318 lines
9.3 KiB
Go
318 lines
9.3 KiB
Go
// Copyright (C) 2019 Storj Labs, Inc.
|
|
// See LICENSE for copying information.
|
|
|
|
package pkcrypto
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/asn1"
|
|
"encoding/pem"
|
|
"io"
|
|
"math/big"
|
|
|
|
"github.com/zeebo/errs"
|
|
)
|
|
|
|
// WritePublicKeyPEM writes the public key, in a PEM-enveloped
|
|
// PKIX form.
|
|
func WritePublicKeyPEM(w io.Writer, key crypto.PublicKey) error {
|
|
kb, err := PublicKeyToPKIX(key)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
err = pem.Encode(w, &pem.Block{Type: BlockLabelPublicKey, Bytes: kb})
|
|
return errs.Wrap(err)
|
|
}
|
|
|
|
// PublicKeyToPEM encodes a public key to a PEM-enveloped PKIX form.
|
|
func PublicKeyToPEM(key crypto.PublicKey) ([]byte, error) {
|
|
kb, err := PublicKeyToPKIX(key)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return pem.EncodeToMemory(&pem.Block{Type: BlockLabelPublicKey, Bytes: kb}), nil
|
|
}
|
|
|
|
// PublicKeyToPKIX serializes a public key to a PKIX-encoded form.
|
|
func PublicKeyToPKIX(key crypto.PublicKey) ([]byte, error) {
|
|
return x509.MarshalPKIXPublicKey(key)
|
|
}
|
|
|
|
// PublicKeyFromPKIX parses a public key from its PKIX encoding.
|
|
func PublicKeyFromPKIX(pkixData []byte) (crypto.PublicKey, error) {
|
|
return x509.ParsePKIXPublicKey(pkixData)
|
|
}
|
|
|
|
// PublicKeyFromPEM parses a public key from its PEM-enveloped PKIX
|
|
// encoding.
|
|
func PublicKeyFromPEM(pemData []byte) (crypto.PublicKey, error) {
|
|
pb, _ := pem.Decode(pemData)
|
|
if pb == nil {
|
|
return nil, ErrParse.New("could not parse PEM encoding")
|
|
}
|
|
if pb.Type != BlockLabelPublicKey {
|
|
return nil, ErrParse.New("can not parse public key from PEM block labeled %q", pb.Type)
|
|
}
|
|
return PublicKeyFromPKIX(pb.Bytes)
|
|
}
|
|
|
|
// WritePrivateKeyPEM writes the private key to the writer, in a PEM-enveloped
|
|
// PKCS#8 form.
|
|
func WritePrivateKeyPEM(w io.Writer, key crypto.PrivateKey) error {
|
|
kb, err := PrivateKeyToPKCS8(key)
|
|
if err != nil {
|
|
return errs.Wrap(err)
|
|
}
|
|
err = pem.Encode(w, &pem.Block{Type: BlockLabelPrivateKey, Bytes: kb})
|
|
return errs.Wrap(err)
|
|
}
|
|
|
|
// PrivateKeyToPEM serializes a private key to a PEM-enveloped PKCS#8 form.
|
|
func PrivateKeyToPEM(key crypto.PrivateKey) ([]byte, error) {
|
|
kb, err := PrivateKeyToPKCS8(key)
|
|
if err != nil {
|
|
return nil, errs.Wrap(err)
|
|
}
|
|
return pem.EncodeToMemory(&pem.Block{Type: BlockLabelPrivateKey, Bytes: kb}), nil
|
|
}
|
|
|
|
// PrivateKeyToPKCS8 serializes a private key to a PKCS#8-encoded form.
|
|
func PrivateKeyToPKCS8(key crypto.PrivateKey) ([]byte, error) {
|
|
return x509.MarshalPKCS8PrivateKey(key)
|
|
}
|
|
|
|
// PrivateKeyFromPKCS8 parses a private key from its PKCS#8 encoding.
|
|
func PrivateKeyFromPKCS8(keyBytes []byte) (crypto.PrivateKey, error) {
|
|
key, err := x509.ParsePKCS8PrivateKey(keyBytes)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return crypto.PrivateKey(key), nil
|
|
}
|
|
|
|
// PrivateKeyFromPEM parses a private key from its PEM-enveloped PKCS#8
|
|
// encoding.
