Google Git
Sign in
vanadium / release.go.x.ref / 94ec7564883d6bbf6fd79a24a200f4946331a9c3 / . / security / util.go
blob: 6e1f848f1c6e6f864c4c24c62f0894c4f2a6e4dc [file] [log] [blame]
Tilak Sharmad6ade0e2014-08-20 16:28:32 -0700[diff] [blame]1package security
2
3import (
Ankurf044a8d2014-09-05 17:05:24 -0700[diff] [blame]4 "bytes"
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]5 "crypto/ecdsa"
gauthamta134eda2014-11-05 17:57:42 -0800[diff] [blame]6 "crypto/elliptic"
Suharsh Sivakumar0f359042014-10-01 22:53:45 -0700[diff] [blame]7 "crypto/rand"
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]8 "crypto/x509"
Tilak Sharmad6ade0e2014-08-20 16:28:32 -0700[diff] [blame]9 "encoding/json"
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]10 "encoding/pem"
11 "errors"
Ankurf044a8d2014-09-05 17:05:24 -0700[diff] [blame]12 "fmt"
Tilak Sharmad6ade0e2014-08-20 16:28:32 -0700[diff] [blame]13 "io"
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]14 "io/ioutil"
Tilak Sharmad6ade0e2014-08-20 16:28:32 -0700[diff] [blame]15
Jiri Simsa519c5072014-09-17 21:37:57 -0700[diff] [blame]16 "veyron.io/veyron/veyron2/security"
17 "veyron.io/veyron/veyron2/vom"
Tilak Sharmad6ade0e2014-08-20 16:28:32 -0700[diff] [blame]18)
19
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]20const ecPrivateKeyPEMType = "EC PRIVATE KEY"
21
Tilak Sharmad6ade0e2014-08-20 16:28:32 -0700[diff] [blame]22var nullACL security.ACL
23
Gautham82bb9952014-08-28 14:11:51 -0700[diff] [blame]24// OpenACL creates an ACL that grants access to all principals.
25func OpenACL() security.ACL {
26 acl := security.ACL{}
27 acl.In = map[security.BlessingPattern]security.LabelSet{security.AllPrincipals: security.AllLabels}
28 return acl
29}
30
Suharsh Sivakumar4684f4e2014-10-24 13:42:06 -0700[diff] [blame]31var PassphraseErr = errors.New("passphrase incorrect for decrypting private key")
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]32
gauthamta134eda2014-11-05 17:57:42 -0800[diff] [blame]33// NewPrincipalKey generates an ECDSA (public, private) key pair.
34func NewPrincipalKey() (security.PublicKey, *ecdsa.PrivateKey, error) {
35 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
36 if err != nil {
37 return nil, nil, err
38 }
39 return security.NewECDSAPublicKey(&priv.PublicKey), priv, nil
40}
41
Ankur73e7a932014-10-24 15:57:03 -0700[diff] [blame]42// LoadPEMKey loads a key from 'r'. returns PassphraseErr for incorrect Passphrase.
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]43// If the key held in 'r' is unencrypted, 'passphrase' will be ignored.
Ankur73e7a932014-10-24 15:57:03 -0700[diff] [blame]44func LoadPEMKey(r io.Reader, passphrase []byte) (interface{}, error) {
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]45 pemBlockBytes, err := ioutil.ReadAll(r)
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]46 if err != nil {
47 return nil, err
48 }
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]49 pemBlock, _ := pem.Decode(pemBlockBytes)
50 if pemBlock == nil {
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]51 return nil, errors.New("no PEM key block read")
52 }
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]53 var data []byte
54 if x509.IsEncryptedPEMBlock(pemBlock) {
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]55 data, err = x509.DecryptPEMBlock(pemBlock, passphrase)
56 if err != nil {
Suharsh Sivakumar4684f4e2014-10-24 13:42:06 -0700[diff] [blame]57 return nil, PassphraseErr
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]58 }
59 } else {
60 data = pemBlock.Bytes
Suharsh Sivakumar0f359042014-10-01 22:53:45 -0700[diff] [blame]61 }
62
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]63 switch pemBlock.Type {
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]64 case ecPrivateKeyPEMType:
Suharsh Sivakumar4684f4e2014-10-24 13:42:06 -0700[diff] [blame]65 key, err := x509.ParseECPrivateKey(data)
66 if err != nil {
67 return nil, PassphraseErr
68 }
69 return key, nil
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]70 }
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]71 return nil, fmt.Errorf("PEM key block has an unrecognized type: %v", pemBlock.Type)
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]72}
73
Ankur73e7a932014-10-24 15:57:03 -0700[diff] [blame]74// SavePEMKey marshals 'key', encrypts it using 'passphrase', and saves the bytes to 'w' in PEM format.
