// UnmarshalPrivate parses a byte slice into a private key.
func UnmarshalPrivate(in []byte) (*PrivateKey, error) {
priv := PrivateKey{
D: new([32]byte),
S: new([64]byte),
PublicKey: &PublicKey{
E: new([32]byte),
V: new([32]byte),
},
}
var mkey struct {
D []byte
S []byte
E []byte
V []byte
}
dec := tlv.NewDecoder(in)
err := dec.Decode(&mkey.D)
if err != nil {
return nil, err
}
err = dec.Decode(&mkey.S)
if err != nil {
return nil, err
}
err = dec.Decode(&mkey.E)
if err != nil {
return nil, err
}
err = dec.Decode(&mkey.V)
if err != nil {
return nil, err
}
copy(priv.D[:], mkey.D)
copy(priv.S[:], mkey.S)
copy(priv.E[:], mkey.E)
copy(priv.V[:], mkey.V)
util.Zero(mkey.D)
util.Zero(mkey.S)
util.Zero(mkey.E)
util.Zero(mkey.V)
return &priv, nil
}
// DecryptAndVerify decrypts the message and verifies its signature.
func DecryptAndVerify(priv *PrivateKey, pub *PublicKey, enc []byte) ([]byte, bool) {
if !priv.Valid() || !pub.Valid() {
return nil, false
}
if len(enc) < overhead {
return nil, false
}
out, ok := decrypt(priv, enc)
if !ok {
return nil, false
}
var m, s []byte
dec := tlv.NewDecoder(out)
err := dec.Decode(&m)
if err != nil {
return nil, false
}
err = dec.Decode(&s)
if err != nil {
util.Zero(m)
return nil, false
}
if dec.Length() != 0 {
util.Zero(m)
return nil, false
}
if len(s) != ed25519.SignatureSize {
util.Zero(m)
return nil, false
}
if !Verify(pub, m, s) {
util.Zero(m)
return nil, false
}
return m, true
}
// ParseTOTPConfig parses a serialised TOTP configuration.
func ParseTOTPConfig(in []byte) (*TOTPConfig, error) {
var size int32
var algo int8
var provider []byte
var config = new(TOTPConfig)
dec := tlv.NewDecoder(in)
err := dec.Decode(&config.Key)
if err != nil {
return nil, errInvalidTOTPConfig
}
err = dec.Decode(&config.Start)
if err != nil {
return nil, errInvalidTOTPConfig
}
err = dec.Decode(&config.Step)
if err != nil {
return nil, errInvalidTOTPConfig
}
err = dec.Decode(&size)
if err != nil {
return nil, errInvalidTOTPConfig
}
config.Size = int(size)
err = dec.Decode(&algo)
if err != nil {
return nil, errInvalidTOTPConfig
}
config.Algo = crypto.Hash(algo)
err = dec.Decode(&provider)
if err != nil {
return nil, errInvalidTOTPConfig
}
config.Provider = string(provider)
return config, nil
}
// Decrypt opens the secured message using the private key.
func Decrypt(priv *PrivateKey, enc []byte) (message []byte, ok bool) {
out, ok := decrypt(priv, enc)
if !ok {
return nil, false
}
defer util.Zero(out)
var m []byte
dec := tlv.NewDecoder(out)
err := dec.Decode(&m)
if err != nil {
return nil, false
}
if dec.Length() != 0 {
util.Zero(m)
return nil, false
}
return m, true
}
// ParseYubiKeyConfig attempts to parse a YubiKeyConfig from a
// byte slice.
func ParseYubiKeyConfig(in []byte) (*YubiKeyConfig, error) {
config := &YubiKeyConfig{}
dec := tlv.NewDecoder(in)
err := dec.Decode(&config.Key)
if err != nil {
return nil, errInvalidYKConfig
} else if len(config.Key) != yubikey.KeySize {
return nil, errInvalidYKConfig
}
err = dec.Decode(&config.Counter)
if err != nil {
return nil, errInvalidYKConfig
}
err = dec.Decode(&config.Public)
if err != nil {
return nil, errInvalidYKConfig
}
return config, nil
}