|
|
func PrivateKeyFromPEM(keyBytes []byte) (crypto.PrivateKey, error) {
|
|
pb, _ := pem.Decode(keyBytes)
|
|
if pb == nil {
|
|
return nil, ErrParse.New("could not parse PEM encoding")
|
|
}
|
|
switch pb.Type {
|
|
case BlockLabelEcPrivateKey:
|
|
return ecPrivateKeyFromASN1(pb.Bytes)
|
|
case BlockLabelPrivateKey:
|
|
return PrivateKeyFromPKCS8(pb.Bytes)
|
|
}
|
|
return nil, ErrParse.New("can not parse private key from PEM block labeled %q", pb.Type)
|
|
}
|
|
|
|
// WriteCertPEM writes the certificate to the writer, in a PEM-enveloped DER
|
|
// encoding.
|
|
func WriteCertPEM(w io.Writer, certs ...*x509.Certificate) error {
|
|
if len(certs) == 0 {
|
|
return errs.New("no certs to encode")
|
|
}
|
|
encodeErrs := new(errs.Group)
|
|
for _, cert := range certs {
|
|
encodeErrs.Add(pem.Encode(w, &pem.Block{Type: BlockLabelCertificate, Bytes: cert.Raw}))
|
|
}
|
|
return encodeErrs.Err()
|
|
}
|
|
|
|
// CertToPEM returns the bytes of the certificate, in a PEM-enveloped DER
|
|
// encoding.
|
|
func CertToPEM(cert *x509.Certificate) []byte {
|
|
return pem.EncodeToMemory(&pem.Block{Type: BlockLabelCertificate, Bytes: cert.Raw})
|
|
}
|
|
|
|
// CertToDER returns the bytes of the certificate, in a DER encoding.
|
|
//
|
|
// Note that this is fairly useless, as x509.Certificate objects are always
|
|
// supposed to have a member containing the raw DER encoding. But this is
|
|
// included for completeness with the rest of this module's API.
|
|
func CertToDER(cert *x509.Certificate) ([]byte, error) {
|
|
return cert.Raw, nil
|
|
}
|
|
|
|
// CertFromDER parses an X.509 certificate from its DER encoding.
|
|
func CertFromDER(certDER []byte) (*x509.Certificate, error) {
|
|
return x509.ParseCertificate(certDER)
|
|
}
|
|
|
|
// CertFromPEM parses an X.509 certificate from its PEM-enveloped DER encoding.
|
|
func CertFromPEM(certPEM []byte) (*x509.Certificate, error) {
|
|
kb, _ := pem.Decode(certPEM)
|
|
if kb == nil {
|
|
return nil, ErrParse.New("could not decode certificate as PEM")
|
|
}
|
|
if kb.Type != BlockLabelCertificate {
|
|
return nil, ErrParse.New("can not parse certificate from PEM block labeled %q", kb.Type)
|
|
}
|
|
return CertFromDER(kb.Bytes)
|
|
}
|
|
|
|
// CertsFromDER parses an x509 certificate from each of the given byte
|
|
// slices, which should be encoded in DER.
|
|
func CertsFromDER(rawCerts [][]byte) ([]*x509.Certificate, error) {
|
|
certs := make([]*x509.Certificate, len(rawCerts))
|
|
for i, c := range rawCerts {
|
|
var err error
|
|
certs[i], err = CertFromDER(c)
|
|
if err != nil {
|
|
return nil, ErrParse.New("unable to parse certificate at index %d", i)
|
|
}
|
|
}
|
|
return certs, nil
|
|
}
|
|
|
|
// CertsFromPEM parses a PEM chain from a single byte string (the PEM-enveloped
|
|
// certificates should be concatenated). The PEM blocks may include PKIX
|
|
// extensions.
|
|
func CertsFromPEM(pemBytes []byte) ([]*x509.Certificate, error) {
|
|
var (
|
|
encChain encodedChain
|
|
blockErrs errs.Group
|
|
)
|
|
for {
|
|
var pemBlock *pem.Block
|
|
pemBlock, pemBytes = pem.Decode(pemBytes)
|
|
if pemBlock == nil {
|
|
break
|
|
}
|
|
switch pemBlock.Type {
|
|
case BlockLabelCertificate:
|
|
encChain.AddCert(pemBlock.Bytes)
|
|
case BlockLabelExtension:
|
|
err := encChain.AddExtension(pemBlock.Bytes)
|
|
blockErrs.Add(err)
|
|
}
|
|
}
|
|
if err := blockErrs.Err(); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return encChain.Parse()
|
|
}
|
|
|
|
type encodedChain struct {
|
|
chain [][]byte
|
|
extensions [][][]byte
|
|
}
|
|
|
|
func (e *encodedChain) AddCert(b []byte) {
|
|
e.chain = append(e.chain, b)
|
|
e.extensions = append(e.extensions, [][]byte{})
|
|
}
|
|
|
|
func (e *encodedChain) AddExtension(b []byte) error {
|
|
chainLen := len(e.chain)
|
|
if chainLen < 1 {
|
|
return ErrChainLength.New("expected: >= 1; actual: %d", chainLen)
|
|
}
|
|
|
|
i := chainLen - 1
|
|
e.extensions[i] = append(e.extensions[i], b)
|
|
return nil
|
|
}
|
|
|
|
func (e *encodedChain) Parse() ([]*x509.Certificate, error) {
|
|
chain, err := CertsFromDER(e.chain)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var extErrs errs.Group
|
|
for i, cert := range chain {
|
|
for _, ee := range e.extensions[i] {
|
|
ext, err := PKIXExtensionFromASN1(ee)
|
|
extErrs.Add(err) // TODO: is this correct?
|
|
cert.ExtraExtensions = append(cert.ExtraExtensions, *ext)
|
|
}
|
|
}
|
|
if err := extErrs.Err(); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return chain, nil
|
|
}
|
|
|
|
// WritePKIXExtensionPEM writes the certificate extension to the writer, in a PEM-
|
|
// enveloped PKIX form.
|
|
func WritePKIXExtensionPEM(w io.Writer, extension *pkix.Extension) error {
|
|
extBytes, err := PKIXExtensionToASN1(extension)
|
|
if err != nil {
|
|
return errs.Wrap(err)
|
|
}
|
|
err = pem.Encode(w, &pem.Block{Type: BlockLabelExtension, Bytes: extBytes})
|
|
return errs.Wrap(err)
|
|
}
|
|
|
|
// PKIXExtensionToPEM serializes a PKIX certificate extension to PEM-
|
|
// enveloped ASN.1 bytes.
|
|
func PKIXExtensionToPEM(extension *pkix.Extension) ([]byte, error) {
|
|
asn, err := PKIXExtensionToASN1(extension)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return pem.EncodeToMemory(&pem.Block{Type: BlockLabelExtension, Bytes: asn}), nil
|
|
}
|
|
|
|
// PKIXExtensionToASN1 serializes a PKIX certificate extension to the
|
|
// appropriate ASN.1 structure for such things. See RFC 5280, section 4.1.1.2.
|
|
func PKIXExtensionToASN1(extension *pkix.Extension) ([]byte, error) {
|
|
extBytes, err := asn1.Marshal(extension)
|
|
return extBytes, errs.Wrap(err)
|
|
}
|
|
|
|
// PKIXExtensionFromASN1 deserializes a PKIX certificate extension from
|
|
// the appropriate ASN.1 structure for such things.
|
|
func PKIXExtensionFromASN1(extData []byte) (*pkix.Extension, error) {
|
|
var extension pkix.Extension
|
|
if _, err := asn1.Unmarshal(extData, &extension); err != nil {
|
|
return nil, ErrParse.New("unable to unmarshal PKIX extension: %v", err)
|
|
}
|
|
return &extension, nil
|
|
}
|
|
|
|
// PKIXExtensionFromPEM parses a PKIX certificate extension from
|
|
// PEM-enveloped ASN.1 bytes.
|
|
func PKIXExtensionFromPEM(pemBytes []byte) (*pkix.Extension, error) {
|
|
pb, _ := pem.Decode(pemBytes)
|
|
if pb == nil {
|
|
return nil, ErrParse.New("unable to parse PEM block")
|
|
}
|
|
if pb.Type != BlockLabelExtension {
|
|
return nil, ErrParse.New("can not parse PKIX cert extension from PEM block labeled %q", pb.Type)
|
|
}
|
|
return PKIXExtensionFromASN1(pb.Bytes)
|
|
}
|
|
|
|
type ecdsaSignature struct {
|
|
R, S *big.Int
|
|
}
|
|
|
|
func marshalECDSASignature(r, s *big.Int) ([]byte, error) {
|
|
return asn1.Marshal(ecdsaSignature{R: r, S: s})
|
|
}
|
|
|
|
func unmarshalECDSASignature(signatureBytes []byte) (r, s *big.Int, err error) {
|
|
var signature ecdsaSignature
|
|
if _, err = asn1.Unmarshal(signatureBytes, &signature); err != nil {
|
|
return nil, nil, err
|
|
}
|
|
return signature.R, signature.S, nil
|
|
}
|
|
|
|
// ecPrivateKeyFromASN1 parses a private key from the special Elliptic Curve
|
|
// Private Key ASN.1 structure. This is here only for backward compatibility.
|
|
// Use PKCS#8 instead.
|
|
func ecPrivateKeyFromASN1(privKeyData []byte) (crypto.PrivateKey, error) {
|
|
key, err := x509.ParseECPrivateKey(privKeyData)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return crypto.PrivateKey(key), nil
|
|
}
|