app: restructure and start building p15 output

2025-07-06 08:06:32 +00:00 · 2024-01-25 20:16:37 -05:00 · 2024-01-25 20:16:37 -05:00 · e2e4f2037c
commit e2e4f2037c
parent 6610c92058
24 changed files with 622 additions and 168 deletions
--- a/pkg/pkcs15/pem_decode.go
+++ b/pkg/pkcs15/pem_decode.go
@ -0,0 +1,120 @@
+package pkcs15
+
+import (
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+)
+
+var (
+	errPemKeyBadBlock       = errors.New("pkcs15: pem key: failed to decode pem block")
+	errPemKeyFailedToParse  = errors.New("pkcs15: pem key: failed to parse key")
+	errPemKeyWrongBlockType = errors.New("pkcs15: pem key: unsupported pem block type (only pkcs1 and pkcs8 supported)")
+	errPemKeyWrongType      = errors.New("pkcs15: pem key: unsupported key type (only rsa 2,048 supported)")
+
+	errPemCertBadBlock      = errors.New("pkcs15: pem cert: failed to decode pem block")
+	errPemCertFailedToParse = errors.New("pkcs15: pem cert: failed to parse cert")
+)
+
+// pemKeyDecode attempts to decode a pem encoded byte slice and then attempts
+// to parse an RSA private key from the decoded pem block. an error is returned
+// if any of these steps fail OR if the rsa key is not of bitlen 2,048
+func pemKeyDecode(keyPem []byte) (*rsa.PrivateKey, error) {
+	// decode
+	pemBlock, _ := pem.Decode([]byte(keyPem))
+	if pemBlock == nil {
+		return nil, errPemKeyBadBlock
+	}
+
+	// parsing depends on block type
+	var rsaKey *rsa.PrivateKey
+
+	switch pemBlock.Type {
+	case "RSA PRIVATE KEY": // PKCS1
+		var err error
+
+		rsaKey, err = x509.ParsePKCS1PrivateKey(pemBlock.Bytes)
+		if err != nil {
+			return nil, errPemKeyFailedToParse
+		}
+
+		// basic sanity check
+		err = rsaKey.Validate()
+		if err != nil {
+			return nil, fmt.Errorf("pkcs15: pem key: failed sanity check (%s)", err)
+		}
+
+		// verify proper bitlen
+		if rsaKey.N.BitLen() != 2048 {
+			return nil, errPemKeyWrongType
+		}
+
+		// good to go
+
+	case "PRIVATE KEY": // PKCS8
+		pkcs8Key, err := x509.ParsePKCS8PrivateKey(pemBlock.Bytes)
+		if err != nil {
+			return nil, errPemKeyFailedToParse
+		}
+
+		switch pkcs8Key := pkcs8Key.(type) {
+		case *rsa.PrivateKey:
+			rsaKey = pkcs8Key
+
+			// basic sanity check
+			err = rsaKey.Validate()
+			if err != nil {
+				return nil, fmt.Errorf("pkcs15: pem key: failed sanity check (%s)", err)
+			}
+
+			// verify proper bitlen
+			if rsaKey.N.BitLen() != 2048 {
+				return nil, errPemKeyWrongType
+			}
+
+			// good to go
+
+		default:
+			return nil, errPemKeyWrongType
+		}
+
+	default:
+		return nil, errPemKeyWrongBlockType
+	}
+
+	// if rsaKey is nil somehow, error
+	if rsaKey == nil {
+		return nil, errors.New("pkcs15: pem key: rsa key unexpectedly nil (report bug to project repo)")
+	}
+
+	// success!
+	return rsaKey, nil
+}
+
+// pemCertDecode attempts to decode a pem encoded byte slice and then attempts
+// to parse a certificate from it. The certificate is also check against the
+// key that is passed in to verify the key matches the certificate.
+func pemCertDecode(certPem, keyPem []byte) (*x509.Certificate, error) {
+	// verify key and cert make a valid key pair
+	_, err := tls.X509KeyPair(certPem, keyPem)
+	if err != nil {
+		return nil, err
+	}
+
+	// discard rest, apc tool only bundles end cert
+	block, _ := pem.Decode(certPem)
+	if block == nil || block.Type != "CERTIFICATE" {
+		return nil, errPemCertBadBlock
+	}
+
+	// Get the cert struct
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, errPemCertFailedToParse
+	}
+
+	return cert, nil
+}