[#22] Unmanaged Decryption (#32)

DocumentAdvancedOps::document_decrypt_unmanaged function added for advanced use cases. This decrypt operation is the inverse of DocumentAdvancedOps::document_encrypt_unmanaged
IronCoreLabs · Aug 20, 2019 · cf64122 · cf64122
1 parent 2d9e8a1
commit cf64122
Show file tree

Hide file tree

Showing 9 changed files with 488 additions and 108 deletions.
diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,4 @@ java/scala/src/test/resources/service-keys.conf
 java/scala/src/test/resources/service-keys.conf.stage
 java/scala/src/test/resources/service-keys.conf.local
 .vscode
+src/proto/transform.rs
diff --git a/src/document/advanced.rs b/src/document/advanced.rs
@@ -1,6 +1,8 @@
 use crate::document::{partition_user_or_group, DocumentEncryptOpts};
 use crate::internal;
-use crate::internal::document_api::DocumentEncryptUnmanagedResult;
+pub use crate::internal::document_api::{
+ DocumentDecryptUnmanagedResult, DocumentEncryptUnmanagedResult,
+};
 use crate::Result;
 use itertools::EitherOrBoth;
 use tokio::runtime::current_thread::Runtime;
@@ -25,6 +27,21 @@ pub trait DocumentAdvancedOps {
  data: &[u8],
  encrypt_opts: &DocumentEncryptOpts,
  ) -> Result<DocumentEncryptUnmanagedResult>;
+
+ /// (Advanced) Decrypt a document not managed by the ironcore service. Both the encrypted
+ /// data and the encrypted deks need to be provided.
+ ///
+ /// The webservice is still needed to transform a chosen encrypted dek so it can be decrypted
+ /// by the caller's private key.
+ ///
+ /// # Arguments
+ /// - `encrypted_data` - Encrypted document
+ /// - `encrypted_deks` - Associated encrypted DEKs for the `encrypted_data`
+ fn document_decrypt_unmanaged(
+ &self,
+ encrypted_data: &[u8],
+ encrypted_deks: &[u8],
+ ) -> Result<DocumentDecryptUnmanagedResult>;
 }
 
 impl DocumentAdvancedOps for crate::IronOxide {
@@ -66,4 +83,20 @@ impl DocumentAdvancedOps for crate::IronOxide {
  policy_grants,
  ))
  }
+
+ fn document_decrypt_unmanaged(
+ &self,
+ encrypted_data: &[u8],
+ encrypted_deks: &[u8],
+ ) -> Result<DocumentDecryptUnmanagedResult> {
+ let mut rt = Runtime::new().unwrap();
+
+ rt.block_on(internal::document_api::decrypt_document_unmanaged(
+ self.device.auth(),
+ &self.recrypt,
+ self.device().private_device_key(),
+ encrypted_data,
+ encrypted_deks,
+ ))
+ }
 }
diff --git a/src/document/mod.rs b/src/document/mod.rs
@@ -1,7 +1,7 @@
 pub use crate::internal::document_api::{
  AssociationType, DocAccessEditErr, DocumentAccessResult, DocumentDecryptResult,
- DocumentEncryptResult, DocumentEncryptUnmanagedResult, DocumentListMeta, DocumentListResult,
- DocumentMetadataResult, UserOrGroup, VisibleGroup, VisibleUser,
+ DocumentEncryptResult, DocumentListMeta, DocumentListResult, DocumentMetadataResult,
+ UserOrGroup, VisibleGroup, VisibleUser,
 };
 use crate::{
  internal::{