-
Notifications
You must be signed in to change notification settings - Fork 8.8k
/
entities.go
255 lines (213 loc) · 6.77 KB
/
entities.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
/*
Copyright IBM Corp. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
package entities
import (
"encoding/pem"
"reflect"
"github.com/hyperledger/fabric/bccsp"
"github.com/pkg/errors"
)
type pkiEntity struct {
IDstr string
bccsp bccsp.BCCSP
eKey bccsp.Key
eOpts bccsp.EncrypterOpts
dOpts bccsp.DecrypterOpts
}
// NewAES256EncrypterEntity returns an encrypter entity that is
// capable of performing AES 256 bit encryption using PKCS#7 padding.
// Optionally, the IV can be provided in which case it is used during
// the encryption; othjerwise, a random one is generated.
func NewAES256EncrypterEntity(ID string, b bccsp.BCCSP, key, IV []byte) (EncrypterEntity, error) {
if b == nil {
return nil, errors.New("nil BCCSP")
}
k, err := b.KeyImport(key, &bccsp.AES256ImportKeyOpts{Temporary: true})
if err != nil {
return nil, errors.WithMessage(err, "bccspInst.KeyImport failed")
}
return NewEncrypterEntity(ID, b, k, &bccsp.AESCBCPKCS7ModeOpts{IV: IV}, &bccsp.AESCBCPKCS7ModeOpts{})
}
// NewEncrypterEntity returns an EncrypterEntity that is capable
// of performing encryption using i) the supplied BCCSP instance;
// ii) the supplied encryption key and iii) the supplied encryption
// and decryption options. The identifier of the entity is supplied
// as an argument as well - it's the caller's responsibility to
// choose it in a way that it is meaningful
func NewEncrypterEntity(ID string, bccsp bccsp.BCCSP, eKey bccsp.Key, eOpts bccsp.EncrypterOpts, dOpts bccsp.DecrypterOpts) (EncrypterEntity, error) {
if ID == "" {
return nil, errors.New("NewEntity error: empty ID")
}
if bccsp == nil {
return nil, errors.New("NewEntity error: nil bccsp")
}
if eKey == nil {
return nil, errors.New("NewEntity error: nil keys")
}
return &pkiEntity{
IDstr: ID,
bccsp: bccsp,
eKey: eKey,
eOpts: eOpts,
dOpts: dOpts,
}, nil
}
func (e *pkiEntity) Encrypt(plaintext []byte) ([]byte, error) {
return e.bccsp.Encrypt(e.eKey, plaintext, e.eOpts)
}
func (e *pkiEntity) Decrypt(ciphertext []byte) ([]byte, error) {
return e.bccsp.Decrypt(e.eKey, ciphertext, e.dOpts)
}
// compare returns true if the two supplied keys are equivalent.
// If the supplied keys are symmetric keys, we compare their
// public versions. This is required because when we compare
// two entities, we might compare the public and the private
// version of the same entity and expect to be told that the
// entities are equivalent
func (*pkiEntity) compare(this, that bccsp.Key) bool {
var err error
if this.Private() {
this, err = this.PublicKey()
if err != nil {
return false
}
}
if that.Private() {
that, err = that.PublicKey()
if err != nil {
return false
}
}
return reflect.DeepEqual(this, that)
}
func (this *pkiEntity) Equals(e Entity) bool {
if that, rightType := e.(*pkiEntity); rightType {
return this.compare(this.eKey, that.eKey)
}
return false
}
func (pe *pkiEntity) ID() string {
return pe.IDstr
}
func (pe *pkiEntity) Public() (Entity, error) {
var err error
eKeyPub := pe.eKey
if !pe.eKey.Symmetric() {
if eKeyPub, err = pe.eKey.PublicKey(); err != nil {
return nil, errors.WithMessage(err, "public error, eKey.PublicKey returned")
}
}
return &pkiEntity{
IDstr: pe.IDstr,
bccsp: pe.bccsp,
dOpts: pe.dOpts,
eOpts: pe.eOpts,
eKey: eKeyPub,
}, nil
}
