project-oak
diff --git a/‎Cargo.lock‎
Lines changed: 14 additions & 0 deletions b/‎Cargo.lock‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎aead/Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎aead/Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎aead/src/aead_key_templates.rs‎
Lines changed: 35 additions & 0 deletions b/‎aead/src/aead_key_templates.rs‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎aead/src/aes_eax_key_manager.rs‎
Lines changed: 120 additions & 0 deletions b/‎aead/src/aes_eax_key_manager.rs‎
Lines changed: 120 additions & 0 deletions
diff --git a/‎aead/src/lib.rs‎
Lines changed: 6 additions & 0 deletions b/‎aead/src/lib.rs‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎aead/src/subtle/aes_eax.rs‎
Lines changed: 113 additions & 0 deletions b/‎aead/src/subtle/aes_eax.rs‎
Lines changed: 113 additions & 0 deletions
diff --git a/‎aead/src/subtle/mod.rs‎
Lines changed: 2 additions & 0 deletions b/‎aead/src/subtle/mod.rs‎
Lines changed: 2 additions & 0 deletions
@@ -20,6 +20,7 @@ aes-gcm = "^0.10.3"
 aes-gcm-siv = "^0.11.1"
 chacha20poly1305 = "^0.10"
 ctr = "^0.9.2"
+eax = "^0.5.0"
 generic-array = "^0.14.7"
 tink-core = "^0.3"
 tink-mac = "^0.3"
 
@@ -61,6 +61,22 @@ pub fn aes256_gcm_siv_no_prefix_key_template() -> KeyTemplate {
     create_aes_gcm_siv_key_template(32, OutputPrefixType::Raw)
 }
 
+/// Return a [`KeyTemplate`] that generates an AES-EAX key with the following parameters:
+///   - Key size: 16 bytes
+///   - IV size: 16 bytes
+///   - Output prefix type: TINK
+pub fn aes128_eax_key_template() -> KeyTemplate {
+    create_aes_eax_key_template(16, 16, OutputPrefixType::Tink)
+}
+
+/// Return a [`KeyTemplate`] that generates an AES-EAX key with the following parameters:
+///   - Key size: 32 bytes
+///   - IV size: 16 bytes
+///   - Output prefix type: TINK
+pub fn aes256_eax_key_template() -> KeyTemplate {
+    create_aes_eax_key_template(32, 16, OutputPrefixType::Tink)
+}
+
 /// Return a [`KeyTemplate`] that generates an AES-CTR-HMAC-AEAD key with the following parameters:
 ///  - AES key size: 16 bytes
 ///  - AES CTR IV size: 16 bytes
@@ -164,6 +180,25 @@ fn create_aes_gcm_siv_key_template(
     }
 }
 
+/// Return an AES-EAX key template with the given key size and IV size in bytes.
+fn create_aes_eax_key_template(
+    key_size: u32,
+    iv_size: u32,
+    output_prefix_type: OutputPrefixType,
+) -> KeyTemplate {
+    let format = tink_proto::AesEaxKeyFormat {
+        params: Some(tink_proto::AesEaxParams { iv_size }),
+        key_size,
+    };
+    let mut serialized_format = Vec::new();
+    format.encode(&mut serialized_format).unwrap(); // safe: proto-encode
+    KeyTemplate {
+        type_url: crate::AES_EAX_TYPE_URL.to_string(),
+        value: serialized_format,
+        output_prefix_type: output_prefix_type as i32,
+    }
+}
+
 /// Return an AES-CTR-HMAC key template with the given parameters.
 fn create_aes_ctr_hmac_aead_key_template(
     aes_key_size: u32,
 
@@ -0,0 +1,120 @@
+// Copyright 2026 The Tink-Rust Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+//! Key manager for AES-EAX keys.
+
+use crate::subtle;
+use tink_core::{utils::wrap_err, TinkError};
+use tink_proto::prost::Message;
+
+/// Maximal version of AES-EAX keys.
