#include <secret_sealer.h>
|
| SecretSealer ()=default |
|
virtual | ~SecretSealer ()=default |
|
virtual SealingRootType | RootType () const =0 |
| Gets the sealing root type of this SecretSealer. More...
|
|
virtual std::string | RootName () const =0 |
| Gets the sealing root name of this SecretSealer. More...
|
|
virtual std::vector< EnclaveIdentityExpectation > | RootAcl () const =0 |
| Gets the sealing root ACL of this SecretSealer. More...
|
|
virtual Status | SetDefaultHeader (SealedSecretHeader *header) const =0 |
| Generates the default sealed-secret header based on the configuration of the SecretSealer and writes it to header . More...
|
|
virtual StatusOr< size_t > | MaxMessageSize (const SealedSecretHeader &header) const =0 |
| Gets the maximum message size (in bytes) that can be sealed according to the cipher-suite configuration recorded in header . More...
|
|
virtual StatusOr< uint64_t > | MaxSealedMessages (const SealedSecretHeader &header) const =0 |
| Gets the maximum number of messages that can safely be sealed according to the cipher-suite configuration recorded in header . More...
|
|
virtual Status | Seal (const SealedSecretHeader &header, ByteContainerView additional_authenticated_data, ByteContainerView secret, SealedSecret *sealed_secret)=0 |
| Seals the input per the header specification. More...
|
|
virtual Status | Unseal (const SealedSecret &sealed_secret, CleansingVector< uint8_t > *secret)=0 |
| Unseals the sealed_secret and writes it to secret . More...
|
|
virtual Status | Reseal (const SealedSecret &old_sealed_secret, const SealedSecretHeader &new_header, SealedSecret *new_sealed_secret) |
| Re-seals an already sealed secret to a new header. More...
|
|
|
static StatusOr< std::string > | GenerateSealerId (SealingRootType type, const std::string &name) |
| Combines the specified sealing root type and sealing root name to form a string. More...
|
|
◆ SecretSealer()
asylo::SecretSealer::SecretSealer |
( |
| ) |
|
|
default |
◆ ~SecretSealer()
virtual asylo::SecretSealer::~SecretSealer |
( |
| ) |
|
|
virtual default |
◆ GenerateSealerId()
static StatusOr<std::string> asylo::SecretSealer::GenerateSealerId |
( |
SealingRootType |
type, |
|
|
const std::string & |
name |
|
) |
| |
|
static |
Combines the specified sealing root type and sealing root name to form a string.
The combined string uniquely identifies the SecretSealer responsible for handling secrets associated with the particular combination of root-type `type` and root-name `name`.
- Parameters
-
type | The root type for sealing (e.g., from RootType()). |
name | The root name for sealing (e.g., from RootName()). |
- Returns
- An object that represents a result string, or a failure status.
◆ MaxMessageSize()
virtual StatusOr<size_t> asylo::SecretSealer::MaxMessageSize |
( |
const SealedSecretHeader & |
header | ) |
const |
|
pure virtual |
Gets the maximum message size (in bytes) that can be sealed according to the cipher-suite configuration recorded in `header`.
The user is expected to call this before calling Seal() to ensure that they have chunked their messages correctly. The maximum message sizes of supported cipher-suites are as follows:
- AES-GCM-SIV supports a maximum message size of 32 MiB
- Parameters
-
header | The associated header to determine the maximum message size. |
- Returns
- The maximum message size that can be encrypted based on the cipher-suite configuration in header, or a non-OK status if the cipher-suite configuration is not supported.
Implemented in asylo::SgxLocalSecretSealer.
◆ MaxSealedMessages()
virtual StatusOr<uint64_t> asylo::SecretSealer::MaxSealedMessages |
( |
const SealedSecretHeader & |
header | ) |
const |
|
pure virtual |
Gets the maximum number of messages that can safely be sealed according to the cipher-suite configuration recorded in `header`.
The user is responsible for staying within this limit: the secret sealer does not count or check the number of secrets sealed, so the caller must track it. The maximum numbers of sealed messages for the supported cipher-suites are as follows:
- AES-GCM-SIV can safely seal 2^48 messages
- Parameters
-
header | The associated header to determine the maximum number of sealed messages. |
- Returns
- The maximum number of messages that can be sealed based on the cipher-suite configuration in header, or a non-OK status if the cipher-suite configuration is not supported.
Implemented in asylo::SgxLocalSecretSealer.
◆ Reseal()
virtual Status asylo::SecretSealer::Reseal |
( |
const SealedSecret & |
old_sealed_secret, |
|
|
const SealedSecretHeader & |
new_header, |
|
|
SealedSecret * |
new_sealed_secret |
|
) |
| |
|
virtual |
Re-seals an already sealed secret to a new header.
The net effect of calling this method is the same as unsealing the secret and then sealing it to the new header, and that is exactly how this method is implemented by the base class. A derived class of SecretSealer may choose to further optimize this method.
- Parameters
-
| old_sealed_secret | The sealed secret to re-seal. |
| new_header | The metadata to guide the re-sealing. |
[out] | new_sealed_secret | The output sealed secret. |
- Returns
- A non-OK status if re-sealing fails.
◆ RootAcl()
virtual std::vector<EnclaveIdentityExpectation> asylo::SecretSealer::RootAcl |
( |
| ) |
const |
|
pure virtual |
◆ RootName()
virtual std::string asylo::SecretSealer::RootName |
( |
| ) |
const |
|
pure virtual |
◆ RootType()
virtual SealingRootType asylo::SecretSealer::RootType |
( |
| ) |
const |
|
pure virtual |
◆ Seal()
virtual Status asylo::SecretSealer::Seal |
( |
const SealedSecretHeader & |
header, |
|
|
ByteContainerView |
additional_authenticated_data, |
|
|
ByteContainerView |
secret, |
|
|
SealedSecret * |
sealed_secret |
|
) |
| |
|
pure virtual |
Seals the input per the header specification.
The `header` must have its `secret_name`, `secret_version` and `secret_purpose` fields populated. If any of the remaining fields in the `header` are populated, then they must be compatible with the underlying sealing root.
- Parameters
-
| header | The metadata to guide the sealing. |
| additional_authenticated_data | Data that is authenticated but left unencrypted, bundled with the sealed secret. |
| secret | The data to encrypt and seal. |
[out] | sealed_secret | The output sealed secret. |
- Returns
- A non-OK status if sealing fails.
Implemented in asylo::SgxLocalSecretSealer.
◆ SetDefaultHeader()
virtual Status asylo::SecretSealer::SetDefaultHeader |
( |
SealedSecretHeader * |
header | ) |
const |
|
pure virtual |
Generates the default sealed-secret header based on the configuration of the SecretSealer and writes it to `header`.
- Parameters
-
[out] | header | The destination for the default SealedSecretHeader value. |
- Returns
- A non-OK status if a default cannot be set.
Implemented in asylo::SgxLocalSecretSealer.
◆ Unseal()
virtual Status asylo::SecretSealer::Unseal |
( |
const SealedSecret & |
sealed_secret, |
|
|
CleansingVector< uint8_t > * |
secret |
|
) |
| |
|
pure virtual |
Unseals the `sealed_secret` and writes it to `secret`.
- Parameters
-
| sealed_secret | The input secret to unseal. |
[out] | secret | The destination for the unsealed secret. |
- Returns
- A non-OK Status if unsealing fails.
Implemented in asylo::SgxLocalSecretSealer.
The documentation for this class was generated from the following file: