//! This is the demo given in `README.md` and `lib.rs`
use cosmian_cover_crypt::{
abe_policy::{AccessPolicy, Attribute, DimensionBuilder, EncryptionHint, Policy},
Covercrypt, EncryptedHeader,
};
/// Runs the Covercrypt demo end to end: build a two-axis policy, issue a user
/// key, encrypt a header, rotate one attribute, then check which headers the
/// user key opens before and after it is refreshed.
///
/// Every fallible call is unwrapped, so any library error aborts the demo with
/// a panic; the `assert!`s are the demo's expected outcomes.
fn main() {
    // Security-level axis. The trailing `true` marks it as hierarchical: a user
    // matching `Security Level::Confidential` can also decrypt messages
    // encrypted for `Security Level::Protected`.
    // Only "Top Secret" is created with `EncryptionHint::Hybridized`.
    // NOTE(review): presumably this selects the post-quantum hybridized mode;
    // confirm against the crate documentation.
    let security_levels = vec![
        ("Protected", EncryptionHint::Classic),
        ("Confidential", EncryptionHint::Classic),
        ("Top Secret", EncryptionHint::Hybridized),
    ];
    let security_axis = DimensionBuilder::new("Security Level", security_levels, true);

    // Department axis. The trailing `false` means it is *not* hierarchical.
    let departments = vec![
        ("R&D", EncryptionHint::Classic),
        ("HR", EncryptionHint::Classic),
        ("MKG", EncryptionHint::Classic),
        ("FIN", EncryptionHint::Classic),
    ];
    let department_axis = DimensionBuilder::new("Department", departments, false);

    // Start from an empty policy and register both axes, security level first.
    let mut policy = Policy::new();
    for axis in [security_axis, department_axis] {
        policy.add_dimension(axis).unwrap();
    }

    // Instantiate Covercrypt and derive the master secret/public key pair
    // from the policy.
    let engine = Covercrypt::default();
    let (mut master_secret, mut master_public) = engine.generate_master_keys(&policy).unwrap();

    // The user holds `Security Level::Top Secret` clearance and belongs to the
    // finance department (`Department::FIN`). The same access policy is used
    // below as the encryption target.
    let fin_top_secret =
        AccessPolicy::from_boolean_expression("Security Level::Top Secret && Department::FIN")
            .unwrap();
    let mut user_key = engine
        .generate_user_secret_key(&master_secret, &fin_top_secret, &policy)
        .unwrap();

    // Encrypt a header for that access policy. The first tuple element is not
    // needed by the demo and is discarded.
    let (_, header_before_rekey) = EncryptedHeader::generate(
        &engine,
        &policy,
        &master_public,
        &fin_top_secret,
        None,
        None,
    )
    .unwrap();

    // With matching rights, the user key opens the header.
    assert!(header_before_rekey
        .decrypt(&engine, &user_key, None)
        .is_ok());

    // Rotate the master keys for the `Security Level::Top Secret` attribute.
    let rotated_attribute = Attribute::from(("Security Level", "Top Secret"));
    let rekey_target = AccessPolicy::Attr(rotated_attribute);
    engine
        .rekey_master_keys(&rekey_target, &policy, &mut master_secret, &mut master_public)
        .unwrap();

    // Encrypt again, now under the rotated attribute.
    let (_, header_after_rekey) = EncryptedHeader::generate(
        &engine,
        &policy,
        &master_public,
        &fin_top_secret,
        None,
        None,
    )
    .unwrap();

    // The user key has not been refreshed yet, so it cannot open the new header.
    assert!(header_after_rekey
        .decrypt(&engine, &user_key, None)
        .is_err());

    // Refresh the user key; passing `false` does not grant access to old
    // encryptions.
    engine
        .refresh_user_secret_key(&mut user_key, &master_secret, false)
        .unwrap();

    // The refreshed key opens the header produced after the rekey...
    assert!(header_after_rekey
        .decrypt(&engine, &user_key, None)
        .is_ok());

    // ...but no longer opens the header produced before it.
    // NOTE(review): this only shows the refreshed key losing access; a copy of
    // the pre-refresh key kept elsewhere would presumably still open the old
    // header, so re-encrypt old data where that matters.
    assert!(header_before_rekey
        .decrypt(&engine, &user_key, None)
        .is_err());
}