+pub const AES_EAX_KEY_VERSION: u32 = 0;
+/// Type URL of AES-EAX keys that Tink supports.
+pub const AES_EAX_TYPE_URL: &str = "type.googleapis.com/google.crypto.tink.AesEaxKey";
+
+/// `AesEaxKeyManager` is an implementation of the `tink_core::registry::KeyManager` trait.
+/// It generates new [`AesEaxKey`](tink_proto::AesEaxKey) keys and produces new instances of
+/// [`subtle::AesEax`].
+#[derive(Default)]
+pub(crate) struct AesEaxKeyManager {}
+
+impl tink_core::registry::KeyManager for AesEaxKeyManager {
+    /// Create a [`subtle::AesEax`] for the given serialized [`tink_proto::AesEaxKey`].
+    fn primitive(&self, serialized_key: &[u8]) -> Result<tink_core::Primitive, TinkError> {
+        if serialized_key.is_empty() {
+            return Err("AesEaxKeyManager: invalid key".into());
+        }
+
+        let key = tink_proto::AesEaxKey::decode(serialized_key)
+            .map_err(|e| wrap_err("AesEaxKeyManager: invalid key", e))?;
+        validate_key(&key)?;
+
+        let params = key
+            .params
+            .ok_or_else(|| TinkError::new("AesEaxKeyManager: missing params"))?;
+
+        match subtle::AesEax::new(&key.key_value, params.iv_size as usize) {
+            Ok(p) => Ok(tink_core::Primitive::Aead(Box::new(p))),
+            Err(e) => Err(wrap_err("AesEaxKeyManager: cannot create new primitive", e)),
+        }
+    }
+
+    /// Create a new key according to specification the given serialized
+    /// [`tink_proto::AesEaxKeyFormat`].
+    fn new_key(&self, serialized_key_format: &[u8]) -> Result<Vec<u8>, TinkError> {
+        if serialized_key_format.is_empty() {
+            return Err("AesEaxKeyManager: invalid key format".into());
+        }
+
+        let key_format = tink_proto::AesEaxKeyFormat::decode(serialized_key_format)
+            .map_err(|e| wrap_err("AesEaxKeyManager: invalid key format", e))?;
+        validate_key_format(&key_format)
+            .map_err(|e| wrap_err("AesEaxKeyManager: invalid key format", e))?;
+
+        let key_value = tink_core::subtle::random::get_random_bytes(key_format.key_size as usize);
+        let key = tink_proto::AesEaxKey {
+            version: AES_EAX_KEY_VERSION,
+            params: key_format.params,
+            key_value,
+        };
+
+        let mut sk = Vec::new();
+        key.encode(&mut sk)
+            .map_err(|e| wrap_err("AesEaxKeyManager: failed to encode new key", e))?;
+
+        Ok(sk)
+    }
+
+    fn type_url(&self) -> &'static str {
+        AES_EAX_TYPE_URL
+    }
+
+    fn key_material_type(&self) -> tink_proto::key_data::KeyMaterialType {
+        tink_proto::key_data::KeyMaterialType::Symmetric
+    }
+}
+
+/// Validate the given [`tink_proto::AesEaxKey`].
+fn validate_key(key: &tink_proto::AesEaxKey) -> Result<(), TinkError> {
+    tink_core::keyset::validate_key_version(key.version, AES_EAX_KEY_VERSION)
+        .map_err(|e| wrap_err("AesEaxKeyManager", e))?;
+
+    crate::subtle::validate_aes_key_size(key.key_value.len())
+        .map_err(|e| wrap_err("AesEaxKeyManager", e))?;
+
+    let params = key
+        .params
+        .as_ref()
+        .ok_or_else(|| TinkError::new("AesEaxKeyManager: missing params"))?;
+    validate_aes_eax_params(params).map_err(|e| wrap_err("AesEaxKeyManager", e))
+}
+
+/// Validate the given [`tink_proto::AesEaxKeyFormat`].
