// Init initializes this KeyStore with a password, a path to a folder
// where the keys are stored and a read only flag.
// Each key is stored in a separated file whose name contains the key's SKI
// and flags to identity the key's type.
// If the KeyStore is initialized with a password, this password
// is used to encrypt and decrypt the files storing the keys.
// The pwd can be nil for non-encrypted KeyStores. If an encrypted
// key-store is initialized without a password, then retrieving keys from the
// KeyStore will fail.
// A KeyStore can be read only to avoid the overwriting of keys.
func (ks *FileBasedKeyStore) Init(pwd []byte, path string, readOnly bool) error {
// Validate inputs
// pwd can be nil
if len(path) == 0 {
return errors.New("An invalid KeyStore path provided. Path cannot be an empty string.")
}
ks.m.Lock()
defer ks.m.Unlock()
if ks.isOpen {
return errors.New("KeyStore already initilized.")
}
ks.path = path
ks.pwd = utils.Clone(pwd)
err := ks.createKeyStoreIfNotExists()
if err != nil {
return err
}
err = ks.openKeyStore()
if err != nil {
return err
}
ks.readOnly = readOnly
return nil
}
// KeyImport imports a key from its raw representation using opts.
// The opts argument should be appropriate for the primitive used.
func (csp *impl) KeyImport(raw interface{}, opts bccsp.KeyImportOpts) (k bccsp.Key, err error) {
// Validate arguments
if raw == nil {
return nil, errors.New("Invalid raw. Cannot be nil")
}
if opts == nil {
return nil, errors.New("Invalid Opts parameter. It must not be nil.")
}
switch opts.(type) {
case *bccsp.AES256ImportKeyOpts:
aesRaw, ok := raw.([]byte)
if !ok {
return nil, errors.New("[AES256ImportKeyOpts] Invalid raw material. Expected byte array.")
}
if len(aesRaw) != 32 {
return nil, fmt.Errorf("[AES256ImportKeyOpts] Invalid Key Length [%d]. Must be 32 bytes", len(aesRaw))
}
aesK := &aesPrivateKey{utils.Clone(aesRaw), false}
// If the key is not Ephemeral, store it.
if !opts.Ephemeral() {
// Store the key
err = csp.ks.StoreKey(aesK)
if err != nil {
return nil, fmt.Errorf("Failed storing AES key [%s]", err)
}
}
return aesK, nil
case *bccsp.HMACImportKeyOpts:
aesRaw, ok := raw.([]byte)
if !ok {
return nil, errors.New("[HMACImportKeyOpts] Invalid raw material. Expected byte array.")
}
if len(aesRaw) == 0 {
return nil, errors.New("[HMACImportKeyOpts] Invalid raw. It must not be nil.")
}
aesK := &aesPrivateKey{utils.Clone(aesRaw), false}
// If the key is not Ephemeral, store it.
if !opts.Ephemeral() {
// Store the key
err = csp.ks.StoreKey(aesK)
if err != nil {
return nil, fmt.Errorf("Failed storing AES key [%s]", err)
}
}
return aesK, nil
case *bccsp.ECDSAPKIXPublicKeyImportOpts:
der, ok := raw.([]byte)
if !ok {
return nil, errors.New("[ECDSAPKIXPublicKeyImportOpts] Invalid raw material. Expected byte array.")
}
if len(der) == 0 {
return nil, errors.New("[ECDSAPKIXPublicKeyImportOpts] Invalid raw. It must not be nil.")
}
lowLevelKey, err := utils.DERToPublicKey(der)
if err != nil {
return nil, fmt.Errorf("Failed converting PKIX to ECDSA public key [%s]", err)
}
ecdsaPK, ok := lowLevelKey.(*ecdsa.PublicKey)
if !ok {
return nil, errors.New("Failed casting to ECDSA public key. Invalid raw material.")
}
k = &ecdsaPublicKey{ecdsaPK}
// If the key is not Ephemeral, store it.
if !opts.Ephemeral() {
// Store the key
err = csp.ks.StoreKey(k)
if err != nil {
return nil, fmt.Errorf("Failed storing ECDSA key [%s]", err)
}
}
return k, nil
case *bccsp.ECDSAPrivateKeyImportOpts:
der, ok := raw.([]byte)
if !ok {
return nil, errors.New("[ECDSADERPrivateKeyImportOpts] Invalid raw material. Expected byte array.")
}
if len(der) == 0 {
return nil, errors.New("[ECDSADERPrivateKeyImportOpts] Invalid raw. It must not be nil.")
}
lowLevelKey, err := utils.DERToPrivateKey(der)
if err != nil {
return nil, fmt.Errorf("Failed converting PKIX to ECDSA public key [%s]", err)
}
ecdsaSK, ok := lowLevelKey.(*ecdsa.PrivateKey)
if !ok {
return nil, errors.New("Failed casting to ECDSA public key. Invalid raw material.")
}
k = &ecdsaPrivateKey{ecdsaSK}
// If the key is not Ephemeral, store it.
if !opts.Ephemeral() {
// Store the key
err = csp.ks.StoreKey(k)
if err != nil {
return nil, fmt.Errorf("Failed storing ECDSA key [%s]", err)
}
}
return k, nil
case *bccsp.ECDSAGoPublicKeyImportOpts:
lowLevelKey, ok := raw.(*ecdsa.PublicKey)
if !ok {
return nil, errors.New("[ECDSAGoPublicKeyImportOpts] Invalid raw material. Expected *ecdsa.PublicKey.")
}
k = &ecdsaPublicKey{lowLevelKey}
// If the key is not Ephemeral, store it.
if !opts.Ephemeral() {
// Store the key
err = csp.ks.StoreKey(k)
if err != nil {
return nil, fmt.Errorf("Failed storing ECDSA key [%s]", err)
}
}
return k, nil
case *bccsp.RSAGoPublicKeyImportOpts:
lowLevelKey, ok := raw.(*rsa.PublicKey)
if !ok {
return nil, errors.New("[RSAGoPublicKeyImportOpts] Invalid raw material. Expected *rsa.PublicKey.")
}
k = &rsaPublicKey{lowLevelKey}
// If the key is not Ephemeral, store it.
if !opts.Ephemeral() {
// Store the key
err = csp.ks.StoreKey(k)
if err != nil {
return nil, fmt.Errorf("Failed storing RSA publi key [%s]", err)
}
}
return k, nil
case *bccsp.X509PublicKeyImportOpts:
x509Cert, ok := raw.(*x509.Certificate)
if !ok {
return nil, errors.New("[X509PublicKeyImportOpts] Invalid raw material. Expected *x509.Certificate.")
}
pk := x509Cert.PublicKey
switch pk.(type) {
case *ecdsa.PublicKey:
return csp.KeyImport(pk, &bccsp.ECDSAGoPublicKeyImportOpts{Temporary: opts.Ephemeral()})
case *rsa.PublicKey:
return csp.KeyImport(pk, &bccsp.RSAGoPublicKeyImportOpts{Temporary: opts.Ephemeral()})
default:
return nil, errors.New("Certificate public key type not recognized. Supported keys: [ECDSA, RSA]")
}
default:
return nil, errors.New("Import Key Options not recognized")
}
}
