Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java b/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java
index 8a1a7dd3688..66a87a94707 100644
--- a/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java
+++ b/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java
@@ -62,10 +62,7 @@ public class SharedKeyGenerator {
 
     public static SecretSharedKey generateForReceiverPublicKey(PublicKey receiverPublicKey, KeyId keyId) {
         var secretKey = generateRandomSecretAesKey();
-        // We protect the integrity of the key ID by passing it as AAD.
-        var sealed = HPKE.sealBase((XECPublicKey) receiverPublicKey, EMPTY_BYTES, keyId.asBytes(), secretKey.getEncoded());
-        var sealedSharedKey = new SealedSharedKey(keyId, sealed.enc(), sealed.ciphertext());
-        return new SecretSharedKey(secretKey, sealedSharedKey);
+        return internalSealSecretKeyForReceiver(secretKey, receiverPublicKey, keyId);
     }
 
     public static SecretSharedKey fromSealedKey(SealedSharedKey sealedKey, PrivateKey receiverPrivateKey) {
@@ -74,6 +71,17 @@ public class SharedKeyGenerator {
         return new SecretSharedKey(new SecretKeySpec(secretKeyBytes, "AES"), sealedKey);
     }
 
+    public static SecretSharedKey reseal(SecretSharedKey secret, PublicKey receiverPublicKey, KeyId keyId) {
+        return internalSealSecretKeyForReceiver(secret.secretKey(), receiverPublicKey, keyId);
+    }
+
+    private static SecretSharedKey internalSealSecretKeyForReceiver(SecretKey secretKey, PublicKey receiverPublicKey, KeyId keyId) {
+        // We protect the integrity of the key ID by passing it as AAD.
+        var sealed = HPKE.sealBase((XECPublicKey) receiverPublicKey, EMPTY_BYTES, keyId.asBytes(), secretKey.getEncoded());
+        var sealedSharedKey = new SealedSharedKey(keyId, sealed.enc(), sealed.ciphertext());
+        return new SecretSharedKey(secretKey, sealedSharedKey);
+    }
+
     // A given key+IV pair can only be used for one single encryption session, ever.
     // Since our keys are intended to be inherently single-use, we can satisfy that
     // requirement even with a fixed IV. This avoids the need for explicitly including
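Review bot: The new public `reseal` hands the existing AES key material from `secret.secretKey()` to `internalSealSecretKeyForReceiver` under a new HPKE encapsulation but carries no Javadoc, so nothing tells callers that the returned `SecretSharedKey` shares its key with the original rather than being a fresh single-use key. The comment immediately after the added lines (`A given key+IV pair can only be used for one single encryption session, ever`) makes that distinction security-relevant if the fixed-IV scheme relies on each key being used for one encryption only; a Javadoc on `reseal` should state that it re-addresses the same secret to `receiverPublicKey` under `keyId` so another receiver can open ciphertext already produced with it, and that the result must not be used for an additional encryption session. Separately, the helper casts `receiverPublicKey` to `XECPublicKey` unchecked, so a caller passing a non-XEC key gets a bare `ClassCastException`; a guard such as `if (!(receiverPublicKey instanceof XECPublicKey)) throw new IllegalArgumentException("Receiver public key must be an XEC public key");` before the `HPKE.sealBase` call gives a meaningful error. The `keyId` given to `reseal` is bound via AAD but may differ from `secret.sealedSharedKey()`'s own key ID; whether that is intended is not visible here and is worth a sentence in the same Javadoc.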