コード例 #1
0
ファイル: x509utils.go プロジェクト: RichardScothern/notary
// EncryptPrivateKey returns an encrypted PEM key given a Privatekey
// and a passphrase
func EncryptPrivateKey(key *data.PrivateKey, passphrase string) ([]byte, error) {
	var blockType string
	algorithm := key.Algorithm()

	switch algorithm {
	case data.RSAKey:
		blockType = "RSA PRIVATE KEY"
	case data.ECDSAKey:
		blockType = "EC PRIVATE KEY"
	default:
		return nil, fmt.Errorf("only RSA or ECDSA keys are currently supported. Found: %s", algorithm)
	}

	password := []byte(passphrase)
	cipherType := x509.PEMCipherAES256

	encryptedPEMBlock, err := x509.EncryptPEMBlock(rand.Reader,
		blockType,
		key.Private(),
		password,
		cipherType)
	if err != nil {
		return nil, err
	}

	return pem.EncodeToMemory(encryptedPEMBlock), nil
}
コード例 #2
0
ファイル: verifiers_test.go プロジェクト: programmerq/notary
func ecdsaSign(privKey data.PrivateKey, hashed []byte) ([]byte, error) {
	if privKey.Algorithm() != data.ECDSAKey {
		return nil, fmt.Errorf("private key type not supported: %s", privKey.Algorithm())
	}

	// Create an ecdsa.PrivateKey out of the private key bytes
	ecdsaPrivKey, err := x509.ParseECPrivateKey(privKey.Private())
	if err != nil {
		return nil, err
	}

	// Use the ECDSA key to sign the data
	r, s, err := ecdsa.Sign(rand.Reader, ecdsaPrivKey, hashed[:])
	if err != nil {
		return nil, err
	}

	rBytes, sBytes := r.Bytes(), s.Bytes()
	octetLength := (ecdsaPrivKey.Params().BitSize + 7) >> 3

	// MUST include leading zeros in the output
	rBuf := make([]byte, octetLength-len(rBytes), octetLength)
	sBuf := make([]byte, octetLength-len(sBytes), octetLength)

	rBuf = append(rBuf, rBytes...)
	sBuf = append(sBuf, sBytes...)

	return append(rBuf, sBuf...), nil
}
コード例 #3
0
ファイル: x509utils.go プロジェクト: souravbh/lattice-release
// KeyToPEM returns a PEM encoded key from a Private Key
func KeyToPEM(privKey data.PrivateKey) ([]byte, error) {
	blockType, err := blockType(privKey.Algorithm())
	if err != nil {
		return nil, err
	}

	return pem.EncodeToMemory(&pem.Block{Type: blockType, Bytes: privKey.Private()}), nil
}
コード例 #4
0
// Sign returns the signatures for the payload with a set of keyIDs. It ignores
// errors to sign and expects the called to validate if the number of returned
// signatures is adequate.
func (ccs *CryptoService) Sign(keyIDs []string, payload []byte) ([]data.Signature, error) {
	// Create hasher and hash data
	hash := crypto.SHA256
	hashed := sha256.Sum256(payload)

	signatures := make([]data.Signature, 0, len(keyIDs))
	for _, keyid := range keyIDs {
		// ccs.gun will be empty if this is the root key
		keyName := filepath.Join(ccs.gun, keyid)

		var privKey *data.PrivateKey
		var err error

		// Read PrivateKey from file and decrypt it if there is a passphrase.
		if ccs.passphrase != "" {
			privKey, err = ccs.keyStore.GetDecryptedKey(keyName, ccs.passphrase)
		} else {
			privKey, err = ccs.keyStore.GetKey(keyName)
		}
		if err != nil {
			// Note that GetDecryptedKey always fails on InitRepo.
			// InitRepo gets a signer that doesn't have access to
			// the root keys. Continuing here is safe because we
			// end up not returning any signatures.
			logrus.Debugf("ignoring error attempting to retrieve key ID: %s, %v", keyid, err)
			continue
		}

