forked from mutecomm/mute
-
Notifications
You must be signed in to change notification settings - Fork 0
/
signedmap.go
86 lines (75 loc) · 2.15 KB
/
signedmap.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
// Copyright (c) 2015 Mute Communications Ltd.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package sortedmap
import (
"encoding/json"
"errors"
"github.com/agl/ed25519"
"github.com/mutecomm/mute/util/times"
)
var (
// ErrNoVerify is returned when a signature could not be verified.
ErrNoVerify = errors.New("sortedmap: signature verification failed")
// ErrBadTime is returned if a signature time is either too old or too young.
ErrBadTime = errors.New("sortedmap: signature time wrong")
// ErrWalkBack is returned if an old certificate was presented.
ErrWalkBack = errors.New("sortedmap: expired certificate replayed")
)
// MaxSignatureAge is the maximum difference between now and the signature time.
const MaxSignatureAge = 14400 // four hours
// SignedMap is a signed map.
type SignedMap struct {
Config StringMap
Signature []byte
SignDate uint64
}
func diff(a, b uint64) uint64 {
if a > b {
return a - b
}
return b - a
}
// Marshal a signed map.
func (sm *SignedMap) Marshal() ([]byte, error) {
d, err := json.Marshal(sm)
if err != nil {
return nil, err
}
return d, nil
}
// Unmarshal a signed map back to struct.
func Unmarshal(d []byte) (*SignedMap, error) {
sm := new(SignedMap)
err := json.Unmarshal(d, sm)
if err != nil {
return nil, err
}
return sm, nil
}
// GenerateCertificate returns a signed and encoded SortedMap.
func (sm StringMap) GenerateCertificate(privKey *[ed25519.PrivateKeySize]byte) ([]byte, error) {
so := sm.Sort()
sigmap := new(SignedMap)
sigmap.SignDate = uint64(times.Now())
sigmap.Signature = so.Sign(sigmap.SignDate, privKey)
sigmap.Config = sm
return sigmap.Marshal()
}
// Certify verifies an encoded certificate.
func Certify(lastSignDate uint64, publicKey []byte, cert []byte) (*SignedMap, error) {
sm, err := Unmarshal(cert)
if err != nil {
return nil, err
}
if lastSignDate > 0 && sm.SignDate < lastSignDate {
return nil, ErrWalkBack
}
if diff(uint64(times.Now()), sm.SignDate) > MaxSignatureAge {
return nil, ErrBadTime
}
if !sm.Config.Sort().Verify(sm.SignDate, publicKey, sm.Signature) {
return nil, ErrNoVerify
}
return sm, nil
}