-
Notifications
You must be signed in to change notification settings - Fork 8
/
derive.go
128 lines (117 loc) · 3.69 KB
/
derive.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
package peer
import (
"crypto/ecdh"
"crypto/ed25519"
"crypto/rsa"
"github.com/aperturerobotics/bifrost/util/extra25519"
"github.com/aperturerobotics/util/scrub"
"github.com/libp2p/go-libp2p/core/crypto"
"github.com/pkg/errors"
"github.com/zeebo/blake3"
)
// DeriveKey derives a secret using a private key.
//
// Not all private key types are supported.
// Data is written to out.
//
// context should be globally unique, and application-specific.
// salt is any additional data to mix with the private key.
//
// A good format for ctx strings is: [application] [commit timestamp] [purpose]
// e.g., "example.com 2019-12-25 16:18:03 session tokens v1"
//
// the purpose of these requirements is to ensure that an attacker cannot trick
// two different applications into using the same context string.
func DeriveKey(context string, salt []byte, privKey crypto.PrivKey, out []byte) error {
spKey, err := crypto.PrivKeyToStdKey(privKey)
if err != nil {
return err
}
var material []byte
switch t := spKey.(type) {
case *rsa.PrivateKey:
rawKey, err := privKey.Raw()
if err != nil {
return err
}
rawKeyHash := blake3.Sum512(rawKey)
material = rawKeyHash[:]
case *ed25519.PrivateKey:
tPrivKeyCurve25519 := extra25519.PrivateKeyToCurve25519(*t)
tPrivKeyEcdh, err := ecdh.X25519().NewPrivateKey(tPrivKeyCurve25519[:32])
if err != nil {
scrub.Scrub(tPrivKeyCurve25519[:])
return err
}
// hash the context + the curve25519 key
secret := append(tPrivKeyCurve25519[:], []byte(context)...)
seed := blake3.Sum256(secret)
scrub.Scrub(secret)
scrub.Scrub(tPrivKeyCurve25519[:])
// generate a new ephemeral private / public key
ephPrivKey := ed25519.NewKeyFromSeed(seed[:])
defer scrub.Scrub(ephPrivKey)
ephPubKey := ephPrivKey.Public().(ed25519.PublicKey)
defer scrub.Scrub(ephPubKey)
ephPubKeyCurve25519, valid := extra25519.PublicKeyToCurve25519(ephPubKey)
if !valid {
return ErrInvalidEd25519PubKeyForCurve25519
}
echPubKey, err := ecdh.X25519().NewPublicKey(ephPubKeyCurve25519[:])
defer scrub.Scrub(ephPubKeyCurve25519[:])
if err != nil {
return err
}
// derive a shared secret w/ ephemeral & private key
material, err = tPrivKeyEcdh.ECDH(echPubKey)
if err != nil {
return err
}
default:
return errors.Errorf("unhandled private key type: %s", privKey.Type().String())
}
// xor the material with context
contextb := []byte(context)
for i := range material {
material[i] = material[i] ^ contextb[i%len(contextb)]
}
// derive key with blake3
dkh := blake3.NewDeriveKey(context)
_, err = dkh.Write([]byte("bifrost/peer/derive-key"))
if err != nil {
return err
}
if len(salt) != 0 {
_, err = dkh.Write(salt) // never returns an error
if err != nil {
return err
}
}
_, err = dkh.Write(material) // never returns an error
if err != nil {
return err
}
_, err = dkh.Digest().Read(out)
if err != nil {
return err
}
return nil
}
// DeriveEd25519Key derives a ed25519 private key from an existing private key.
//
// context should be globally unique, and application-specific.
// salt is any additional data to mix with the private key.
//
// A good format for ctx strings is: [application] [commit timestamp] [purpose]
// e.g., "example.com 2019-12-25 16:18:03 session tokens v1"
//
// the purpose of these requirements is to ensure that an attacker cannot trick
// two different applications into using the same context string.
func DeriveEd25519Key(context string, salt []byte, privKey crypto.PrivKey) (crypto.PrivKey, crypto.PubKey, error) {
seed := make([]byte, ed25519.SeedSize)
if err := DeriveKey(context, salt, privKey, seed); err != nil {
return nil, nil, err
}
key := ed25519.NewKeyFromSeed(seed)
return crypto.KeyPairFromStdKey(&key)
}