-
Notifications
You must be signed in to change notification settings - Fork 19
/
rsacrypt.go
126 lines (97 loc) · 2.98 KB
/
rsacrypt.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
package sshego
import (
cryptrand "crypto/rand"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt"
"io/ioutil"
"golang.org/x/crypto/ssh"
)
/*
// WARNING: not implemented/done yet. TODO: finish this.
// looking at
// /usr/local/go/src/crypto/x509/pem_decrypt_test.go
// here are ideas for implementation
// encrypt:
if !x509.IsEncryptedPEMBlock(block) {
t.Error("PEM block does not appear to be encrypted")
}
plainDER, err := base64.StdEncoding.DecodeString(data.plainDER)
block, err := EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY", plainDER, password, data.kind)
// decrypt:
der, err := DecryptPEMBlock(block, password)
if err != nil {
t.Error("decrypt: ", err)
continue
}
or:
block, rest := pem.Decode(data.pemData)
if len(rest) > 0 {
t.Error("extra data")
}
der, err := DecryptPEMBlock(block, data.password)
if err != nil {
t.Error("decrypt failed: ", err)
continue
}
if _, err := ParsePKCS1PrivateKey(der); err != nil {
t.Error("invalid private key: ", err)
}
plainDER, err := base64.StdEncoding.DecodeString(data.plainDER)
if err != nil {
t.Fatal("cannot decode test DER data: ", err)
}
if !bytes.Equal(der, plainDER) {
t.Error("data mismatch")
}
// /usr/local/go/src/crypto/x509/pem_decrypt_test.go
*/
// TODO: Finish this-- specified but password based
// encryption not implemented.
// GenRSAKeyPairCrypt generates an RSA keypair of
// length bits. If rsa_file != "", we write
// the private key to rsa_file and the public
// key to rsa_file + ".pub". If rsa_file == ""
// the keys are not written to disk.
// The private key is encrypted with the password.
func GenRSAKeyPairCrypt(rsaFile string, bits int, password string) (priv *rsa.PrivateKey, sshPriv ssh.Signer, err error) {
privKey, err := rsa.GenerateKey(cryptrand.Reader, bits)
panicOn(err)
var pubKey *rsa.PublicKey = privKey.Public().(*rsa.PublicKey)
err = privKey.Validate()
panicOn(err)
// write to disk
// save to pem: serialize private key
privBytes := pem.EncodeToMemory(
&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(privKey),
},
)
sshPrivKey, err := ssh.ParsePrivateKey(privBytes)
panicOn(err)
if rsaFile != "" {
// serialize public key
pubBytes := RSAToSSHPublicKey(pubKey)
err = ioutil.WriteFile(rsaFile, privBytes, 0600)
panicOn(err)
err = ioutil.WriteFile(rsaFile+".pub", pubBytes, 0600)
panicOn(err)
}
return privKey, sshPrivKey, nil
}
// TODO: Finish this-- specified but password based
// encryption not implemented.
// LoadRSAPrivateKey reads a private key from path on disk.
func LoadRSAPrivateKeyCrypt(path string, password string) (privkey ssh.Signer, err error) {
buf, err := ioutil.ReadFile(path)
if err != nil {
return nil, fmt.Errorf("got error '%s' trying to read path '%s'", err, path)
}
privkey, err = ssh.ParsePrivateKey(buf)
if err != nil {
return nil, fmt.Errorf("got error '%s' trying to parse private key from path '%s'", err, path)
}
return privkey, err
}