summaryrefslogtreecommitdiffstats
path: root/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java
diff options
context:
space:
mode:
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java16
1 files changed, 12 insertions, 4 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java b/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java
index 8a1a7dd3688..66a87a94707 100644
--- a/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java
+++ b/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java
@@ -62,10 +62,7 @@ public class SharedKeyGenerator {
public static SecretSharedKey generateForReceiverPublicKey(PublicKey receiverPublicKey, KeyId keyId) {
var secretKey = generateRandomSecretAesKey();
- // We protect the integrity of the key ID by passing it as AAD.
- var sealed = HPKE.sealBase((XECPublicKey) receiverPublicKey, EMPTY_BYTES, keyId.asBytes(), secretKey.getEncoded());
- var sealedSharedKey = new SealedSharedKey(keyId, sealed.enc(), sealed.ciphertext());
- return new SecretSharedKey(secretKey, sealedSharedKey);
+ return internalSealSecretKeyForReceiver(secretKey, receiverPublicKey, keyId);
}
public static SecretSharedKey fromSealedKey(SealedSharedKey sealedKey, PrivateKey receiverPrivateKey) {
@@ -74,6 +71,17 @@ public class SharedKeyGenerator {
return new SecretSharedKey(new SecretKeySpec(secretKeyBytes, "AES"), sealedKey);
}
+ public static SecretSharedKey reseal(SecretSharedKey secret, PublicKey receiverPublicKey, KeyId keyId) {
+ return internalSealSecretKeyForReceiver(secret.secretKey(), receiverPublicKey, keyId);
+ }
+
+ private static SecretSharedKey internalSealSecretKeyForReceiver(SecretKey secretKey, PublicKey receiverPublicKey, KeyId keyId) {
+ // We protect the integrity of the key ID by passing it as AAD.
+ var sealed = HPKE.sealBase((XECPublicKey) receiverPublicKey, EMPTY_BYTES, keyId.asBytes(), secretKey.getEncoded());
+ var sealedSharedKey = new SealedSharedKey(keyId, sealed.enc(), sealed.ciphertext());
+ return new SecretSharedKey(secretKey, sealedSharedKey);
+ }
+
// A given key+IV pair can only be used for one single encryption session, ever.
// Since our keys are intended to be inherently single-use, we can satisfy that
// requirement even with a fixed IV. This avoids the need for explicitly including