/rust/registry/src/index.crates.io-1949cf8c6b5b557f/openssl-0.10.62/src/envelope.rs

Source
//! Envelope encryption.
//!
//! # Example
//!
//! ```rust
//! use openssl::rsa::Rsa;
//! use openssl::envelope::Seal;
//! use openssl::pkey::PKey;
//! use openssl::symm::Cipher;
//!
//! let rsa = Rsa::generate(2048).unwrap();
//! let key = PKey::from_rsa(rsa).unwrap();
//!
//! let cipher = Cipher::aes_256_cbc();
//! let mut seal = Seal::new(cipher, &[key]).unwrap();
//!
//! let secret = b"My secret message";
//! let mut encrypted = vec![0; secret.len() + cipher.block_size()];
//!
//! let mut enc_len = seal.update(secret, &mut encrypted).unwrap();
//! enc_len += seal.finalize(&mut encrypted[enc_len..]).unwrap();
//! encrypted.truncate(enc_len);
//! ```
use crate::cipher::CipherRef;
use crate::cipher_ctx::CipherCtx;
use crate::error::ErrorStack;
use crate::pkey::{HasPrivate, HasPublic, PKey, PKeyRef};
use crate::symm::Cipher;
use foreign_types::ForeignTypeRef;

/// Represents an EVP_Seal context.
pub struct Seal {
    ctx: CipherCtx,
    iv: Option<Vec<u8>>,
    enc_keys: Vec<Vec<u8>>,
}

impl Seal {
    /// Creates a new `Seal`.
    pub fn new<T>(cipher: Cipher, pub_keys: &[PKey<T>]) -> Result<Seal, ErrorStack>
    where
        T: HasPublic,
    {
        let mut iv = cipher.iv_len().map(|len| vec![0; len]);
        let mut enc_keys = vec![vec![]; pub_keys.len()];

        let mut ctx = CipherCtx::new()?;
        ctx.seal_init(
            Some(unsafe { CipherRef::from_ptr(cipher.as_ptr() as *mut _) }),
            pub_keys,
            &mut enc_keys,
            iv.as_deref_mut(),
        )?;

        Ok(Seal { ctx, iv, enc_keys })
    }

    /// Returns the initialization vector, if the cipher uses one.
    #[allow(clippy::option_as_ref_deref)]
    pub fn iv(&self) -> Option<&[u8]> {
        self.iv.as_ref().map(|v| &**v)
    }

    /// Returns the encrypted keys.
    pub fn encrypted_keys(&self) -> &[Vec<u8>] {
        &self.enc_keys
    }

    /// Feeds data from `input` through the cipher, writing encrypted bytes into `output`.
    ///
    /// The number of bytes written to `output` is returned. Note that this may
    /// not be equal to the length of `input`.
    ///
    /// # Panics
    ///
    /// Panics if `output.len() < input.len() + block_size` where `block_size` is
    /// the block size of the cipher (see `Cipher::block_size`), or if
    /// `output.len() > c_int::max_value()`.
    pub fn update(&mut self, input: &[u8], output: &mut [u8]) -> Result<usize, ErrorStack> {
        self.ctx.cipher_update(input, Some(output))
    }

    /// Finishes the encryption process, writing any remaining data to `output`.
    ///
    /// The number of bytes written to `output` is returned.
    ///
    /// `update` should not be called after this method.
    ///
    /// # Panics
    ///
    /// Panics if `output` is less than the cipher's block size.
    pub fn finalize(&mut self, output: &mut [u8]) -> Result<usize, ErrorStack> {
        self.ctx.cipher_final(output)
    }
}

/// Represents an EVP_Open context.
pub struct Open {
    ctx: CipherCtx,
}

impl Open {
    /// Creates a new `Open`.
    pub fn new<T>(
        cipher: Cipher,
        priv_key: &PKeyRef<T>,
        iv: Option<&[u8]>,
        encrypted_key: &[u8],
    ) -> Result<Open, ErrorStack>
    where
        T: HasPrivate,
    {
        let mut ctx = CipherCtx::new()?;
        ctx.open_init(
            Some(unsafe { CipherRef::from_ptr(cipher.as_ptr() as *mut _) }),
            encrypted_key,
            iv,
            Some(priv_key),
        )?;

        Ok(Open { ctx })
    }

    /// Feeds data from `input` through the cipher, writing decrypted bytes into `output`.
    ///
    /// The number of bytes written to `output` is returned. Note that this may
    /// not be equal to the length of `input`.
    ///
    /// # Panics
    ///
    /// Panics if `output.len() < input.len() + block_size` where
    /// `block_size` is the block size of the cipher (see `Cipher::block_size`),
    /// or if `output.len() > c_int::max_value()`.
    pub fn update(&mut self, input: &[u8], output: &mut [u8]) -> Result<usize, ErrorStack> {
        self.ctx.cipher_update(input, Some(output))
    }

