mirror of
https://github.com/gregtwallace/apc-p15-tool.git
synced 2025-07-10 09:32:58 +00:00
add ecdsa key support and enable 4,092 RSA
* apcssh: add descriptive error when required file(s) not passed * create: dont create key+cert file when key isn't supported by NMC2 * config: fix usage messages re: key types * p15 files: dont generate key+cert when it isn't needed (aka NMC2 doesn't support key) * pkcs15: pre-calculate envelope when making the p15 struct * pkcs15: omit key ID 8 & 9 from EC keys * pkcs15: update key decode logic * pkcs15: add key type value for easy determination of compatibility * pkcs15: add ec key support * pkcs15: separate functions for key and key+cert p15 files * update README see: https://github.com/gregtwallace/apc-p15-tool/issues/6
This commit is contained in:
parent
51e5847409
commit
cbb831e009
12 changed files with 508 additions and 266 deletions
pkg/pkcs15
|
@ -2,8 +2,10 @@ package pkcs15
|
|||
|
||||
import (
|
||||
"apc-p15-tool/pkg/tools/asn1obj"
|
||||
"crypto/ecdsa"
|
||||
"crypto/rsa"
|
||||
"encoding/asn1"
|
||||
"fmt"
|
||||
"math/big"
|
||||
)
|
||||
|
||||
|
@ -13,39 +15,87 @@ const (
|
|||
|
||||
// toP15KeyCert creates a P15 file with both the private key and certificate, mirroring the
|
||||
// final p15 file an APC UPS expects (though without the header)
|
||||
func (p15 *pkcs15KeyCert) toP15KeyCert(keyEnvelope []byte) (keyCert []byte, err error) {
|
||||
// private key object
|
||||
privateKey := asn1obj.Sequence([][]byte{
|
||||
// commonObjectAttributes - Label
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.UTF8String(apcKeyLabel),
|
||||
}),
|
||||
// CommonKeyAttributes
|
||||
asn1obj.Sequence([][]byte{
|
||||
// CommonKeyAttributes - iD - uses keyId that is SHA1( SubjectPublicKeyInfo SEQUENCE )
|
||||
asn1obj.OctetString(p15.keyId()),
|
||||
// CommonKeyAttributes - usage (trailing 0s will drop)
|
||||
asn1obj.BitString([]byte{byte(0b11100010)}),
|
||||
// CommonKeyAttributes - accessFlags (trailing 0s will drop)
|
||||
asn1obj.BitString([]byte{byte(0b10110000)}),
|
||||
// CommonKeyAttributes - startDate
|
||||
asn1obj.GeneralizedTime(p15.cert.NotBefore),
|
||||
// CommonKeyAttributes - [0] endDate
|
||||
asn1obj.GeneralizedTimeExplicitValue(0, p15.cert.NotAfter),
|
||||
}),
|
||||
// ObjectValue - indirect-protected
|
||||
asn1obj.ExplicitCompound(1, [][]byte{
|
||||
func (p15 *pkcs15KeyCert) ToP15KeyCert() (keyCert []byte, err error) {
|
||||
// encrypted envelope is required
|
||||
err = p15.computeEncryptedKeyEnvelope()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// create private key object
|
||||
var privKeyObj []byte
|
||||
|
||||
switch p15.key.(type) {
|
||||
case *rsa.PrivateKey:
|
||||
// private key object
|
||||
privKeyObj =
|
||||
asn1obj.Sequence([][]byte{
|
||||
// AuthEnvelopedData Type ([4])
|
||||
asn1obj.ExplicitCompound(4, [][]byte{
|
||||
keyEnvelope,
|
||||
// commonObjectAttributes - Label
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.UTF8String(apcKeyLabel),
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
})
|
||||
// CommonKeyAttributes
|
||||
asn1obj.Sequence([][]byte{
|
||||
// CommonKeyAttributes - iD - uses keyId that is SHA1( SubjectPublicKeyInfo SEQUENCE )
|
||||
asn1obj.OctetString(p15.keyId()),
|
||||
// CommonKeyAttributes - usage (trailing 0s will drop)
|
||||
