Google Git
Sign in
vanadium / release.go.x.ref / c195b6d240446f02b97538e56107599949641e97 / . / security / util.go
blob: f7cff3f571046a7467ceba76e3675ccbfa96a87c [file] [log] [blame]
Tilak Sharmad6ade0e2014-08-20 16:28:32 -0700[diff] [blame]1package security
2
3import (
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]4 "crypto/ecdsa"
gauthamta134eda2014-11-05 17:57:42 -0800[diff] [blame]5 "crypto/elliptic"
Suharsh Sivakumar0f359042014-10-01 22:53:45 -0700[diff] [blame]6 "crypto/rand"
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]7 "crypto/x509"
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]8 "encoding/pem"
9 "errors"
Ankurf044a8d2014-09-05 17:05:24 -0700[diff] [blame]10 "fmt"
Tilak Sharmad6ade0e2014-08-20 16:28:32 -0700[diff] [blame]11 "io"
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]12 "io/ioutil"
Tilak Sharmad6ade0e2014-08-20 16:28:32 -0700[diff] [blame]13
Jiri Simsa764efb72014-12-25 20:57:03 -0800[diff] [blame]14 "v.io/core/veyron2/security"
Tilak Sharmad6ade0e2014-08-20 16:28:32 -0700[diff] [blame]15)
16
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]17const ecPrivateKeyPEMType = "EC PRIVATE KEY"
18
Suharsh Sivakumar4684f4e2014-10-24 13:42:06 -0700[diff] [blame]19var PassphraseErr = errors.New("passphrase incorrect for decrypting private key")
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]20
gauthamta134eda2014-11-05 17:57:42 -0800[diff] [blame]21// NewPrincipalKey generates an ECDSA (public, private) key pair.
22func NewPrincipalKey() (security.PublicKey, *ecdsa.PrivateKey, error) {
23 priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
24 if err != nil {
25 return nil, nil, err
26 }
27 return security.NewECDSAPublicKey(&priv.PublicKey), priv, nil
28}
29
Ankur73e7a932014-10-24 15:57:03 -0700[diff] [blame]30// LoadPEMKey loads a key from 'r'. returns PassphraseErr for incorrect Passphrase.
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]31// If the key held in 'r' is unencrypted, 'passphrase' will be ignored.
Ankur73e7a932014-10-24 15:57:03 -0700[diff] [blame]32func LoadPEMKey(r io.Reader, passphrase []byte) (interface{}, error) {
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]33 pemBlockBytes, err := ioutil.ReadAll(r)
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]34 if err != nil {
35 return nil, err
36 }
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]37 pemBlock, _ := pem.Decode(pemBlockBytes)
38 if pemBlock == nil {
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]39 return nil, errors.New("no PEM key block read")
40 }
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]41 var data []byte
42 if x509.IsEncryptedPEMBlock(pemBlock) {
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]43 data, err = x509.DecryptPEMBlock(pemBlock, passphrase)
44 if err != nil {
Suharsh Sivakumar4684f4e2014-10-24 13:42:06 -0700[diff] [blame]45 return nil, PassphraseErr
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]46 }
47 } else {
48 data = pemBlock.Bytes
Suharsh Sivakumar0f359042014-10-01 22:53:45 -0700[diff] [blame]49 }
50
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]51 switch pemBlock.Type {
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]52 case ecPrivateKeyPEMType:
Suharsh Sivakumar4684f4e2014-10-24 13:42:06 -0700[diff] [blame]53 key, err := x509.ParseECPrivateKey(data)
54 if err != nil {
55 return nil, PassphraseErr
56 }
57 return key, nil
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]58 }
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]59 return nil, fmt.Errorf("PEM key block has an unrecognized type: %v", pemBlock.Type)
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]60}
61
Ankur73e7a932014-10-24 15:57:03 -0700[diff] [blame]62// SavePEMKey marshals 'key', encrypts it using 'passphrase', and saves the bytes to 'w' in PEM format.
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]63// If passphrase is nil, the key will not be encrypted.
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]64//
65// For example, if key is an ECDSA private key, it will be marshaled
Suharsh Sivakumar0f359042014-10-01 22:53:45 -0700[diff] [blame]66// in ASN.1, DER format, encrypted, and then written in a PEM block.
Ankur73e7a932014-10-24 15:57:03 -0700[diff] [blame]67func SavePEMKey(w io.Writer, key interface{}, passphrase []byte) error {
Suharsh Sivakumar0f359042014-10-01 22:53:45 -0700[diff] [blame]68 var data []byte
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]69 var err error
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]70 switch k := key.(type) {
71 case *ecdsa.PrivateKey:
Suharsh Sivakumar0f359042014-10-01 22:53:45 -0700[diff] [blame]72 if data, err = x509.MarshalECPrivateKey(k); err != nil {
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]73 return err
74 }
75 default:
76 return fmt.Errorf("key of type %T cannot be saved", k)
77 }
Suharsh Sivakumar0f359042014-10-01 22:53:45 -0700[diff] [blame]78
Suharsh Sivakumaraca1c322014-10-21 11:27:32 -0700[diff] [blame]79 var pemKey *pem.Block
80 if passphrase != nil {
81 pemKey, err = x509.EncryptPEMBlock(rand.Reader, ecPrivateKeyPEMType, data, passphrase, x509.PEMCipherAES256)
82 if err != nil {
83 return fmt.Errorf("failed to encrypt pem block: %v", err)
84 }
85 } else {
86 pemKey = &pem.Block{
87 Type: ecPrivateKeyPEMType,
88 Bytes: data,
89 }
Suharsh Sivakumar0f359042014-10-01 22:53:45 -0700[diff] [blame]90 }
91
Ankur021e38e2014-09-26 10:26:45 -0700[diff] [blame]92 return pem.Encode(w, pemKey)
93}