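// Copyright 2017 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////

package com.google.crypto.tink.signature;

import com.google.crypto.tink.config.TinkFips;
import com.google.crypto.tink.proto.RegistryConfig;
import com.google.errorprone.annotations.CanIgnoreReturnValue;
import java.security.GeneralSecurityException;

/**
 * Static methods and constants for registering with the {@link com.google.crypto.tink.Registry} all
 * instances of {@link com.google.crypto.tink.PublicKeySign} and {@link
 * com.google.crypto.tink.PublicKeyVerify} key types supported in a particular release of Tink.
 *
 * <p>To register all PublicKeySign and PublicKeyVerify key types provided in the latest Tink
 * version one can do:
 *
 * <pre>{@code
 * SignatureConfig.register();
 * }</pre>
 *
 * <p>Registration is also a side effect of class initialization: the static initializer of this
 * class calls {@link #register}, so reading any of the {@code *_TYPE_URL} constants or the
 * deprecated {@link RegistryConfig} fields registers the signature key types as well.
 *
 * <p>When {@link TinkFips#useOnlyFips()} returns {@code true}, Ed25519 is not registered; only
 * ECDSA, RSA-SSA-PKCS1 and RSA-SSA-PSS are.
 *
 * <p>For more information on how to obtain and use instances of PublicKeySign or PublicKeyVerify,
 * see {@link PublicKeySignFactory} or {@link PublicKeyVerifyFactory}.
 *
 * @since 1.0.0
 */
public final class SignatureConfig {
  // Every type URL goes through initializeClassReturnInput so that none of these fields is a
  // compile-time constant; see that method's Javadoc for why this matters.
  public static final String ECDSA_PUBLIC_KEY_TYPE_URL =
      initializeClassReturnInput("type.googleapis.com/google.crypto.tink.EcdsaPublicKey");
  public static final String ECDSA_PRIVATE_KEY_TYPE_URL =
      initializeClassReturnInput("type.googleapis.com/google.crypto.tink.EcdsaPrivateKey");
  public static final String ED25519_PUBLIC_KEY_TYPE_URL =
      initializeClassReturnInput("type.googleapis.com/google.crypto.tink.Ed25519PublicKey");
  public static final String ED25519_PRIVATE_KEY_TYPE_URL =
      initializeClassReturnInput("type.googleapis.com/google.crypto.tink.Ed25519PrivateKey");
  public static final String RSA_PKCS1_PRIVATE_KEY_TYPE_URL =
      initializeClassReturnInput("type.googleapis.com/google.crypto.tink.RsaSsaPkcs1PrivateKey");
  public static final String RSA_PKCS1_PUBLIC_KEY_TYPE_URL =
      initializeClassReturnInput("type.googleapis.com/google.crypto.tink.RsaSsaPkcs1PublicKey");
  public static final String RSA_PSS_PRIVATE_KEY_TYPE_URL =
      initializeClassReturnInput("type.googleapis.com/google.crypto.tink.RsaSsaPssPrivateKey");
  public static final String RSA_PSS_PUBLIC_KEY_TYPE_URL =
      initializeClassReturnInput("type.googleapis.com/google.crypto.tink.RsaSsaPssPublicKey");

  /**
   * Default {@link RegistryConfig} instance; it is not populated in this class.
   *
   * @deprecated Call {@link #register} instead.
   */
  @Deprecated
  public static final RegistryConfig TINK_1_0_0 = RegistryConfig.getDefaultInstance();

  /**
   * Default {@link RegistryConfig} instance; it is not populated in this class.
   *
   * @deprecated Call {@link #register} instead.
   */
  @Deprecated
  public static final RegistryConfig TINK_1_1_0 = RegistryConfig.getDefaultInstance();

  /**
   * Default {@link RegistryConfig} instance; it is not populated in this class.
   *
   * @deprecated Call {@link #register} instead.
   */
  @Deprecated
  public static final RegistryConfig LATEST = RegistryConfig.getDefaultInstance();

  static {
    try {
      // Call register() directly instead of going through the deprecated init() alias.
      register();
    } catch (GeneralSecurityException e) {
      // A failed registration aborts class initialization. Per JLS §12.4.2 the class is then in
      // an erroneous state and later uses fail with NoClassDefFoundError instead of continuing
      // silently.
      throw new ExceptionInInitializerError(e);
    }
  }

  /**
   * Returns the input, but crucially also calls the static initializer just above.
   *
   * <p>Before some refactorings, the string constants in this class were defined as: <code>
   * private final static String AES_CTR_HMAC_AEAD_TYPE_URL = new SomeKeyManager().get();
   * </code>. After the refactorings, it would be tempting to define them as <code>
   * AES_CTR_HMAC_AEAD_TYPE_URL = "...";</code> However, this would change the behavior. By the JLS
   * §12.4.1, the static initializer of the class is called if "A static field declared by T is used
   * and the field is not a constant variable". The §4.12.4 explains that a constant variable is a
   * "final variable of type String which is initialized with a constant expression". Hence, after
   * the above refactoring the initializer wouldn't be called anymore.
   *
   * <p>Because of this, we always call this function here to enforce calling the static
   * initializer, i.e. to enforce that when a user accesses any of the variables here, the class is
   * initialized.
   *
   * @param s the value to hand back
   * @return {@code s}, unchanged
   */
  @CanIgnoreReturnValue
  private static String initializeClassReturnInput(String s) {
    return s;
  }

  /**
   * Delegates to {@link #register}.
   *
   * @throws GeneralSecurityException if one of the underlying registrations reports a failure
   * @deprecated use {@link #register}
   */
  @Deprecated
  public static void init() throws GeneralSecurityException {
    register();
  }

  /**
   * Registers with the {@link com.google.crypto.tink.Registry} what is needed to handle the
   * PublicKeySign and PublicKeyVerify key types supported in Tink: the two primitive wrappers and
   * the ECDSA, RSA-SSA-PKCS1 and RSA-SSA-PSS key manager pairs. The Ed25519 key manager pair is
   * registered only when {@link TinkFips#useOnlyFips()} returns {@code false}.
   *
   * @throws GeneralSecurityException if one of the underlying registrations reports a failure
   * @since 1.2.0
   */
  public static void register() throws GeneralSecurityException {
    PublicKeySignWrapper.register();
    PublicKeyVerifyWrapper.register();

    // These three are registered in every build, before the FIPS guard below.
    // NOTE(review): newKeyAllowed=true presumably lets new keys of these types be generated
    // through the Registry; confirm against the key manager implementations.
    EcdsaSignKeyManager.registerPair(/* newKeyAllowed= */ true);
    RsaSsaPkcs1SignKeyManager.registerPair(/* newKeyAllowed= */ true);
    RsaSsaPssSignKeyManager.registerPair(/* newKeyAllowed= */ true);

    if (TinkFips.useOnlyFips()) {
      // If Tink is built in FIPS-mode do not register algorithms which are not compatible.
      // Anything registered after this guard is excluded from FIPS builds, so an algorithm added
      // later stays out of those builds unless it is deliberately placed above it.
      return;
    }

    Ed25519PrivateKeyManager.registerPair(/* newKeyAllowed= */ true);
  }

  // Static utility class; not instantiable.
  private SignatureConfig() {}
}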