asn1obj.BitString([]byte{byte(0b11100010)}),
|
||||
// CommonKeyAttributes - accessFlags (trailing 0s will drop)
|
||||
asn1obj.BitString([]byte{byte(0b10110000)}),
|
||||
// CommonKeyAttributes - startDate
|
||||
asn1obj.GeneralizedTime(p15.cert.NotBefore),
|
||||
// CommonKeyAttributes - [0] endDate
|
||||
asn1obj.GeneralizedTimeExplicitValue(0, p15.cert.NotAfter),
|
||||
}),
|
||||
// ObjectValue - indirect-protected
|
||||
asn1obj.ExplicitCompound(1, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
// AuthEnvelopedData Type ([4])
|
||||
asn1obj.ExplicitCompound(4, [][]byte{
|
||||
p15.envelopedPrivateKey,
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
})
|
||||
|
||||
case *ecdsa.PrivateKey:
|
||||
privKeyObj =
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
// commonObjectAttributes - Label
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.UTF8String(apcKeyLabel),
|
||||
}),
|
||||
// CommonKeyAttributes
|
||||
asn1obj.Sequence([][]byte{
|
||||
// CommonKeyAttributes - iD - uses keyId that is SHA1( SubjectPublicKeyInfo SEQUENCE )
|
||||
asn1obj.OctetString(p15.keyId()),
|
||||
// CommonKeyAttributes - usage (trailing 0s will drop)
|
||||
asn1obj.BitString([]byte{byte(0b00100010)}),
|
||||
// CommonKeyAttributes - accessFlags (trailing 0s will drop)
|
||||
asn1obj.BitString([]byte{byte(0b10110000)}),
|
||||
// CommonKeyAttributes - startDate
|
||||
asn1obj.GeneralizedTime(p15.cert.NotBefore),
|
||||
// CommonKeyAttributes - [0] endDate
|
||||
asn1obj.GeneralizedTimeExplicitValue(0, p15.cert.NotAfter),
|
||||
}),
|
||||
// ObjectValue - indirect-protected
|
||||
asn1obj.ExplicitCompound(1, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
// AuthEnvelopedData Type ([4])
|
||||
asn1obj.ExplicitCompound(4, [][]byte{
|
||||
p15.envelopedPrivateKey,
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
})
|
||||
|
||||
default:
|
||||
// bad key type
|
||||
return nil, errKeyWrongType
|
||||
}
|
||||
|
||||
// cert object
|
||||
cert := asn1obj.Sequence([][]byte{
|
||||
certObj := asn1obj.Sequence([][]byte{
|
||||
// commonObjectAttributes - Label
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.UTF8String(apcKeyLabel),
|
||||
|
@ -59,6 +109,7 @@ func (p15 *pkcs15KeyCert) toP15KeyCert(keyEnvelope []byte) (keyCert []byte, err
|
|||
p15.keyIdInt3(),
|
||||
p15.keyIdInt6(),
|
||||
p15.keyIdInt7(),
|
||||
// 8 & 9 will return nil for EC keys (effectively omitting them)
|
||||
p15.keyIdInt8(),
|
||||
p15.keyIdInt9(),
|
||||
}),
|
||||
|
@ -77,7 +128,7 @@ func (p15 *pkcs15KeyCert) toP15KeyCert(keyEnvelope []byte) (keyCert []byte, err
|
|||
}),
|
||||
})
|
||||
|
||||
// build the file
|
||||
// build the object
|
||||
|
||||
// ContentInfo
|
||||
keyCert = asn1obj.Sequence([][]byte{
|
||||
|
@ -92,12 +143,12 @@ func (p15 *pkcs15KeyCert) toP15KeyCert(keyEnvelope []byte) (keyCert []byte, err
|
|||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
privateKey,
|
||||
privKeyObj,
|
||||
}),
|
||||
}),
|
||||
asn1obj.ExplicitCompound(4, [][]byte{
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
cert,
|
||||
certObj,
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
|
@ -111,141 +162,212 @@ func (p15 *pkcs15KeyCert) toP15KeyCert(keyEnvelope []byte) (keyCert []byte, err
|
|||
// toP15Key creates a P15 file with just the private key, mirroring the p15 format
