// ToCSRBundle converts a byte-based raw DER certificate bundle // to a PEM-based string certificate bundle func (p *ParsedCSRBundle) ToCSRBundle() (*CSRBundle, error) { result := &CSRBundle{} block := pem.Block{ Type: "CERTIFICATE REQUEST", } if p.CSRBytes != nil && len(p.CSRBytes) > 0 { block.Bytes = p.CSRBytes result.CSR = strings.TrimSpace(string(pem.EncodeToMemory(&block))) } if p.PrivateKeyBytes != nil && len(p.PrivateKeyBytes) > 0 { block.Bytes = p.PrivateKeyBytes switch p.PrivateKeyType { case RSAPrivateKey: result.PrivateKeyType = "rsa" block.Type = "RSA PRIVATE KEY" case ECPrivateKey: result.PrivateKeyType = "ec" block.Type = "EC PRIVATE KEY" default: return nil, errutil.InternalError{"Could not determine private key type when creating block"} } result.PrivateKey = strings.TrimSpace(string(pem.EncodeToMemory(&block))) } return result, nil }
func GenKeyPairIfNone(privateName string, publicName string) { dir, _ := filepath.Abs(filepath.Dir(os.Args[0])) privatekey := filepath.Join(dir, privateName) publickey := filepath.Join(dir, publicName) if _, err := os.Stat(string(privatekey)); os.IsNotExist(err) { log.Println("Generating JWT private key at ", string(privatekey)) k, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { log.Fatal(err) } var private pem.Block private.Type = "RSA PRIVATE KEY" private.Bytes = x509.MarshalPKCS1PrivateKey(k) pp := new(bytes.Buffer) pem.Encode(pp, &private) err = ioutil.WriteFile(string(privatekey), pp.Bytes(), 0644) if err != nil { log.Fatal(err) } log.Println("Generating JWT public key at ", string(privatekey)) var public pem.Block public.Type = "RSA PUBLIC KEY" public.Bytes, _ = x509.MarshalPKIXPublicKey(&k.PublicKey) ps := new(bytes.Buffer) pem.Encode(ps, &public) err = ioutil.WriteFile(string(publickey), ps.Bytes(), 0644) if err != nil { log.Fatal(err) } } }
// Read a PEM file and ask for a password to decrypt it if needed func ReadPEMData(pemFile string, pemPass []byte) ([]byte, error) { pemData, err := ioutil.ReadFile(pemFile) if err != nil { return pemData, err } // We should really just get the pem.Block back here, if there's other // junk on the end, warn about it. pemBlock, rest := pem.Decode(pemData) if len(rest) > 0 { log.Warning("Didn't parse all of", pemFile) } if x509.IsEncryptedPEMBlock(pemBlock) { // Decrypt and get the ASN.1 DER bytes here pemData, err = x509.DecryptPEMBlock(pemBlock, pemPass) if err != nil { return pemData, err } else { log.Info("Decrypted", pemFile, "successfully") } // Shove the decrypted DER bytes into a new pem Block with blank headers var newBlock pem.Block newBlock.Type = pemBlock.Type newBlock.Bytes = pemData // This is now like reading in an uncrypted key from a file and stuffing it // into a byte stream pemData = pem.EncodeToMemory(&newBlock) } return pemData, nil }
func EncodePEM(binary []byte, blockType string, password string) (pemBlock string, err error) { var blk *pem.Block /* Awaiting Go 1.1 */ if password != "" { passwordBytes := ([]byte)(password) blk, err = x509.EncryptPEMBlock(rand.Reader, blockType, binary, passwordBytes, x509.PEMCipherAES256) if err != nil { return } } else { /* */ blk = new(pem.Block) blk.Type = blockType blk.Bytes = binary /* Awaiting Go 1.1 */ } /* */ buf := new(bytes.Buffer) err = pem.Encode(buf, blk) if err != nil { return } pemBlock = buf.String() return }
func (pk *PrivateKey) Marshal(ss ...string) ([]byte, error) { var k = x509.MarshalPKCS1PrivateKey(&pk.PrivateKey) var block pem.Block block.Bytes = k block.Type = strings.Join(ss, " ") return pem.EncodeToMemory(&block), nil }
