| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| // |
| //////////////////////////////////////////////////////////////////////////////// |
| |
| goog.module('tink.KeysetHandle'); |
| |
| const Aead = goog.require('tink.Aead'); |
| const InvalidArgumentsException = goog.require('tink.exception.InvalidArgumentsException'); |
| const KeyManager = goog.require('tink.KeyManager'); |
| const KeysetReader = goog.require('tink.KeysetReader'); |
| const KeysetWriter = goog.require('tink.KeysetWriter'); |
| const PbKeyMaterialType = goog.require('proto.google.crypto.tink.KeyData.KeyMaterialType'); |
| const PbKeyStatusType = goog.require('proto.google.crypto.tink.KeyStatusType'); |
| const PbKeyTemplate = goog.require('proto.google.crypto.tink.KeyTemplate'); |
| const PbKeyset = goog.require('proto.google.crypto.tink.Keyset'); |
| const PrimitiveSet = goog.require('tink.PrimitiveSet'); |
| const Random = goog.require('tink.subtle.Random'); |
| const Registry = goog.require('tink.Registry'); |
| const SecurityException = goog.require('tink.exception.SecurityException'); |
| const Util = goog.require('tink.Util'); |
| |
| /** |
| * Keyset handle provide abstracted access to Keysets, to limit the exposure of |
| * actual protocol buffers that hold sensitive key material. |
| * |
| * @final |
| */ |
| class KeysetHandle { |
| /** |
| * @param {!PbKeyset} keyset |
| */ |
| constructor(keyset) { |
| Util.validateKeyset(keyset); |
| |
| /** @const @private {!PbKeyset} */ |
| this.keyset_ = keyset; |
| } |
| |
| /** |
| * Creates a KeysetHandle from an encrypted keyset obtained via reader, using |
| * masterKeyAead to decrypt the keyset. |
| * |
| * @param {!KeysetReader} reader |
| * @param {!Aead} masterKeyAead |
| * |
| * @return {!Promise<!KeysetHandle>} |
| */ |
| static async read(reader, masterKeyAead) { |
| // TODO implement |
| throw new SecurityException('KeysetHandle -- read: Not implemented yet.'); |
| } |
| |
| /** |
| * Creates a KeysetHandle from a keyset, obtained via reader, which |
| * must contain no secret key material. |
| * |
| * This can be used to load public keysets or envelope encryption keysets. |
| * Users that need to load cleartext keysets can use CleartextKeysetHandle. |
| * |
| * @param {!KeysetReader} reader |
| * @return {!KeysetHandle} |
| */ |
| static readNoSecret(reader) { |
| if (reader === null) { |
| throw new SecurityException('Reader has to be non-null.'); |
| } |
| const keyset = reader.read(); |
| const keyList = keyset.getKeyList(); |
| for (let key of keyList) { |
| switch (key.getKeyData().getKeyMaterialType()) { |
| case PbKeyMaterialType.ASYMMETRIC_PUBLIC: // fall through |
| case PbKeyMaterialType.REMOTE: |
| continue; |
| } |
| throw new SecurityException('Keyset contains secret key material.'); |
| } |
| return new KeysetHandle(keyset); |
| } |
| |
| /** |
| * Returns a new KeysetHandle that contains a single new key generated |
| * according to keyTemplate. |
| * |
| * @param {!PbKeyTemplate} keyTemplate |
| * |
| * @return {!Promise<!KeysetHandle>} |
| */ |
| static async generateNew(keyTemplate) { |
| // TODO(thaidn): move this to a key manager. |
| const keyset = await KeysetHandle.generateNewKeyset_(keyTemplate); |
| return new KeysetHandle(keyset); |
| } |
| |
| /** |
| * Generates a new Keyset that contains a single new key generated |
| * according to keyTemplate. |
| * |
| * @param {!PbKeyTemplate} keyTemplate |
| * @private |
| * @return {!Promise<!PbKeyset>} |
| */ |
| static async generateNewKeyset_(keyTemplate) { |
| const key = new PbKeyset.Key() |
| .setStatus(PbKeyStatusType.ENABLED) |
| .setOutputPrefixType(keyTemplate.getOutputPrefixType()); |
