libpep 0.12.0

Library for polymorphic encryption and pseudonymization
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169

//! Client type definitions.

use crate::data::traits::{BatchEncryptable, Encryptable, Encrypted};
#[cfg(feature = "offline")]
use crate::keys::GlobalPublicKeys;
use crate::keys::{KeyProvider, SessionKeys};
use rand_core::{CryptoRng, Rng};

/// A PEP client that can encrypt and decrypt data, based on session key pairs for pseudonyms and attributes.
#[derive(Clone)]
pub struct Client {
    pub(crate) keys: SessionKeys,
}

impl Client {
    /// Create a new PEP client from the given session keys.
    pub fn new(keys: SessionKeys) -> Self {
        Self { keys }
    }

    /// Dump the session keys.
    pub fn dump(&self) -> &SessionKeys {
        &self.keys
    }

    /// Restore a PEP client from session keys.
    pub fn restore(keys: SessionKeys) -> Self {
        Self { keys }
    }

    /// Encrypt data with the appropriate session public key.
    /// Automatically selects the correct key (pseudonym or attribute) based on the message type.
    pub fn encrypt<M, R>(&self, message: &M, rng: &mut R) -> M::EncryptedType
    where
        M: Encryptable,
        SessionKeys: KeyProvider<M::PublicKeyType>,
        R: Rng + CryptoRng,
    {
        message.encrypt(self.keys.get_key(), rng)
    }

    /// Decrypt encrypted data with the appropriate session secret key.
    /// Automatically selects the correct key (pseudonym or attribute) based on the encrypted type.
    /// With the `elgamal3` feature, returns `None` if the secret key doesn't match.
    #[cfg(feature = "elgamal3")]
    pub fn decrypt<E>(&self, encrypted: &E) -> Option<E::UnencryptedType>
    where
        E: Encrypted,
        SessionKeys: KeyProvider<E::SecretKeyType>,
    {
        encrypted.decrypt(self.keys.get_key())
    }

    /// Decrypt encrypted data with the appropriate session secret key.
    /// Automatically selects the correct key (pseudonym or attribute) based on the encrypted type.
    #[cfg(not(feature = "elgamal3"))]
    pub fn decrypt<E>(&self, encrypted: &E) -> E::UnencryptedType
    where
        E: Encrypted,
        SessionKeys: KeyProvider<E::SecretKeyType>,
    {
        encrypted.decrypt(self.keys.get_key())
    }

    /// Encrypt a batch of messages with the appropriate session public key.
    /// Automatically selects the correct key (pseudonym or attribute) based on the message type.
    #[cfg(feature = "batch")]
    pub fn encrypt_batch<M, R>(
        &self,
        messages: &[M],
        rng: &mut R,
    ) -> Result<Vec<M::EncryptedType>, crate::transcryptor::BatchError>
    where
        M: BatchEncryptable,
        SessionKeys: KeyProvider<M::PublicKeyType>,
        R: Rng + CryptoRng,
    {
        super::batch::encrypt_batch(messages, self.keys.get_key(), rng)
    }

    /// Encrypt a batch of messages without padding or preprocessing.
    #[cfg(feature = "insecure")]
    pub fn encrypt_batch_raw<M, R>(
        &self,
        messages: &[M],
        rng: &mut R,
    ) -> Result<Vec<M::EncryptedType>, crate::transcryptor::BatchError>
    where
        M: Encryptable,
        SessionKeys: KeyProvider<M::PublicKeyType>,
        R: Rng + CryptoRng,
    {
        super::batch::encrypt_batch_raw(messages, self.keys.get_key(), rng)
    }

    /// Decrypt a batch of encrypted messages with the appropriate session secret key.
    /// Automatically selects the correct key (pseudonym or attribute) based on the encrypted type.
    /// With the `elgamal3` feature, returns an error if any decryption fails.
    #[cfg(all(feature = "batch", feature = "elgamal3"))]
    pub fn decrypt_batch<E>(
        &self,
        encrypted: &[E],
    ) -> Result<Vec<E::UnencryptedType>, crate::transcryptor::BatchError>
    where
        E: Encrypted,
        SessionKeys: KeyProvider<E::SecretKeyType>,
    {
        super::batch::decrypt_batch(encrypted, self.keys.get_key())
    }

    /// Decrypt a batch of encrypted messages with the appropriate session secret key.
    /// Automatically selects the correct key (pseudonym or attribute) based on the encrypted type.
    #[cfg(all(feature = "batch", not(feature = "elgamal3")))]
    pub fn decrypt_batch<E>(
        &self,
        encrypted: &[E],
    ) -> Result<Vec<E::UnencryptedType>, crate::transcryptor::BatchError>
    where
        E: Encrypted,
        SessionKeys: KeyProvider<E::SecretKeyType>,
    {
        super::batch::decrypt_batch(encrypted, self.keys.get_key())
    }
}

/// An offline PEP client that can encrypt data, based on global public keys for pseudonyms and attributes.
/// This client is used for encryption only, and does not have session key pairs.
/// This can be useful when encryption is done offline and no session key pairs are available,
/// or when using a session key would leak information.
#[cfg(feature = "offline")]
#[derive(Clone)]
pub struct OfflineClient {
    pub global_public_keys: GlobalPublicKeys,
}

#[cfg(feature = "offline")]
impl OfflineClient {
    /// Create a new offline PEP client from the given global public keys.
    pub fn new(global_public_keys: GlobalPublicKeys) -> Self {
        Self { global_public_keys }
    }

    /// Encrypt data with the appropriate global public key.
    /// Automatically selects the correct key (pseudonym or attribute) based on the message type.
    pub fn encrypt<M, R>(&self, message: &M, rng: &mut R) -> M::EncryptedType
    where
        M: Encryptable,
        GlobalPublicKeys: KeyProvider<M::GlobalPublicKeyType>,
        R: Rng + CryptoRng,
    {
        message.encrypt_global(self.global_public_keys.get_key(), rng)
    }

    /// Encrypt a batch of messages with the appropriate global public key.
    /// Automatically selects the correct key (pseudonym or attribute) based on the message type.
    #[cfg(feature = "batch")]
    pub fn encrypt_batch<M, R>(
        &self,
        messages: &[M],
        rng: &mut R,
    ) -> Result<Vec<M::EncryptedType>, crate::transcryptor::BatchError>
    where
        M: Encryptable,
        GlobalPublicKeys: KeyProvider<M::GlobalPublicKeyType>,
        R: Rng + CryptoRng,
    {
        super::batch::encrypt_global_batch(messages, self.global_public_keys.get_key(), rng)
    }
}