func encrypt(key []byte, keytype Type, password string) (out []byte, err error) { cryptkey, iv, err := encryptKey(key, password) if err != nil { return } var block pem.Block switch keytype { case KEY_RSA: block.Type = "RSA PRIVATE KEY" case KEY_ECDSA: block.Type = "EC PRIVATE KEY" case KEY_DSA: block.Type = "DSA PRIVATE KEY" default: err = ErrInvalidPrivateKey return } block.Bytes = cryptkey block.Headers = make(map[string]string) block.Headers["Proc-Type"] = "4,ENCRYPTED" block.Headers["DEK-Info"] = fmt.Sprintf("AES-128-CBC,%X", iv) out = pem.EncodeToMemory(&block) return }
// CertificateLockFile adds a new certificate lock on the given Client and // Config that ensures that a server's certificate is signed by the same CA // from connection-to-connection. This is helpful when connecting to servers // with self-signed certificates. // // If filename does not exist, the server's certificate chain will be written // to that file. If it does exist, certificates will be read from that file and // added to RootCAs in config's TLSConfig. // // Example: // // if firstConnectionToServer { // // Allow self-signed certificates to be accepted on the initial // // connection. // config.TLSConfig.InsecureSkipVerify = true // } // gumbleutil.CertificateLockFile(client, &config, filename) // // if err := client.Connect(); err != nil { // panic(err) // } func CertificateLockFile(client *gumble.Client, config *gumble.Config, filename string) (gumble.Detacher, error) { if file, err := os.Open(filename); err == nil { defer file.Close() if config.TLSConfig.RootCAs == nil { config.TLSConfig.RootCAs = x509.NewCertPool() } if data, err := ioutil.ReadAll(file); err == nil { config.TLSConfig.RootCAs.AppendCertsFromPEM(data) } return nil, nil } return client.Attach(Listener{ Connect: func(e *gumble.ConnectEvent) { tlsClient, ok := e.Client.Conn().(*tls.Conn) if !ok { return } serverCerts := tlsClient.ConnectionState().PeerCertificates file, err := os.Create(filename) if err != nil { return } block := pem.Block{ Type: "CERTIFICATE", } for _, cert := range serverCerts { block.Bytes = cert.Raw pem.Encode(file, &block) } file.Close() }, }), nil }
func execSSH(url, uuid string, key *rsa.PrivateKey, args []string) error { f, err := ioutil.TempFile("", "runx") if err != nil { return fmt.Errorf("tmpfile: %s", err) } defer f.Close() var b pem.Block b.Type = "RSA PRIVATE KEY" b.Bytes = x509.MarshalPKCS1PrivateKey(key) if err = pem.Encode(f, &b); err != nil { return fmt.Errorf("pem: %s", err) } f.Seek(0, 0) argv := []string{ "ssh", "-i" + f.Name(), "-oProxyCommand=hk runx [proxy]", "-oLocalCommand=rm " + f.Name(), "-oStrictHostKeyChecking=no", "-oUserKnownHostsFile=/dev/null", "dyno@" + uuid, } env := append(os.Environ(), "RUNX_URL="+url) return syscall.Exec("/usr/bin/ssh", append(argv, args...), env) }
// Given a private key and a (possibly empty) password, returns a byte // slice containing a PEM-encoded private key in the appropriate // OpenSSH format. func MarshalPrivate(priv interface{}, password string) (out []byte, err error) { var ( keytype Type der []byte btype string ) switch priv.(type) { case *rsa.PrivateKey: keytype = KEY_RSA der = x509.MarshalPKCS1PrivateKey(priv.(*rsa.PrivateKey)) if der == nil { err = ErrInvalidPrivateKey return } btype = "RSA PRIVATE KEY" case *ecdsa.PrivateKey: keytype = KEY_ECDSA der, err = marshalECDSAKey(priv.(*ecdsa.PrivateKey)) btype = "EC PRIVATE KEY" case *dsa.PrivateKey: keytype = KEY_DSA dsakey := priv.(*dsa.PrivateKey) k := struct { Version int P *big.Int Q *big.Int G *big.Int Priv *big.Int Pub *big.Int }{ Version: 1, P: dsakey.PublicKey.P, Q: dsakey.PublicKey.Q, G: dsakey.PublicKey.G, Priv: dsakey.PublicKey.Y, Pub: dsakey.X, } der, err = asn1.Marshal(k) if err != nil { return } btype = "DSA PRIVATE KEY" default: err = ErrInvalidPrivateKey return } if password != "" { out, err = encrypt(der, keytype, password) return } var block pem.Block block.Type = btype block.Bytes = der out = pem.EncodeToMemory(&block) return }
