func MakeKeyMgr() *dkeyczar.KeyManager {
// make key set
keytype := dkeyczar.T_AES
km := dkeyczar.NewKeyManager()
keypurpose := dkeyczar.P_DECRYPT_AND_ENCRYPT
km.Create("goq.aes.key", keypurpose, keytype)
return &km
}
func writeKeyczartTest(dir string) {
fulldir := TESTDATA + dir
km := dkeyczar.NewKeyManager()
r := dkeyczar.NewFileReader(fulldir)
km.Load(r)
json := km.ToJSONs(nil)
fmt.Println(`
meta = """` + json[0] + `"""
keys={`)
for i := 1; i < len(json); i++ {
fmt.Println(" " + strconv.Itoa(i) + `: """` + json[i] + `""",`)
}
fmt.Println(`}
r = JSONReader(meta, keys)`)
signer, _ := dkeyczar.NewSigner(r)
if signer != nil {
signature, _ := signer.Sign([]byte(PLAINTEXT))
fmt.Println(
`check_verify(r,
"json ` + dir + `",
"` + PLAINTEXT + `",
"` + signature + `",
)`)
} else {
crypter, _ := dkeyczar.NewCrypter(r)
ciphertext, _ := crypter.Encrypt([]byte(PLAINTEXT))
fmt.Println(
`check_decrypt(r,
"json ` + dir + `",
"` + PLAINTEXT + `",
"` + ciphertext + `",
)`)
}
}
func main() {
//value string `short:"" long:"" description:""`
var createOpts struct {
Location string `short:"l" long:"location" description:"The location of the key set."`
Purpose string `short:"o" long:"purpose" description:"The purpose of the key set (sign|crypt)."`
Name string `short:"n" long:"name" description:"The key set name."`
Asymmetric string `short:"a" long:"asymmetric" description:"Use asymmetric algorithm (dsa|rsa)."`
}
var addKeyOpts struct {
Location string `short:"l" long:"location" description:"The location of the key set."`
Status string `short:"s" long:"status" description:"The status (active|primary)."`
Size int `short:"b" long:"size" description:"The key size in bits."`
Crypter string `short:"c" long:"crypter" description:"The location of the crypter key set to crypt the main key set."`
}
var promoteOpts struct {
Location string `short:"l" long:"location" description:"The location of the key set."`
Version int `short:"v" long:"version" default:"0" description:"The key version."`
}
var demoteOpts struct {
Location string `short:"l" long:"location" description:"The location of the key set."`
Version int `short:"v" long:"version" default:"0" description:"The key version."`
}
var revokeOpts struct {
Location string `short:"l" long:"location" description:"The location of the key set."`
Version int `short:"v" long:"version" default:"0" description:"The key version."`
}
var pubKeyOpts struct {
Location string `short:"l" long:"location" description:"The location of the key set."`
Destination string `short:"d" long:"destination" description:"The destination location of the operation."`
Crypter string `short:"c" long:"crypter" description:"The location of the crypter key set to crypt the main key set."`
}
var useKeyOpts struct {
Format string `long:"format" description:"Output usage for key (crypt|sign|sign-timeout|sign-vanilla|sign-attached|crypt-session|crypt-signedsession)."`
Location string `short:"l" long:"location" description:"The location of the key set."`
Location2 string `long:"location2" description:"The location of the 2nd key set."`
Destination string `short:"d" long:"destination" description:"The destination location of the operation."`
Destination2 string `long:"destination2" description:"The second destination location of the operation."`
Crypter string `short:"c" long:"crypter" description:"The location of the crypter key set to crypt the main key set."`
Crypter2 string `short:"c" long:"crypter2" description:"The location of the crypter key set to crypt the 2nd key set."`
}
parser := flags.NewNamedParser("dkeyczart", flags.Default)
parser.AddCommand("create", "Create a new key set.", "Create a new key set.", &createOpts)
parser.AddCommand("addkey", "Add a new key to an existing key set.", "Add a new key to an existing key set.", &addKeyOpts)
parser.AddCommand("promote", "Promote a given key version from the key set.", "Promote a given key version from the key set.", &promoteOpts)
parser.AddCommand("demote", "Demote a given key version from the key set.", "Demote a given key version from the key set.", &demoteOpts)
parser.AddCommand("revoke", "Revoke a given key version from the key set.", "Revoke a given key version from the key set.", &revokeOpts)
parser.AddCommand("pubkey", "Extracts public keys to a new key set.", "Extracts public keys to a new key set.", &pubKeyOpts)
parser.AddCommand("usekey", "Uses keyset to encrypt or sign a message.", "Uses keyset to encrypt or sign a message.", &useKeyOpts)
args, err := parser.Parse()
if err != nil {
os.Exit(1)
}
command := os.Args[1]
km := dkeyczar.NewKeyManager()
switch command {
case "create":
keypurpose := dkeyczar.P_TEST
