-
Notifications
You must be signed in to change notification settings - Fork 51
/
compactpki.go
120 lines (95 loc) · 2.82 KB
/
compactpki.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
package secrets
import (
"crypto/ecdsa"
"crypto/x509"
"fmt"
"github.com/aporeto-inc/trireme/crypto"
"github.com/aporeto-inc/trireme/enforcer/utils/pkiverifier"
"go.uber.org/zap"
)
// CompactPKI holds all PKI information
type CompactPKI struct {
PrivateKeyPEM []byte
PublicKeyPEM []byte
AuthorityPEM []byte
privateKey *ecdsa.PrivateKey
publicKey *x509.Certificate
certPool *x509.CertPool
txKey []byte
verifier *pkiverifier.PKIConfiguration
}
// NewCompactPKI creates new secrets for PKI implementation based on compact encoding
func NewCompactPKI(keyPEM, certPEM, caPEM, txKey []byte) (*CompactPKI, error) {
zap.L().Debug("Initializing with Compact PKI")
key, cert, caCertPool, err := crypto.LoadAndVerifyECSecrets(keyPEM, certPEM, caPEM)
if err != nil {
return nil, err
}
caKey, err := crypto.LoadCertificate(caPEM)
if err != nil {
return nil, err
}
if len(txKey) == 0 {
return nil, fmt.Errorf("TransmitToken missing")
}
p := &CompactPKI{
PrivateKeyPEM: keyPEM,
PublicKeyPEM: certPEM,
AuthorityPEM: caPEM,
privateKey: key,
publicKey: cert,
certPool: caCertPool,
txKey: txKey,
verifier: pkiverifier.NewConfig(caKey.PublicKey.(*ecdsa.PublicKey), nil, -1),
}
return p, nil
}
// Type implements the interface Secrets
func (p *CompactPKI) Type() PrivateSecretsType {
return PKICompactType
}
// EncodingKey returns the private key
func (p *CompactPKI) EncodingKey() interface{} {
return p.privateKey
}
// PublicKey returns the public key
func (p *CompactPKI) PublicKey() interface{} {
return p.publicKey
}
// DecodingKey returns the public key
func (p *CompactPKI) DecodingKey(server string, ackKey interface{}, prevKey interface{}) (interface{}, error) {
// If we have an inband certificate, return this one
if ackKey != nil {
return ackKey.(*ecdsa.PublicKey), nil
}
// Otherwise, return the prevCert
if prevKey != nil {
return prevKey, nil
}
return nil, fmt.Errorf("No valid certificate")
}
// VerifyPublicKey verifies if the inband public key is correct.
func (p *CompactPKI) VerifyPublicKey(pkey []byte) (interface{}, error) {
return p.verifier.Verify(pkey)
}
// TransmittedKey returns the PEM of the public key in the case of PKI
// if there is no certificate cache configured
func (p *CompactPKI) TransmittedKey() []byte {
return p.txKey
}
// AckSize returns the default size of an ACK packet
func (p *CompactPKI) AckSize() uint32 {
return uint32(322)
}
// AuthPEM returns the Certificate Authority PEM
func (p *CompactPKI) AuthPEM() []byte {
return p.AuthorityPEM
}
// TransmittedPEM returns the PEM certificate that is transmitted
func (p *CompactPKI) TransmittedPEM() []byte {
return p.PublicKeyPEM
}
// EncodingPEM returns the certificate PEM that is used for encoding
func (p *CompactPKI) EncodingPEM() []byte {
return p.PrivateKeyPEM
}