func readPEMFile(path, passphrase string) ([]byte, error) { pass := []byte(passphrase) var blocks []*pem.Block content, err := ioutil.ReadFile(path) if err != nil { return nil, err } for len(content) > 0 { var block *pem.Block block, content = pem.Decode(content) if block == nil { if len(blocks) == 0 { return nil, errors.New("no pem file") } break } if x509.IsEncryptedPEMBlock(block) { var buffer []byte var err error if len(pass) == 0 { err = errors.New("No passphrase available") } else { // Note, decrypting pem might succeed even with wrong password, but // only noise will be stored in buffer in this case. buffer, err = x509.DecryptPEMBlock(block, pass) } if err != nil { logp.Err("Dropping encrypted pem '%v' block read from %v. %v", block.Type, path, err) continue } // DEK-Info contains encryption info. Remove header to mark block as // unencrypted. delete(block.Headers, "DEK-Info") block.Bytes = buffer } blocks = append(blocks, block) } if len(blocks) == 0 { return nil, errors.New("no PEM blocks") } // re-encode available, decrypted blocks buffer := bytes.NewBuffer(nil) for _, block := range blocks { err := pem.Encode(buffer, block) if err != nil { return nil, err } } return buffer.Bytes(), nil }
func convertBag(bag *safeBag, password []byte) (*pem.Block, error) { b := new(pem.Block) for _, attribute := range bag.Attributes { k, v, err := convertAttribute(&attribute) if err != nil { return nil, err } if b.Headers == nil { b.Headers = make(map[string]string) } b.Headers[k] = v } switch { case bag.ID.Equal(oidCertBagType): b.Type = CertificateType certsData, err := decodeCertBag(bag.Value.Bytes) if err != nil { return nil, err } b.Bytes = certsData case bag.ID.Equal(oidPkcs8ShroudedKeyBagType): b.Type = PrivateKeyType key, err := decodePkcs8ShroudedKeyBag(bag.Value.Bytes, password) if err != nil { return nil, err } switch key := key.(type) { case *rsa.PrivateKey: b.Bytes = x509.MarshalPKCS1PrivateKey(key) case *ecdsa.PrivateKey: b.Bytes, err = x509.MarshalECPrivateKey(key) if err != nil { return nil, err } default: return nil, errors.New("found unknown private key type in PKCS#8 wrapping") } default: return nil, errors.New("don't know how to convert a safe bag of type " + bag.ID.String()) } return b, nil }
func main() { key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) pubkey := key.Public() bytes, _ := x509.MarshalECPrivateKey(key) block := pem.Block{} block.Bytes = bytes block.Type = "EC PRIVATE KEY" bytes_encoded := pem.EncodeToMemory(&block) fmt.Println(string(bytes_encoded)) if err != nil { fmt.Println(err) } bytes, _ = x509.MarshalPKIXPublicKey(pubkey) block = pem.Block{} block.Type = "EC PUBLIC KEY" block.Bytes = bytes bytes_encoded = pem.EncodeToMemory(&block) fmt.Println(string(bytes_encoded)) if err != nil { fmt.Println(err) } // dat, err := ioutil.ReadFile("prime256v1-key.pem") // pemblock, _ := pem.Decode(dat) // check(err) // privkey, parseerr := x509.ParseECPrivateKey(pemblock.Bytes) // // if parseerr != nil { // fmt.Println(err) // } // // bytes, _ = x509.MarshalECPrivateKey(privkey) // block = pem.Block{} // block.Bytes = bytes // block.Type = "EC PRIVATE KEY" // bytes_encoded = pem.EncodeToMemory(&block) // fmt.Println(string(bytes_encoded)) }
