cc/aead/kms_envelope_aead.h - third_party/tink - Git at Google

 // Copyright 2019 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 ///////////////////////////////////////////////////////////////////////////////

 #ifndef TINK_AEAD_KMS_ENVELOPE_AEAD_H_
 #define TINK_AEAD_KMS_ENVELOPE_AEAD_H_

 #include <memory>
 #include <string>
 #include <utility>

 #include "absl/strings/string_view.h"
 #include "tink/aead.h"
 #include "tink/util/status.h"
 #include "tink/util/statusor.h"
 #include "proto/tink.pb.h"

 namespace crypto {
 namespace tink {

 // An implementation of KMS Envelope AEAD encryption
 // (https://cloud.google.com/kms/docs/data-encryption-keys).
 //
 // In envelope encryption user generates a data encryption key (DEK) locally,
 // encrypts data with DEK, sends DEK to a KMS to be encrypted (with a key
 // managed by KMS), and stores encrypted DEK with encrypted data; at a later
 // point user can retrieve encrypted data and DEK, use KMS to decrypt DEK,
 // and use decrypted DEK to decrypt the data.
 //
 // The ciphertext structure is as follows:
 //  - Length of encrypted DEK: 4 bytes (big endian)
 //  - Encrypted DEK: variable length that is equal to the value
 //    specified in the last 4 bytes.
 //  - AEAD payload: variable length.
 class KmsEnvelopeAead : public Aead {
  public:
   static crypto::tink::util::StatusOr<std::unique_ptr<Aead>> New(
       const google::crypto::tink::KeyTemplate& dek_template,
       std::unique_ptr<Aead> remote_aead);

   crypto::tink::util::StatusOr<std::string> Encrypt(
       absl::string_view plaintext,
       absl::string_view associated_data) const override;

   crypto::tink::util::StatusOr<std::string> Decrypt(
       absl::string_view ciphertext,
       absl::string_view associated_data) const override;

   ~KmsEnvelopeAead() override = default;

  private:
   KmsEnvelopeAead(const google::crypto::tink::KeyTemplate& dek_template,
                   std::unique_ptr<Aead> remote_aead) :
       dek_template_(dek_template), remote_aead_(std::move(remote_aead)) {}

   google::crypto::tink::KeyTemplate dek_template_;
   std::unique_ptr<Aead> remote_aead_;
 };

 }  // namespace tink
 }  // namespace crypto

 #endif  // TINK_AEAD_KMS_ENVELOPE_AEAD_H_
	// Copyright 2019 Google LLC
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	//
	///////////////////////////////////////////////////////////////////////////////

	#ifndef TINK_AEAD_KMS_ENVELOPE_AEAD_H_
	#define TINK_AEAD_KMS_ENVELOPE_AEAD_H_

	#include <memory>
	#include <string>
	#include <utility>

	#include "absl/strings/string_view.h"
	#include "tink/aead.h"
	#include "tink/util/status.h"
	#include "tink/util/statusor.h"
	#include "proto/tink.pb.h"

	namespace crypto {
	namespace tink {

	// An implementation of KMS Envelope AEAD encryption
	// (https://cloud.google.com/kms/docs/data-encryption-keys).
	//
	// In envelope encryption user generates a data encryption key (DEK) locally,
	// encrypts data with DEK, sends DEK to a KMS to be encrypted (with a key
	// managed by KMS), and stores encrypted DEK with encrypted data; at a later
	// point user can retrieve encrypted data and DEK, use KMS to decrypt DEK,
	// and use decrypted DEK to decrypt the data.
	//
	// The ciphertext structure is as follows:
	// - Length of encrypted DEK: 4 bytes (big endian)
	// - Encrypted DEK: variable length that is equal to the value
	// specified in the last 4 bytes.
	// - AEAD payload: variable length.
	class KmsEnvelopeAead : public Aead {
	public:
	static crypto::tink::util::StatusOr<std::unique_ptr<Aead>> New(
	const google::crypto::tink::KeyTemplate& dek_template,
	std::unique_ptr<Aead> remote_aead);

	crypto::tink::util::StatusOr<std::string> Encrypt(
	absl::string_view plaintext,
	absl::string_view associated_data) const override;

	crypto::tink::util::StatusOr<std::string> Decrypt(
	absl::string_view ciphertext,
	absl::string_view associated_data) const override;

	~KmsEnvelopeAead() override = default;

	private:
	KmsEnvelopeAead(const google::crypto::tink::KeyTemplate& dek_template,
	std::unique_ptr<Aead> remote_aead) :
	dek_template_(dek_template), remote_aead_(std::move(remote_aead)) {}

	google::crypto::tink::KeyTemplate dek_template_;
	std::unique_ptr<Aead> remote_aead_;
	};

	} // namespace tink
	} // namespace crypto

	#endif // TINK_AEAD_KMS_ENVELOPE_AEAD_H_