		algorithm := privKey.Algorithm()
		var sigAlgorithm data.SigAlgorithm
		var sig []byte

		switch algorithm {
		case data.RSAKey:
			sig, err = rsaSign(privKey, hash, hashed[:])
			sigAlgorithm = data.RSAPSSSignature
		case data.ECDSAKey:
			sig, err = ecdsaSign(privKey, hashed[:])
			sigAlgorithm = data.ECDSASignature
		}
		if err != nil {
			logrus.Debugf("ignoring error attempting to %s sign with keyID: %s, %v", algorithm, keyid, err)
			continue
		}

		logrus.Debugf("appending %s signature with Key ID: %s", algorithm, keyid)

		// Append signatures to result array
		signatures = append(signatures, data.Signature{
			KeyID:     keyid,
			Method:    sigAlgorithm,
			Signature: sig[:],
		})
	}

	return signatures, nil
}
コード例 #5
0
func ed25519Sign(privKey data.PrivateKey, message []byte) ([]byte, error) {
	if privKey.Algorithm() != data.ED25519Key {
		return nil, fmt.Errorf("private key type not supported: %s", privKey.Algorithm())
	}

	priv := [ed25519.PrivateKeySize]byte{}
	copy(priv[:], privKey.Private()[ed25519.PublicKeySize:])
	sig := ed25519.Sign(&priv, message)

	return sig[:], nil
}
コード例 #6
0
ファイル: x509utils.go プロジェクト: RichardScothern/notary
// KeyToPEM returns a PEM encoded key from a Private Key
func KeyToPEM(privKey *data.PrivateKey) ([]byte, error) {
	var pemType string
	algorithm := privKey.Algorithm()

	switch algorithm {
	case data.RSAKey:
		pemType = "RSA PRIVATE KEY"
	case data.ECDSAKey:
		pemType = "EC PRIVATE KEY"
	default:
		return nil, fmt.Errorf("only RSA or ECDSA keys are currently supported. Found: %s", algorithm)
	}

	return pem.EncodeToMemory(&pem.Block{Type: pemType, Bytes: privKey.Private()}), nil
}
コード例 #7
0
// Sign returns the signatures for the payload with a set of keyIDs. It ignores
// errors to sign and expects the called to validate if the number of returned
// signatures is adequate.
func (ccs *CryptoService) Sign(keyIDs []string, payload []byte) ([]data.Signature, error) {
	signatures := make([]data.Signature, 0, len(keyIDs))
	for _, keyid := range keyIDs {
		// ccs.gun will be empty if this is the root key
		keyName := filepath.Join(ccs.gun, keyid)

		var privKey data.PrivateKey
		var err error

		privKey, _, err = ccs.keyStore.GetKey(keyName)
		if err != nil {
			logrus.Debugf("error attempting to retrieve key ID: %s, %v", keyid, err)
			return nil, err
		}

		algorithm := privKey.Algorithm()
		var sigAlgorithm data.SigAlgorithm
		var sig []byte

		switch algorithm {
		case data.RSAKey:
			sig, err = rsaSign(privKey, payload)
			sigAlgorithm = data.RSAPSSSignature
		case data.ECDSAKey:
			sig, err = ecdsaSign(privKey, payload)
			sigAlgorithm = data.ECDSASignature
		case data.ED25519Key:
			// ED25519 does not operate on a SHA256 hash
			sig, err = ed25519Sign(privKey, payload)
			sigAlgorithm = data.EDDSASignature
		}
		if err != nil {
			logrus.Debugf("ignoring error attempting to %s sign with keyID: %s, %v", algorithm, keyid, err)
			return nil, err
		}

		logrus.Debugf("appending %s signature with Key ID: %s", algorithm, keyid)