| const keyId = KeysetHandle.generateNewKeyId_(); |
| key.setKeyId(keyId); |
| const keyData = await Registry.newKeyData(keyTemplate); |
| key.setKeyData(keyData); |
| const keyset = new PbKeyset(); |
| keyset.addKey(key); |
| keyset.setPrimaryKeyId(keyId); |
| return keyset; |
| } |
| |
| /** |
| * Generates a new random key ID. |
| * |
| * @private |
| * @return {number} The key ID. |
| */ |
| static generateNewKeyId_() { |
| const bytes = Random.randBytes(4); |
| let value = 0; |
| for (let i = 0; i < bytes.length; i++) { |
| value += (bytes[i] & 0xFF) << (i * 8); |
| } |
| // Make sure the key ID is a positive integer smaller than 2^32. |
| return Math.abs(value) % 2 ** 32; |
| }; |
| |
| |
| /** |
| * Returns a primitive that uses key material from this keyset handle. If |
| * opt_customKeyManager is defined then the provided key manager is used to |
| * instantiate primitives. Otherwise key manager from Registry is used. |
| * |
| * @template P |
| * |
| * @param {!Object} primitiveType |
| * @param {?KeyManager.KeyManager<P>=} opt_customKeyManager |
| * |
| * @return {!Promise<!P>} |
| */ |
| async getPrimitive(primitiveType, opt_customKeyManager) { |
| if (!primitiveType) { |
| throw new InvalidArgumentsException('primitive type must be non-null'); |
| } |
| const primitiveSet = |
| await this.getPrimitiveSet_(primitiveType, opt_customKeyManager); |
| return Registry.wrap(primitiveSet); |
| } |
| |
| /** |
| * Creates a set of primitives corresponding to the keys with status Enabled |
| * in the given keysetHandle, assuming all the correspoding key managers are |
| * present (keys with status different from Enabled are skipped). If provided |
| * uses customKeyManager instead of registered key managers for keys supported |
| * by the customKeyManager. |
| * |
| * @template P |
| * @private |
| * |
| * @param {!Object} primitiveType |
| * @param {?KeyManager.KeyManager<P>=} opt_customKeyManager |
| * |
| * @return {!Promise.<!PrimitiveSet.PrimitiveSet<P>>} |
| */ |
| async getPrimitiveSet_(primitiveType, opt_customKeyManager) { |
| const primitiveSet = new PrimitiveSet.PrimitiveSet(primitiveType); |
| const keys = this.keyset_.getKeyList(); |
| const keysLength = keys.length; |
| for (let i = 0; i < keysLength; i++) { |
| const key = keys[i]; |
| if (key.getStatus() === PbKeyStatusType.ENABLED) { |
| const keyData = key.getKeyData(); |
| if (!keyData) { |
| throw new SecurityException('Key data has to be non null.'); |
| } |
| let primitive; |
| if (opt_customKeyManager && |
| opt_customKeyManager.getKeyType() === keyData.getTypeUrl()) { |
| primitive = |
| await opt_customKeyManager.getPrimitive(primitiveType, keyData); |
| } else { |
| primitive = await Registry.getPrimitive(primitiveType, keyData); |
| } |
| const entry = primitiveSet.addPrimitive(primitive, key); |
| if (key.getKeyId() === this.keyset_.getPrimaryKeyId()) { |
| primitiveSet.setPrimary(entry); |
| } |
| } |
| } |
| return primitiveSet; |
| } |
| |
| |
| /** |
| * Encrypts the underlying keyset with the provided masterKeyAead wnd writes |
| * the resulting encryptedKeyset to the given writer which must be non-null. |
| * |
| * @param {!KeysetWriter} writer |
| * @param {!Aead} masterKeyAead |
| * |
| */ |
| async write(writer, masterKeyAead) { |
| // TODO implement |
| throw new SecurityException('KeysetHandle -- write: Not implemented yet.'); |
| } |
| |
| /** |
| * Returns the keyset held by this KeysetHandle. |
| * |
| * @package |
| * @return {!PbKeyset} |
| */ |
| getKeyset() { |
| return this.keyset_; |
| } |
| } |
| |
| goog.exportSymbol('tink.KeysetHandle', KeysetHandle); |
| exports = KeysetHandle; |