switch createOpts.Purpose {
case "crypt":
keypurpose = dkeyczar.P_DECRYPT_AND_ENCRYPT
case "sign":
keypurpose = dkeyczar.P_SIGN_AND_VERIFY
case "":
fmt.Println("must provide a purpose with --purpose")
return
default:
fmt.Println("unknown cryptographic purpose:", createOpts.Purpose)
return
}
if createOpts.Asymmetric != "" && createOpts.Asymmetric != "dsa" && createOpts.Asymmetric != "rsa" {
fmt.Println("unknown asymmetric key type:", createOpts.Asymmetric)
return
}
keytype := dkeyczar.T_AES
switch {
case keypurpose == dkeyczar.P_DECRYPT_AND_ENCRYPT && createOpts.Asymmetric == "":
keytype = dkeyczar.T_AES
case keypurpose == dkeyczar.P_DECRYPT_AND_ENCRYPT && createOpts.Asymmetric == "rsa":
keytype = dkeyczar.T_RSA_PRIV
case keypurpose == dkeyczar.P_SIGN_AND_VERIFY && createOpts.Asymmetric == "":
keytype = dkeyczar.T_HMAC_SHA1
case keypurpose == dkeyczar.P_SIGN_AND_VERIFY && createOpts.Asymmetric == "rsa":
keytype = dkeyczar.T_RSA_PRIV
case keypurpose == dkeyczar.P_SIGN_AND_VERIFY && createOpts.Asymmetric == "dsa":
keytype = dkeyczar.T_DSA_PRIV
default:
fmt.Println("unknown or invalid purpose/asymmetric combination:", createOpts.Purpose, "/", createOpts.Asymmetric)
return
}
km.Create(createOpts.Name, keypurpose, keytype)
Save(createOpts.Location, km, nil)
case "promote":
if !loadLocationReader(km, promoteOpts.Location, nil) {
return
}
if promoteOpts.Version == 0 {
fmt.Println("must provide a version with --version")
return
}
km.Promote(promoteOpts.Version)
Update(promoteOpts.Location, km, nil)
case "demote":
if !loadLocationReader(km, demoteOpts.Location, nil) {
return
}
if demoteOpts.Version == 0 {
fmt.Println("must provide a version with --version")
return
}
km.Demote(demoteOpts.Version)
Update(demoteOpts.Location, km, nil)
case "addkey":
c := loadCrypter(addKeyOpts.Crypter)
if !loadLocationReader(km, addKeyOpts.Location, c) {
return
}
status := dkeyczar.S_ACTIVE
switch addKeyOpts.Status {
case "":
// FIXME: really, want to do: status = (km.kz.primary == -1 ? S_PRIMARY : S_ACTIVE)
status = dkeyczar.S_ACTIVE
case "primary":
status = dkeyczar.S_PRIMARY
case "active":
status = dkeyczar.S_ACTIVE
case "inactive":
status = dkeyczar.S_INACTIVE
default:
fmt.Println("unknown status:", addKeyOpts.Status)
return
}
err := km.AddKey(uint(addKeyOpts.Size), status)
if err != nil {
fmt.Println("error adding key:", err)
return
}
Update(addKeyOpts.Location, km, c)
case "pubkey":
if !loadLocationReader(km, pubKeyOpts.Location, nil) {
return
}
kpub := km.PubKeys()
Save(pubKeyOpts.Destination, kpub, nil) // doesn't make sense to encrypt a public key
return
case "usekey":
c := loadCrypter(useKeyOpts.Crypter)
r := loadReader(useKeyOpts.Location, c)
if r == nil {
return
}
var output string
var output2 string
if len(args) == 0 {
fmt.Println("must provide input")
return
}
input := []byte(args[0])
switch useKeyOpts.Format {
case "crypt":
encrypter, _ := dkeyczar.NewEncrypter(r)
output, _ = encrypter.Encrypt(input)
case "sign":
signer, _ := dkeyczar.NewSigner(r)
output, _ = signer.Sign(input)
case "sign-timeout":
if len(args) < 2 {
fmt.Println("must provide date")
}
t, _ := time.Parse(time.RFC3339, args[1])
ticks := t.Unix() * 1000
signer, _ := dkeyczar.NewSigner(r)
output, _ = signer.TimeoutSign(input, ticks)
case "sign-unversioned":
signer, _ := dkeyczar.NewSigner(r)
output, _ = signer.UnversionedSign(input)
case "sign-attached":
nonce := ""
if len(args) > 1 {
nonce = args[1]
}
signer, _ := dkeyczar.NewSigner(r)
output, _ = signer.AttachedSign(input, []byte(nonce))
case "crypt-session":
e, err := dkeyczar.NewEncrypter(r)
if err != nil {
fmt.Println(err)
}
var se dkeyczar.Crypter
se, output, err = dkeyczar.NewSessionEncrypter(e)
if err != nil {
fmt.Println(err)
}
output2, err = se.Encrypt(input)
if err != nil {
fmt.Println(err)
}
case "crypt-signedsession":
c2 := loadCrypter(useKeyOpts.Crypter2)
r2 := loadReader(useKeyOpts.Location2, c2)
e, err := dkeyczar.NewEncrypter(r)
if err != nil {
fmt.Println(err)
}
s, err := dkeyczar.NewSigner(r2)
if err != nil {
fmt.Println(err)
}
var se dkeyczar.SignedEncrypter
se, output, err = dkeyczar.NewSignedSessionEncrypter(e, s)
if err != nil {
fmt.Println(err)
}
output2, err = se.Encrypt(input)
if err != nil {
fmt.Println(err)
}
default:
fmt.Println("must provide a format with --format")
return
}
if useKeyOpts.Destination == "" {
fmt.Println("must provide a destination with --destination")
return
}
ioutil.WriteFile(useKeyOpts.Destination, []byte(output), 0600)
if output2 != "" {
if useKeyOpts.Destination2 == "" {
fmt.Println("must provide a Destination2 with --destination2")
return
}
ioutil.WriteFile(useKeyOpts.Destination2, []byte(output2), 0600)
}
return
}
}