1// Copyright 2020 Google LLC 2// 3// Licensed under the Apache License, Version 2.0 (the "License"); 4// you may not use this file except in compliance with the License. 5// You may obtain a copy of the License at 6// 7// http://www.apache.org/licenses/LICENSE-2.0 8// 9// Unless required by applicable law or agreed to in writing, software 10// distributed under the License is distributed on an "AS IS" BASIS, 11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12// See the License for the specific language governing permissions and 13// limitations under the License. 14// 15/////////////////////////////////////////////////////////////////////////////// 16 17// Package services is implements gRPC services for testing_api. 18package services 19 20import ( 21 "bytes" 22 "context" 23 "errors" 24 25 "github.com/google/tink/go/aead" 26 "github.com/google/tink/go/daead" 27 "github.com/google/tink/go/hybrid" 28 "github.com/google/tink/go/insecurecleartextkeyset" 29 "github.com/google/tink/go/jwt" 30 "github.com/google/tink/go/keyset" 31 "github.com/google/tink/go/mac" 32 "github.com/google/tink/go/prf" 33 "github.com/google/tink/go/signature" 34 "github.com/google/tink/go/streamingaead" 35 tinkpb "github.com/google/tink/go/proto/tink_go_proto" 36 pb "github.com/google/tink/testing/go/protos/testing_api_go_grpc" 37 38 "google.golang.org/protobuf/proto" 39) 40 41// KeysetService implements the Keyset testing service. 42type KeysetService struct { 43 Templates map[string]*tinkpb.KeyTemplate 44 pb.KeysetServer 45} 46 47func (s *KeysetService) GetTemplate(ctx context.Context, req *pb.KeysetTemplateRequest) (*pb.KeysetTemplateResponse, error) { 48 if s.Templates == nil { 49 s.Templates = map[string]*tinkpb.KeyTemplate{ 50 "AES128_GCM": aead.AES128GCMKeyTemplate(), 51 "AES256_GCM": aead.AES256GCMKeyTemplate(), 52 "AES256_GCM_RAW": aead.AES256GCMNoPrefixKeyTemplate(), 53 "AES128_GCM_SIV": aead.AES128GCMSIVKeyTemplate(), 54 "AES256_GCM_SIV": aead.AES256GCMSIVKeyTemplate(), 55 "AES256_GCM_SIV_RAW": aead.AES256GCMSIVNoPrefixKeyTemplate(), 56 "AES128_CTR_HMAC_SHA256": aead.AES128CTRHMACSHA256KeyTemplate(), 57 "AES256_CTR_HMAC_SHA256": aead.AES256CTRHMACSHA256KeyTemplate(), 58 "CHACHA20_POLY1305": aead.ChaCha20Poly1305KeyTemplate(), 59 "XCHACHA20_POLY1305": aead.XChaCha20Poly1305KeyTemplate(), 60 "AES256_SIV": daead.AESSIVKeyTemplate(), 61 "AES128_CTR_HMAC_SHA256_4KB": streamingaead.AES128CTRHMACSHA256Segment4KBKeyTemplate(), 62 "AES128_CTR_HMAC_SHA256_1MB": streamingaead.AES128CTRHMACSHA256Segment1MBKeyTemplate(), 63 "AES256_CTR_HMAC_SHA256_4KB": streamingaead.AES256CTRHMACSHA256Segment4KBKeyTemplate(), 64 "AES256_CTR_HMAC_SHA256_1MB": streamingaead.AES256CTRHMACSHA256Segment1MBKeyTemplate(), 65 "AES128_GCM_HKDF_4KB": streamingaead.AES128GCMHKDF4KBKeyTemplate(), 66 "AES128_GCM_HKDF_1MB": streamingaead.AES128GCMHKDF1MBKeyTemplate(), 67 "AES256_GCM_HKDF_4KB": streamingaead.AES256GCMHKDF4KBKeyTemplate(), 68 "AES256_GCM_HKDF_1MB": streamingaead.AES256GCMHKDF1MBKeyTemplate(), 69 "ECIES_P256_HKDF_HMAC_SHA256_AES128_GCM": hybrid.ECIESHKDFAES128GCMKeyTemplate(), 70 "ECIES_P256_HKDF_HMAC_SHA256_AES128_CTR_HMAC_SHA256": hybrid.ECIESHKDFAES128CTRHMACSHA256KeyTemplate(), 71 "DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM": hybrid.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM_Key_Template(), 72 "DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM_RAW": hybrid.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_128_GCM_Raw_Key_Template(), 73 "DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_256_GCM": hybrid.