/
signer.go
215 lines (199 loc) · 6.18 KB
/
signer.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
package fwt
import (
"crypto/hmac"
"crypto/sha256"
"crypto/sha512"
"fmt"
"github.com/cloudflare/circl/sign/ed25519"
"github.com/cloudflare/circl/sign/ed448"
"github.com/zeebo/blake3"
"golang.org/x/crypto/blake2b"
)
// NewEd25519Signer creates a new signer using Ed25519 with ed25519.PrivateKey.
func NewEd25519Signer(key ed25519.PrivateKey) func([]byte) ([]byte, error) {
return func(data []byte) ([]byte, error) {
return ed25519.Sign(key, data), nil
}
}
// NewEd25519Verifier creates a new verifier using Ed25519 with ed25519.PublicKey
func NewEd25519Verifier(key ed25519.PublicKey) func([]byte, []byte) error {
return func(data []byte, sig []byte) error {
if ed25519.Verify(key, data, sig) {
return nil
}
return fmt.Errorf("invalid signature")
}
}
// NewEd448Signer creates a new signer using Ed448 with ed448.PrivateKey.
// context is optional and defaults to fwt.defaultCtx.
// please refer to https://tools.ietf.org/html/rfc8032#section-5.2.6 for more information.
func NewEd448Signer(key ed448.PrivateKey, context ...string) func([]byte) ([]byte, error) {
var ctx string
if len(context) != 0 {
ctx = context[0]
} else {
ctx = defaultCtx
}
return func(data []byte) ([]byte, error) {
return ed448.Sign(key, data, ctx), nil
}
}
// NewEd448Verifier creates a new verifier using Ed448 with ed448.PublicKey.
// context is optional and defaults to fwt.defaultCtx.
// please refer to https://tools.ietf.org/html/rfc8032#section-5.2.6 for more information.
func NewEd448Verifier(key ed448.PublicKey, context ...string) func([]byte, []byte) error {
var ctx string
if len(context) != 0 {
ctx = context[0]
} else {
ctx = defaultCtx
}
return func(data []byte, sig []byte) error {
if ed448.Verify(key, data, sig, ctx) {
return nil
}
return fmt.Errorf("invalid signature")
}
}
// NewHMACSha256Signer creates a new signer using HMAC-SHA256 with a key.
func NewHMACSha256Signer(key []byte) func([]byte) ([]byte, error) {
return func(data []byte) ([]byte, error) {
hasher := hmac.New(sha256.New, key)
hasher.Write(data)
return hasher.Sum(nil), nil
}
}
// NewHMACSha256Verifier creates a new verifier using HMAC-SHA256 with a key.
func NewHMACSha256Verifier(key []byte) func([]byte, []byte) error {
return func(data []byte, sig []byte) error {
hasher := hmac.New(sha256.New, key)
hasher.Write(data)
if hmac.Equal(hasher.Sum(nil), sig) {
return nil
}
return fmt.Errorf("invalid signature")
}
}
// NewHMACSha512Signer creates a new signer using HMAC-SHA512 with a key.
func NewHMACSha512Signer(key []byte) func([]byte) ([]byte, error) {
return func(data []byte) ([]byte, error) {
hasher := hmac.New(sha512.New, key)
hasher.Write(data)
return hasher.Sum(nil), nil
}
}
// NewHMACSha512Verifier creates a new verifier using HMAC-SHA512 with a key.
func NewHMACSha512Verifier(key []byte) func([]byte, []byte) error {
return func(data []byte, sig []byte) error {
hasher := hmac.New(sha512.New, key)
hasher.Write(data)
if hmac.Equal(hasher.Sum(nil), sig) {
return nil
}
return fmt.Errorf("invalid signature")
}
}
// NewBlake2b256Signer creates a new signer using blake2b-256 with a key.
// If the key is longer than 64 bytes, it will be hashed with blake2b-512.
func NewBlake2b256Signer(key []byte) func([]byte) ([]byte, error) {
if len(key) > blake2b.Size {
t := blake2b.Sum512(key)
key = t[:]
}
return func(data []byte) ([]byte, error) {
hasher, err := blake2b.New256(key)
if err != nil {
return nil, fmt.Errorf("failed to create blake2b-256 hasher: %w", err)
}
hasher.Write(data)
return hasher.Sum(nil), nil
}
}
// NewBlake2b256Verifier creates a new verifier using blake2b-256 with a key.
// If the key is longer than 64 bytes, it will be hashed with blake2b-512.
func NewBlake2b256Verifier(key []byte) func([]byte, []byte) error {
if len(key) > blake2b.Size {
t := blake2b.Sum512(key)
key = t[:]
}
return func(data []byte, sig []byte) error {
hasher, err := blake2b.New256(key)
if err != nil {
return fmt.Errorf("failed to create blake2b-256 hasher: %w", err)
}
hasher.Write(data)
if hmac.Equal(hasher.Sum(nil), sig) {
return nil
}
return fmt.Errorf("invalid signature")
}
}
// NewBlake2b512Signer creates a new signer using blake2b-512 with a key.
// If the key is larger than 64 bytes, it will be hashed with blake2b-512.
func NewBlake2b512Signer(key []byte) func([]byte) ([]byte, error) {
if len(key) > blake2b.Size {
t := blake2b.Sum512(key)
key = t[:]
}
return func(data []byte) ([]byte, error) {
hasher, err := blake2b.New512(key)
if err != nil {
return nil, fmt.Errorf("failed to create blake2b-512 hasher: %w", err)
}
hasher.Write(data)
return hasher.Sum(nil), nil
}
}
// NewBlake2b512Verifier creates a new verifier using blake2b-512 with a key.
// If the key is larger than 64 bytes, it will be hashed with blake2b-512.
func NewBlake2b512Verifier(key []byte) func([]byte, []byte) error {
if len(key) > blake2b.Size {
t := blake2b.Sum512(key)
key = t[:]
}
return func(data []byte, sig []byte) error {
hasher, err := blake2b.New512(key)
if err != nil {
return fmt.Errorf("failed to create blake2b-512 hasher: %w", err)
}
hasher.Write(data)
if hmac.Equal(hasher.Sum(nil), sig) {
return nil
}
return fmt.Errorf("invalid signature")
}
}
// NewBlake3Signer creates a new signer using blake3 with a key.
// If the key is not 32 bytes, it will be hashed with blake3.
func NewBlake3Signer(key []byte) func([]byte) ([]byte, error) {
if len(key) != 32 {
t := blake3.Sum256(key)
key = t[:]
}
return func(data []byte) ([]byte, error) {
hasher, err := blake3.NewKeyed(key)
if err != nil {
return nil, fmt.Errorf("failed to create blake3 hasher: %w", err)
}
_, _ = hasher.Write(data)
return hasher.Sum(nil), nil
}
}
// NewBlake3Verifier creates a new verifier using blake3 with a key.
func NewBlake3Verifier(key []byte) func([]byte, []byte) error {
if len(key) != 32 {
t := blake3.Sum256(key)
key = t[:]
}
return func(data []byte, sig []byte) error {
hasher, err := blake3.NewKeyed(key)
if err != nil {
return fmt.Errorf("failed to create blake3 hasher: %w", err)
}
_, _ = hasher.Write(data)
if hmac.Equal(hasher.Sum(nil), sig) {
return nil
}
return fmt.Errorf("invalid signature")
}
}