func byteToPEM(b []byte, t PEMType) []byte { var blk pem.Block = pem.Block{ Type: string(t), Headers: nil, } blk.Bytes = b data := pem.EncodeToMemory(&blk) return data }
func (pk *PublicKey) Marshal(ss ...string) ([]byte, error) { var k, err = x509.MarshalPKIXPublicKey(&pk.PublicKey) if err != nil { return nil, err } var block pem.Block block.Bytes = k block.Type = strings.Join(ss, " ") return pem.EncodeToMemory(&block), nil }
func main() { k, err := rsa.GenerateKey(rand.Reader, 768) if err != nil { log.Fatal(err) } var b pem.Block b.Type = "RSA PRIVATE KEY" b.Bytes = x509.MarshalPKCS1PrivateKey(k) pem.Encode(os.Stdout, &b) }
func saveKey(keyPath string, key crypto.PrivateKey) error { if fileExists(keyPath) { return nil } f, err := os.Create(keyPath) if err != nil { return err } w := bufio.NewWriter(f) defer f.Close() var block pem.Block switch i := key.(type) { case *ecdsa.PrivateKey: // TODO: How do we encode and save the parameters of the curve? Do we need to? key := key.(*ecdsa.PrivateKey) b, err := x509.MarshalECPrivateKey(key) if err != nil { return err } block.Type = "EC PARAMETERS" err = pem.Encode(w, &block) block.Type = "EC PRIVATE KEY" block.Bytes = b case *rsa.PrivateKey: k := x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey)) block.Type = "RSA PRIVATE KEY" block.Bytes = k default: fmt.Println(i) return new(unknownKeyError) } err = pem.Encode(w, &block) if err != nil { return err } return w.Flush() }
// ToCertBundle converts a byte-based raw DER certificate bundle // to a PEM-based string certificate bundle func (p *ParsedCertBundle) ToCertBundle() (*CertBundle, error) { result := &CertBundle{} block := pem.Block{ Type: "CERTIFICATE", } if p.Certificate != nil { result.SerialNumber = strings.TrimSpace(GetHexFormatted(p.Certificate.SerialNumber.Bytes(), ":")) } if p.CertificateBytes != nil && len(p.CertificateBytes) > 0 { block.Bytes = p.CertificateBytes result.Certificate = strings.TrimSpace(string(pem.EncodeToMemory(&block))) } for _, caCert := range p.CAChain { block.Bytes = caCert.Bytes certificate := strings.TrimSpace(string(pem.EncodeToMemory(&block))) result.CAChain = append(result.CAChain, certificate) } if p.PrivateKeyBytes != nil && len(p.PrivateKeyBytes) > 0 { block.Type = string(p.PrivateKeyFormat) block.Bytes = p.PrivateKeyBytes result.PrivateKeyType = p.PrivateKeyType //Handle bundle not parsed by us if block.Type == "" { switch p.PrivateKeyType { case ECPrivateKey: block.Type = string(ECBlock) case RSAPrivateKey: block.Type = string(PKCS1Block) } } result.PrivateKey = strings.TrimSpace(string(pem.EncodeToMemory(&block))) } return result, nil }
func PrintPublicKey(pubkey crypto.PublicKey) { bytes, _ := x509.MarshalPKIXPublicKey(pubkey) block := pem.Block{} block.Type = "EC PUBLIC KEY" block.Bytes = bytes bytes_encoded := pem.EncodeToMemory(&block) log.Debugf("Public key:\n%s", string(bytes_encoded)) }
// ExportPrivatePEM writes the RSA private key to a file in PEM format. func ExportPrivatePEM(prv *rsa.PrivateKey, filename string) (err error) { cert := x509.MarshalPKCS1PrivateKey(prv) blk := new(pem.Block) blk.Type = "RSA PRIVATE KEY" blk.Bytes = cert out, err := os.Create(filename) if err == nil { err = pem.Encode(out, blk) } return }
func main() { var blk pem.Block = pem.Block{ Type: "CERTIFICATE", Headers: nil, } ca_b, _ := ioutil.ReadFile("ca.pem") blk.Bytes = ca_b data := pem.EncodeToMemory(&blk) fmt.Printf("%s\n", data) }
