Skip to content
This repository has been archived by the owner on Apr 17, 2024. It is now read-only.

Commit

Permalink
Encrypt only DEK bytes for envelope encryption.
Browse files Browse the repository at this point in the history 
This changes the envelope encryption in C++ to solely encrypt the key
bytes of the DEK instead of the full KeyData proto. This reduces the
overhead in the envelope encryption and fixes an issue with incompatible
format between C++ and the envelope encryption in Java and Go.

PiperOrigin-RevId: 292406414
  • Loading branch information
@kste @copybara-github
kste authored and copybara-github committed Jan 30, 2020
1 parent e9f42e2 commit 02bdc3e
Show file tree
Hide file tree
Showing 4 changed files with 109 additions and 88 deletions.
76 changes: 39 additions & 37 deletions cc/aead/BUILD.bazel
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,10 @@ cc_library(
"//:primitive_set",
"//:primitive_wrapper",
"//:registry",
"//proto:tink_cc_proto",
"//subtle:subtle_util_boringssl",
"//util:status",
"//util:statusor",
"//proto:tink_cc_proto",
"@com_google_absl//absl/strings",
],
)
Expand All @@ -38,8 +38,8 @@ cc_library(
":xchacha20_poly1305_key_manager",
"//config:config_util",
"//mac:mac_config",
"//util:status",
"//proto:config_cc_proto",
"//util:status",
"@com_google_absl//absl/base:core_headers",
"@com_google_absl//absl/memory",
],
Expand Down Expand Up @@ -87,6 +87,7 @@ cc_library(
deps = [
"//:aead",
"//:core/key_type_manager",
"//proto:aes_eax_cc_proto",
"//subtle:aes_eax_boringssl",
"//subtle:random",
"//util:constants",
Expand All @@ -95,7 +96,6 @@ cc_library(
"//util:status",
"//util:statusor",
"//util:validation",
"//proto:aes_eax_cc_proto",
"@com_google_absl//absl/strings",
],
)
Expand All @@ -108,6 +108,8 @@ cc_library(
"//:aead",
"//:core/key_type_manager",
"//:key_manager",
"//proto:aes_gcm_cc_proto",
"//proto:tink_cc_proto",
"//subtle:aes_gcm_boringssl",
"//subtle:random",
"//util:constants",
Expand All @@ -117,8 +119,6 @@ cc_library(
"//util:status",
"//util:statusor",
"//util:validation",
"//proto:aes_gcm_cc_proto",
"//proto:tink_cc_proto",
"@com_google_absl//absl/strings",
],
)
Expand All @@ -130,6 +130,9 @@ cc_library(
deps = [
"//:aead",
"//:core/key_type_manager",
"//proto:aes_gcm_siv_cc_proto",
"//proto:common_cc_proto",
"//proto:tink_cc_proto",
"//subtle:aes_gcm_siv_boringssl",
"//subtle:random",
"//util:constants",
Expand All @@ -138,9 +141,6 @@ cc_library(
"//util:status",
"//util:statusor",
"//util:validation",
"//proto:aes_gcm_siv_cc_proto",
"//proto:common_cc_proto",
"//proto:tink_cc_proto",
"@com_google_absl//absl/base",
],
)
Expand All @@ -156,6 +156,9 @@ cc_library(
"//:mac",
"//:registry",
"//mac:hmac_key_manager",
"//proto:aes_ctr_hmac_aead_cc_proto",
"//proto:common_cc_proto",
"//proto:tink_cc_proto",
"//subtle:aes_ctr_boringssl",
"//subtle:encrypt_then_authenticate",
"//subtle:hmac_boringssl",
Expand All @@ -167,9 +170,6 @@ cc_library(
"//util:status",
"//util:statusor",
"//util:validation",
"//proto:aes_ctr_hmac_aead_cc_proto",
"//proto:common_cc_proto",
"//proto:tink_cc_proto",
"@com_google_absl//absl/base",
],
)
Expand All @@ -181,6 +181,7 @@ cc_library(
deps = [
"//:aead",
"//:core/key_type_manager",
"//proto:xchacha20_poly1305_cc_proto",
"//subtle:random",
"//subtle:xchacha20_poly1305_boringssl",
"//util:constants",
Expand All @@ -189,7 +190,6 @@ cc_library(
"//util:status",
"//util:statusor",
"//util:validation",
"//proto:xchacha20_poly1305_cc_proto",
"@com_google_absl//absl/strings",
],
)
Expand All @@ -202,11 +202,11 @@ cc_library(
"//:aead",
"//:core/key_type_manager",
"//:kms_clients",
"//proto:kms_aead_cc_proto",
"//util:constants",
"//util:status",
"//util:statusor",
"//util:validation",
"//proto:kms_aead_cc_proto",
"@com_google_absl//absl/strings",
],
)
Expand All @@ -219,11 +219,12 @@ cc_library(
deps = [
"//:aead",
"//:registry",
"//proto:tink_cc_proto",
"//util:errors",
"//util:protobuf_helper",
"//util:status",
"//util:statusor",
"//proto:tink_cc_proto",
"@com_google_absl//absl/base:endian",
"@com_google_absl//absl/strings",
],
)
Expand All @@ -239,25 +240,24 @@ cc_library(
"//:core/key_type_manager",
"//:kms_client",
"//:kms_clients",
"//proto:kms_envelope_cc_proto",
"//util:constants",
"//util:errors",
"//util:protobuf_helper",
"//util:status",
"//util:statusor",
"//util:validation",
"//proto:kms_envelope_cc_proto",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
],
)