+fn validate_key_format(format: &tink_proto::AesEaxKeyFormat) -> Result<(), TinkError> {
+    crate::subtle::validate_aes_key_size(format.key_size as usize)
+        .map_err(|e| wrap_err("AesEaxKeyManager", e))?;
+
+    let params = format
+        .params
+        .as_ref()
+        .ok_or_else(|| TinkError::new("AesEaxKeyManager: missing params"))?;
+    validate_aes_eax_params(params).map_err(|e| wrap_err("AesEaxKeyManager", e))
+}
+
+/// Validate AES-EAX parameters.
+fn validate_aes_eax_params(params: &tink_proto::AesEaxParams) -> Result<(), TinkError> {
+    crate::subtle::validate_iv_size(params.iv_size as usize)
+}
@@ -30,6 +30,8 @@ mod aead_key_templates;
 pub use aead_key_templates::*;
 mod aes_ctr_hmac_aead_key_manager;
 pub use aes_ctr_hmac_aead_key_manager::*;
+mod aes_eax_key_manager;
+pub use aes_eax_key_manager::*;
 mod aes_gcm_key_manager;
 pub use aes_gcm_key_manager::*;
 mod aes_gcm_siv_key_manager;
@@ -57,6 +59,8 @@ pub fn init() {
     INIT.call_once(|| {
         register_key_manager(std::sync::Arc::new(AesCtrHmacAeadKeyManager::default()))
             .expect("tink_aead::init() failed"); // safe: init
+        register_key_manager(std::sync::Arc::new(AesEaxKeyManager::default()))
+            .expect("tink_aead::init() failed"); // safe: init
         register_key_manager(std::sync::Arc::new(AesGcmKeyManager::default()))
             .expect("tink_aead::init() failed"); // safe: init
         register_key_manager(std::sync::Arc::new(AesGcmSivKeyManager::default()))
@@ -68,6 +72,8 @@ pub fn init() {
         register_key_manager(std::sync::Arc::new(KmsEnvelopeAeadKeyManager::default()))
             .expect("tink_aead::init() failed"); // safe:init
 
+        tink_core::registry::register_template_generator("AES128_EAX", aes128_eax_key_template);
+        tink_core::registry::register_template_generator("AES256_EAX", aes256_eax_key_template);
         tink_core::registry::register_template_generator("AES128_GCM", aes128_gcm_key_template);
         tink_core::registry::register_template_generator("AES256_GCM", aes256_gcm_key_template);
         tink_core::registry::register_template_generator(
 
@@ -0,0 +1,113 @@
+// Copyright 2026 The Tink-Rust Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+//! AES-EAX based implementation of the [`tink_core::Aead`] trait.
+
+use aes::{Aes128, Aes256};
+use eax::aead::{generic_array::GenericArray, Aead, KeyInit, Payload};
+use generic_array::typenum;
+use tink_core::{utils::wrap_err, TinkError};
+
+/// The only IV size that this implementation supports.
+/// Note: The Rust eax crate only supports nonces equal to the cipher block size (16 bytes for AES).
+pub const AES_EAX_IV_SIZE: usize = 16;
+/// The only tag size that this implementation supports.
+pub const AES_EAX_TAG_SIZE: usize = 16;
+
+#[derive(Clone)]
+enum AesEaxVariant {
+    Aes128(eax::Eax<Aes128, typenum::U16>),
+    Aes256(eax::Eax<Aes256, typenum::U16>),
+}
+
+/// `AesEax` is an implementation of the [`tink_core::Aead`] trait.
+/// Note: This implementation only supports 16-byte IVs due to limitations in the underlying eax crate.
+#[derive(Clone)]
+pub struct AesEax {
+    cipher: AesEaxVariant,
+}
+
+impl AesEax {
+    /// Return an [`AesEax`] instance.
