示例#1
0
// unwrapKey decrypts first key in keys whose encryption keys are in keycache
func (encrypted *EncryptedData) unwrapKey(cache *keycache.Cache, user string) (unwrappedKey []byte, names []string, err error) {
	var (
		keyFound  error
		fullMatch bool = false
		nameSet        = map[string]bool{}
	)

	for _, mwKey := range encrypted.KeySet {
		// validate the size of the keys
		if len(mwKey.Key) != 16 {
			err = errors.New("Invalid Input")
		}

		if err != nil {
			return nil, nil, err
		}

		// loop through users to see if they are all delegated
		fullMatch = true
		for _, mwName := range mwKey.Name {
			if valid := cache.Valid(mwName, user, encrypted.Labels); !valid {
				fullMatch = false
				break
			}
			nameSet[mwName] = true
		}

		// if the keys are delegated, decrypt the mwKey with them
		if fullMatch == true {
			tmpKeyValue := mwKey.Key
			for _, mwName := range mwKey.Name {
				pubEncrypted := encrypted.KeySetRSA[mwName]
				if tmpKeyValue, keyFound = cache.DecryptKey(tmpKeyValue, mwName, user, encrypted.Labels, pubEncrypted.Key); keyFound != nil {
					break
				}
			}
			unwrappedKey = tmpKeyValue
			break
		}
	}

	if !fullMatch {
		err = errors.New("Need more delegated keys")
		names = nil
	}

	names = make([]string, 0, len(nameSet))
	for name := range nameSet {
		names = append(names, name)
	}
	return
}
// unwrapKey decrypts first key in keys whose encryption keys are in keycache
func (encrypted *EncryptedData) unwrapKey(cache *keycache.Cache, user string) (unwrappedKey []byte, names []string, err error) {
	var (
		decryptErr error
		fullMatch  bool = false
		nameSet         = map[string]bool{}
	)

	if len(encrypted.Predicate) == 0 {
		for _, mwKey := range encrypted.KeySet {
			// validate the size of the keys
			if len(mwKey.Key) != 16 {
				err = errors.New("Invalid Input")
			}

			if err != nil {
				return nil, nil, err
			}

			// loop through users to see if they are all delegated
			fullMatch = true
			for _, mwName := range mwKey.Name {
				if valid := cache.Valid(mwName, user, encrypted.Labels); !valid {
					fullMatch = false
					break
				}
				nameSet[mwName] = true
			}

			// if the keys are delegated, decrypt the mwKey with them
			if fullMatch == true {
				tmpKeyValue := mwKey.Key
				for _, mwName := range mwKey.Name {
					pubEncrypted := encrypted.KeySetRSA[mwName]
					if tmpKeyValue, decryptErr = cache.DecryptKey(tmpKeyValue, mwName, user, encrypted.Labels, pubEncrypted.Key); decryptErr != nil {
						break
					}
				}
				unwrappedKey = tmpKeyValue
				break
			}
		}

		if !fullMatch {
			err = errors.New("Need more delegated keys")
			return
		}

		if decryptErr != nil {
			err = errors.New("Failed to decrypt with all keys in keyset")
			return
		}

		names = make([]string, 0, len(nameSet))
		for name := range nameSet {
			names = append(names, name)
		}
		return
	} else {
		var sss msp.MSP
		sss, err = msp.StringToMSP(encrypted.Predicate)
		if err != nil {
			return nil, nil, err
		}

		db := UserDatabase{
			names:    &names,
			cache:    cache,
			user:     user,
			labels:   encrypted.Labels,
			keySet:   encrypted.KeySetRSA,
			shareSet: encrypted.ShareSet,
		}
		unwrappedKey, err = sss.RecoverSecret(&db)

		return
	}
}