|
||||
// the APC tool uses when generating a new private key (Note: no header is used on
|
||||
// this file)
|
||||
func (p15 *pkcs15KeyCert) toP15Key(keyEnvelope []byte) (key []byte, err error) {
|
||||
// create public key object
|
||||
var pubKeyObj []byte
|
||||
func (p15 *pkcs15KeyCert) ToP15Key() (key []byte, err error) {
|
||||
// encrypted envelope is required
|
||||
err = p15.computeEncryptedKeyEnvelope()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// create private and public key objects
|
||||
var pubKeyObj, privKeyObj []byte
|
||||
|
||||
switch privKey := p15.key.(type) {
|
||||
case *rsa.PrivateKey:
|
||||
pubKeyObj = asn1obj.ExplicitCompound(1, [][]byte{
|
||||
// private key object (slightly different than the key+cert format)
|
||||
privKeyObj =
|
||||
asn1obj.Sequence([][]byte{
|
||||
// commonObjectAttributes - Label
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.UTF8String(apcKeyLabel),
|
||||
}),
|
||||
// CommonKeyAttributes
|
||||
asn1obj.Sequence([][]byte{
|
||||
// CommonKeyAttributes - iD - uses keyId that is SHA1( SubjectPublicKeyInfo SEQUENCE )
|
||||
asn1obj.OctetString(p15.keyId()),
|
||||
// CommonKeyAttributes - usage (trailing 0s will drop)
|
||||
asn1obj.BitString([]byte{byte(0b11100010)}),
|
||||
// CommonKeyAttributes - accessFlags (trailing 0s will drop)
|
||||
asn1obj.BitString([]byte{byte(0b10110000)}),
|
||||
}),
|
||||
|
||||
// Key IDs
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
asn1obj.ExplicitCompound(1, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.ObjectIdentifier(asn1obj.OIDrsaEncryptionPKCS1),
|
||||
asn1.NullBytes,
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
p15.keyIdInt2(),
|
||||
p15.keyIdInt8(),
|
||||
p15.keyIdInt9(),
|
||||
}),
|
||||
// RSAPublicKey SubjectPublicKeyInfo
|
||||
asn1obj.BitString(
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.Integer(privKey.PublicKey.N),
|
||||
asn1obj.Integer(big.NewInt(int64(privKey.PublicKey.E))),
|
||||
}),
|
||||
),
|
||||
}),
|
||||
}),
|
||||
// not 100% certain but appears to be rsa key byte len
|
||||
asn1obj.Integer(big.NewInt(int64(privKey.PublicKey.N.BitLen() / 8))),
|
||||
}),
|
||||
})
|
||||
|
||||
// ObjectValue - indirect-protected
|
||||
asn1obj.ExplicitCompound(1, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
// AuthEnvelopedData Type ([4])
|
||||
asn1obj.ExplicitCompound(4, [][]byte{
|
||||
p15.envelopedPrivateKey,
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
})
|
||||
|
||||
// pub key stub
|
||||
pubKeyObj =
|
||||
asn1obj.Sequence([][]byte{
|
||||
// commonObjectAttributes - Label
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.UTF8String(apcKeyLabel),
|
||||
}),
|
||||
// CommonKeyAttributes
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.OctetString(p15.keyId()),
|
||||
asn1obj.BitString([]byte{byte(0b10000010)}),
|
||||
asn1obj.BitString([]byte{byte(0b01000000)}),
|
||||
}),
|
||||
|
||||
asn1obj.ExplicitCompound(1, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
asn1obj.ExplicitCompound(1, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.ObjectIdentifier(asn1obj.OIDrsaEncryptionPKCS1),
|
||||
asn1.NullBytes,
|
||||
}),
|
||||
// RSAPublicKey SubjectPublicKeyInfo
|
||||
asn1obj.BitString(
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.Integer(privKey.PublicKey.N),