+    /// The key argument should be the AES key, either 16 or 32 bytes to select
+    /// AES-128 or AES-256.
+    /// The `iv_size` must be 16 bytes (128 bits).
+    pub fn new(key: &[u8], iv_size: usize) -> Result<AesEax, TinkError> {
+        validate_iv_size(iv_size).map_err(|e| wrap_err("AesEax", e))?;
+        let cipher = match key.len() {
+            16 => AesEaxVariant::Aes128(eax::Eax::new(GenericArray::from_slice(key))),
+            32 => AesEaxVariant::Aes256(eax::Eax::new(GenericArray::from_slice(key))),
+            l => return Err(format!("AesEax: invalid AES key size {} (want 16, 32)", l).into()),
+        };
+        Ok(AesEax { cipher })
+    }
+}
+
+impl tink_core::Aead for AesEax {
+    /// Encrypt `pt` with `aad` as additional authenticated data.  The resulting ciphertext consists
+    /// of two parts: (1) the IV used for encryption and (2) the actual ciphertext with tag.
+    ///
+    /// Note: AES-EAX implementation always returns ciphertext with 128-bit tag.
+    fn encrypt(&self, pt: &[u8], aad: &[u8]) -> Result<Vec<u8>, TinkError> {
+        let iv = tink_core::subtle::random::get_random_bytes(AES_EAX_IV_SIZE);
+        let nonce = GenericArray::<u8, typenum::U16>::from_slice(&iv);
+
+        let payload = Payload { msg: pt, aad };
+        let ct_or = match &self.cipher {
+            AesEaxVariant::Aes128(cipher) => cipher.encrypt(nonce, payload),
+            AesEaxVariant::Aes256(cipher) => cipher.encrypt(nonce, payload),
+        };
+
+        let ct = ct_or.map_err(|e| wrap_err("AesEax", e))?;
+        let mut ret = Vec::with_capacity(iv.len() + ct.len());
+        ret.extend_from_slice(&iv);
+        ret.extend_from_slice(&ct);
+
+        Ok(ret)
+    }
+
+    /// Decrypt `ct` with `aad` as the additional authenticated data.
+    fn decrypt(&self, ct: &[u8], aad: &[u8]) -> Result<Vec<u8>, TinkError> {
+        if ct.len() < AES_EAX_IV_SIZE + AES_EAX_TAG_SIZE {
+            return Err("AesEax: ciphertext too short".into());
+        }
+        let nonce = GenericArray::<u8, typenum::U16>::from_slice(&ct[..AES_EAX_IV_SIZE]);
+
+        let payload = Payload {
+            msg: &ct[AES_EAX_IV_SIZE..],
+            aad,
+        };
+        let pt_or = match &self.cipher {
+            AesEaxVariant::Aes128(cipher) => cipher.decrypt(nonce, payload),
+            AesEaxVariant::Aes256(cipher) => cipher.decrypt(nonce, payload),
+        };
+
+        let pt = pt_or.map_err(|e| wrap_err("AesEax", e))?;
+        Ok(pt)
+    }
+}
+
+/// Validate AES-EAX IV (nonce) size.
+pub(crate) fn validate_iv_size(iv_size: usize) -> Result<(), TinkError> {
+    if iv_size != AES_EAX_IV_SIZE {
+        return Err(format!(
+            "invalid AES-EAX IV size; only {} is supported (got {})",
+            AES_EAX_IV_SIZE, iv_size
+        )
+        .into());
+    }
+    Ok(())
+}
@@ -20,6 +20,8 @@ mod aead;
 pub use self::aead::*;
 mod aes_ctr;
 pub use self::aes_ctr::*;
+mod aes_eax;
+pub use self::aes_eax::*;
 mod aes_gcm;
 pub use self::aes_gcm::*;
 mod aes_gcm_siv;