use crate::*;
use async_trait::*;
use secret_vault_value::SecretValue;
/// A trait that defines the encryption and decryption of a value using a data encryption key
/// and additional authenticated data (AEAD).
///
/// The `Aad` type parameter is the caller-chosen associated data. Under AEAD semantics the
/// `aad` given to [`AeadEncryption::decrypt_value`] must be the same value that was given to
/// [`AeadEncryption::encrypt_value`]; a mismatch, or a modified cipher text, is expected to
/// surface as an `Err` rather than as recovered plain text. The concrete cipher and the
/// nonce/tag handling are left to the implementor — this trait fixes only the shape of the API.
#[async_trait]
pub trait AeadEncryption<Aad> {
    /// Encrypts `plain_text` under `encryption_key`, authenticating `aad` alongside it.
    ///
    /// Returns the resulting [`CipherText`], or the implementation's error through
    /// `KmsAeadResult` if encryption fails.
    async fn encrypt_value(
        &self,
        aad: &Aad,
        plain_text: &SecretValue,
        encryption_key: &DataEncryptionKey,
    ) -> KmsAeadResult<CipherText>;

    /// Decrypts `cipher_text` with `encryption_key`, verifying it against `aad`.
    ///
    /// Returns the recovered [`SecretValue`]. An implementation is expected to return an
    /// error — not unauthenticated plain text — when the key or the `aad` does not match
    /// the one used at encryption time, or when the cipher text has been altered.
    async fn decrypt_value(
        &self,
        aad: &Aad,
        cipher_text: &CipherText,
        encryption_key: &DataEncryptionKey,
    ) -> KmsAeadResult<SecretValue>;
}
/// A trait that defines the envelope encryption and decryption of a value using
/// a data encryption key (DEK), a key encryption key (KEK) from KMS providers,
/// and additional authenticated data (AEAD).
///
/// Two forms of the DEK appear in this API: [`DataEncryptionKey`] (the plain key that
/// actually encrypts data) and [`EncryptedDataEncryptionKey`] (the same key wrapped by the
/// KMS-held KEK, which is the form that can be stored next to the cipher text). The `*_with_dek`
/// methods take the plain key; the `*_with_encrypted_dek` methods take the wrapped key, so an
/// implementation presumably has to unwrap it through the KMS provider first — confirm against
/// the implementor. As with [`AeadEncryption`], the `aad` passed to any decrypt method must be
/// the one used when the value was encrypted.
#[async_trait]
pub trait KmsAeadEnvelopeEncryption<Aad> {
    /// Encrypts the plain text using a new data encryption key.
    ///
    /// Returns a [`CipherTextWithEncryptedKey`], i.e. the cipher text bundled with the
    /// encrypted form of the DEK that produced it, so the caller does not have to manage
    /// the key separately.
    async fn encrypt_value(
        &self,
        aad: &Aad,
        plain_text: &SecretValue,
    ) -> KmsAeadResult<CipherTextWithEncryptedKey>;

    /// Decrypts a value produced by [`KmsAeadEnvelopeEncryption::encrypt_value`], using the
    /// encrypted data encryption key bundled in `cipher_text`.
    async fn decrypt_value(
        &self,
        aad: &Aad,
        cipher_text: &CipherTextWithEncryptedKey,
    ) -> KmsAeadResult<SecretValue>;

    /// Encrypts the plain text using the provided (plain) data encryption key.
    ///
    /// Only the [`CipherText`] is returned; the caller remains responsible for keeping the
    /// corresponding encrypted DEK in order to decrypt later.
    async fn encrypt_value_with_dek(
        &self,
        aad: &Aad,
        plain_text: &SecretValue,
        dek: &DataEncryptionKey,
    ) -> KmsAeadResult<CipherText>;

    /// Encrypts the plain text using the provided encrypted data encryption key.
    async fn encrypt_value_with_encrypted_dek(
        &self,
        aad: &Aad,
        plain_text: &SecretValue,
        dek: &EncryptedDataEncryptionKey,
    ) -> KmsAeadResult<CipherText>;

    /// Decrypts the cipher text using the provided (plain) data encryption key.
    ///
    /// Counterpart of [`KmsAeadEnvelopeEncryption::encrypt_value_with_dek`]; note the
    /// parameter is a [`DataEncryptionKey`], not its encrypted form.
    async fn decrypt_value_with_dek(
        &self,
        aad: &Aad,
        cipher_text: &CipherText,
        data_encryption_key: &DataEncryptionKey,
    ) -> KmsAeadResult<SecretValue>;

    /// Decrypts the cipher text using the provided encrypted data encryption key.
    ///
    /// Counterpart of [`KmsAeadEnvelopeEncryption::encrypt_value_with_encrypted_dek`].
    async fn decrypt_value_with_encrypted_dek(
        &self,
        aad: &Aad,
        cipher_text: &CipherText,
        encrypted_data_encryption_key: &EncryptedDataEncryptionKey,
    ) -> KmsAeadResult<SecretValue>;

    /// Generates a new data encryption key and encrypts it using the KMS provider.
    ///
    /// Returns both the plain [`DataEncryptionKey`] and its KMS-wrapped
    /// [`EncryptedDataEncryptionKey`]. The plain key is live secret material: it is the
    /// value to hand to the `*_with_dek` methods in memory, while the encrypted form is the
    /// one that is safe to persist alongside the cipher text.
    async fn generate_new_dek(
        &self,
    ) -> KmsAeadResult<(DataEncryptionKey, EncryptedDataEncryptionKey)>;
}