diff --git a/src/main/java/com/google/crypto/tink/integration/gcpkms/GcpKmsAead.java b/src/main/java/com/google/crypto/tink/integration/gcpkms/GcpKmsAead.java
index a65f24f..deb61dc 100644
--- a/src/main/java/com/google/crypto/tink/integration/gcpkms/GcpKmsAead.java
+++ b/src/main/java/com/google/crypto/tink/integration/gcpkms/GcpKmsAead.java
@@ -123,6 +123,19 @@ public byte[] decrypt(final byte[] ciphertext, final byte[] associatedData)
 .decrypt(this.keyName, request)
 .execute();
+ // Verify the server confirmed it received the request CRCs intact;
+ // see https://cloud.google.com/kms/docs/data-integrity-guidelines.
+ if (response.getVerifiedCiphertextCrc32c() == null
+ || !response.getVerifiedCiphertextCrc32c()) {
+ throw new GeneralSecurityException(
+ "Verifying the provided ciphertext checksum failed.");
+ }
+ if (response.getVerifiedAdditionalAuthenticatedDataCrc32c() == null
+ || !response.getVerifiedAdditionalAuthenticatedDataCrc32c()) {
+ throw new GeneralSecurityException(
+ "Verifying the provided associated data checksum failed.");
+ }
+
 byte[] plaintext = toNonNullableByteArray(response.decodePlaintext());
 long plaintextCrc32c = Hashing.crc32c().hashBytes(plaintext).padToLong();
 if (response.getPlaintextCrc32c() != plaintextCrc32c) {
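Review bot: The two new guards after `.execute()` fail closed when the flag is null or false, so they are only safe to ship if the request built above this hunk always sends both request CRCs, including for empty associated data; if either is omitted the server has nothing to confirm and every decrypt would now throw. That request code is outside the hunk, and it is also worth confirming against the KMS API reference that the symmetric decrypt response populates these verified flags at all, since the hunk itself cannot show it. The same applies to the second hunk, where the getters are used as plain booleans and an unset field would presumably read as false. As a smaller point, each condition calls the getter twice; `if (!Boolean.TRUE.equals(response.getVerifiedCiphertextCrc32c())) {` says the same thing in one call. The enclosing decrypt method starts and ends outside the hunk.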
@@ -248,6 +261,17 @@ public byte[] decrypt(final byte[] ciphertext, final byte[] associatedData)
 com.google.cloud.kms.v1.DecryptResponse decResponse = kmsClient.decrypt(decryptRequest);
+ // Verify the server confirmed it received the request CRCs intact;
+ // see https://cloud.google.com/kms/docs/data-integrity-guidelines.
+ if (!decResponse.getVerifiedCiphertextCrc32C()) {
+ throw new GeneralSecurityException(
+ "Verifying the provided ciphertext checksum failed.");
+ }
+ if (!decResponse.getVerifiedAdditionalAuthenticatedDataCrc32C()) {
+ throw new GeneralSecurityException(
+ "Verifying the provided associated data checksum failed.");
+ }
+
 byte[] plaintext = decResponse.getPlaintext().toByteArray();
 long plaintextCrc = Hashing.crc32c().hashBytes(plaintext).padToLong();