podman
253 строки · 8.1 Кб
1package libtrust
2
3import (
4"crypto"
5"crypto/ecdsa"
6"crypto/rsa"
7"crypto/x509"
8"encoding/json"
9"encoding/pem"
10"errors"
11"fmt"
12"io"
13)
14
15// PublicKey is a generic interface for a Public Key.
16type PublicKey interface {
17// KeyType returns the key type for this key. For elliptic curve keys,
18// this value should be "EC". For RSA keys, this value should be "RSA".
19KeyType() string
20// KeyID returns a distinct identifier which is unique to this Public Key.
21// The format generated by this library is a base32 encoding of a 240 bit
22// hash of the public key data divided into 12 groups like so:
23// ABCD:EFGH:IJKL:MNOP:QRST:UVWX:YZ23:4567:ABCD:EFGH:IJKL:MNOP
24KeyID() string
25// Verify verifyies the signature of the data in the io.Reader using this
26// Public Key. The alg parameter should identify the digital signature
27// algorithm which was used to produce the signature and should be
28// supported by this public key. Returns a nil error if the signature
29// is valid.
30Verify(data io.Reader, alg string, signature []byte) error
31// CryptoPublicKey returns the internal object which can be used as a
32// crypto.PublicKey for use with other standard library operations. The type
33// is either *rsa.PublicKey or *ecdsa.PublicKey
34CryptoPublicKey() crypto.PublicKey
35// These public keys can be serialized to the standard JSON encoding for
36// JSON Web Keys. See section 6 of the IETF draft RFC for JOSE JSON Web
37// Algorithms.
38MarshalJSON() ([]byte, error)
39// These keys can also be serialized to the standard PEM encoding.
40PEMBlock() (*pem.Block, error)
41// The string representation of a key is its key type and ID.
42String() string
43AddExtendedField(string, interface{})
44GetExtendedField(string) interface{}
45}
46
47// PrivateKey is a generic interface for a Private Key.
48type PrivateKey interface {
49// A PrivateKey contains all fields and methods of a PublicKey of the
50// same type. The MarshalJSON method also outputs the private key as a
51// JSON Web Key, and the PEMBlock method outputs the private key as a
52// PEM block.
53PublicKey
54// PublicKey returns the PublicKey associated with this PrivateKey.
55PublicKey() PublicKey
56// Sign signs the data read from the io.Reader using a signature algorithm
57// supported by the private key. If the specified hashing algorithm is
58// supported by this key, that hash function is used to generate the
59// signature otherwise the the default hashing algorithm for this key is
60// used. Returns the signature and identifier of the algorithm used.
61Sign(data io.Reader, hashID crypto.Hash) (signature []byte, alg string, err error)
62// CryptoPrivateKey returns the internal object which can be used as a
63// crypto.PublicKey for use with other standard library operations. The
64// type is either *rsa.PublicKey or *ecdsa.PublicKey
65CryptoPrivateKey() crypto.PrivateKey
66}
67
68// FromCryptoPublicKey returns a libtrust PublicKey representation of the given
69// *ecdsa.PublicKey or *rsa.PublicKey. Returns a non-nil error when the given
70// key is of an unsupported type.
71func FromCryptoPublicKey(cryptoPublicKey crypto.PublicKey) (PublicKey, error) {
72switch cryptoPublicKey := cryptoPublicKey.(type) {
73case *ecdsa.PublicKey:
74return fromECPublicKey(cryptoPublicKey)
75case *rsa.PublicKey:
76return fromRSAPublicKey(cryptoPublicKey), nil
77default:
78return nil, fmt.Errorf("public key type %T is not supported", cryptoPublicKey)
79}
80}
81
82// FromCryptoPrivateKey returns a libtrust PrivateKey representation of the given
83// *ecdsa.PrivateKey or *rsa.PrivateKey. Returns a non-nil error when the given
84// key is of an unsupported type.
85func FromCryptoPrivateKey(cryptoPrivateKey crypto.PrivateKey) (PrivateKey, error) {
86switch cryptoPrivateKey := cryptoPrivateKey.(type) {
87case *ecdsa.PrivateKey:
88return fromECPrivateKey(cryptoPrivateKey)
89case *rsa.PrivateKey:
90return fromRSAPrivateKey(cryptoPrivateKey), nil
91default:
92return nil, fmt.Errorf("private key type %T is not supported", cryptoPrivateKey)
93}
94}
95
96// UnmarshalPublicKeyPEM parses the PEM encoded data and returns a libtrust
97// PublicKey or an error if there is a problem with the encoding.
98func UnmarshalPublicKeyPEM(data []byte) (PublicKey, error) {
99pemBlock, _ := pem.Decode(data)
100if pemBlock == nil {
101return nil, errors.New("unable to find PEM encoded data")
102} else if pemBlock.Type != "PUBLIC KEY" {
103return nil, fmt.Errorf("unable to get PublicKey from PEM type: %s", pemBlock.Type)
104}
105
106return pubKeyFromPEMBlock(pemBlock)
107}
108
109// UnmarshalPublicKeyPEMBundle parses the PEM encoded data as a bundle of
110// PEM blocks appended one after the other and returns a slice of PublicKey
111// objects that it finds.
