Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: clarify wording for CMM algorithm suites #225

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

chore: clarify wording for CMM algorithm suites #225

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5d1a536
chore: clarify wording for CMM algorithm suites
alex-chew Aug 11, 2020
141293b
fix condition for returning signing key from Get Encryption Materials
alex-chew Aug 12, 2020
c89e44c
clarify caching CMM behavior sans algorithm suite
alex-chew Aug 12, 2020
aa3fbac
Merge branch 'master' into clarify-cmm-algorithm-suite-requirements
seebees Sep 22, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 6 additions & 3 deletions framework/caching-cmm.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,8 @@ The number of bytes encrypted by the [encryption](structures.md#encryption-mater

### Get Encryption Materials

If the [algorithm suite](algorithm-suites.md) requested contains a [Identity KDF](algorithm-suites.md#identity-kdf),
If the [algorithm suite](algorithm-suites.md) is present in the encryption materials request,
and it contains an [Identity KDF](algorithm-suites.md#identity-kdf),
alex-chew marked this conversation as resolved.
Show resolved Hide resolved
the caching CMM MUST obtain the encryption materials by making a call to the underlying CMM's [Get Encryption Materials](cmm-interface.md#get-encryption-materials) function.

Otherwise, the caching CMM MUST attempt to find the [encryption materials](structures.md#encryption-materials)
Expand All @@ -147,10 +148,12 @@ If a cache entry is found, the caching CMM MUST return the encryption materials
If a cache entry is not found or the cache entry is expired, the caching CMM MUST then attempt to obtain the encryption materials
by making a call to the underlying CMM's [Get Encryption Materials](cmm-interface.md#get-encryption-materials).

If the [algorithm suite](algorithm-suites.md) requested does not contain an [Identity KDF](algorithm-suites.md#identity-kdf),
If the [algorithm suite](algorithm-suites.md) is present in the encryption materials request,
and it does not contain an [Identity KDF](algorithm-suites.md#identity-kdf),
the caching CMM MUST add the encryption materials obtained from the underlying CMM into the underlying CMC.
alex-chew marked this conversation as resolved.
Show resolved Hide resolved

If the [algorithm suite](algorithm-suites.md) requested contains an Identity KDF,
If the [algorithm suite](algorithm-suites.md) is present in the encryption materials request,
and it contains an Identity KDF,
the caching CMM MUST NOT store the encryption materials in the underlying CMC.

### Decrypt Materials
Expand Down
12 changes: 7 additions & 5 deletions framework/cmm-interface.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,17 +106,19 @@ The encryption materials returned MUST include the following:
- [Encryption Context](structures.md#encryption-context)
- The CMM MAY modify the encryption context.

If the algorithm suite contains a [signing algorithm](algorithm-suites.md#signature-algorithm):

- The CMM MUST include a [signing key](structures.md#signing-key).
alex-chew marked this conversation as resolved.
Show resolved Hide resolved
If the algorithm suite is present in the encryption materials request,
and it contains a [signing algorithm](algorithm-suites.md#signature-algorithm),
then the encryption materials returned MUST include a [signing key](structures.md#signing-key).

The CMM MUST ensure that the encryption materials returned are valid.

- The encryption materials returned MUST follow the specification for [encryption-materials](structures.md#encryption-materials).
- The value of the plaintext data key MUST be non-NULL.
- The plaintext data key length MUST be equal to the [key derivation input length](algorithm-suites.md#key-derivation-input-length).
- The encrypted data keys list MUST contain at least one encrypted data key.
- If the algorithm suite contains a signing algorithm, the encryption materials returned MUST include the generated signing key.
- If the algorithm suite is present in the encryption materials request,
and it contains a signing algorithm,
then the encryption materials returned MUST include the generated signing key.

#### Decrypt Materials

Expand All @@ -130,7 +132,7 @@ The decryption materials returned MUST include the following:
- The CMM MAY modify the encryption context.
- The operations made on the encryption context on the Get Encryption Materials call SHOULD be inverted on the Decrypt Materials call.
- [Algorithm Suite](algorithm-suites.md)
- If the decrypt materials request contains an algorithm suite, the decryption materials returned SHOULD contain the same algorithm suite.
- The decryption materials returned SHOULD contain the same algorithm suite as the decrypt materials request.

If the algorithm suite obtained from the decryption request contains a [signing algorithm](algorithm-suites.md#signature-algorithm),
the decryption materials MUST include the [signature verification key](structures.md#verification-key).
Expand Down