// Export writes the keychain to a file in PEM format. func (kc *KeyChain) Export(filename string) (err error) { if !kc.Validate() { return ErrInvalidKeyChain } var blk pem.Block var buf = new(bytes.Buffer) var fail = func() { buf.Reset() err = ErrInvalidKeyChain } blk.Type = "RSA PRIVATE KEY" blk.Bytes = x509.MarshalPKCS1PrivateKey(kc.Private) err = pem.Encode(buf, &blk) if err != nil { fail() return } blk.Type = "RSA PUBLIC KEY" for _, pk := range kc.Public { if pk.Key == nil { continue } if pk.Id != "" { if blk.Headers == nil { blk.Headers = make(map[string]string) } blk.Headers["id"] = pk.Id } else { if blk.Headers != nil { delete(blk.Headers, "id") blk.Headers = nil } } blk.Bytes, err = x509.MarshalPKIXPublicKey(pk.Key) if err != nil { fail() return } err = pem.Encode(buf, &blk) if err != nil { fail() } fmt.Println("wrote a public key") } err = ioutil.WriteFile(filename, buf.Bytes(), 0400) buf.Reset() return }
func DecryptPemBlock(block *pem.Block, prompt func() (string, error)) (err error) { if x509.IsEncryptedPEMBlock(block) { if password, err := prompt(); nil != err { return err } else if data, err := x509.DecryptPEMBlock(block, []byte(password)); nil != err { return err } else { delete(block.Headers, "Proc-Type") delete(block.Headers, "DEK-Info") block.Bytes = data } } return nil }
// ExportPublicPEM writes the public key to a file in PEM format. func ExportPublicPEM(pub *rsa.PublicKey, filename string) (err error) { cert, err := x509.MarshalPKIXPublicKey(pub) if err != nil { return } blk := new(pem.Block) blk.Type = "RSA PUBLIC KEY" blk.Bytes = cert out, err := os.Create(filename) if err == nil { err = pem.Encode(out, blk) } return }
// ToCertBundle converts a byte-based raw DER certificate bundle // to a PEM-based string certificate bundle func (p *ParsedCertBundle) ToCertBundle() (*CertBundle, error) { result := &CertBundle{} block := pem.Block{ Type: "CERTIFICATE", } if p.Certificate != nil { result.SerialNumber = strings.TrimSpace(GetOctalFormatted(p.Certificate.SerialNumber.Bytes(), ":")) } if p.CertificateBytes != nil && len(p.CertificateBytes) > 0 { block.Bytes = p.CertificateBytes result.Certificate = strings.TrimSpace(string(pem.EncodeToMemory(&block))) } if p.IssuingCABytes != nil && len(p.IssuingCABytes) > 0 { block.Bytes = p.IssuingCABytes result.IssuingCA = strings.TrimSpace(string(pem.EncodeToMemory(&block))) } if p.PrivateKeyBytes != nil && len(p.PrivateKeyBytes) > 0 { block.Bytes = p.PrivateKeyBytes switch p.PrivateKeyType { case RSAPrivateKey: result.PrivateKeyType = "rsa" block.Type = "RSA PRIVATE KEY" case ECPrivateKey: result.PrivateKeyType = "ec" block.Type = "EC PRIVATE KEY" default: return nil, InternalError{"Could not determine private key type when creating block"} } result.PrivateKey = strings.TrimSpace(string(pem.EncodeToMemory(&block))) } return result, nil }
func generatePrivatePem(prv *rsa.PrivateKey) (prvPem string, err error) { cert := x509.MarshalPKCS1PrivateKey(prv) blk := new(pem.Block) blk.Type = "RSA PRIVATE KEY" blk.Bytes = cert var b bytes.Buffer err = pem.Encode(&b, blk) if err != nil { return } prvPem = b.String() return }
// packageBox actually handles boxing. It can output either PEM-encoded or // DER-encoded boxes. func packageBox(lockedKey, box []byte, armour bool) (pkg []byte, err error) { var pkgBox = boxPackage{lockedKey, box} pkg, err = asn1.Marshal(pkgBox) if err != nil { fmt.Println("[!] couldn't package the box") return } if armour { var block pem.Block block.Type = "SSHBOX ENCRYPTED FILE" block.Bytes = pkg pkg = pem.EncodeToMemory(&block) } return }