cc_library(
name = "mock_aead",
hdrs = ["mock_aead.h"],
copts = ["-Iexternal/gtest/include"],
include_prefix = "tink",
visibility = ["//visibility:public"],
copts = ["-Iexternal/gtest/include"],
deps = [
"//:aead",
"@com_google_googletest//:gtest",
Expand All @@ -275,10 +275,10 @@ cc_test(
":aead_wrapper",
"//:aead",
"//:primitive_set",
"//proto:tink_cc_proto",
"//util:status",
"//util:test_matchers",
"//util:test_util",
"//proto:tink_cc_proto",
"@com_google_googletest//:gtest_main",
],
)
Expand Down Expand Up @@ -315,11 +315,11 @@ cc_test(
"//:aead",
"//:crypto_format",
"//:keyset_handle",
"//proto:aes_gcm_cc_proto",
"//proto:tink_cc_proto",
"//util:status",
"//util:test_keyset_handle",
"//util:test_util",
"//proto:aes_gcm_cc_proto",
"//proto:tink_cc_proto",
"@com_google_googletest//:gtest_main",
],
)
Expand All @@ -337,14 +337,14 @@ cc_test(
":aes_gcm_siv_key_manager",
":xchacha20_poly1305_key_manager",
"//:core/key_manager_impl",
"//util:test_matchers",
"//proto:aes_ctr_hmac_aead_cc_proto",
"//proto:aes_eax_cc_proto",
"//proto:aes_gcm_cc_proto",
"//proto:aes_gcm_siv_cc_proto",
"//proto:common_cc_proto",
"//proto:tink_cc_proto",
"//proto:xchacha20_poly1305_cc_proto",
"//util:test_matchers",
"@com_google_googletest//:gtest_main",
],
)
Expand All @@ -357,14 +357,14 @@ cc_test(
deps = [
":aes_eax_key_manager",
"//:aead",
"//subtle:aead_test_util",
"//util:status",
"//util:statusor",
"//util:test_matchers",
"//proto:aes_eax_cc_proto",
"//proto:aes_gcm_cc_proto",
"//proto:common_cc_proto",
"//proto:tink_cc_proto",
"//subtle:aead_test_util",
"//util:status",
"//util:statusor",
"//util:test_matchers",
"@com_google_googletest//:gtest_main",
],
)
Expand All @@ -377,12 +377,12 @@ cc_test(
deps = [
":aes_gcm_key_manager",
"//:aead",
"//proto:aes_gcm_cc_proto",
"//subtle:aead_test_util",
"//util:istream_input_stream",
"//util:status",
"//util:statusor",
"//util:test_matchers",
"//proto:aes_gcm_cc_proto",
"@com_google_googletest//:gtest_main",
],
)
Expand All @@ -395,11 +395,11 @@ cc_test(
deps = [
":aes_gcm_siv_key_manager",
"//:aead",
"//proto:aes_gcm_siv_cc_proto",
"//subtle:aead_test_util",
"//util:status",
"//util:statusor",
"//util:test_matchers",
"//proto:aes_gcm_siv_cc_proto",
"@com_google_googletest//:gtest_main",
],
)
Expand All @@ -413,17 +413,17 @@ cc_test(
":aes_ctr_hmac_aead_key_manager",
"//:config",
"//mac:mac_config",
"//proto:aes_ctr_hmac_aead_cc_proto",
