authorcinlin <cinlin@google.com>2023-06-15 17:44:06 -0700
committerCopybara-Service <copybara-worker@google.com>2023-06-15 17:45:06 -0700
commit8089d30aabc84adf708aff279456793434cf4844 (patch)
treee5d875951e1c0d1a8e092b3a674bd470e65268f5 /cc/config
parenta5f46c3e1327e9ecc474d9bb4222124da4b59096 (diff)
downloadtink-8089d30aabc84adf708aff279456793434cf4844.tar.gz
Define KeyGenConfigFips140_2 C++ object. #tinkApiChange
Also mark this and ConfigFips140_2 as public. PiperOrigin-RevId: 540737691
Diffstat (limited to 'cc/config')
-rw-r--r--cc/config/BUILD.bazel91
-rw-r--r--cc/config/CMakeLists.txt86
-rw-r--r--cc/config/fips_140_2.h8
-rw-r--r--cc/config/key_gen_fips_140_2.cc96
-rw-r--r--cc/config/key_gen_fips_140_2.h33
-rw-r--r--cc/config/key_gen_fips_140_2_test.cc129
6 files changed, 396 insertions, 47 deletions
diff --git a/cc/config/BUILD.bazel b/cc/config/BUILD.bazel
index 6410ccf55..77a02c723 100644
--- a/cc/config/BUILD.bazel
+++ b/cc/config/BUILD.bazel
@@ -52,6 +52,59 @@ cc_library(
],
)
+cc_library(
+ name = "fips_140_2",
+ srcs = ["fips_140_2.cc"],
+ hdrs = ["fips_140_2.h"],
+ include_prefix = "tink/config",
+ visibility = ["//visibility:public"],
+ deps = [
+ "//:configuration",
+ "//aead:aead_wrapper",
+ "//aead:aes_ctr_hmac_aead_key_manager",
+ "//aead:aes_gcm_key_manager",
+ "//internal:configuration_impl",
+ "//mac:hmac_key_manager",
+ "//mac:mac_wrapper",
+ "//mac/internal:chunked_mac_wrapper",
+ "//prf:hmac_prf_key_manager",
+ "//prf:prf_set_wrapper",
+ "//signature:ecdsa_sign_key_manager",
+ "//signature:ecdsa_verify_key_manager",
+ "//signature:public_key_sign_wrapper",
+ "//signature:public_key_verify_wrapper",
+ "//signature:rsa_ssa_pkcs1_sign_key_manager",
+ "//signature:rsa_ssa_pkcs1_verify_key_manager",
+ "//signature:rsa_ssa_pss_sign_key_manager",
+ "//signature:rsa_ssa_pss_verify_key_manager",
+ "@com_google_absl//absl/log:check",
+ ],
+)
+
+cc_library(
+ name = "key_gen_fips_140_2",
+ srcs = ["key_gen_fips_140_2.cc"],
+ hdrs = ["key_gen_fips_140_2.h"],
+ include_prefix = "tink/config",
+ visibility = ["//visibility:public"],
+ deps = [
+ "//:key_gen_configuration",
+ "//aead:aes_ctr_hmac_aead_key_manager",
+ "//aead:aes_gcm_key_manager",
+ "//internal:fips_utils",
+ "//internal:key_gen_configuration_impl",
+ "//mac:hmac_key_manager",
+ "//prf:hmac_prf_key_manager",
+ "//signature:ecdsa_sign_key_manager",
+ "//signature:ecdsa_verify_key_manager",
+ "//signature:rsa_ssa_pkcs1_sign_key_manager",
+ "//signature:rsa_ssa_pkcs1_verify_key_manager",
+ "//signature:rsa_ssa_pss_sign_key_manager",
+ "//signature:rsa_ssa_pss_verify_key_manager",
+ "@com_google_absl//absl/log:check",
+ ],
+)
+
# tests
cc_test(
@@ -104,44 +157,40 @@ cc_test(
],
)
-cc_library(
- name = "fips_140_2",
- srcs = ["fips_140_2.cc"],
- hdrs = ["fips_140_2.h"],
- include_prefix = "tink/config",
+cc_test(
+ name = "fips_140_2_test",
+ srcs = ["fips_140_2_test.cc"],
deps = [
- "//:configuration",
- "//aead:aead_wrapper",
+ ":fips_140_2",
+ "//aead:aead_key_templates",
"//aead:aes_ctr_hmac_aead_key_manager",
"//aead:aes_gcm_key_manager",
"//internal:configuration_impl",
+ "//internal:fips_utils",
+ "//mac:aes_cmac_key_manager",
"//mac:hmac_key_manager",
- "//mac:mac_wrapper",
- "//mac/internal:chunked_mac_wrapper",
"//prf:hmac_prf_key_manager",
- "//prf:prf_set_wrapper",
- "//signature:ecdsa_sign_key_manager",
+ "//proto:tink_cc_proto",
"//signature:ecdsa_verify_key_manager",
- "//signature:public_key_sign_wrapper",
- "//signature:public_key_verify_wrapper",
- "//signature:rsa_ssa_pkcs1_sign_key_manager",
"//signature:rsa_ssa_pkcs1_verify_key_manager",
- "//signature:rsa_ssa_pss_sign_key_manager",
"//signature:rsa_ssa_pss_verify_key_manager",
- "@com_google_absl//absl/log:check",
+ "//util:test_keyset_handle",
+ "//util:test_matchers",
+ "//util:test_util",
+ "@com_google_googletest//:gtest_main",
],
)
cc_test(
- name = "fips_140_2_test",
- srcs = ["fips_140_2_test.cc"],
+ name = "key_gen_fips_140_2_test",
+ srcs = ["key_gen_fips_140_2_test.cc"],
deps = [
- ":fips_140_2",
+ ":key_gen_fips_140_2",
"//aead:aead_key_templates",
"//aead:aes_ctr_hmac_aead_key_manager",
"//aead:aes_gcm_key_manager",
- "//internal:configuration_impl",
"//internal:fips_utils",
+ "//internal:key_gen_configuration_impl",
"//mac:aes_cmac_key_manager",
"//mac:hmac_key_manager",
"//prf:hmac_prf_key_manager",
@@ -149,9 +198,7 @@ cc_test(
"//signature:ecdsa_verify_key_manager",
"//signature:rsa_ssa_pkcs1_verify_key_manager",
"//signature:rsa_ssa_pss_verify_key_manager",
- "//util:test_keyset_handle",
"//util:test_matchers",
- "//util:test_util",
"@com_google_googletest//:gtest_main",
],
)
diff --git a/cc/config/CMakeLists.txt b/cc/config/CMakeLists.txt
index 6a47520d6..f3c086ed1 100644
--- a/cc/config/CMakeLists.txt
+++ b/cc/config/CMakeLists.txt
@@ -40,6 +40,55 @@ tink_cc_library(
tink::util::status
)
+tink_cc_library(
+ NAME fips_140_2
+ SRCS
+ fips_140_2.cc
+ fips_140_2.h
+ DEPS
+ absl::check
+ tink::core::configuration
+ tink::aead::aead_wrapper
+ tink::aead::aes_ctr_hmac_aead_key_manager
+ tink::aead::aes_gcm_key_manager
+ tink::internal::configuration_impl
+ tink::mac::hmac_key_manager
+ tink::mac::mac_wrapper
+ tink::mac::internal::chunked_mac_wrapper
+ tink::prf::hmac_prf_key_manager
+ tink::prf::prf_set_wrapper
+ tink::signature::ecdsa_sign_key_manager
+ tink::signature::ecdsa_verify_key_manager
+ tink::signature::public_key_sign_wrapper
+ tink::signature::public_key_verify_wrapper
+ tink::signature::rsa_ssa_pkcs1_sign_key_manager
+ tink::signature::rsa_ssa_pkcs1_verify_key_manager
+ tink::signature::rsa_ssa_pss_sign_key_manager
+ tink::signature::rsa_ssa_pss_verify_key_manager
+)
+
+tink_cc_library(
+ NAME key_gen_fips_140_2
+ SRCS
+ key_gen_fips_140_2.cc
+ key_gen_fips_140_2.h
+ DEPS
+ absl::check
+ tink::core::key_gen_configuration
+ tink::aead::aes_ctr_hmac_aead_key_manager
+ tink::aead::aes_gcm_key_manager
+ tink::internal::fips_utils
+ tink::internal::key_gen_configuration_impl
+ tink::mac::hmac_key_manager
+ tink::prf::hmac_prf_key_manager
+ tink::signature::ecdsa_sign_key_manager
+ tink::signature::ecdsa_verify_key_manager
+ tink::signature::rsa_ssa_pkcs1_sign_key_manager
+ tink::signature::rsa_ssa_pkcs1_verify_key_manager
+ tink::signature::rsa_ssa_pss_sign_key_manager
+ tink::signature::rsa_ssa_pss_verify_key_manager
+)
+
# tests
tink_cc_test(
@@ -88,53 +137,48 @@ tink_cc_test(
tink::util::test_matchers
)
-tink_cc_library(
- NAME fips_140_2
+tink_cc_test(
+ NAME fips_140_2_test
SRCS
- fips_140_2.cc
- fips_140_2.h
+ fips_140_2_test.cc
DEPS
- absl::check
- tink::core::configuration
- tink::aead::aead_wrapper
+ tink::config::fips_140_2
+ gmock
+ tink::aead::aead_key_templates
tink::aead::aes_ctr_hmac_aead_key_manager
tink::aead::aes_gcm_key_manager
tink::internal::configuration_impl
+ tink::internal::fips_utils
+ tink::mac::aes_cmac_key_manager
tink::mac::hmac_key_manager
- tink::mac::mac_wrapper
- tink::mac::internal::chunked_mac_wrapper
tink::prf::hmac_prf_key_manager
- tink::prf::prf_set_wrapper
- tink::signature::ecdsa_sign_key_manager
tink::signature::ecdsa_verify_key_manager
- tink::signature::public_key_sign_wrapper
- tink::signature::public_key_verify_wrapper
- tink::signature::rsa_ssa_pkcs1_sign_key_manager
tink::signature::rsa_ssa_pkcs1_verify_key_manager
- tink::signature::rsa_ssa_pss_sign_key_manager
tink::signature::rsa_ssa_pss_verify_key_manager
+ tink::util::test_keyset_handle
+ tink::util::test_matchers
+ tink::util::test_util
+ tink::proto::tink_cc_proto
)
tink_cc_test(
- NAME fips_140_2_test
+ NAME key_gen_fips_140_2_test
SRCS
- fips_140_2_test.cc
+ key_gen_fips_140_2_test.cc
DEPS
- tink::config::fips_140_2
+ tink::config::key_gen_fips_140_2
gmock
tink::aead::aead_key_templates
tink::aead::aes_ctr_hmac_aead_key_manager
tink::aead::aes_gcm_key_manager
- tink::internal::configuration_impl
tink::internal::fips_utils
+ tink::internal::key_gen_configuration_impl
tink::mac::aes_cmac_key_manager
tink::mac::hmac_key_manager
tink::prf::hmac_prf_key_manager
tink::signature::ecdsa_verify_key_manager
tink::signature::rsa_ssa_pkcs1_verify_key_manager
tink::signature::rsa_ssa_pss_verify_key_manager
- tink::util::test_keyset_handle
tink::util::test_matchers
- tink::util::test_util
tink::proto::tink_cc_proto
)
diff --git a/cc/config/fips_140_2.h b/cc/config/fips_140_2.h
index ae4b93d48..24fa9b1a1 100644
--- a/cc/config/fips_140_2.h
+++ b/cc/config/fips_140_2.h
@@ -12,7 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.
//
-///////////////////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////////////////////
#ifndef TINK_CONFIG_FIPS_140_2_H_
#define TINK_CONFIG_FIPS_140_2_H_
@@ -22,9 +22,9 @@
namespace crypto {
namespace tink {
-// Allows primitive generation using FIPS 140-2-compliant key types. Importing
-// this Configuration restricts Tink to FIPS globally and requires BoringSSL to
-// be built with the BoringCrypto module.
+// Configuration used to generate primitives using FIPS 140-2-compliant key
+// types. Importing this Configuration restricts Tink to FIPS globally and
+// requires BoringSSL to be built with the BoringCrypto module.
const Configuration& ConfigFips140_2();
} // namespace tink
diff --git a/cc/config/key_gen_fips_140_2.cc b/cc/config/key_gen_fips_140_2.cc
new file mode 100644
index 000000000..8734411bc
--- /dev/null
+++ b/cc/config/key_gen_fips_140_2.cc
@@ -0,0 +1,96 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#include "tink/config/key_gen_fips_140_2.h"
+
+#include "absl/log/check.h"
+#include "tink/aead/aes_ctr_hmac_aead_key_manager.h"
+#include "tink/aead/aes_gcm_key_manager.h"
+#include "tink/internal/fips_utils.h"
+#include "tink/internal/key_gen_configuration_impl.h"
+#include "tink/key_gen_configuration.h"
+#include "tink/mac/hmac_key_manager.h"
+#include "tink/prf/hmac_prf_key_manager.h"
+#include "tink/signature/ecdsa_verify_key_manager.h"
+#include "tink/signature/rsa_ssa_pkcs1_sign_key_manager.h"
+#include "tink/signature/rsa_ssa_pkcs1_verify_key_manager.h"
+#include "tink/signature/rsa_ssa_pss_sign_key_manager.h"
+#include "tink/signature/rsa_ssa_pss_verify_key_manager.h"
+#include "tink/signature/ecdsa_sign_key_manager.h"
+
+namespace crypto {
+namespace tink {
+namespace {
+
+util::Status RegisterMac(KeyGenConfiguration& config) {
+ return internal::KeyGenConfigurationImpl::RegisterKeyTypeManager(
+ absl::make_unique<HmacKeyManager>(), config);
+}
+
+util::Status RegisterAead(KeyGenConfiguration& config) {
+ util::Status status =
+ internal::KeyGenConfigurationImpl::RegisterKeyTypeManager(
+ absl::make_unique<AesCtrHmacAeadKeyManager>(), config);
+ if (!status.ok()) {
+ return status;
+ }
+ return internal::KeyGenConfigurationImpl::RegisterKeyTypeManager(
+ absl::make_unique<AesGcmKeyManager>(), config);
+}
+
+util::Status RegisterPrf(KeyGenConfiguration& config) {
+ return internal::KeyGenConfigurationImpl::RegisterKeyTypeManager(
+ absl::make_unique<HmacPrfKeyManager>(), config);
+}
+
+util::Status RegisterSignature(KeyGenConfiguration& config) {
+ util::Status status =
+ internal::KeyGenConfigurationImpl::RegisterAsymmetricKeyManagers(
+ absl::make_unique<EcdsaSignKeyManager>(),
+ absl::make_unique<EcdsaVerifyKeyManager>(), config);
+ if (!status.ok()) {
+ return status;
+ }
+ status = internal::KeyGenConfigurationImpl::RegisterAsymmetricKeyManagers(
+ absl::make_unique<RsaSsaPssSignKeyManager>(),
+ absl::make_unique<RsaSsaPssVerifyKeyManager>(), config);
+ if (!status.ok()) {
+ return status;
+ }
+ return internal::KeyGenConfigurationImpl::RegisterAsymmetricKeyManagers(
+ absl::make_unique<RsaSsaPkcs1SignKeyManager>(),
+ absl::make_unique<RsaSsaPkcs1VerifyKeyManager>(), config);
+}
+
+} // namespace
+
+const KeyGenConfiguration& KeyGenConfigFips140_2() {
+ static const KeyGenConfiguration* instance = [] {
+ internal::SetFipsRestricted();
+
+ static KeyGenConfiguration* config = new KeyGenConfiguration();
+ CHECK_OK(RegisterMac(*config));
+ CHECK_OK(RegisterAead(*config));
+ CHECK_OK(RegisterPrf(*config));
+ CHECK_OK(RegisterSignature(*config));
+
+ return config;
+ }();
+ return *instance;
+}
+
+} // namespace tink
+} // namespace crypto
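Review bot: `absl::make_unique` and `util::Status` are used throughout this new file, but neither `absl/memory/memory.h` nor `tink/util/status.h` is in its include list, so it compiles only through transitive includes. Add `#include "absl/memory/memory.h"` and `#include "tink/util/status.h"`, with the matching `@com_google_absl//absl/memory` and `//util:status` deps on the `key_gen_fips_140_2` target in BUILD.bazel and `absl::memory` / `tink::util::status` in CMakeLists.txt. In `KeyGenConfigFips140_2()`, the inner `static` on `config` is redundant because the lambda body runs once as the initializer of `instance`; `auto* config = new KeyGenConfiguration();` reads more clearly. The `ecdsa_sign_key_manager.h` include is also out of alphabetical order with the other signature headers.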
diff --git a/cc/config/key_gen_fips_140_2.h b/cc/config/key_gen_fips_140_2.h
new file mode 100644
index 000000000..e5ccc6a5e
--- /dev/null
+++ b/cc/config/key_gen_fips_140_2.h
@@ -0,0 +1,33 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#ifndef TINK_CONFIG_KEY_GEN_FIPS_140_2_H_
+#define TINK_CONFIG_KEY_GEN_FIPS_140_2_H_
+
+#include "tink/key_gen_configuration.h"
+
+namespace crypto {
+namespace tink {
+
+// KeyGenConfiguration used to generate keys using using FIPS 140-2-compliant
+// key types. Importing this KeyGenConfiguration restricts Tink to FIPS globally
+// and requires BoringSSL to be built with the BoringCrypto module.
+const KeyGenConfiguration& KeyGenConfigFips140_2();
+
+} // namespace tink
+} // namespace crypto
+
+#endif // TINK_CONFIG_KEY_GEN_FIPS_140_2_H_
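Review bot: The doc comment on `KeyGenConfigFips140_2()` says that "Importing" the configuration restricts Tink to FIPS, but in key_gen_fips_140_2.cc the switch is `internal::SetFipsRestricted()`, which runs on the first call to the function, changes process-wide state, and is never undone by this code. Every registration is also wrapped in `CHECK_OK`, and the death test expects "BoringSSL not built with the BoringCrypto module.", so a caller on a non-BoringCrypto build gets process termination rather than an error status. Both effects belong in the header, e.g. `// The first call puts Tink into FIPS-only mode for the whole process and CHECK-fails (terminates) if BoringSSL was not built with the BoringCrypto module.` The first comment line also has a doubled word, "using using". The comment on `ConfigFips140_2()` in fips_140_2.h uses the same "Importing" wording and presumably needs the same treatment.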
diff --git a/cc/config/key_gen_fips_140_2_test.cc b/cc/config/key_gen_fips_140_2_test.cc
new file mode 100644
index 000000000..9e92a09ba
--- /dev/null
+++ b/cc/config/key_gen_fips_140_2_test.cc
@@ -0,0 +1,129 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#include "tink/config/key_gen_fips_140_2.h"
+
+#include <memory>
+
+#include "gmock/gmock.h"
+#include "gtest/gtest.h"
+#include "tink/aead/aead_key_templates.h"
+#include "tink/aead/aes_ctr_hmac_aead_key_manager.h"
+#include "tink/aead/aes_gcm_key_manager.h"
+#include "tink/internal/fips_utils.h"
+#include "tink/internal/key_gen_configuration_impl.h"
+#include "tink/mac/aes_cmac_key_manager.h"
+#include "tink/mac/hmac_key_manager.h"
+#include "tink/prf/hmac_prf_key_manager.h"
+#include "tink/signature/ecdsa_verify_key_manager.h"
+#include "tink/signature/rsa_ssa_pkcs1_verify_key_manager.h"
+#include "tink/signature/rsa_ssa_pss_verify_key_manager.h"
+#include "tink/util/test_matchers.h"
+#include "proto/tink.pb.h"
+
+namespace crypto {
+namespace tink {
+namespace {
+
+using ::crypto::tink::test::IsOk;
+using ::crypto::tink::test::StatusIs;
+using ::google::crypto::tink::KeyData;
+using ::google::crypto::tink::KeyTemplate;
+
+class KeyGenFips1402Test : public testing::Test {
+ protected:
+ void TearDown() override { internal::UnSetFipsRestricted(); }
+};
+
+TEST_F(KeyGenFips1402Test, KeyGenConfigFips1402) {
+ if (!internal::IsFipsEnabledInSsl()) {
+ GTEST_SKIP() << "Only test in FIPS mode";
+ }
+
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(HmacKeyManager().get_key_type()),
+ IsOk());
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(AesCtrHmacAeadKeyManager().get_key_type()),
+ IsOk());
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(AesGcmKeyManager().get_key_type()),
+ IsOk());
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(HmacPrfKeyManager().get_key_type()),
+ IsOk());
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(EcdsaVerifyKeyManager().get_key_type()),
+ IsOk());
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(RsaSsaPssVerifyKeyManager().get_key_type()),
+ IsOk());
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(RsaSsaPkcs1VerifyKeyManager().get_key_type()),
+ IsOk());
+}
+
+TEST_F(KeyGenFips1402Test, KeyGenConfigFips1402FailsInNonFipsMode) {
+ if (internal::IsFipsEnabledInSsl()) {
+ GTEST_SKIP() << "Only test in non-FIPS mode";
+ }
+
+ EXPECT_DEATH_IF_SUPPORTED(
+ KeyGenConfigFips140_2(),
+ "BoringSSL not built with the BoringCrypto module.");
+}
+
+TEST_F(KeyGenFips1402Test, NonFipsTypeNotPresent) {
+ if (!internal::IsFipsEnabledInSsl()) {
+ GTEST_SKIP() << "Only test in FIPS mode";
+ }
+
+ EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(AesCmacKeyManager().get_key_type())
+ .status(),
+ StatusIs(absl::StatusCode::kNotFound));
+}
+
+TEST_F(KeyGenFips1402Test, NewKeyData) {
+ if (!internal::IsFipsEnabledInSsl()) {
+ GTEST_SKIP() << "Only test in FIPS mode";
+ }
+
+ // TODO(b/265705174): Replace with KeysetHandle::GenerateNew once that takes a
+ // config parameter.
+ KeyTemplate templ = AeadKeyTemplates::Aes128Gcm();
+ util::StatusOr<internal::KeyTypeInfoStore::Info*> info =
+ internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
+ KeyGenConfigFips140_2())
+ .Get(templ.type_url());
+ ASSERT_THAT(info, IsOk());
+
+ util::StatusOr<std::unique_ptr<KeyData>> key_data =
+ (*info)->key_factory().NewKeyData(templ.value());
+ EXPECT_THAT(key_data, IsOk());
+}
+
+} // namespace
+} // namespace tink
+} // namespace crypto
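Review bot: `KeyGenConfigFips1402` looks up only the verify key managers for ECDSA, RSA-SSA-PSS and RSA-SSA-PKCS1, while the managers that generate signature keys are the sign (private-key) managers that `RegisterSignature` registers alongside them. A regression that dropped or swapped a sign manager would therefore go unnoticed. Adding lookups for the three sign managers needs their headers in this file and the matching deps on `key_gen_fips_140_2_test` in BUILD.bazel and CMakeLists.txt. Separately, `TearDown` calls `internal::UnSetFipsRestricted()` after every test, whereas `KeyGenConfigFips140_2()` calls `SetFipsRestricted()` only on its first invocation, so later tests in the same process presumably run against the cached configuration with the global flag cleared; please confirm that is intended.

```cpp
TEST_F(KeyGenFips1402Test, KeyGenConfigFips1402) {
  // … unchanged: FIPS-mode skip and the existing MAC/AEAD/PRF/verify lookups …
  EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
                  KeyGenConfigFips140_2())
                  .Get(EcdsaSignKeyManager().get_key_type()),
              IsOk());
  EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
                  KeyGenConfigFips140_2())
                  .Get(RsaSsaPssSignKeyManager().get_key_type()),
              IsOk());
  EXPECT_THAT(internal::KeyGenConfigurationImpl::GetKeyTypeInfoStore(
                  KeyGenConfigFips140_2())
                  .Get(RsaSsaPkcs1SignKeyManager().get_key_type()),
              IsOk());
}
```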