-
-
Notifications
You must be signed in to change notification settings - Fork 13
/
v4.go
101 lines (72 loc) · 2.75 KB
/
v4.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
package paseto
import (
"crypto/ed25519"
"crypto/hmac"
"aidanwoods.dev/go-paseto/internal/encoding"
"aidanwoods.dev/go-paseto/internal/hashing"
"aidanwoods.dev/go-paseto/internal/random"
"golang.org/x/crypto/chacha20"
)
func v4PublicSign(packet packet, key V4AsymmetricSecretKey, implicit []byte) message {
data, footer := packet.content, packet.footer
header := []byte(V4Public.Header())
m2 := encoding.Pae(header, data, footer, implicit)
sig := ed25519.Sign(key.material, m2)
if len(sig) != 64 {
panic("Bad signature length")
}
var signature [64]byte
copy(signature[:], sig)
return newMessageFromPayload(v4PublicPayload{data, signature}, footer)
}
func v4PublicVerify(msg message, key V4AsymmetricPublicKey, implicit []byte) (packet, error) {
payload, ok := msg.p.(v4PublicPayload)
if msg.header() != V4Public.Header() || !ok {
return packet{}, errorMessageHeaderVerify(V4Public, msg.header())
}
header, footer := []byte(msg.header()), msg.footer
data := payload.message
m2 := encoding.Pae(header, data, footer, implicit)
if !ed25519.Verify(key.material, m2, payload.signature[:]) {
return packet{}, errorBadSignature
}
return packet{data, footer}, nil
}
func v4LocalEncrypt(p packet, key V4SymmetricKey, implicit []byte, unitTestNonce []byte) message {
var nonce [32]byte
random.UseProvidedOrFillBytes(unitTestNonce, nonce[:])
encKey, authKey, nonce2 := key.split(nonce)
cipher, err := chacha20.NewUnauthenticatedCipher(encKey[:], nonce2[:])
if err != nil {
panic("Cannot construct cipher")
}
cipherText := make([]byte, len(p.content))
cipher.XORKeyStream(cipherText, p.content)
header := []byte(V4Local.Header())
preAuth := encoding.Pae(header, nonce[:], cipherText, p.footer, implicit)
var tag [32]byte
hashing.GenericHash(preAuth, tag[:], authKey[:])
return newMessageFromPayload(v4LocalPayload{nonce, cipherText, tag}, p.footer)
}
func v4LocalDecrypt(msg message, key V4SymmetricKey, implicit []byte) (packet, error) {
payload, ok := msg.p.(v4LocalPayload)
if msg.header() != V4Local.Header() || !ok {
return packet{}, errorMessageHeaderDecrypt(V4Local, msg.header())
}
nonce, cipherText, givenTag := payload.nonce, payload.cipherText, payload.tag
encKey, authKey, nonce2 := key.split(nonce)
header := []byte(msg.header())
preAuth := encoding.Pae(header, nonce[:], cipherText, msg.footer, implicit)
var expectedTag [32]byte
hashing.GenericHash(preAuth, expectedTag[:], authKey[:])
if !hmac.Equal(expectedTag[:], givenTag[:]) {
return packet{}, errorBadMAC
}
cipher, err := chacha20.NewUnauthenticatedCipher(encKey[:], nonce2[:])
if err != nil {
panic("Cannot construct cipher")
}
plainText := make([]byte, len(cipherText))
cipher.XORKeyStream(plainText, cipherText)
return packet{plainText, msg.footer}, nil
}