author | cinlin <cinlin@google.com> | 2023-06-15 17:44:06 -0700 |
---|---|---|
committer | Copybara-Service <copybara-worker@google.com> | 2023-06-15 17:45:06 -0700 |
commit | 8089d30aabc84adf708aff279456793434cf4844 (patch) | |
tree | e5d875951e1c0d1a8e092b3a674bd470e65268f5 /cc/config | |
parent | a5f46c3e1327e9ecc474d9bb4222124da4b59096 (diff) | |
Define KeyGenConfigFips140_2 C++ object. #tinkApiChange
Also mark this and ConfigFips140_2 as public.
PiperOrigin-RevId: 540737691
Diffstat (limited to 'cc/config')
-rw-r--r-- | cc/config/BUILD.bazel | 91 | ||||
-rw-r--r-- | cc/config/CMakeLists.txt | 86 | ||||
-rw-r--r-- | cc/config/fips_140_2.h | 8 | ||||
-rw-r--r-- | cc/config/key_gen_fips_140_2.cc | 96 | ||||
-rw-r--r-- | cc/config/key_gen_fips_140_2.h | 33 | ||||
-rw-r--r-- | cc/config/key_gen_fips_140_2_test.cc | 129 |
6 files changed, 396 insertions, 47 deletions
diff --git a/cc/config/BUILD.bazel b/cc/config/BUILD.bazel index 6410ccf55..77a02c723 100644 --- a/cc/config/BUILD.bazel +++ b/cc/config/BUILD.bazel @@ -52,6 +52,59 @@ cc_library( ], ) +cc_library( + name = "fips_140_2", + srcs = ["fips_140_2.cc"], + hdrs = ["fips_140_2.h"], + include_prefix = "tink/config", + visibility = ["//visibility:public"], + deps = [ + "//:configuration", + "//aead:aead_wrapper", + "//aead:aes_ctr_hmac_aead_key_manager", + "//aead:aes_gcm_key_manager", + "//internal:configuration_impl", + "//mac:hmac_key_manager", + "//mac:mac_wrapper", + "//mac/internal:chunked_mac_wrapper", + "//prf:hmac_prf_key_manager", + "//prf:prf_set_wrapper", + "//signature:ecdsa_sign_key_manager", + "//signature:ecdsa_verify_key_manager", + "//signature:public_key_sign_wrapper", + "//signature:public_key_verify_wrapper", + "//signature:rsa_ssa_pkcs1_sign_key_manager", + "//signature:rsa_ssa_pkcs1_verify_key_manager", + "//signature:rsa_ssa_pss_sign_key_manager", + "//signature:rsa_ssa_pss_verify_key_manager", + "@com_google_absl//absl/log:check", + ], +) + +cc_library( + name = "key_gen_fips_140_2", + srcs = ["key_gen_fips_140_2.cc"], + hdrs = ["key_gen_fips_140_2.h"], + include_prefix = "tink/config", + visibility = ["//visibility:public"], + deps = [ + "//:key_gen_configuration", + "//aead:aes_ctr_hmac_aead_key_manager", + "//aead:aes_gcm_key_manager", + "//internal:fips_utils", + "//internal:key_gen_configuration_impl", + "//mac:hmac_key_manager", + "//prf:hmac_prf_key_manager", + "//signature:ecdsa_sign_key_manager", + "//signature:ecdsa_verify_key_manager", + "//signature:rsa_ssa_pkcs1_sign_key_manager", + "//signature:rsa_ssa_pkcs1_verify_key_manager", + "//signature:rsa_ssa_pss_sign_key_manager", + "//signature:rsa_ssa_pss_verify_key_manager", + "@com_google_absl//absl/log:check", + ], +) + # tests cc_test( 
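Review bot: The new `key_gen_fips_140_2` target declares no dependency for two things its source uses directly: key_gen_fips_140_2.cc calls `absl::make_unique` and returns `util::Status` without including `absl/memory/memory.h` or `tink/util/status.h`, so it presumably builds only through transitive includes. Adding those two includes, plus `"//util:status"` and `"@com_google_absl//absl/memory"` in this `deps` list and `tink::util::status` and `absl::memory` in the matching CMakeLists.txt hunk, would keep the target building if an upstream header stops pulling them in. The relocated `fips_140_2` target may have the same gap, but its source file is not part of this diff.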
@@ -104,44 +157,40 @@ cc_test( ], ) -cc_library( - name = "fips_140_2", - srcs = ["fips_140_2.cc"], - hdrs = ["fips_140_2.h"], - include_prefix = "tink/config", +cc_test( + name = "fips_140_2_test", + srcs = ["fips_140_2_test.cc"], deps = [ - "//:configuration", - "//aead:aead_wrapper", + ":fips_140_2", + "//aead:aead_key_templates", "//aead:aes_ctr_hmac_aead_key_manager", "//aead:aes_gcm_key_manager", "//internal:configuration_impl", + "//internal:fips_utils", + "//mac:aes_cmac_key_manager", "//mac:hmac_key_manager", - "//mac:mac_wrapper", - "//mac/internal:chunked_mac_wrapper", "//prf:hmac_prf_key_manager", - "//prf:prf_set_wrapper", - "//signature:ecdsa_sign_key_manager", + "//proto:tink_cc_proto", "//signature:ecdsa_verify_key_manager", - "//signature:public_key_sign_wrapper", - "//signature:public_key_verify_wrapper", - "//signature:rsa_ssa_pkcs1_sign_key_manager", "//signature:rsa_ssa_pkcs1_verify_key_manager", - "//signature:rsa_ssa_pss_sign_key_manager", "//signature:rsa_ssa_pss_verify_key_manager", - "@com_google_absl//absl/log:check", + "//util:test_keyset_handle", + "//util:test_matchers", + "//util:test_util", + "@com_google_googletest//:gtest_main", ], ) cc_test( - name = "fips_140_2_test", - srcs = ["fips_140_2_test.cc"], + name = "key_gen_fips_140_2_test", + srcs = ["key_gen_fips_140_2_test.cc"], deps = [ - ":fips_140_2", + ":key_gen_fips_140_2", "//aead:aead_key_templates", "//aead:aes_ctr_hmac_aead_key_manager", "//aead:aes_gcm_key_manager", - "//internal:configuration_impl", "//internal:fips_utils", + "//internal:key_gen_configuration_impl", "//mac:aes_cmac_key_manager", "//mac:hmac_key_manager", "//prf:hmac_prf_key_manager", @@ -149,9 +198,7 @@ cc_test( "//signature:ecdsa_verify_key_manager", "//signature:rsa_ssa_pkcs1_verify_key_manager", "//signature:rsa_ssa_pss_verify_key_manager", - "//util:test_keyset_handle", "//util:test_matchers", - "//util:test_util", "@com_google_googletest//:gtest_main", ], ) 
diff --git a/cc/config/CMakeLists.txt b/cc/config/CMakeLists.txt index 6a47520d6..f3c086ed1 100644 --- a/cc/config/CMakeLists.txt +++ b/cc/config/CMakeLists.txt @@ -40,6 +40,55 @@ tink_cc_library( tink::util::status ) +tink_cc_library( + NAME fips_140_2 + SRCS + fips_140_2.cc + fips_140_2.h + DEPS + absl::check + tink::core::configuration + tink::aead::aead_wrapper + tink::aead::aes_ctr_hmac_aead_key_manager + tink::aead::aes_gcm_key_manager + tink::internal::configuration_impl + tink::mac::hmac_key_manager + tink::mac::mac_wrapper + tink::mac::internal::chunked_mac_wrapper + tink::prf::hmac_prf_key_manager + tink::prf::prf_set_wrapper + tink::signature::ecdsa_sign_key_manager + tink::signature::ecdsa_verify_key_manager + tink::signature::public_key_sign_wrapper + tink::signature::public_key_verify_wrapper + tink::signature::rsa_ssa_pkcs1_sign_key_manager + tink::signature::rsa_ssa_pkcs1_verify_key_manager + tink::signature::rsa_ssa_pss_sign_key_manager + tink::signature::rsa_ssa_pss_verify_key_manager +) + +tink_cc_library( + NAME key_gen_fips_140_2 + SRCS + key_gen_fips_140_2.cc + key_gen_fips_140_2.h + DEPS + absl::check + tink::core::key_gen_configuration + tink::aead::aes_ctr_hmac_aead_key_manager + tink::aead::aes_gcm_key_manager + tink::internal::fips_utils + tink::internal::key_gen_configuration_impl + tink::mac::hmac_key_manager + tink::prf::hmac_prf_key_manager + tink::signature::ecdsa_sign_key_manager + tink::signature::ecdsa_verify_key_manager + tink::signature::rsa_ssa_pkcs1_sign_key_manager + tink::signature::rsa_ssa_pkcs1_verify_key_manager + tink::signature::rsa_ssa_pss_sign_key_manager + tink::signature::rsa_ssa_pss_verify_key_manager +) + # tests tink_cc_test( 
@@ -88,53 +137,48 @@ tink_cc_test( tink::util::test_matchers ) -tink_cc_library( - NAME fips_140_2 +tink_cc_test( + NAME fips_140_2_test SRCS - fips_140_2.cc - fips_140_2.h + fips_140_2_test.cc DEPS - absl::check - tink::core::configuration - tink::aead::aead_wrapper + tink::config::fips_140_2 + gmock + tink::aead::aead_key_templates tink::aead::aes_ctr_hmac_aead_key_manager tink::aead::aes_gcm_key_manager tink::internal::configuration_impl + tink::internal::fips_utils + tink::mac::aes_cmac_key_manager tink::mac::hmac_key_manager - tink::mac::mac_wrapper - tink::mac::internal::chunked_mac_wrapper tink::prf::hmac_prf_key_manager - tink::prf::prf_set_wrapper - tink::signature::ecdsa_sign_key_manager tink::signature::ecdsa_verify_key_manager - tink::signature::public_key_sign_wrapper - tink::signature::public_key_verify_wrapper - tink::signature::rsa_ssa_pkcs1_sign_key_manager tink::signature::rsa_ssa_pkcs1_verify_key_manager - tink::signature::rsa_ssa_pss_sign_key_manager tink::signature::rsa_ssa_pss_verify_key_manager + tink::util::test_keyset_handle + tink::util::test_matchers + tink::util::test_util + tink::proto::tink_cc_proto ) tink_cc_test( - NAME fips_140_2_test + NAME key_gen_fips_140_2_test SRCS - fips_140_2_test.cc + key_gen_fips_140_2_test.cc DEPS - tink::config::fips_140_2 + tink::config::key_gen_fips_140_2 gmock tink::aead::aead_key_templates tink::aead::aes_ctr_hmac_aead_key_manager tink::aead::aes_gcm_key_manager - tink::internal::configuration_impl tink::internal::fips_utils + tink::internal::key_gen_configuration_impl tink::mac::aes_cmac_key_manager tink::mac::hmac_key_manager tink::prf::hmac_prf_key_manager tink::signature::ecdsa_verify_key_manager tink::signature::rsa_ssa_pkcs1_verify_key_manager tink::signature::rsa_ssa_pss_verify_key_manager - tink::util::test_keyset_handle tink::util::test_matchers - tink::util::test_util tink::proto::tink_cc_proto ) diff --git a/cc/config/fips_140_2.h b/cc/config/fips_140_2.h index ae4b93d48..24fa9b1a1 100644 
--- a/cc/config/fips_140_2.h +++ b/cc/config/fips_140_2.h @@ -12,7 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. // -/////////////////////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////////////////////// #ifndef TINK_CONFIG_FIPS_140_2_H_ #define TINK_CONFIG_FIPS_140_2_H_ @@ -22,9 +22,9 @@ namespace crypto { namespace tink { -// Allows primitive generation using FIPS 140-2-compliant key types. Importing -// this Configuration restricts Tink to FIPS globally and requires BoringSSL to -// be built with the BoringCrypto module. +// Configuration used to generate primitives using FIPS 140-2-compliant key +// types. Importing this Configuration restricts Tink to FIPS globally and +// requires BoringSSL to be built with the BoringCrypto module. const Configuration& ConfigFips140_2(); } // namespace tink diff --git a/cc/config/key_gen_fips_140_2.cc b/cc/config/key_gen_fips_140_2.cc new file mode 100644 index 000000000..8734411bc --- /dev/null +++ b/cc/config/key_gen_fips_140_2.cc 
@@ -0,0 +1,96 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#include "tink/config/key_gen_fips_140_2.h"
+
+#include "absl/log/check.h"
+#include "tink/aead/aes_ctr_hmac_aead_key_manager.h"
+#include "tink/aead/aes_gcm_key_manager.h"
+#include "tink/internal/fips_utils.h"
+#include "tink/internal/key_gen_configuration_impl.h"
+#include "tink/key_gen_configuration.h"
+#include "tink/mac/hmac_key_manager.h"
+#include "tink/prf/hmac_prf_key_manager.h"
+#include "tink/signature/ecdsa_verify_key_manager.h"
+#include "tink/signature/rsa_ssa_pkcs1_sign_key_manager.h"
+#include "tink/signature/rsa_ssa_pkcs1_verify_key_manager.h"
+#include "tink/signature/rsa_ssa_pss_sign_key_manager.h"
+#include "tink/signature/rsa_ssa_pss_verify_key_manager.h"
+#include "tink/signature/ecdsa_sign_key_manager.h"
+
+namespace crypto {
+namespace tink {
+namespace {
+
+util::Status RegisterMac(KeyGenConfiguration& config) {
+ return internal::KeyGenConfigurationImpl::RegisterKeyTypeManager(
+ absl::make_unique<HmacKeyManager>(), config);
+}
+
+util::Status RegisterAead(KeyGenConfiguration& config) {
+ util::Status status =
+ internal::KeyGenConfigurationImpl::RegisterKeyTypeManager(
+ absl::make_unique<AesCtrHmacAeadKeyManager>(), config);
+ if (!status.ok()) {
+ return status;
+ }
+ return internal::KeyGenConfigurationImpl::RegisterKeyTypeManager(
+ absl::make_unique<AesGcmKeyManager>(), config);
+}
+
+util::Status RegisterPrf(KeyGenConfiguration& config) {
+ return internal::KeyGenConfigurationImpl::RegisterKeyTypeManager(
+ absl::make_unique<HmacPrfKeyManager>(), config);
+}
+
+util::Status RegisterSignature(KeyGenConfiguration& config) {
+ util::Status status =
+ internal::KeyGenConfigurationImpl::RegisterAsymmetricKeyManagers(
+ absl::make_unique<EcdsaSignKeyManager>(),
+ absl::make_unique<EcdsaVerifyKeyManager>(), config);
+ if (!status.ok()) {
+ return status;
+ }
+ status = internal::KeyGenConfigurationImpl::RegisterAsymmetricKeyManagers(
+ absl::make_unique<RsaSsaPssSignKeyManager>(),
+ absl::make_unique<RsaSsaPssVerifyKeyManager>(), config);
+ if (!status.ok()) {
+ return status;
+ }
+ return internal::KeyGenConfigurationImpl::RegisterAsymmetricKeyManagers(
+ absl::make_unique<RsaSsaPkcs1SignKeyManager>(),
+ absl::make_unique<RsaSsaPkcs1VerifyKeyManager>(), config);
+}
+
+} // namespace
+
+const KeyGenConfiguration& KeyGenConfigFips140_2() {
+ static const KeyGenConfiguration* instance = [] {
+ internal::SetFipsRestricted();
+
+ static KeyGenConfiguration* config = new KeyGenConfiguration();
+ CHECK_OK(RegisterMac(*config));
+ CHECK_OK(RegisterAead(*config));
+ CHECK_OK(RegisterPrf(*config));
+ CHECK_OK(RegisterSignature(*config));
+
+ return config;
+ }();
+ return *instance;
+}
+
+} // namespace tink
+} // namespace crypto
diff --git a/cc/config/key_gen_fips_140_2.h b/cc/config/key_gen_fips_140_2.h
new file mode 100644
index 000000000..e5ccc6a5e
--- /dev/null
+++ b/cc/config/key_gen_fips_140_2.h
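Review bot: In `KeyGenConfigFips140_2()` (key_gen_fips_140_2.cc) the call to `internal::SetFipsRestricted()` sits inside the initializer of the function-local static, so it runs only on the first call. If the flag is cleared afterwards, as the test fixture in this commit does with `internal::UnSetFipsRestricted()` in `TearDown`, later calls return the cached configuration without restoring the process-wide restriction. If the restriction is meant to hold whenever this configuration is handed out, move the call out of the lambda so it runs on every invocation; otherwise state the once-only behaviour in a comment above the function. Separately, the inner `static KeyGenConfiguration* config` is redundant because the enclosing initializer already runs once; `auto* config = new KeyGenConfiguration();` is enough.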
@@ -0,0 +1,33 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef TINK_CONFIG_KEY_GEN_FIPS_140_2_H_
+#define TINK_CONFIG_KEY_GEN_FIPS_140_2_H_
+
+#include "tink/key_gen_configuration.h"
+
+namespace crypto {
+namespace tink {
+
+// KeyGenConfiguration used to generate keys using using FIPS 140-2-compliant
+// key types. Importing this KeyGenConfiguration restricts Tink to FIPS globally
+// and requires BoringSSL to be built with the BoringCrypto module.
+const KeyGenConfiguration& KeyGenConfigFips140_2();
+
+} // namespace tink
+} // namespace crypto
+
+#endif // TINK_CONFIG_KEY_GEN_FIPS_140_2_H_
diff --git a/cc/config/key_gen_fips_140_2_test.cc b/cc/config/key_gen_fips_140_2_test.cc
new file mode 100644
index 000000000..9e92a09ba
--- /dev/null
+++ b/cc/config/key_gen_fips_140_2_test.cc
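Review bot: The comment on `KeyGenConfigFips140_2()` in key_gen_fips_140_2.h repeats a word ("using using") and says that importing the configuration restricts Tink to FIPS. In key_gen_fips_140_2.cc the restriction is applied by the first call to the function, not by including the header. Suggested wording: `// Returns the KeyGenConfiguration for generating keys of FIPS 140-2-compliant key types. The first call restricts Tink to FIPS for the whole process.` It should add a sentence that the call aborts when BoringSSL was not built with the BoringCrypto module, which is what the death test in this commit expects. The reworded comment in fips_140_2.h uses the same "Importing" phrasing and presumably needs the same correction, though its implementation is not shown here.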
@@ -0,0 +1,129 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#include "tink/config/key_gen_fips_140_2.h"
+
+#include <memory>
+
+#include "gmock/gmock.h"
+#include "gtest/gtest.h"
+#include "tink/aead/aead_key_templates.h"
+#include "tink/aead/aes_ctr_hmac_aead_key_manager.h"
+#include "tink/aead/aes_gcm_key_manager.h"
+#include "tink/internal/fips_utils.h"
+#include "tink/internal/key_gen_configuration_impl.h"
+#include "tink/mac/aes_cmac_key_manager.h"
+#include "tink/mac/hmac_key_manager.h"
+#include "tink/prf/hmac_prf_key_manager.h"
+#include "tink/signature/ecdsa_verify_key_manager.h"
+#include "tink/signature/rsa_ssa_pkcs1_verify_key_manager.h"
+#include "tink/signature/rsa_ssa_pss_verify_key_manager.h"
+#include "tink/util/test_matchers.h"
+#include "proto/tink.pb.h"
+
+namespace crypto {
+namespace tink {
+namespace {
+
+using ::crypto::tink::test::IsOk;
+using ::crypto::tink::test::StatusIs;
+using ::google::crypto::tink::KeyData;
+using ::google::crypto::tink::KeyTemplate;
+
+class KeyGenFips1402Test : public testing::Test {
+ protected:
+ void TearDown() override { internal::UnSetFipsRestricted(); }
+};
+
+TEST_F(KeyGenFips1402Test, KeyGenConfigFips1402) {
+ if (!internal::IsFipsEnabledInSsl()) {
+ GTEST_SKIP() << "Only test in FIPS mode";
+ }
+
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(HmacKeyManager().get_key_type()),
+ IsOk());
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(AesCtrHmacAeadKeyManager().get_key_type()),
+ IsOk());
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(AesGcmKeyManager().get_key_type()),
+ IsOk());
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(HmacPrfKeyManager().get_key_type()),
+ IsOk());
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(EcdsaVerifyKeyManager().get_key_type()),
+ IsOk());
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(RsaSsaPssVerifyKeyManager().get_key_type()),
+ IsOk());
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(RsaSsaPkcs1VerifyKeyManager().get_key_type()),
+ IsOk());
+}
+
+TEST_F(KeyGenFips1402Test, KeyGenConfigFips1402FailsInNonFipsMode) {
+ if (internal::IsFipsEnabledInSsl()) {
+ GTEST_SKIP() << "Only test in non-FIPS mode";
+ }
+
+ EXPECT_DEATH_IF_SUPPORTED(
+ KeyGenConfigFips140_2(),
+ "BoringSSL not built with the BoringCrypto module.");
+}
+
+TEST_F(KeyGenFips1402Test, NonFipsTypeNotPresent) {
+ if (!internal::IsFipsEnabledInSsl()) {
+ GTEST_SKIP() << "Only test in FIPS mode";
+ }
+
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(AesCmacKeyManager().get_key_type())
+ .status(),
+ StatusIs(absl::StatusCode::kNotFound));
+}
+
+TEST_F(KeyGenFips1402Test, NewKeyData) {
+ if (!internal::IsFipsEnabledInSsl()) {
+ GTEST_SKIP() << "Only test in FIPS mode";
+ }
+
+ // TODO(b/265705174): Replace with KeysetHandle::GenerateNew once that takes a
+ // config parameter.
+ KeyTemplate templ = AeadKeyTemplates::Aes128Gcm();
+ util::StatusOr<internal::KeyTypeInfoStore::Info*> info =
+ internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(templ.type_url());
+ ASSERT_THAT(info, IsOk());
+
+ util::StatusOr<std::unique_ptr<KeyData>> key_data =
+ (*info)->key_factory().NewKeyData(templ.value());
+ EXPECT_THAT(key_data, IsOk());
+}
+
+} // namespace
+} // namespace tink
+} // namespace crypto |
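Review bot: `KeyGenConfigFips1402` asserts only the verify-side key types for the three signature schemes, although `RegisterSignature` in key_gen_fips_140_2.cc also registers `EcdsaSignKeyManager`, `RsaSsaPssSignKeyManager` and `RsaSsaPkcs1SignKeyManager`. For a key-generation configuration the private-key types are the ones callers will ask for, so a regression that dropped them would pass this test. Adding matching expectations such as `.Get(EcdsaSignKeyManager().get_key_type())` checked with `IsOk()`, together with the sign-manager includes and the corresponding test deps, would cover them.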