		// Append signatures to result array
		signatures = append(signatures, data.Signature{
			KeyID:     keyid,
			Method:    sigAlgorithm,
			Signature: sig[:],
		})
	}

	return signatures, nil
}
コード例 #8
0
ファイル: verifiers_test.go プロジェクト: programmerq/notary
func rsaPKCS1v15Sign(privKey data.PrivateKey, hash crypto.Hash, hashed []byte) ([]byte, error) {
	if privKey.Algorithm() != data.RSAKey {
		return nil, fmt.Errorf("private key type not supported: %s", privKey.Algorithm())
	}

	// Create an rsa.PrivateKey out of the private key bytes
	rsaPrivKey, err := x509.ParsePKCS1PrivateKey(privKey.Private())
	if err != nil {
		return nil, err
	}

	// Use the RSA key to RSAPKCS1v15 sign the data
	sig, err := rsa.SignPKCS1v15(rand.Reader, rsaPrivKey, hash, hashed[:])
	if err != nil {
		return nil, err
	}

	return sig, nil
}
コード例 #9
0
ファイル: verifiers_test.go プロジェクト: programmerq/notary
func rsaPSSSign(privKey data.PrivateKey, hash crypto.Hash, hashed []byte) ([]byte, error) {
	if privKey.Algorithm() != data.RSAKey {
		return nil, fmt.Errorf("private key type not supported: %s", privKey.Algorithm())
	}

	// Create an rsa.PrivateKey out of the private key bytes
	rsaPrivKey, err := x509.ParsePKCS1PrivateKey(privKey.Private())
	if err != nil {
		return nil, err
	}

	// Use the RSA key to RSASSA-PSS sign the data
	sig, err := rsa.SignPSS(rand.Reader, rsaPrivKey, hash, hashed[:], &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	if err != nil {
		return nil, err
	}

	return sig, nil
}
コード例 #10
0
ファイル: x509utils.go プロジェクト: souravbh/lattice-release
// EncryptPrivateKey returns an encrypted PEM key given a Privatekey
// and a passphrase
func EncryptPrivateKey(key data.PrivateKey, passphrase string) ([]byte, error) {
	blockType, err := blockType(key.Algorithm())
	if err != nil {
		return nil, err
	}

	password := []byte(passphrase)
	cipherType := x509.PEMCipherAES256

	encryptedPEMBlock, err := x509.EncryptPEMBlock(rand.Reader,
		blockType,
		key.Private(),
		password,
		cipherType)
	if err != nil {
		return nil, err
	}

	return pem.EncodeToMemory(encryptedPEMBlock), nil
}
コード例 #11
0
ファイル: keydbstore.go プロジェクト: programmerq/notary
// AddKey stores the contents of a private key. Both name and alias are ignored,
// we always use Key IDs as name, and don't support aliases
func (s *KeyDBStore) AddKey(name, alias string, privKey data.PrivateKey) error {

	passphrase, _, err := s.retriever(privKey.ID(), s.defaultPassAlias, false, 1)
	if err != nil {
		return err
	}

	encryptedKey, err := jose.Encrypt(string(privKey.Private()), KeywrapAlg, EncryptionAlg, passphrase)
	if err != nil {
		return err
	}

	gormPrivKey := GormPrivateKey{
		KeyID:           privKey.ID(),
		EncryptionAlg:   EncryptionAlg,
		KeywrapAlg:      KeywrapAlg,
		PassphraseAlias: s.defaultPassAlias,
		Algorithm:       privKey.Algorithm().String(),
		Public:          string(privKey.Public()),
		Private:         encryptedKey}

	// Add encrypted private key to the database
	s.db.Create(&gormPrivKey)
	// Value will be false if Create suceeds
	failure := s.db.NewRecord(gormPrivKey)
	if failure {
		return fmt.Errorf("failed to add private key to database: %s", privKey.ID())
	}

	// Add the private key to our cache
	s.Lock()
	defer s.Unlock()
	s.cachedKeys[privKey.ID()] = privKey

	return nil
}