    /// Finishes the decryption process, writing any remaining data to `output`.
    ///
    /// The number of bytes written to `output` is returned.
    ///
    /// `update` should not be called after this method.
    ///
    /// # Panics
    ///
    /// Panics if `output` is less than the cipher's block size.
    pub fn finalize(&mut self, output: &mut [u8]) -> Result<usize, ErrorStack> {
        self.ctx.cipher_final(output)
    }
}

#[cfg(test)]
mod test {
    use super::*;
    use crate::pkey::PKey;
    use crate::symm::Cipher;

    #[test]
    fn public_encrypt_private_decrypt() {
        let private_pem = include_bytes!("../test/rsa.pem");
        let public_pem = include_bytes!("../test/rsa.pem.pub");
        let private_key = PKey::private_key_from_pem(private_pem).unwrap();
        let public_key = PKey::public_key_from_pem(public_pem).unwrap();
        let cipher = Cipher::aes_256_cbc();
        let secret = b"My secret message";

        let mut seal = Seal::new(cipher, &[public_key]).unwrap();
        let mut encrypted = vec![0; secret.len() + cipher.block_size()];
        let mut enc_len = seal.update(secret, &mut encrypted).unwrap();
        enc_len += seal.finalize(&mut encrypted[enc_len..]).unwrap();
        let iv = seal.iv();
        let encrypted_key = &seal.encrypted_keys()[0];

        let mut open = Open::new(cipher, &private_key, iv, encrypted_key).unwrap();
        let mut decrypted = vec![0; enc_len + cipher.block_size()];
        let mut dec_len = open.update(&encrypted[..enc_len], &mut decrypted).unwrap();
        dec_len += open.finalize(&mut decrypted[dec_len..]).unwrap();

