Class PrfBasedDeriverKeyManager

  • All Implemented Interfaces:
    KeyManager<java.lang.Void>

    public final class PrfBasedDeriverKeyManager
    extends java.lang.Object
    implements KeyManager<java.lang.Void>
    com.google.crypto.tink.internal.KeyTypeManager for PrfBasedDeriverKey.

    This is implemented directly as a KeyManager. Usually, we use LegacyKeyManagerImpl to provide an implementation of a KeyManager on top of the individual registries that work on key objects. However, at the moment this does not work for key derivation.

    The reason is that the KeysetHandle still generates new keys by going through the KeyManagers (instead of going directly to the key creation registry). I don't want to change this right now -- it would require some fallback code which is always brittle.

    Unfortunately, implementing the required behavior of the KeyManager based on the KeyCreation registry is not generic.

    Usually, the behavior of the key manager is simply this: assume that the input to generateNewKey() is a serialization with OutputPrefixType = RAW, and build the corresponding parameter serialization. Then parse it and pass the result to the key creation registry.

    For key creation, the behavior is slightly different: the serialization of key derivation parameters has been defined to always satisfy that the outer OutputPrefixType is equal to the one given in the proto PrfBasedDeriverKeyFormat, field prf_key_template. Hence we cannot assume raw -- instead, we have to parse it and use this one.

    Similar things hold for creating a primitive from a Key -- but here Tink already uses the PrimitiveCreationRegistry fully, so we don't need to worry about it here. Instead, we just throw when these functions are called.
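
How this looks from the caller's side, as an added example (not code from the Tink project): it assumes Tink Java's public key derivation classes KeyDerivationConfig, PrfBasedKeyDerivationParameters and KeysetDeriver, and the class name and salt value are made up for illustration. The derived key keeps the parameters, including the TINK output prefix of AES256_GCM, that were set as derived-key parameters instead of being forced to RAW, and the same salt always yields the same key.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.RegistryConfiguration;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.aead.PredefinedAeadParameters;
import com.google.crypto.tink.keyderivation.KeyDerivationConfig;
import com.google.crypto.tink.keyderivation.KeysetDeriver;
import com.google.crypto.tink.keyderivation.PrfBasedKeyDerivationParameters;
import com.google.crypto.tink.prf.HkdfPrfParameters;
import com.google.crypto.tink.prf.PrfConfig;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical class name; added example, not part of Tink.
public final class DeriveAeadKeysetExample {
  public static void main(String[] args) throws Exception {
    AeadConfig.register();
    PrfConfig.register();
    KeyDerivationConfig.register();

    // HKDF-SHA256 as the PRF; AES256_GCM (TINK output prefix) as the derived key type.
    PrfBasedKeyDerivationParameters params =
        PrfBasedKeyDerivationParameters.builder()
            .setPrfParameters(
                HkdfPrfParameters.builder()
                    .setKeySizeBytes(32)
                    .setHashType(HkdfPrfParameters.HashType.SHA256)
                    .build())
            .setDerivedKeyParameters(PredefinedAeadParameters.AES256_GCM)
            .build();

    // New-key generation for the deriver keyset.
    KeysetHandle deriverHandle = KeysetHandle.generateNew(params);
    KeysetDeriver deriver =
        deriverHandle.getPrimitive(RegistryConfiguration.get(), KeysetDeriver.class);

    byte[] salt = "tenant-42".getBytes(StandardCharsets.UTF_8); // constructed sample salt
    KeysetHandle first = deriver.deriveKeyset(salt);
    KeysetHandle second = deriver.deriveKeyset(salt);

    // The derived key carries the requested parameters, output prefix included.
    if (!first.getPrimary().getKey().getParameters().equals(PredefinedAeadParameters.AES256_GCM)) {
      throw new IllegalStateException("derived key parameters differ from the request");
    }
    // Same salt, same key: a ciphertext from one derivation decrypts with the other.
    byte[] plaintext = "payload".getBytes(StandardCharsets.UTF_8);
    byte[] ct = first.getPrimitive(RegistryConfiguration.get(), Aead.class).encrypt(plaintext, salt);
    byte[] pt = second.getPrimitive(RegistryConfiguration.get(), Aead.class).decrypt(ct, salt);
    if (!Arrays.equals(plaintext, pt)) throw new IllegalStateException("round trip failed");
  }
}
```

The deriver keyset is the long-term secret here: anyone holding it can recompute every derived key from its salt, so it needs the same protection as a master key.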

    • Method Summary

      Modifier and Type Method Description
      boolean doesSupport​(java.lang.String typeUrl)
      Returns true iff this KeyManager supports key type identified by typeUrl.
      java.lang.String getKeyType()
      Returns the type URL that identifies the key type of keys managed by this KeyManager.
      java.lang.Void getPrimitive​(com.google.protobuf.ByteString serializedKey)
      Constructs an instance of P for the key given in serializedKey, which must be a serialized key protocol buffer handled by this manager.
      java.lang.Void getPrimitive​(com.google.protobuf.MessageLite key)
      Constructs an instance of P for the key given in key.
      java.lang.Class<java.lang.Void> getPrimitiveClass()
      Returns the primitive class object of the P.
      int getVersion()
      Returns the version number of this KeyManager.
      com.google.protobuf.MessageLite newKey​(com.google.protobuf.ByteString serializedKeyFormat)
      Generates a new key according to specification in serializedKeyFormat, which must be a serialized key format protocol buffer handled by this manager.
      com.google.protobuf.MessageLite newKey​(com.google.protobuf.MessageLite keyFormat)
      Generates a new key according to specification in keyFormat.
      com.google.crypto.tink.proto.KeyData newKeyData​(com.google.protobuf.ByteString serializedKeyFormat)
      Generates a new KeyData according to specification in serializedKeyFormat.
      static void register​(boolean newKeyAllowed)  
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Method Detail

      • getPrimitive

        public java.lang.Void getPrimitive​(com.google.protobuf.ByteString serializedKey)
                                    throws java.security.GeneralSecurityException
        Description copied from interface: KeyManager
        Constructs an instance of P for the key given in serializedKey, which must be a serialized key protocol buffer handled by this manager.

        For primitives of type Mac, Aead, PublicKeySign, PublicKeyVerify, DeterministicAead, HybridEncrypt, and HybridDecrypt this should be a primitive which ignores the output prefix and assumes "RAW".

        Specified by:
        getPrimitive in interface KeyManager<java.lang.Void>
        Returns:
        the new constructed P
        Throws:
        java.security.GeneralSecurityException - if the key given in serializedKey is corrupted or not supported
      • getPrimitive

        public final java.lang.Void getPrimitive​(com.google.protobuf.MessageLite key)
                                          throws java.security.GeneralSecurityException
        Description copied from interface: KeyManager
        Constructs an instance of P for the key given in key.

        For primitives of type Mac, Aead, PublicKeySign, PublicKeyVerify, DeterministicAead, HybridEncrypt, and HybridDecrypt this should be a primitive which ignores the output prefix and assumes "RAW".

        This method is not used by Tink. It does not need to be implemented.

        Specified by:
        getPrimitive in interface KeyManager<java.lang.Void>
        Returns:
        the new constructed P
        Throws:
        java.security.GeneralSecurityException - if the key given in key is corrupted or not supported
      • newKey

        public final com.google.protobuf.MessageLite newKey​(com.google.protobuf.ByteString serializedKeyFormat)
                                                     throws java.security.GeneralSecurityException
        Description copied from interface: KeyManager
        Generates a new key according to specification in serializedKeyFormat, which must be a serialized key format protocol buffer handled by this manager.

        This method is not used by Tink anymore. It does not need to be implemented.

        Specified by:
        newKey in interface KeyManager<java.lang.Void>
        Returns:
        the new generated key
        Throws:
        java.security.GeneralSecurityException - if the specified format is wrong or not supported
      • newKey

        public final com.google.protobuf.MessageLite newKey​(com.google.protobuf.MessageLite keyFormat)
                                                     throws java.security.GeneralSecurityException
        Description copied from interface: KeyManager
        Generates a new key according to specification in keyFormat.

        This method is only used by Registry.newKey which is deprecated and not used by Tink anymore. This method does not need to be implemented.

        Specified by:
        newKey in interface KeyManager<java.lang.Void>
        Returns:
        the new generated key
        Throws:
        java.security.GeneralSecurityException - if the specified format is wrong or not supported
      • doesSupport

        public final boolean doesSupport​(java.lang.String typeUrl)
        Description copied from interface: KeyManager
        Returns true iff this KeyManager supports key type identified by typeUrl.

        This method is not used by Tink anymore. It does not need to be implemented.

        Specified by:
        doesSupport in interface KeyManager<java.lang.Void>
      • getKeyType

        public final java.lang.String getKeyType()
        Description copied from interface: KeyManager
        Returns the type URL that identifies the key type of keys managed by this KeyManager.
        Specified by:
        getKeyType in interface KeyManager<java.lang.Void>
      • getVersion

        public int getVersion()
        Description copied from interface: KeyManager
        Returns the version number of this KeyManager.

        This method is not used by Tink anymore. It does not need to be implemented.

        Specified by:
        getVersion in interface KeyManager<java.lang.Void>
      • newKeyData

        public final com.google.crypto.tink.proto.KeyData newKeyData​(com.google.protobuf.ByteString serializedKeyFormat)
                                                              throws java.security.GeneralSecurityException
        Description copied from interface: KeyManager
        Generates a new KeyData according to specification in serializedKeyFormat.
        Specified by:
        newKeyData in interface KeyManager<java.lang.Void>
        Returns:
        the new generated key
        Throws:
        java.security.GeneralSecurityException - if the specified format is wrong or not supported
      • getPrimitiveClass

        public final java.lang.Class<java.lang.Void> getPrimitiveClass()
        Description copied from interface: KeyManager
        Returns the primitive class object of the P. Should be implemented as return P.class; when implementing a key manager for primitive P.
        Specified by:
        getPrimitiveClass in interface KeyManager<java.lang.Void>
        Returns:
        P.class
      • register

        public static void register​(boolean newKeyAllowed)
                             throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException