use cosmian_kmip::kmip_2_1::{
kmip_attributes::Attributes,
kmip_objects::Object,
kmip_operations::{Decrypt, DecryptResponse, Encrypt, EncryptResponse},
kmip_types::VendorAttributeValue,
};
pub use elliptic_curves::CURVE_25519_Q_LENGTH_BITS;
pub use password_derivation::FIPS_MIN_SALT_SIZE;
use crate::error::CryptoError;
// Modules under `#[cfg(feature = "non-fips")]` are compiled only when the
// `non-fips` feature is enabled; a build without it ships only the
// remaining (ungated) modules.
#[cfg(feature = "non-fips")]
pub mod anonymization;
pub mod certificates;
#[cfg(feature = "non-fips")]
pub mod cover_crypt;
pub mod dh_shared_keys;
pub mod elliptic_curves;
#[cfg(feature = "non-fips")]
pub mod fpe;
#[cfg(feature = "non-fips")]
pub mod kem;
pub mod password_derivation;
#[cfg(feature = "non-fips")]
pub mod pqc;
pub mod rsa;
pub mod secret;
pub mod symmetric;
pub mod wrap;
/// Encryption half of a scheme driven by KMIP `Encrypt` requests.
pub trait EncryptionSystem {
    /// Serves `request` and returns the corresponding `EncryptResponse`.
    ///
    /// # Errors
    ///
    /// Returns a [`CryptoError`] when the request cannot be served.
    fn encrypt(&self, request: &Encrypt) -> Result<EncryptResponse, CryptoError>;
}
/// Forwards to the boxed value, so a `Box<dyn EncryptionSystem>` (the bound is
/// `?Sized`) is itself an [`EncryptionSystem`].
impl<T: EncryptionSystem + ?Sized> EncryptionSystem for Box<T> {
    fn encrypt(&self, request: &Encrypt) -> Result<EncryptResponse, CryptoError> {
        // Deref coercion turns `&Box<T>` into `&T`, which dispatches to the
        // inner implementation rather than recursing on the box.
        let inner: &T = self;
        inner.encrypt(request)
    }
}
/// Decryption half of a scheme driven by KMIP `Decrypt` requests.
pub trait DecryptionSystem {
    /// Serves `request` and returns the corresponding `DecryptResponse`.
    ///
    /// # Errors
    ///
    /// Returns a [`CryptoError`] when the request cannot be served.
    fn decrypt(&self, request: &Decrypt) -> Result<DecryptResponse, CryptoError>;
}
/// A key pair held as `(private_key, public_key)` KMIP objects, in that order.
///
/// The inner tuple is public, so it can be destructured directly; the accessor
/// methods on the `impl` block name the two halves explicitly.
pub struct KeyPair(pub (Object, Object));
impl KeyPair {
    /// Builds a pair from its private and public halves, stored in that order.
    #[must_use]
    pub const fn new(private_key: Object, public_key: Object) -> Self {
        let halves = (private_key, public_key);
        Self(halves)
    }

    /// Borrows the private half (first element of the tuple).
    #[must_use]
    pub const fn private_key(&self) -> &Object {
        let Self((private, _)) = self;
        private
    }

    /// Borrows the public half (second element of the tuple).
    #[must_use]
    pub const fn public_key(&self) -> &Object {
        let Self((_, public)) = self;
        public
    }

    /// Mutably borrows the private half.
    pub const fn private_key_mut(&mut self) -> &mut Object {
        let Self((private, _)) = self;
        private
    }

    /// Mutably borrows the public half.
    pub const fn public_key_mut(&mut self) -> &mut Object {
        let Self((_, public)) = self;
        public
    }
}
/// Vendor-attribute name under which cover_crypt attributes are stored.
pub const VENDOR_ATTR_COVER_CRYPT_ATTR: &str = "cover_crypt_attributes";
/// Vendor-attribute name under which the cover_crypt access structure is stored.
pub const VENDOR_ATTR_COVER_CRYPT_ACCESS_STRUCTURE: &str = "cover_crypt_access_structure";
/// Vendor-attribute name under which the cover_crypt access policy is stored;
/// read back by `access_policy_from_attributes`.
pub const VENDOR_ATTR_COVER_CRYPT_ACCESS_POLICY: &str = "cover_crypt_access_policy";
/// Vendor-attribute name under which a cover_crypt rekey action is stored.
pub const VENDOR_ATTR_COVER_CRYPT_REKEY_ACTION: &str = "cover_crypt_rekey_action";
/// Reads the cover_crypt access policy stored in `attributes` under the vendor
/// attribute [`VENDOR_ATTR_COVER_CRYPT_ACCESS_POLICY`] for `vendor_id`.
///
/// # Errors
///
/// Returns [`CryptoError::Kmip`] when the attribute is absent, is not a
/// `ByteString`, or its bytes are not valid UTF-8.
pub fn access_policy_from_attributes(
    vendor_id: &str,
    attributes: &Attributes,
) -> Result<String, CryptoError> {
    let Some(value) =
        attributes.get_vendor_attribute_value(vendor_id, VENDOR_ATTR_COVER_CRYPT_ACCESS_POLICY)
    else {
        return Err(CryptoError::Kmip(
            "the attributes do not contain an Access Policy".to_owned(),
        ));
    };

    let bytes = match value {
        VendorAttributeValue::ByteString(bytes) => bytes,
        _ => {
            return Err(CryptoError::Kmip(
                "the Access Policy is not a byte string".to_owned(),
            ))
        }
    };

    // Malformed policy bytes are rejected outright rather than converted
    // lossily, so a bad attribute surfaces as an error instead of a mangled policy.
    String::from_utf8(bytes.clone()).map_err(|e| {
        CryptoError::Kmip(format!(
            "failed to read Access Policy string from the (vendor) attributes bytes: {e}"
        ))
    })
}