112func UnmarshalPublicKeyPEMBundle(data []byte) ([]PublicKey, error) {
113pubKeys := []PublicKey{}
114
115for {
116var pemBlock *pem.Block
117pemBlock, data = pem.Decode(data)
118if pemBlock == nil {
119break
120} else if pemBlock.Type != "PUBLIC KEY" {
121return nil, fmt.Errorf("unable to get PublicKey from PEM type: %s", pemBlock.Type)
122}
123
124pubKey, err := pubKeyFromPEMBlock(pemBlock)
125if err != nil {
126return nil, err
127}
128
129pubKeys = append(pubKeys, pubKey)
130}
131
132return pubKeys, nil
133}
134
135// UnmarshalPrivateKeyPEM parses the PEM encoded data and returns a libtrust
136// PrivateKey or an error if there is a problem with the encoding.
137func UnmarshalPrivateKeyPEM(data []byte) (PrivateKey, error) {
138pemBlock, _ := pem.Decode(data)
139if pemBlock == nil {
140return nil, errors.New("unable to find PEM encoded data")
141}
142
143var key PrivateKey
144
145switch {
146case pemBlock.Type == "RSA PRIVATE KEY":
147rsaPrivateKey, err := x509.ParsePKCS1PrivateKey(pemBlock.Bytes)
148if err != nil {
149return nil, fmt.Errorf("unable to decode RSA Private Key PEM data: %s", err)
150}
151key = fromRSAPrivateKey(rsaPrivateKey)
152case pemBlock.Type == "EC PRIVATE KEY":
153ecPrivateKey, err := x509.ParseECPrivateKey(pemBlock.Bytes)
154if err != nil {
155return nil, fmt.Errorf("unable to decode EC Private Key PEM data: %s", err)
156}
157key, err = fromECPrivateKey(ecPrivateKey)
158if err != nil {
159return nil, err
160}
161default:
162return nil, fmt.Errorf("unable to get PrivateKey from PEM type: %s", pemBlock.Type)
163}
164
165addPEMHeadersToKey(pemBlock, key.PublicKey())
166
167return key, nil
168}
169
170// UnmarshalPublicKeyJWK unmarshals the given JSON Web Key into a generic
171// Public Key to be used with libtrust.
172func UnmarshalPublicKeyJWK(data []byte) (PublicKey, error) {
173jwk := make(map[string]interface{})
174
175err := json.Unmarshal(data, &jwk)
176if err != nil {
177return nil, fmt.Errorf(
178"decoding JWK Public Key JSON data: %s\n", err,
179)
180}
181
182// Get the Key Type value.
183kty, err := stringFromMap(jwk, "kty")
184if err != nil {
185return nil, fmt.Errorf("JWK Public Key type: %s", err)
186}
187
188switch {
189case kty == "EC":
190// Call out to unmarshal EC public key.
191return ecPublicKeyFromMap(jwk)
192case kty == "RSA":
193// Call out to unmarshal RSA public key.
194return rsaPublicKeyFromMap(jwk)
195default:
196return nil, fmt.Errorf(
197"JWK Public Key type not supported: %q\n", kty,
198)
199}
200}
201
202// UnmarshalPublicKeyJWKSet parses the JSON encoded data as a JSON Web Key Set
203// and returns a slice of Public Key objects.
204func UnmarshalPublicKeyJWKSet(data []byte) ([]PublicKey, error) {
205rawKeys, err := loadJSONKeySetRaw(data)
206if err != nil {
207return nil, err
208}
209
210pubKeys := make([]PublicKey, 0, len(rawKeys))
211
212for _, rawKey := range rawKeys {
213pubKey, err := UnmarshalPublicKeyJWK(rawKey)
214if err != nil {
215return nil, err
216}
217pubKeys = append(pubKeys, pubKey)
218}
219
220return pubKeys, nil
221}
222
223// UnmarshalPrivateKeyJWK unmarshals the given JSON Web Key into a generic
224// Private Key to be used with libtrust.
225func UnmarshalPrivateKeyJWK(data []byte) (PrivateKey, error) {
226jwk := make(map[string]interface{})
227
228err := json.Unmarshal(data, &jwk)
229if err != nil {
230return nil, fmt.Errorf(
231"decoding JWK Private Key JSON data: %s\n", err,
232)
233}
234
235// Get the Key Type value.
236kty, err := stringFromMap(jwk, "kty")
237if err != nil {
238return nil, fmt.Errorf("JWK Private Key type: %s", err)
239}
240
241switch {
242case kty == "EC":
243// Call out to unmarshal EC private key.
244return ecPrivateKeyFromMap(jwk)
245case kty == "RSA":
246// Call out to unmarshal RSA private key.
247return rsaPrivateKeyFromMap(jwk)
248default:
249return nil, fmt.Errorf(
250"JWK Private Key type not supported: %q\n", kty,
251)
252}
253}
254