtle.NewAESCTR(key.AesCtrKey.KeyValue, int(key.AesCtrKey.Params.IvSize)) if err != nil { return nil, fmt.Errorf("aes_ctr_hmac_aead_key_manager: cannot create new primitive: %v", err) } hmacKey := key.HmacKey hmac, err := subtleMac.NewHMAC(hmacKey.Params.Hash.String(), hmacKey.KeyValue, hmacKey.Params.TagSize) if err != nil { return nil, fmt.Errorf("aes_ctr_hmac_aead_key_manager: cannot create mac primitive, error: %v", err) } aead, err := subtle.NewEncryptThenAuthenticate(ctr, hmac, int(hmacKey.Params.TagSize)) if err != nil { return nil, fmt.Errorf("aes_ctr_hmac_aead_key_manager: cannot create encrypt then authenticate primitive, error: %v", err) } return aead, nil } // NewKey creates a new key according to the given serialized AesCtrHmacAeadKeyFormat. func (km *aesCTRHMACAEADKeyManager) NewKey(serializedKeyFormat []byte) (proto.Message, error) { if len(serializedKeyFormat) == 0 { return nil, errInvalidAESCTRHMACAEADKeyFormat } keyFormat := new(aeadpb.AesCtrHmacAeadKeyFormat) if err := proto.Unmarshal(serializedKeyFormat, keyFormat); err != nil { return nil, errInvalidAESCTRHMACAEADKeyFormat } if err := km.validateKeyFormat(keyFormat); err != nil { return nil, fmt.Errorf("aes_ctr_hmac_aead_key_manager: invalid key format: %v", err) } return &aeadpb.AesCtrHmacAeadKey{ Version: aesCTRHMACAEADKeyVersion, AesCtrKey: &ctrpb.AesCtrKey{ Version: aesCTRHMACAEADKeyVersion, KeyValue: random.GetRandomBytes(keyFormat.AesCtrKeyFormat.KeySize), Params: keyFormat.AesCtrKeyFormat.Params, }, HmacKey: &hmacpb.HmacKey{ Version: aesCTRHMACAEADKeyVersion, KeyValue: random.GetRandomBytes(keyFormat.HmacKeyFormat.KeySize), Params: keyFormat.HmacKeyFormat.Params, }, }, nil } // NewKeyData creates a new KeyData according to specification in the given serialized // AesCtrHmacAeadKeyFormat. // It should be used solely by the key management API. func (km *aesCTRHMACAEADKeyManager) NewKeyData(serializedKeyFormat []byte) (*tinkpb.KeyData, error) { key, err := km.NewKey(serializedKeyFormat) if err != nil { return nil, err } serializedKey, err := proto.Marshal(key) if err != nil { return nil, err } return &tinkpb.KeyData{ TypeUrl: km.TypeURL(), Value: serializedKey, KeyMaterialType: tinkpb.KeyData_SYMMETRIC, }, nil } // DoesSupport indicates if this key manager supports the given key type. func (km *aesCTRHMACAEADKeyManager) DoesSupport(typeURL string) bool { return typeURL == aesCTRHMACAEADTypeURL } // TypeURL returns the key type of keys managed by this key manager. func (km *aesCTRHMACAEADKeyManager) TypeURL() string { return aesCTRHMACAEADTypeURL } // validateKey validates the given AesCtrHmacAeadKey proto. func (km *aesCTRHMACAEADKeyManager) validateKey(key *aeadpb.AesCtrHmacAeadKey) error { if err := keyset.ValidateKeyVersion(key.Version, aesCTRHMACAEADKeyVersion); err != nil { return fmt.Errorf("aes_ctr_hmac_aead_key_manager: %v", err) } if err := keyset.ValidateKeyVersion(key.AesCtrKey.Version, aesCTRHMACAEADKeyVersion); err != nil { return fmt.Errorf("aes_ctr_hmac_aead_key_manager: %v", err) } if err := keyset.ValidateKeyVersion(key.HmacKey.Version, aesCTRHMACAEADKeyVersion); err != nil { return fmt.Errorf("aes_ctr_hmac_aead_key_manager: %v", err) } // Validate AesCtrKey. keySize := uint32(len(key.AesCtrKey.KeyValue)) if err := subtle.ValidateAESKeySize(keySize); err != nil { return fmt.Errorf("aes_ctr_hmac_aead_key_manager: %v", err) } params := key.AesCtrKey.Params if params.IvSize < subtle.AESCTRMinIVSize || params.IvSize > 16 { return errors.New("aes_ctr_hmac_aead_key_manager: invalid AesCtrHmacAeadKey: IV size out of range") } return nil } // validateKeyFormat validates the given AesCtrHmacAeadKeyFormat proto. func (km *aesCTRHMACAEADKeyManager) validateKeyFormat(format *aeadpb.AesCtrHmacAeadKeyFormat) error { // Validate AesCtrKeyFormat. if err := subtle.ValidateAESKeySize(format.AesCtrKeyFormat.KeySize); err != nil { return fmt.Errorf("aes_ctr_hmac_aead_key_manager: %s", err) } if format.AesCtrKeyFormat.Params.IvSize < subtle.AESCTRMinIVSize || format.AesCtrKeyFormat.Params.IvSize > 16 { return errors.New("aes_ctr_hmac_aead_key_manager: invalid AesCtrHmacAeadKeyFormat: IV size out of range") } // Validate HmacKeyFormat. hmacKeyFormat := format.HmacKeyFormat if hmacKeyFormat.KeySize < minHMACKeySizeInBytes { return errors.New("aes_ctr_hmac_aead_key_manager: HMAC KeySize is too small") } if hmacKeyFormat.Params.TagSize < minTagSizeInBytes { return fmt.Errorf("aes_ctr_hmac_aead_key_manager: invalid HmacParams: TagSize %d is too small", hmacKeyFormat.Params.TagSize) } maxTagSize := map[commonpb.HashType]uint32{ commonpb.HashType_SHA1: 20, commonpb.HashType_SHA224: 28, commonpb.HashType_SHA256: 32, commonpb.HashType_SHA384: 48, commonpb.HashType_SHA512: 64} tagSize, ok := maxTagSize[hmacKeyFormat.Params.Hash] if !ok { return fmt.Errorf("aes_ctr_hmac_aead_key_manager: invalid HmacParams: HashType %q not supported", hmacKeyFormat.Params.Hash) } if hmacKeyFormat.Params.TagSize > tagSize { return fmt.Errorf("aes_ctr_hmac_aead_key_manager: invalid HmacParams: tagSize %d is too big for HashType %q", hmacKeyFormat.Params.TagSize, hmacKeyFormat.Params.Hash) } return nil }