-
Notifications
You must be signed in to change notification settings - Fork 1
/
bifrost.go
95 lines (86 loc) · 2.77 KB
/
bifrost.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at https://mozilla.org/MPL/2.0/.
// Bifrost is an mTLS authentication toolkit.
package bifrost
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"encoding/pem"
"errors"
"fmt"
"github.com/google/uuid"
)
// Signature and Public Key Algorithms
const (
SignatureAlgorithm = x509.ECDSAWithSHA256
PublicKeyAlgorithm = x509.ECDSA
)
// Namespace is the default UUID Namespace for Bifrost identities.
var Namespace = uuid.MustParse("1512daa4-ddc1-41d1-8673-3fd19d2f338d")
// Errors.
var (
ErrInvalidPublicKey = errors.New("invalid public key")
ErrUnsupportedAlgorithm = errors.New("unsupported algorithm")
ErrWrongNamespace = errors.New("wrong namespace")
)
// NewIdentity generates a new ECDSA private key.
// The private key is also returned as a PEM encoded DER bytes in the second return value.
func NewIdentity() (*ecdsa.PrivateKey, []byte, error) {
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, nil, err
}
keyDer, err := x509.MarshalECPrivateKey(key)
if err != nil {
return nil, nil, err
}
keyPem := pem.EncodeToMemory(&pem.Block{
Type: "EC PRIVATE KEY", Headers: nil, Bytes: keyDer,
})
return key, keyPem, nil
}
// UUID returns a unique identifier derived from the namespace and the client's public key identity.
// The UUID is generated by SHA-1 hashing the namesapce UUID
// with the big endian bytes of the X and Y curve points from the public key.
func UUID(ns uuid.UUID, pubkey *ecdsa.PublicKey) uuid.UUID {
// X and Y are guaranteed to by 256 bits (32 bytes) for elliptic curve P256 keys
var buf [64]byte
pubkey.X.FillBytes(buf[:32])
pubkey.Y.FillBytes(buf[32:])
return uuid.NewSHA1(ns, buf[:])
}
// ParseCertificate parses a DER encoded certificate and returns the bifrost
// client's UUID and the certificate.
func ParseCertificate(ns uuid.UUID, der []byte) (uuid.UUID, *x509.Certificate, error) {
cert, err := x509.ParseCertificate(der)
if err != nil {
return uuid.UUID{}, nil, err
}
pubkey, ok := cert.PublicKey.(*ecdsa.PublicKey)
if !ok {
return uuid.UUID{}, nil, fmt.Errorf(
"invalid public key: %T, %w",
cert.PublicKey,
ErrInvalidPublicKey,
)
}
if cert.SignatureAlgorithm != SignatureAlgorithm {
return uuid.UUID{}, nil, fmt.Errorf(
"unsupported signature algorithm: %s, %w",
cert.SignatureAlgorithm,
ErrUnsupportedAlgorithm,
)
}
id := UUID(ns, pubkey)
cnid, err := uuid.Parse(cert.Subject.CommonName)
if err != nil {
return uuid.UUID{}, nil, fmt.Errorf("invalid common name: %s", cert.Subject.CommonName)
}
if cnid != id {
return uuid.UUID{}, nil, ErrWrongNamespace
}
return id, cert, nil
}