encrypted_writer.h

Go to the documentation of this file.

// BSD 3-Clause License
// Copyright (c) 2025, 🍀☀🌕🌥 🌊
// See the LICENSE file in the project root for full license information.
 
#pragma once
 
#include "decorator_writer_base.h"
#include "../security/secure_key_storage.h"
#include "../core/error_codes.h"
 
#include <kcenon/logger/logger_export.h>
 
#include <array>
#include <memory>
#include <mutex>
#include <atomic>
#include <chrono>
#include <optional>
#include <vector>
#include <cstdint>
#include <functional>
 
// OpenSSL for AES-GCM encryption
#if __has_include(<openssl/evp.h>)
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#include <openssl/opensslv.h>
#define LOGGER_HAS_OPENSSL_CRYPTO 1
#endif
 
namespace kcenon::logger {
 
enum class encryption_algorithm {
    aes_256_gcm,       
    aes_256_cbc,       
    chacha20_poly1305  
};
 
struct encryption_config {
    encryption_algorithm algorithm = encryption_algorithm::aes_256_gcm;
 
    security::secure_key key;
 
    bool rotate_iv_per_entry = true;
 
    std::optional<std::chrono::hours> key_rotation_interval;
 
    std::filesystem::path key_rotation_path;
 
    std::filesystem::path key_storage_base = "/var/log/keys";
 
    encryption_config(
        encryption_algorithm algo,
        security::secure_key encryption_key
    ) : algorithm(algo), key(std::move(encryption_key)) {}
 
    // Allow default construction with explicit key setting
    encryption_config() : key(32) {}
 
    // Move-only semantics (secure_key is move-only)
    encryption_config(encryption_config&&) noexcept = default;
    encryption_config& operator=(encryption_config&&) noexcept = default;
    encryption_config(const encryption_config&) = delete;
    encryption_config& operator=(const encryption_config&) = delete;
};
 
struct encrypted_log_header {
    static constexpr uint32_t kMagic = 0x454E4352;  // "ENCR"
    static constexpr uint8_t kVersion = 1;
    static constexpr size_t kIvSize = 16;
    static constexpr size_t kTagSize = 16;
 
    uint32_t magic = kMagic;          
    uint8_t version = kVersion;       
    uint8_t algorithm = 0;            
    uint16_t reserved = 0;            
    uint32_t original_length = 0;     
    uint32_t encrypted_length = 0;    
    std::array<uint8_t, kIvSize> iv{};   
    std::array<uint8_t, kTagSize> tag{}; 
};
 
class LOGGER_SYSTEM_API encrypted_writer : public decorator_writer_base {
public:
    explicit encrypted_writer(
        std::unique_ptr<log_writer_interface> wrapped,
        encryption_config config
    );
 
    ~encrypted_writer() override;
 
    // Non-copyable and non-movable (mutex cannot be moved)
    encrypted_writer(const encrypted_writer&) = delete;
    encrypted_writer& operator=(const encrypted_writer&) = delete;
    encrypted_writer(encrypted_writer&&) = delete;
    encrypted_writer& operator=(encrypted_writer&&) = delete;
 
    common::VoidResult write(const log_entry& entry) override;
 
    common::VoidResult rotate_key(security::secure_key new_key);
 
    uint64_t get_entries_encrypted() const;
 
    std::chrono::system_clock::time_point get_last_key_rotation() const;
 
    static result<std::string> decrypt_entry(
        const std::vector<uint8_t>& encrypted_data,
        const security::secure_key& key
    );
 
private:
    common::VoidResult encrypt_data(
        const std::string& plaintext,
        std::vector<uint8_t>& output
    );
 
    common::VoidResult generate_iv(uint8_t* iv);
 
    bool should_rotate_key() const;
 
    common::VoidResult auto_rotate_key_if_needed();
 
#ifdef LOGGER_HAS_OPENSSL_CRYPTO
    common::VoidResult init_cipher_context();
 
    void cleanup_cipher_context();
#endif
 
    encryption_config config_;
    mutable std::mutex write_mutex_;
 
    std::atomic<uint64_t> entries_encrypted_{0};
    std::chrono::system_clock::time_point last_key_rotation_;
    std::atomic<bool> is_initialized_{false};
 
#ifdef LOGGER_HAS_OPENSSL_CRYPTO
    EVP_CIPHER_CTX* cipher_ctx_ = nullptr;
#endif
};
 
class log_decryptor {
public:
    explicit log_decryptor(const security::secure_key& key);
 
    ~log_decryptor();
 
    // Non-copyable and non-movable
    log_decryptor(const log_decryptor&) = delete;
    log_decryptor& operator=(const log_decryptor&) = delete;
    log_decryptor(log_decryptor&&) = delete;
    log_decryptor& operator=(log_decryptor&&) = delete;
 
    result<size_t> decrypt_file(
        const std::filesystem::path& input_path,
        const std::filesystem::path& output_path
    );
 
    result<size_t> decrypt_file_streaming(
        const std::filesystem::path& input_path,
        std::function<void(const std::string&)> callback
    );
 
private:
    security::secure_key key_;
 
#ifdef LOGGER_HAS_OPENSSL_CRYPTO
    EVP_CIPHER_CTX* cipher_ctx_ = nullptr;
#endif
};
 
} // namespace kcenon::logger