|
||||
asn1obj.Integer(big.NewInt(int64(privKey.PublicKey.E))),
|
||||
}),
|
||||
),
|
||||
}),
|
||||
}),
|
||||
// not 100% certain but appears to be rsa key byte len
|
||||
asn1obj.Integer(big.NewInt(int64(privKey.PublicKey.N.BitLen() / 8))),
|
||||
}),
|
||||
}),
|
||||
})
|
||||
|
||||
case *ecdsa.PrivateKey:
|
||||
// private key object (slightly different than the key+cert format)
|
||||
privKeyObj =
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
// commonObjectAttributes - Label
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.UTF8String(apcKeyLabel),
|
||||
}),
|
||||
// CommonKeyAttributes
|
||||
asn1obj.Sequence([][]byte{
|
||||
// CommonKeyAttributes - iD - uses keyId that is SHA1( SubjectPublicKeyInfo SEQUENCE )
|
||||
asn1obj.OctetString(p15.keyId()),
|
||||
// CommonKeyAttributes - usage (trailing 0s will drop)
|
||||
asn1obj.BitString([]byte{byte(0b00100010)}),
|
||||
// CommonKeyAttributes - accessFlags (trailing 0s will drop)
|
||||
asn1obj.BitString([]byte{byte(0b10110000)}),
|
||||
}),
|
||||
|
||||
// Key IDs
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
p15.keyIdInt2(),
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
|
||||
// ObjectValue - indirect-protected
|
||||
asn1obj.ExplicitCompound(1, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
// AuthEnvelopedData Type ([4])
|
||||
asn1obj.ExplicitCompound(4, [][]byte{
|
||||
p15.envelopedPrivateKey,
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
})
|
||||
|
||||
// convert ec pub key to a form that provides a public key bytes function
|
||||
ecdhKey, err := privKey.PublicKey.ECDH()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to parse ec public key (%s)", err)
|
||||
}
|
||||
|
||||
// select correct OID for curve
|
||||
var curveOID asn1.ObjectIdentifier
|
||||
switch privKey.Curve.Params().Name {
|
||||
case "P-256":
|
||||
curveOID = asn1obj.OIDprime256v1
|
||||
case "P-384":
|
||||
curveOID = asn1obj.OIDsecp384r1
|
||||
case "P-521":
|
||||
curveOID = asn1obj.OIDsecp521r1
|
||||
default:
|
||||
// bad curve name
|
||||
return nil, errKeyWrongType
|
||||
}
|
||||
|
||||
// pub key stub
|
||||
pubKeyObj =
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
// commonObjectAttributes - Label
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.UTF8String(apcKeyLabel),
|
||||
}),
|
||||
// CommonKeyAttributes
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.OctetString(p15.keyId()),
|
||||
asn1obj.BitString([]byte{byte(0b00000010)}),
|
||||
asn1obj.BitString([]byte{byte(0b01000000)}),
|
||||
}),
|
||||
|
||||
asn1obj.ExplicitCompound(1, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.ObjectIdentifier(asn1obj.OIDecPublicKey),
|
||||
asn1obj.ObjectIdentifier(curveOID),
|
||||
}),
|
||||
asn1obj.BitString(ecdhKey.Bytes()),
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
})
|
||||
|
||||
default:
|
||||
// panic if non-RSA key
|
||||
panic("p15 key file for non-rsa key is unexpected and unsupported")
|
||||
// bad key type
|
||||
return nil, errKeyWrongType
|
||||
}
|
||||
|
||||
// private key object (slightly different than the key+cert format)
|
||||
privateKey := asn1obj.Sequence([][]byte{
|
||||
// commonObjectAttributes - Label
|
||||
// assemble complete object
|
||||
key =
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.UTF8String(apcKeyLabel),
