2024-01-26 01:16:37 +00:00
|
|
|
package pkcs15
|
|
|
|
|
|
|
|
|
|
import (
|
2024-06-24 22:23:05 +00:00
|
|
|
"crypto"
|
2024-01-26 01:16:37 +00:00
|
|
|
"crypto/rsa"
|
|
|
|
|
"crypto/tls"
|
|
|
|
|
"crypto/x509"
|
|
|
|
|
"encoding/pem"
|
|
|
|
|
"errors"
|
|
|
|
|
"fmt"
|
2024-06-24 22:23:05 +00:00
|
|
|
"reflect"
|
2024-01-26 01:16:37 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
errPemKeyBadBlock = errors.New("pkcs15: pem key: failed to decode pem block")
|
|
|
|
|
errPemKeyFailedToParse = errors.New("pkcs15: pem key: failed to parse key")
|
|
|
|
|
errPemKeyWrongBlockType = errors.New("pkcs15: pem key: unsupported pem block type (only pkcs1 and pkcs8 supported)")
|
2024-06-24 22:23:02 +00:00
|
|
|
errPemKeyWrongType = errors.New("pkcs15: pem key: unsupported key type (only rsa 1,024, 2,048, and 3,072 supported)")
|
2024-01-26 01:16:37 +00:00
|
|
|
|
|
|
|
|
errPemCertBadBlock = errors.New("pkcs15: pem cert: failed to decode pem block")
|
|
|
|
|
errPemCertFailedToParse = errors.New("pkcs15: pem cert: failed to parse cert")
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// pemKeyDecode attempts to decode a pem encoded byte slice and then attempts
|
|
|
|
|
// to parse an RSA private key from the decoded pem block. an error is returned
|
2024-02-04 15:59:58 +00:00
|
|
|
// if any of these steps fail OR if the key is not RSA and of bitlen 1,024 or 2,048
|
2024-06-24 22:23:05 +00:00
|
|
|
func pemKeyDecode(keyPem []byte) (crypto.PrivateKey, error) {
|
2024-01-26 01:16:37 +00:00
|
|
|
// decode
|
|
|
|
|
pemBlock, _ := pem.Decode([]byte(keyPem))
|
|
|
|
|
if pemBlock == nil {
|
|
|
|
|
return nil, errPemKeyBadBlock
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// parsing depends on block type
|
2024-06-24 22:23:05 +00:00
|
|
|
var privateKey crypto.PrivateKey
|
2024-01-26 01:16:37 +00:00
|
|
|
|
|
|
|
|
switch pemBlock.Type {
|
|
|
|
|
case "RSA PRIVATE KEY": // PKCS1
|
2024-06-24 22:23:05 +00:00
|
|
|
rsaKey, err := x509.ParsePKCS1PrivateKey(pemBlock.Bytes)
|
2024-01-26 01:16:37 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, errPemKeyFailedToParse
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// basic sanity check
|
|
|
|
|
err = rsaKey.Validate()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("pkcs15: pem key: failed sanity check (%s)", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// verify proper bitlen
|
2024-06-24 22:23:02 +00:00
|
|
|
if rsaKey.N.BitLen() != 1024 && rsaKey.N.BitLen() != 2048 && rsaKey.N.BitLen() != 3072 {
|
2024-01-26 01:16:37 +00:00
|
|
|
return nil, errPemKeyWrongType
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// good to go
|
2024-06-24 22:23:05 +00:00
|
|
|
privateKey = rsaKey
|
|
|
|
|
|
|
|
|
|
// case "EC PRIVATE KEY": // SEC1, ASN.1
|
|
|
|
|
// var ecdKey *ecdsa.PrivateKey
|
|
|
|
|
// ecdKey, err := x509.ParseECPrivateKey(pemBlock.Bytes)
|
|
|
|
|
// if err != nil {
|
|
|
|
|
// return nil, errPemKeyFailedToParse
|
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
// // verify acceptable curve name
|
|
|
|
|
// if ecdKey.Curve.Params().Name != "P-256" && ecdKey.Curve.Params().Name != "P-384" {
|
|
|
|
|
// return nil, errPemKeyWrongType
|
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
// // good to go
|
|
|
|
|
// privateKey = ecdKey
|
2024-01-26 01:16:37 +00:00
|
|
|
|
|
|
|
|
case "PRIVATE KEY": // PKCS8
|
|
|
|
|
pkcs8Key, err := x509.ParsePKCS8PrivateKey(pemBlock.Bytes)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errPemKeyFailedToParse
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch pkcs8Key := pkcs8Key.(type) {
|
|
|
|
|
case *rsa.PrivateKey:
|
|
|
|
|
// basic sanity check
|
2024-06-24 22:23:05 +00:00
|
|
|
err = pkcs8Key.Validate()
|
2024-01-26 01:16:37 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("pkcs15: pem key: failed sanity check (%s)", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// verify proper bitlen
|
2024-06-24 22:23:05 +00:00
|
|
|
if pkcs8Key.N.BitLen() != 1024 && pkcs8Key.N.BitLen() != 2048 && pkcs8Key.N.BitLen() != 3072 {
|
2024-01-26 01:16:37 +00:00
|
|
|
return nil, errPemKeyWrongType
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// good to go
|
2024-06-24 22:23:05 +00:00
|
|
|
privateKey = pkcs8Key
|
|
|
|
|
|
|
|
|
|
// case *ecdsa.PrivateKey:
|
|
|
|
|
// // verify acceptable curve name
|
|
|
|
|
// if pkcs8Key.Curve.Params().Name != "P-256" && pkcs8Key.Curve.Params().Name != "P-384" {
|
|
|
|
|
// return nil, errPemKeyWrongType
|
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
// // good to go
|
|
|
|
|
// privateKey = pkcs8Key
|
2024-01-26 01:16:37 +00:00
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
return nil, errPemKeyWrongType
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
return nil, errPemKeyWrongBlockType
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// if rsaKey is nil somehow, error
|
2024-06-24 22:23:05 +00:00
|
|
|
if reflect.ValueOf(privateKey).IsNil() {
|
2024-01-26 01:16:37 +00:00
|
|
|
return nil, errors.New("pkcs15: pem key: rsa key unexpectedly nil (report bug to project repo)")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// success!
|
2024-06-24 22:23:05 +00:00
|
|
|
return privateKey, nil
|
2024-01-26 01:16:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// pemCertDecode attempts to decode a pem encoded byte slice and then attempts
|
|
|
|
|
// to parse a certificate from it. The certificate is also check against the
|
|
|
|
|
// key that is passed in to verify the key matches the certificate.
|
|
|
|
|
func pemCertDecode(certPem, keyPem []byte) (*x509.Certificate, error) {
|
|
|
|
|
// verify key and cert make a valid key pair
|
|
|
|
|
_, err := tls.X509KeyPair(certPem, keyPem)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// discard rest, apc tool only bundles end cert
|
|
|
|
|
block, _ := pem.Decode(certPem)
|
|
|
|
|
if block == nil || block.Type != "CERTIFICATE" {
|
|
|
|
|
return nil, errPemCertBadBlock
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get the cert struct
|
|
|
|
|
cert, err := x509.ParseCertificate(block.Bytes)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errPemCertFailedToParse
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return cert, nil
|
|
|
|
|
}
|