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_256_GCM_Key_Template(), 74 "DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_256_GCM_RAW": hybrid.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_AES_256_GCM_Raw_Key_Template(), 75 "DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_CHACHA20_POLY1305": hybrid.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_CHACHA20_POLY1305_Key_Template(), 76 "DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_CHACHA20_POLY1305_RAW": hybrid.DHKEM_X25519_HKDF_SHA256_HKDF_SHA256_CHACHA20_POLY1305_Raw_Key_Template(), 77 "AES_CMAC": mac.AESCMACTag128KeyTemplate(), 78 "HMAC_SHA256_128BITTAG": mac.HMACSHA256Tag128KeyTemplate(), 79 "HMAC_SHA256_256BITTAG": mac.HMACSHA256Tag256KeyTemplate(), 80 "HMAC_SHA512_256BITTAG": mac.HMACSHA512Tag256KeyTemplate(), 81 "HMAC_SHA512_512BITTAG": mac.HMACSHA512Tag512KeyTemplate(), 82 "ECDSA_P256": signature.ECDSAP256KeyTemplate(), 83 "ECDSA_P256_RAW": signature.ECDSAP256RawKeyTemplate(), 84 "ECDSA_P384_SHA384": signature.ECDSAP384SHA384KeyTemplate(), 85 "ECDSA_P384_SHA512": signature.ECDSAP384SHA512KeyTemplate(), 86 "ECDSA_P521": signature.ECDSAP521KeyTemplate(), 87 "ED25519": signature.ED25519KeyTemplate(), 88 "RSA_SSA_PKCS1_3072_SHA256_F4": signature.RSA_SSA_PKCS1_3072_SHA256_F4_Key_Template(), 89 "RSA_SSA_PKCS1_4096_SHA512_F4": signature.RSA_SSA_PKCS1_4096_SHA512_F4_Key_Template(), 90 "RSA_SSA_PSS_3072_SHA256_SHA256_32_F4": signature.RSA_SSA_PSS_3072_SHA256_32_F4_Key_Template(), 91 "RSA_SSA_PSS_4096_SHA512_SHA512_64_F4": signature.RSA_SSA_PSS_4096_SHA512_64_F4_Key_Template(), 92 "AES_CMAC_PRF": prf.AESCMACPRFKeyTemplate(), 93 "HMAC_SHA256_PRF": prf.HMACSHA256PRFKeyTemplate(), 94 "HMAC_SHA512_PRF": prf.HMACSHA512PRFKeyTemplate(), 95 "HKDF_SHA256": prf.HKDFSHA256PRFKeyTemplate(), 96 "JWT_HS256": jwt.HS256Template(), 97 "JWT_HS256_RAW": jwt.RawHS256Template(), 98 "JWT_HS384": jwt.HS384Template(), 99 "JWT_HS384_RAW": jwt.RawHS384Template(), 100 "JWT_HS512": jwt.HS512Template(), 101 "JWT_HS512_RAW": jwt.RawHS512Template(), 102 "JWT_ES256": jwt.ES256Template(), 103 "JWT_ES256_RAW": jwt.RawES256Template(), 104 "JWT_ES384": jwt.ES384Template(), 105 "JWT_ES384_RAW": jwt.RawES384Template(), 106 "JWT_ES512": jwt.ES512Template(), 107 "JWT_ES512_RAW": jwt.RawES512Template(), 108 "JWT_RS256_2048_F4": jwt.RS256_2048_F4_Key_Template(), 109 "JWT_RS256_2048_F4_RAW": jwt.RawRS256_2048_F4_Key_Template(), 110 "JWT_RS256_3072_F4": jwt.RS256_3072_F4_Key_Template(), 111 "JWT_RS256_3072_F4_RAW": jwt.RawRS256_3072_F4_Key_Template(), 112 "JWT_RS384_3072_F4": jwt.RS384_3072_F4_Key_Template(), 113 "JWT_RS384_3072_F4_RAW": jwt.RawRS384_3072_F4_Key_Template(), 114 "JWT_RS512_4096_F4": jwt.RS512_4096_F4_Key_Template(), 115 "JWT_RS512_4096_F4_RAW": jwt.RawRS512_4096_F4_Key_Template(), 116 "JWT_PS256_2048_F4": jwt.PS256_2048_F4_Key_Template(), 117 "JWT_PS256_2048_F4_RAW": jwt.RawPS256_2048_F4_Key_Template(), 118 "JWT_PS256_3072_F4": jwt.PS256_3072_F4_Key_Template(), 119 "JWT_PS256_3072_F4_RAW": jwt.RawPS256_3072_F4_Key_Template(), 120 "JWT_PS384_3072_F4": jwt.PS384_3072_F4_Key_Template(), 121 "JWT_PS384_3072_F4_RAW": jwt.RawPS384_3072_F4_Key_Template(), 122 "JWT_PS512_4096_F4": jwt.PS512_4096_F4_Key_Template(), 123 "JWT_PS512_4096_F4_RAW": jwt.RawPS512_4096_F4_Key_Template(), 124 } 125 } 126 template, success := s.Templates[req.GetTemplateName()] 127 if success && template != nil { 128 d, err := proto.Marshal(template) 129 if err != nil { 130 return &pb.KeysetTemplateResponse{ 131 Result: &pb.KeysetTemplateResponse_Err{err.Error()}}, nil 132 } 133 return &pb.KeysetTemplateResponse{ 134 Result: &pb.KeysetTemplateResponse_KeyTemplate{d}}, nil 135 } 136 return &pb.KeysetTemplateResponse{ 137 Result: &pb.KeysetTemplateResponse_Err{"key template not found"}}, nil 138} 139 140func (s *KeysetService) Generate(ctx context.Context, req *pb.KeysetGenerateRequest) (*pb.KeysetGenerateResponse, error) { 141 template := &tinkpb.KeyTemplate{} 142 err := proto.Unmarshal(req.Template, template) 143 if err != nil { 144 return &pb.KeysetGenerateResponse{ 145 Result: &pb.KeysetGenerateResponse_Err{err.Error()}}, nil 146 } 147 handle, err := keyset.NewHandle(template) 148 if err != nil { 149 return &pb.KeysetGenerateResponse{ 150 Result: &pb.KeysetGenerateResponse_Err{err.Error()}}, nil 151 } 152 buf := new(bytes.Buffer) 153 writer := keyset.NewBinaryWriter(buf) 154 err = insecurecleartextkeyset.Write(handle, writer) 155 if err != nil { 156 return &pb.KeysetGenerateResponse{ 157 Result: &pb.KeysetGenerateResponse_Err{err.Error()}}, nil 158 } 159 return &pb.KeysetGenerateResponse{ 160 Result: &pb.KeysetGenerateResponse_Keyset{buf.Bytes()}}, nil 161} 162 163func (s *KeysetService) Public(ctx context.Context, req *pb.KeysetPublicRequest) (*pb.KeysetPublicResponse, error) { 164 reader := keyset.NewBinaryReader(bytes.NewReader(req.PrivateKeyset)) 165 privateHandle, err := insecurecleartextkeyset.Read(reader) 166 if err != nil { 167 return &pb.KeysetPublicResponse{ 168 Result: &pb.KeysetPublicResponse_Err{err.Error()}}, nil 169 } 170 publicHandle, err := privateHandle.Public() 171 if err != nil { 172 return &pb.KeysetPublicResponse{ 173 Result: &pb.KeysetPublicResponse_Err{err.Error()}}, nil 174 } 175 buf := new(bytes.Buffer) 176 writer := keyset.NewBinaryWriter(buf) 177 err = insecurecleartextkeyset.Write(publicHandle, writer) 178 if err != nil { 179 return &pb.KeysetPublicResponse{ 180 Result: &pb.KeysetPublicResponse_Err{err.Error()}}, nil 181 } 182 return &pb.KeysetPublicResponse{ 183 Result: &pb.KeysetPublicResponse_PublicKeyset{buf.Bytes()}}, nil 184} 185 186func (s *KeysetService) ToJson(ctx context.Context, req *pb.KeysetToJsonRequest) (*pb.KeysetToJsonResponse, error) { 187 reader := keyset.NewBinaryReader(bytes.NewReader(req.Keyset)) 188 handle, err := insecurecleartextkeyset.Read(reader) 189 if err != nil { 190 return &pb.KeysetToJsonResponse{ 191 Result: &pb.KeysetToJsonResponse_Err{err.Error()}}, nil 192 } 193 buf := new(bytes.Buffer) 194 writer := keyset.NewJSONWriter(buf) 195 if err := insecurecleartextkeyset.Write(handle, writer); err != nil { 196 return &pb.KeysetToJsonResponse{ 197 Result: &pb.KeysetToJsonResponse_Err{err.Error()}}, nil 198 } 199 return &pb.KeysetToJsonResponse{ 200 Result: &pb.KeysetToJsonResponse_JsonKeyset{buf.String()}}, nil 201} 202 203func (s *KeysetService) FromJson(ctx context.Context, req *pb.KeysetFromJsonRequest) (*pb.KeysetFromJsonResponse, error) { 204 reader := keyset.NewJSONReader(bytes.NewBufferString(req.JsonKeyset)) 205 handle, err := insecurecleartextkeyset.Read(reader) 206 if err != nil { 207 return &pb.KeysetFromJsonResponse{ 208 Result: &pb.KeysetFromJsonResponse_Err{err.Error()}}, nil 209 } 210 buf := new(bytes.Buffer) 211 writer := keyset.NewBinaryWriter(buf) 212 if err := insecurecleartextkeyset.Write(handle, writer); err != nil { 213 return &pb.KeysetFromJsonResponse{ 214 Result: &pb.KeysetFromJsonResponse_Err{err.Error()}}, nil 215 } 216 return &pb.KeysetFromJsonResponse{ 217 Result: &pb.KeysetFromJsonResponse_Keyset{buf.Bytes()}}, nil 218} 219 