|
||||
}),
|
||||
// CommonKeyAttributes
|
||||
asn1obj.Sequence([][]byte{
|
||||
// CommonKeyAttributes - iD - uses keyId that is SHA1( SubjectPublicKeyInfo SEQUENCE )
|
||||
asn1obj.OctetString(p15.keyId()),
|
||||
// CommonKeyAttributes - usage (trailing 0s will drop)
|
||||
asn1obj.BitString([]byte{byte(0b11100010)}),
|
||||
// CommonKeyAttributes - accessFlags (trailing 0s will drop)
|
||||
asn1obj.BitString([]byte{byte(0b10110000)}),
|
||||
}),
|
||||
|
||||
//
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
p15.keyIdInt2(),
|
||||
p15.keyIdInt8(),
|
||||
p15.keyIdInt9(),
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
|
||||
// ObjectValue - indirect-protected
|
||||
asn1obj.ExplicitCompound(1, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
// AuthEnvelopedData Type ([4])
|
||||
asn1obj.ExplicitCompound(4, [][]byte{
|
||||
keyEnvelope,
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
})
|
||||
|
||||
// ContentInfo
|
||||
key = asn1obj.Sequence([][]byte{
|
||||
|
||||
// contentType: OID: 1.2.840.113549.1.15.3.1 pkcs15content (PKCS #15 content type)
|
||||
asn1obj.ObjectIdentifier(asn1obj.OIDPkscs15Content),
|
||||
|
||||
// content
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.Integer(big.NewInt(0)),
|
||||
// contentType: OID: 1.2.840.113549.1.15.3.1 pkcs15content (PKCS #15 content type)
|
||||
asn1obj.ObjectIdentifier(asn1obj.OIDPkscs15Content),
|
||||
// content
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
// [0] Private Key
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
asn1obj.Integer(big.NewInt(0)),
|
||||
asn1obj.Sequence([][]byte{
|
||||
// [0] Private Keys
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
privateKey,
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
privKeyObj,
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
// [1] Public Key
|
||||
asn1obj.ExplicitCompound(1, [][]byte{
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
asn1obj.Sequence([][]byte{
|
||||
// commonObjectAttributes - Label
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.UTF8String(apcKeyLabel),
|
||||
}),
|
||||
// CommonKeyAttributes
|
||||
asn1obj.Sequence([][]byte{
|
||||
asn1obj.OctetString(p15.keyId()),
|
||||
asn1obj.BitString([]byte{byte(0b10000010)}),
|
||||
asn1obj.BitString([]byte{byte(0b01000000)}),
|
||||
}),
|
||||
|
||||
// [1] Public Keys
|
||||
asn1obj.ExplicitCompound(1, [][]byte{
|
||||
asn1obj.ExplicitCompound(0, [][]byte{
|
||||
pubKeyObj,
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
}),
|
||||
})
|
||||
})
|
||||
|
||||
return key, nil
|
||||
}
|
||||
|
||||
// ToP15File turns the key and cert into a properly formatted and encoded
|
||||
// p15 file
|
||||
func (p15 *pkcs15KeyCert) ToP15Files() (keyCertFile []byte, keyFile []byte, err error) {
|
||||
// rsa encrypted key in encrypted envelope (will be shared by both output files)
|
||||
envelope, err := p15.encryptedKeyEnvelope()
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
// key + cert file
|
||||
keyCertFile, err = p15.toP15KeyCert(envelope)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
// key only file
|
||||
keyFile, err = p15.toP15Key(envelope)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
||||
return keyCertFile, keyFile, nil
|
||||
}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue