/* * Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). You may not use * this file except in compliance with the License. A copy of the License is * located at * * http://aws.amazon.com/apache2.0/ * * or in the "license" file accompanying this file. This file is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or * implied. See the License for the specific language governing permissions and * limitations under the License. */ #ifndef AWS_CRYPTOSDK_RAW_AES_KEYRING_H #define AWS_CRYPTOSDK_RAW_AES_KEYRING_H #include <aws/cryptosdk/cipher.h> #include <aws/cryptosdk/exports.h> #include <aws/cryptosdk/materials.h> #ifdef __cplusplus extern "C" { #endif /** * @defgroup raw_keyring Keyrings using local (raw) keys * @{ */ /** * A keyring which does local AES-GCM encryption and decryption of data keys using * the bytes in the array provided as the wrapping key. * * Key namespace, name, and raw key bytes provided by the caller are copied into * the state of the KR, so those arrays do not need to be maintained while using * the KR. For maximum security, the caller should zero out the array of raw key * bytes after creating this object. * * The encryption context which is passed to this KR on encrypt and decrypt calls * is used as additional authenticated data (AAD) in the AES-GCM encryption of the * data keys. This means that the same encryption context must be present for both * encryption and decryption. * * Set your own namespace and name for the wrapping key you use, for bookkeeping * purposes. A raw AES keyring which attempts to decrypt data previously encrypted * by another raw AES keyring must specify the same name and namespace. * * Note: when this keyring is used, it generates a trace that includes copies of * the namespace and name strings for each call. If you generate either or both of * the namespace and name strings using the AWS_STATIC_STRING_FROM_LITERAL macro, * all copies of these strings will be optimized out. * * On failure returns NULL and sets an internal AWS error code. */ AWS_CRYPTOSDK_API struct aws_cryptosdk_keyring *aws_cryptosdk_raw_aes_keyring_new( struct aws_allocator *alloc, const struct aws_string *key_namespace, const struct aws_string *key_name, const uint8_t *key_bytes, enum aws_cryptosdk_aes_key_len key_len); /** @} */ // doxygen group raw_keyring #ifdef __cplusplus } #endif #endif // AWS_CRYPTOSDK_RAW_AES_KEYRING_H