220func (s *KeysetService) WriteEncrypted(ctx context.Context, req *pb.KeysetWriteEncryptedRequest) (*pb.KeysetWriteEncryptedResponse, error) { 221 masterReader := keyset.NewBinaryReader(bytes.NewReader(req.GetMasterKeyset())) 222 masterHandle, err := insecurecleartextkeyset.Read(masterReader) 223 if err != nil { 224 return &pb.KeysetWriteEncryptedResponse{ 225 Result: &pb.KeysetWriteEncryptedResponse_Err{err.Error()}}, nil 226 } 227 masterAead, err := aead.New(masterHandle) 228 if err != nil { 229 return &pb.KeysetWriteEncryptedResponse{ 230 Result: &pb.KeysetWriteEncryptedResponse_Err{err.Error()}}, nil 231 } 232 233 reader := keyset.NewBinaryReader(bytes.NewReader(req.GetKeyset())) 234 handle, err := insecurecleartextkeyset.Read(reader) 235 if err != nil { 236 return &pb.KeysetWriteEncryptedResponse{ 237 Result: &pb.KeysetWriteEncryptedResponse_Err{err.Error()}}, nil 238 } 239 240 buf := new(bytes.Buffer) 241 var writer keyset.Writer 242 if req.GetKeysetWriterType() == pb.KeysetWriterType_KEYSET_WRITER_BINARY { 243 writer = keyset.NewBinaryWriter(buf) 244 } else if req.GetKeysetWriterType() == pb.KeysetWriterType_KEYSET_WRITER_JSON { 245 writer = keyset.NewJSONWriter(buf) 246 } else { 247 return nil, errors.New("unknown keyset writer type") 248 } 249 if req.GetAssociatedData() != nil { 250 err = handle.WriteWithAssociatedData(writer, masterAead, req.GetAssociatedData().GetValue()) 251 } else { 252 err = handle.Write(writer, masterAead) 253 } 254 if err != nil { 255 return &pb.KeysetWriteEncryptedResponse{ 256 Result: &pb.KeysetWriteEncryptedResponse_Err{err.Error()}}, nil 257 } 258 return &pb.KeysetWriteEncryptedResponse{ 259 Result: &pb.KeysetWriteEncryptedResponse_EncryptedKeyset{buf.Bytes()}}, nil 260} 261 262func (s *KeysetService) ReadEncrypted(ctx context.Context, req *pb.KeysetReadEncryptedRequest) (*pb.KeysetReadEncryptedResponse, error) { 263 masterReader := keyset.NewBinaryReader(bytes.NewReader(req.GetMasterKeyset())) 264 masterHandle, err := insecurecleartextkeyset.Read(masterReader) 265 if err != nil { 266 return &pb.KeysetReadEncryptedResponse{ 267 Result: &pb.KeysetReadEncryptedResponse_Err{err.Error()}}, nil 268 } 269 masterAead, err := aead.New(masterHandle) 270 if err != nil { 271 return &pb.KeysetReadEncryptedResponse{ 272 Result: &pb.KeysetReadEncryptedResponse_Err{err.Error()}}, nil 273 } 274 275 var reader keyset.Reader 276 if req.GetKeysetReaderType() == pb.KeysetReaderType_KEYSET_READER_BINARY { 277 reader = keyset.NewBinaryReader(bytes.NewReader(req.GetEncryptedKeyset())) 278 } else if req.GetKeysetReaderType() == pb.KeysetReaderType_KEYSET_READER_JSON { 279 reader = keyset.NewJSONReader(bytes.NewReader(req.GetEncryptedKeyset())) 280 } else { 281 return nil, errors.New("unknown keyset reader type") 282 } 283 var handle *keyset.Handle 284 if req.GetAssociatedData() != nil { 285 handle, err = keyset.ReadWithAssociatedData(reader, masterAead, req.GetAssociatedData().GetValue()) 286 } else { 287 handle, err = keyset.Read(reader, masterAead) 288 } 289 if err != nil { 290 return &pb.KeysetReadEncryptedResponse{ 291 Result: &pb.KeysetReadEncryptedResponse_Err{err.Error()}}, nil 292 } 293 294 buf := new(bytes.Buffer) 295 writer := keyset.NewBinaryWriter(buf) 296 if err := insecurecleartextkeyset.Write(handle, writer); err != nil { 297 return &pb.KeysetReadEncryptedResponse{ 298 Result: &pb.KeysetReadEncryptedResponse_Err{err.Error()}}, nil 299 } 300 return &pb.KeysetReadEncryptedResponse{ 301 Result: &pb.KeysetReadEncryptedResponse_Keyset{buf.Bytes()}}, nil 302} 303