"//proto:aes_gcm_cc_proto",
"//proto:common_cc_proto",
"//proto:tink_cc_proto",
"//subtle",
"//subtle:aead_test_util",
"//subtle:aes_ctr_boringssl",
"//util:enums",
"//util:status",
"//util:statusor",
"//util:test_matchers",
"//proto:aes_ctr_hmac_aead_cc_proto",
"//proto:aes_gcm_cc_proto",
"//proto:common_cc_proto",
"//proto:tink_cc_proto",
"@com_google_googletest//:gtest_main",
],
)
Expand All @@ -436,11 +436,11 @@ cc_test(
deps = [
":xchacha20_poly1305_key_manager",
"//:aead",
"//proto:xchacha20_poly1305_cc_proto",
"//subtle:aead_test_util",
"//util:status",
"//util:statusor",
"//util:test_matchers",
"//proto:xchacha20_poly1305_cc_proto",
"@com_google_googletest//:gtest_main",
],
)
Expand All @@ -455,12 +455,12 @@ cc_test(
"//:aead",
"//:kms_client",
"//:kms_clients",
"//proto:kms_aead_cc_proto",
"//subtle:aead_test_util",
"//util:status",
"//util:statusor",
"//util:test_matchers",
"//util:test_util",
"//proto:kms_aead_cc_proto",
"@com_google_absl//absl/strings",
"@com_google_googletest//:gtest_main",
],
Expand All @@ -478,11 +478,13 @@ cc_test(
"//:aead",
"//:registry",
"//mac:mac_key_templates",
"//proto:tink_cc_proto",
"//proto:aes_gcm_cc_proto",
"//util:status",
"//util:statusor",
"//util:test_matchers",
"//util:test_util",
"//proto:tink_cc_proto",
"@com_google_absl//absl/base:endian",
"@com_google_absl//absl/memory",
"@com_google_absl//absl/strings",
"@com_google_googletest//:gtest_main",
Expand All @@ -504,14 +506,14 @@ cc_test(
"//:kms_client",
"//:kms_clients",
"//:registry",
"//proto:aes_eax_cc_proto",
"//proto:kms_envelope_cc_proto",
"//proto:tink_cc_proto",
"//subtle:aead_test_util",
"//util:status",
"//util:statusor",
"//util:test_matchers",
"//util:test_util",
"//proto:aes_eax_cc_proto",
"//proto:kms_envelope_cc_proto",
"//proto:tink_cc_proto",
"@com_google_absl//absl/strings",
"@com_google_googletest//:gtest_main",
],
Expand Down
2 changes: 2 additions & 0 deletions cc/aead/CMakeLists.txt
View file
Original file line number Diff line number Diff line change
Expand Up @@ -210,6 +210,7 @@ tink_cc_library(
tink::util::statusor
tink::proto::tink_cc_proto
absl::strings
absl::base
)

tink_cc_library(
Expand Down Expand Up @@ -411,6 +412,7 @@ tink_cc_test(
NAME kms_envelope_aead_test
SRCS kms_envelope_aead_test.cc
DEPS
absl::base
absl::memory
absl::strings
tink::aead::aead_config
Expand Down
Loading

0 comments on commit 02bdc3e

Please sign in to comment.