        assert_eq!(&secret[..], &decrypted[..dec_len]);
    }
}

Line	Count	Source
1		//! Envelope encryption.
2		//!
3		//! # Example
4		//!
5		//! ```rust
6		//! use openssl::rsa::Rsa;
7		//! use openssl::envelope::Seal;
8		//! use openssl::pkey::PKey;
9		//! use openssl::symm::Cipher;
10		//!
11		//! let rsa = Rsa::generate(2048).unwrap();
12		//! let key = PKey::from_rsa(rsa).unwrap();
13		//!
14		//! let cipher = Cipher::aes_256_cbc();
15		//! let mut seal = Seal::new(cipher, &[key]).unwrap();
16		//!
17		//! let secret = b"My secret message";
18		//! let mut encrypted = vec![0; secret.len() + cipher.block_size()];
19		//!
20		//! let mut enc_len = seal.update(secret, &mut encrypted).unwrap();
21		//! enc_len += seal.finalize(&mut encrypted[enc_len..]).unwrap();
22		//! encrypted.truncate(enc_len);
23		//! ```
24		use crate::cipher::CipherRef;
25		use crate::cipher_ctx::CipherCtx;
26		use crate::error::ErrorStack;
27		use crate::pkey::{HasPrivate, HasPublic, PKey, PKeyRef};
28		use crate::symm::Cipher;
29		use foreign_types::ForeignTypeRef;
30
31		/// Represents an EVP_Seal context.
32		pub struct Seal {
33		ctx: CipherCtx,
34		iv: Option<Vec<u8>>,
35		enc_keys: Vec<Vec<u8>>,
36		}
37
38		impl Seal {
39		/// Creates a new `Seal`.
40	0	pub fn new<T>(cipher: Cipher, pub_keys: &[PKey<T>]) -> Result<Seal, ErrorStack>
41	0	where
42	0	T: HasPublic,
43		{
44	0	let mut iv = cipher.iv_len().map(\|len\| vec![0; len]);
45	0	let mut enc_keys = vec![vec![]; pub_keys.len()];
46
47	0	let mut ctx = CipherCtx::new()?;
48	0	ctx.seal_init(
49	0	Some(unsafe { CipherRef::from_ptr(cipher.as_ptr() as *mut _) }),
50	0	pub_keys,
51	0	&mut enc_keys,
52	0	iv.as_deref_mut(),
53	0	)?;
54
55	0	Ok(Seal { ctx, iv, enc_keys })
56	0	}
57
58		/// Returns the initialization vector, if the cipher uses one.
59		#[allow(clippy::option_as_ref_deref)]
60	0	pub fn iv(&self) -> Option<&[u8]> {
61	0	self.iv.as_ref().map(\|v\| &**v)
62	0	}
63
64		/// Returns the encrypted keys.
65	0	pub fn encrypted_keys(&self) -> &[Vec<u8>] {
66	0	&self.enc_keys
67	0	}
68
69		/// Feeds data from `input` through the cipher, writing encrypted bytes into `output`.
70		///
71		/// The number of bytes written to `output` is returned. Note that this may
72		/// not be equal to the length of `input`.
73		///
74		/// # Panics
75		///
76		/// Panics if `output.len() < input.len() + block_size` where `block_size` is
77		/// the block size of the cipher (see `Cipher::block_size`), or if
78		/// `output.len() > c_int::max_value()`.
79	0	pub fn update(&mut self, input: &[u8], output: &mut [u8]) -> Result<usize, ErrorStack> {
80	0	self.ctx.cipher_update(input, Some(output))
81	0	}
82
83		/// Finishes the encryption process, writing any remaining data to `output`.
84		///
85		/// The number of bytes written to `output` is returned.
86		///
87		/// `update` should not be called after this method.
88		///
89		/// # Panics
90		///
91		/// Panics if `output` is less than the cipher's block size.
92	0	pub fn finalize(&mut self, output: &mut [u8]) -> Result<usize, ErrorStack> {
93	0	self.ctx.cipher_final(output)
94	0	}
95		}
96
97		/// Represents an EVP_Open context.
98		pub struct Open {
99		ctx: CipherCtx,
100		}
101
102		impl Open {
103		/// Creates a new `Open`.
104	0	pub fn new<T>(
105	0	cipher: Cipher,
106	0	priv_key: &PKeyRef<T>,
107	0	iv: Option<&[u8]>,
108	0	encrypted_key: &[u8],
109	0	) -> Result<Open, ErrorStack>
110	0	where
111	0	T: HasPrivate,
112		{
113	0	let mut ctx = CipherCtx::new()?;
114	0	ctx.open_init(
115	0	Some(unsafe { CipherRef::from_ptr(cipher.as_ptr() as *mut _) }),
116	0	encrypted_key,
117	0	iv,
118	0	Some(priv_key),
119	0	)?;
120
121	0	Ok(Open { ctx })
122	0	}
123
124		/// Feeds data from `input` through the cipher, writing decrypted bytes into `output`.
125		///
126		/// The number of bytes written to `output` is returned. Note that this may
127		/// not be equal to the length of `input`.
128		///
129		/// # Panics
130		///
131		/// Panics if `output.len() < input.len() + block_size` where
132		/// `block_size` is the block size of the cipher (see `Cipher::block_size`),
133		/// or if `output.len() > c_int::max_value()`.
134	0	pub fn update(&mut self, input: &[u8], output: &mut [u8]) -> Result<usize, ErrorStack> {
135	0	self.ctx.cipher_update(input, Some(output))
136	0	}
137
138		/// Finishes the decryption process, writing any remaining data to `output`.
139		///
140		/// The number of bytes written to `output` is returned.
141		///
142		/// `update` should not be called after this method.
143		///
144		/// # Panics
145		///
146		/// Panics if `output` is less than the cipher's block size.
147	0	pub fn finalize(&mut self, output: &mut [u8]) -> Result<usize, ErrorStack> {
148	0	self.ctx.cipher_final(output)
149	0	}
150		}
151
152		#[cfg(test)]
153		mod test {
154		use super::*;
155		use crate::pkey::PKey;
156		use crate::symm::Cipher;
157
158		#[test]
159		fn public_encrypt_private_decrypt() {
160		let private_pem = include_bytes!("../test/rsa.pem");
161		let public_pem = include_bytes!("../test/rsa.pem.pub");
162		let private_key = PKey::private_key_from_pem(private_pem).unwrap();
163		let public_key = PKey::public_key_from_pem(public_pem).unwrap();
164		let cipher = Cipher::aes_256_cbc();
165		let secret = b"My secret message";
166
167		let mut seal = Seal::new(cipher, &[public_key]).unwrap();
168		let mut encrypted = vec![0; secret.len() + cipher.block_size()];
169		let mut enc_len = seal.update(secret, &mut encrypted).unwrap();
170		enc_len += seal.finalize(&mut encrypted[enc_len..]).unwrap();
171		let iv = seal.iv();
172		let encrypted_key = &seal.encrypted_keys()[0];
173
174		let mut open = Open::new(cipher, &private_key, iv, encrypted_key).unwrap();
175		let mut decrypted = vec![0; enc_len + cipher.block_size()];
176		let mut dec_len = open.update(&encrypted[..enc_len], &mut decrypted).unwrap();
177		dec_len += open.finalize(&mut decrypted[dec_len..]).unwrap();
178
179		assert_eq!(&secret[..], &decrypted[..dec_len]);
180		}
181		}

Coverage Report

Created: 2026-03-28 06:55