Blame - security/util.go - release.go.x.ref

blob: 1ce53ef343753f2f898efce8b09fafb1d655f98c [file] [log] [blame]

Tilak Sharma	d6ade0e	2014-08-20 16:28:32 -0700	[diff] [blame]	1	package security
				2
				3	import (
Ankur	f044a8d	2014-09-05 17:05:24 -0700	[diff] [blame]	4	"bytes"
Ankur	021e38e	2014-09-26 10:26:45 -0700	[diff] [blame]	5	"crypto/ecdsa"
gauthamt	a134eda	2014-11-05 17:57:42 -0800	[diff] [blame]	6	"crypto/elliptic"
Suharsh Sivakumar	0f35904	2014-10-01 22:53:45 -0700	[diff] [blame]	7	"crypto/rand"
Ankur	021e38e	2014-09-26 10:26:45 -0700	[diff] [blame]	8	"crypto/x509"
Ankur	021e38e	2014-09-26 10:26:45 -0700	[diff] [blame]	9	"encoding/pem"
				10	"errors"
Ankur	f044a8d	2014-09-05 17:05:24 -0700	[diff] [blame]	11	"fmt"
Tilak Sharma	d6ade0e	2014-08-20 16:28:32 -0700	[diff] [blame]	12	"io"
Ankur	021e38e	2014-09-26 10:26:45 -0700	[diff] [blame]	13	"io/ioutil"
Tilak Sharma	d6ade0e	2014-08-20 16:28:32 -0700	[diff] [blame]	14
Jiri Simsa	519c507	2014-09-17 21:37:57 -0700	[diff] [blame]	15	"veyron.io/veyron/veyron2/security"
				16	"veyron.io/veyron/veyron2/vom"
Tilak Sharma	d6ade0e	2014-08-20 16:28:32 -0700	[diff] [blame]	17	)
				18
Ankur	021e38e	2014-09-26 10:26:45 -0700	[diff] [blame]	19	const ecPrivateKeyPEMType = "EC PRIVATE KEY"
				20
Suharsh Sivakumar	4684f4e	2014-10-24 13:42:06 -0700	[diff] [blame]	21	var PassphraseErr = errors.New("passphrase incorrect for decrypting private key")
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	22
gauthamt	a134eda	2014-11-05 17:57:42 -0800	[diff] [blame]	23	// NewPrincipalKey generates an ECDSA (public, private) key pair.
				24	func NewPrincipalKey() (security.PublicKey, *ecdsa.PrivateKey, error) {
				25	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
				26	if err != nil {
				27	return nil, nil, err
				28	}
				29	return security.NewECDSAPublicKey(&priv.PublicKey), priv, nil
				30	}
				31
Ankur	73e7a93	2014-10-24 15:57:03 -0700	[diff] [blame]	32	// LoadPEMKey loads a key from 'r'. returns PassphraseErr for incorrect Passphrase.
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	33	// If the key held in 'r' is unencrypted, 'passphrase' will be ignored.
Ankur	73e7a93	2014-10-24 15:57:03 -0700	[diff] [blame]	34	func LoadPEMKey(r io.Reader, passphrase []byte) (interface{}, error) {
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	35	pemBlockBytes, err := ioutil.ReadAll(r)
Ankur	021e38e	2014-09-26 10:26:45 -0700	[diff] [blame]	36	if err != nil {
				37	return nil, err
				38	}
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	39	pemBlock, _ := pem.Decode(pemBlockBytes)
				40	if pemBlock == nil {
Ankur	021e38e	2014-09-26 10:26:45 -0700	[diff] [blame]	41	return nil, errors.New("no PEM key block read")
				42	}
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	43	var data []byte
				44	if x509.IsEncryptedPEMBlock(pemBlock) {
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	45	data, err = x509.DecryptPEMBlock(pemBlock, passphrase)
				46	if err != nil {
Suharsh Sivakumar	4684f4e	2014-10-24 13:42:06 -0700	[diff] [blame]	47	return nil, PassphraseErr
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	48	}
				49	} else {
				50	data = pemBlock.Bytes
Suharsh Sivakumar	0f35904	2014-10-01 22:53:45 -0700	[diff] [blame]	51	}
				52
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	53	switch pemBlock.Type {
Ankur	021e38e	2014-09-26 10:26:45 -0700	[diff] [blame]	54	case ecPrivateKeyPEMType:
Suharsh Sivakumar	4684f4e	2014-10-24 13:42:06 -0700	[diff] [blame]	55	key, err := x509.ParseECPrivateKey(data)
				56	if err != nil {
				57	return nil, PassphraseErr
				58	}
				59	return key, nil
Ankur	021e38e	2014-09-26 10:26:45 -0700	[diff] [blame]	60	}
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	61	return nil, fmt.Errorf("PEM key block has an unrecognized type: %v", pemBlock.Type)
Ankur	021e38e	2014-09-26 10:26:45 -0700	[diff] [blame]	62	}
				63
Ankur	73e7a93	2014-10-24 15:57:03 -0700	[diff] [blame]	64	// SavePEMKey marshals 'key', encrypts it using 'passphrase', and saves the bytes to 'w' in PEM format.