// GenerateKeyAndCSR generates a new PEM-encoded private key and // certificate signature request. The keyType parameter controls what // type of key is generated; the size parameter controls what size key // (in bits) is generated. For ECDSA, valid key sizes are 256, 384, // and 521; these translate to secp256v1, secp384r1, and secp521r1. The // SubjectInfo parameter contains the information used to create the CSR. func GenerateKeyAndCSR(keyType PublicAlgo, size int, si *SubjectInfo) (pemKey []byte, csr []byte, err error) { var priv interface{} var block pem.Block switch keyType { case RSA: priv, err = rsa.GenerateKey(rand.Reader, size) if err != nil { return nil, nil, err } block.Bytes = x509.MarshalPKCS1PrivateKey(priv.(*rsa.PrivateKey)) block.Type = "RSA PRIVATE KEY" case ECDSA: var curve elliptic.Curve switch size { case 256: curve = elliptic.P256() case 384: curve = elliptic.P384() case 521: curve = elliptic.P521() default: err = ErrUnsupportedPrivate return } priv, err = ecdsa.GenerateKey(curve, rand.Reader) if err != nil { return } block.Bytes, err = x509.MarshalECPrivateKey(priv.(*ecdsa.PrivateKey)) if err != nil { return } block.Type = "EC PRIVATE KEY" default: err = ErrUnsupportedPrivate return } pemKey = pem.EncodeToMemory(&block) csr, err = NewCertificateRequest(priv, si) return }
// CertificateLockFile adds a new certificate lock on the given Client that // ensures that a server's certificate chain is the same from // connection-to-connection. This is helpful when connecting to servers with // self-signed certificates. // // If filename does not exist, the server's certificate chain will be written // to that file. If it does exist, certificates will be read from the file and // checked against the server's certificate chain upon connection. // // Example: // // if allowSelfSignedCertificates { // config.TLSConfig.InsecureSkipVerify = true // } // gumbleutil.CertificateLockFile(client, filename) // // if err := client.Connect(); err != nil { // panic(err) // } func CertificateLockFile(client *gumble.Client, filename string) { client.Config.TLSVerify = func(state *tls.ConnectionState) error { if file, err := os.Open(filename); err == nil { defer file.Close() data, err := ioutil.ReadAll(file) if err != nil { return err } i := 0 for block, data := pem.Decode(data); block != nil; block, data = pem.Decode(data) { cert, err := x509.ParseCertificate(block.Bytes) if err != nil { return err } if i >= len(state.PeerCertificates) { return errors.New("gumbleutil: invalid certificate chain length") } if !cert.Equal(state.PeerCertificates[i]) { return errors.New("gumbleutil: certificate verification failure") } i++ } if i != len(state.PeerCertificates) { return errors.New("gumbleutil: invalid certificate chain length") } return nil } file, err := os.Create(filename) if err != nil { return err } defer file.Close() block := pem.Block{ Type: "CERTIFICATE", } for _, cert := range state.PeerCertificates { block.Bytes = cert.Raw if err := pem.Encode(file, &block); err != nil { return err } } return nil } }
// Export a private key to PEM format. func ExportPrivatePEM(prv *PrivateKey) (out []byte, err error) { der, err := MarshalPrivate(prv) if err != nil { return } var block pem.Block block.Type = "ELLIPTIC CURVE PRIVATE KEY" block.Bytes = der buf := new(bytes.Buffer) err = pem.Encode(buf, &block) if err != nil { return } else { out = buf.Bytes() } return }
// Export a public key to PEM format. func ExportPublicPEM(pub *PublicKey) (out []byte, err error) { der, err := MarshalPublic(pub) if err != nil { return } var block pem.Block block.Type = "ELLIPTIC CURVE PUBLIC KEY" block.Bytes = der buf := new(bytes.Buffer) err = pem.Encode(buf, &block) if err != nil { return } else { out = buf.Bytes() } return }