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]75// If passphrase is nil, the key will not be encrypted.
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]76//
77// For example, if key is an ECDSA private key, it will be marshaled
Suharsh Sivakumar0f359042014-10-01 22:53:45 -0700[diff] [blame]78// in ASN.1, DER format, encrypted, and then written in a PEM block.
Ankur73e7a932014-10-24 15:57:03 -0700[diff] [blame]79func SavePEMKey(w io.Writer, key interface{}, passphrase []byte) error {
Suharsh Sivakumar0f359042014-10-01 22:53:45 -0700[diff] [blame]80 var data []byte
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]81 var err error
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]82 switch k := key.(type) {
83 case *ecdsa.PrivateKey:
Suharsh Sivakumar0f359042014-10-01 22:53:45 -0700[diff] [blame]84 if data, err = x509.MarshalECPrivateKey(k); err != nil {
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]85 return err
86 }
87 default:
88 return fmt.Errorf("key of type %T cannot be saved", k)
89 }
Suharsh Sivakumar0f359042014-10-01 22:53:45 -0700[diff] [blame]90
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]91 var pemKey *pem.Block
92 if passphrase != nil {
93 pemKey, err = x509.EncryptPEMBlock(rand.Reader, ecPrivateKeyPEMType, data, passphrase, x509.PEMCipherAES256)
94 if err != nil {
95 return fmt.Errorf("failed to encrypt pem block: %v", err)
96 }
97 } else {
98 pemKey = &pem.Block{
99 Type: ecPrivateKeyPEMType,
100 Bytes: data,
101 }
Suharsh Sivakumar0f359042014-10-01 22:53:45 -0700[diff] [blame]102 }
103
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]104 return pem.Encode(w, pemKey)
105}
106
Tilak Sharmad6ade0e2014-08-20 16:28:32 -0700[diff] [blame]107// LoadACL reads an ACL from the provided Reader containing a JSON encoded ACL.
108func LoadACL(r io.Reader) (security.ACL, error) {
109 var acl security.ACL
110 if err := json.NewDecoder(r).Decode(&acl); err != nil {
111 return nullACL, err
112 }
113 return acl, nil
114}
115
116// SaveACL encodes an ACL in JSON format and writes it to the provided Writer.
117func SaveACL(w io.Writer, acl security.ACL) error {
118 return json.NewEncoder(w).Encode(acl)
119}
Ankurf044a8d2014-09-05 17:05:24 -0700[diff] [blame]120
Ankurf044a8d2014-09-05 17:05:24 -0700[diff] [blame]121// CaveatValidators returns the set of security.CaveatValidators
122// obtained by decoding the provided caveat bytes.
123//
124// It is an error if any of the provided caveat bytes cannot
125// be decoded into a security.CaveatValidator.
Asim Shankarbb0f0c12014-09-09 13:32:28 -0700[diff] [blame]126func CaveatValidators(caveats ...security.Caveat) ([]security.CaveatValidator, error) {
Ankurf044a8d2014-09-05 17:05:24 -0700[diff] [blame]127 if len(caveats) == 0 {
128 return nil, nil
129 }
130 validators := make([]security.CaveatValidator, len(caveats))
131 for i, c := range caveats {
132 var v security.CaveatValidator
Asim Shankarbb0f0c12014-09-09 13:32:28 -0700[diff] [blame]133 if err := vom.NewDecoder(bytes.NewReader(c.ValidatorVOM)).Decode(&v); err != nil {
Ankurf044a8d2014-09-05 17:05:24 -0700[diff] [blame]134 return nil, fmt.Errorf("caveat bytes could not be VOM-decoded: %s", err)
135 }
136 validators[i] = v
137 }
138 return validators, nil
139}
140
141// ThirdPartyCaveats returns the set of security.ThirdPartyCaveats
142// that could be successfully decoded from the provided caveat bytes.
Asim Shankarbb0f0c12014-09-09 13:32:28 -0700[diff] [blame]143func ThirdPartyCaveats(caveats ...security.Caveat) []security.ThirdPartyCaveat {
Ankurf044a8d2014-09-05 17:05:24 -0700[diff] [blame]144 var tpCaveats []security.ThirdPartyCaveat
145 for _, c := range caveats {
146 var t security.ThirdPartyCaveat
Asim Shankarbb0f0c12014-09-09 13:32:28 -0700[diff] [blame]147 if err := vom.NewDecoder(bytes.NewReader(c.ValidatorVOM)).Decode(&t); err != nil {
Ankurf044a8d2014-09-05 17:05:24 -0700[diff] [blame]148 continue
149 }
150 tpCaveats = append(tpCaveats, t)
151 }
152 return tpCaveats
153}