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	65	// If passphrase is nil, the key will not be encrypted.
Ankur	021e38e	2014-09-26 10:26:45 -0700	[diff] [blame]	66	//
				67	// For example, if key is an ECDSA private key, it will be marshaled
Suharsh Sivakumar	0f35904	2014-10-01 22:53:45 -0700	[diff] [blame]	68	// in ASN.1, DER format, encrypted, and then written in a PEM block.
Ankur	73e7a93	2014-10-24 15:57:03 -0700	[diff] [blame]	69	func SavePEMKey(w io.Writer, key interface{}, passphrase []byte) error {
Suharsh Sivakumar	0f35904	2014-10-01 22:53:45 -0700	[diff] [blame]	70	var data []byte
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	71	var err error
Ankur	021e38e	2014-09-26 10:26:45 -0700	[diff] [blame]	72	switch k := key.(type) {
				73	case *ecdsa.PrivateKey:
Suharsh Sivakumar	0f35904	2014-10-01 22:53:45 -0700	[diff] [blame]	74	if data, err = x509.MarshalECPrivateKey(k); err != nil {
Ankur	021e38e	2014-09-26 10:26:45 -0700	[diff] [blame]	75	return err
				76	}
				77	default:
				78	return fmt.Errorf("key of type %T cannot be saved", k)
				79	}
Suharsh Sivakumar	0f35904	2014-10-01 22:53:45 -0700	[diff] [blame]	80
Suharsh Sivakumar	aca1c32	2014-10-21 11:27:32 -0700	[diff] [blame]	81	var pemKey *pem.Block
				82	if passphrase != nil {
				83	pemKey, err = x509.EncryptPEMBlock(rand.Reader, ecPrivateKeyPEMType, data, passphrase, x509.PEMCipherAES256)
				84	if err != nil {
				85	return fmt.Errorf("failed to encrypt pem block: %v", err)
				86	}
				87	} else {
				88	pemKey = &pem.Block{
				89	Type: ecPrivateKeyPEMType,
				90	Bytes: data,
				91	}
Suharsh Sivakumar	0f35904	2014-10-01 22:53:45 -0700	[diff] [blame]	92	}
				93
Ankur	021e38e	2014-09-26 10:26:45 -0700	[diff] [blame]	94	return pem.Encode(w, pemKey)
				95	}
				96
Ankur	f044a8d	2014-09-05 17:05:24 -0700	[diff] [blame]	97	// ThirdPartyCaveats returns the set of security.ThirdPartyCaveats
				98	// that could be successfully decoded from the provided caveat bytes.
Asim Shankar	bb0f0c1	2014-09-09 13:32:28 -0700	[diff] [blame]	99	func ThirdPartyCaveats(caveats ...security.Caveat) []security.ThirdPartyCaveat {
Ankur	f044a8d	2014-09-05 17:05:24 -0700	[diff] [blame]	100	var tpCaveats []security.ThirdPartyCaveat
				101	for _, c := range caveats {
				102	var t security.ThirdPartyCaveat
Asim Shankar	bb0f0c1	2014-09-09 13:32:28 -0700	[diff] [blame]	103	if err := vom.NewDecoder(bytes.NewReader(c.ValidatorVOM)).Decode(&t); err != nil {
Ankur	f044a8d	2014-09-05 17:05:24 -0700	[diff] [blame]	104	continue
				105	}
				106	tpCaveats = append(tpCaveats, t)
				107	}
				108	return tpCaveats
				109	}