type pkiSigningEntity struct {
pkiEntity
sKey bccsp.Key
sOpts bccsp.SignerOpts
hOpts bccsp.HashOpts
}
// NewAES256EncrypterECDSASignerEntity returns an encrypter entity that is
// capable of performing AES 256 bit encryption using PKCS#7 padding and
// signing using ECDSA
func NewAES256EncrypterECDSASignerEntity(ID string, b bccsp.BCCSP, encKeyBytes, signKeyBytes []byte) (EncrypterSignerEntity, error) {
if b == nil {
return nil, errors.New("nil BCCSP")
}
encKey, err := b.KeyImport(encKeyBytes, &bccsp.AES256ImportKeyOpts{Temporary: true})
if err != nil {
return nil, errors.WithMessage(err, "bccspInst.KeyImport failed")
}
bl, _ := pem.Decode(signKeyBytes)
if bl == nil {
return nil, errors.New("pem.Decode returns nil")
}
signKey, err := b.KeyImport(bl.Bytes, &bccsp.ECDSAPrivateKeyImportOpts{Temporary: true})
if err != nil {
return nil, errors.WithMessage(err, "bccspInst.KeyImport failed")
}
return NewEncrypterSignerEntity(ID, b, encKey, signKey, &bccsp.AESCBCPKCS7ModeOpts{}, &bccsp.AESCBCPKCS7ModeOpts{}, nil, &bccsp.SHA256Opts{})
}
// NewEncrypterSignerEntity returns an EncrypterSignerEntity
// (which is also an EncrypterEntity) that is capable of
// performing encryption AND of generating signatures using
// i) the supplied BCCSP instance; ii) the supplied encryption
// and signing keys and iii) the supplied encryption, decryption,
// signing and hashing options. The identifier of the entity is
// supplied as an argument as well - it's the caller's responsibility
// to choose it in a way that it is meaningful
func NewEncrypterSignerEntity(ID string, bccsp bccsp.BCCSP, eKey, sKey bccsp.Key, eOpts bccsp.EncrypterOpts, dOpts bccsp.DecrypterOpts, sOpts bccsp.SignerOpts, hOpts bccsp.HashOpts) (EncrypterSignerEntity, error) {
if ID == "" {
return nil, errors.New("NewEntity error: empty ID")
}
if bccsp == nil {
return nil, errors.New("NewEntity error: nil bccsp")
}
if eKey == nil || sKey == nil {
return nil, errors.New("NewEntity error: nil keys")
}
return &pkiSigningEntity{
pkiEntity: pkiEntity{
IDstr: ID,
bccsp: bccsp,
eKey: eKey,
eOpts: eOpts,
dOpts: dOpts,
},
sKey: sKey,
sOpts: sOpts,
hOpts: hOpts,
}, nil
}
func (pe *pkiSigningEntity) Public() (Entity, error) {
var err error
eKeyPub := pe.eKey
if !pe.eKey.Symmetric() {
if eKeyPub, err = pe.eKey.PublicKey(); err != nil {
return nil, errors.WithMessage(err, "public error, eKey.PublicKey returned")
}
}
sKeyPub, err := pe.sKey.PublicKey()
if err != nil {
return nil, errors.WithMessage(err, "public error, sKey.PublicKey returned")
}
return &pkiSigningEntity{
pkiEntity: pkiEntity{
IDstr: pe.IDstr,
bccsp: pe.bccsp,
eKey: eKeyPub,
eOpts: pe.eOpts,
dOpts: pe.dOpts,
},
sKey: sKeyPub,
hOpts: pe.hOpts,
sOpts: pe.sOpts,
}, nil
}
func (this *pkiSigningEntity) Equals(e Entity) bool {
if that, rightType := e.(*pkiSigningEntity); rightType {
return this.compare(this.sKey, that.sKey) && this.compare(this.eKey, that.eKey)
} else {
return false
}
}
func (pe *pkiSigningEntity) Sign(msg []byte) ([]byte, error) {
h, err := pe.bccsp.Hash(msg, pe.hOpts)
if err != nil {
return nil, errors.WithMessage(err, "sign error: bccsp.Hash returned")
}
return pe.bccsp.Sign(pe.sKey, h, pe.sOpts)
}
func (pe *pkiSigningEntity) Verify(signature, msg []byte) (bool, error) {
h, err := pe.bccsp.Hash(msg, pe.hOpts)
if err != nil {
return false, errors.WithMessage(err, "sign error: bccsp.Hash returned")
}
return pe.bccsp.Verify(pe.sKey, signature, h, pe.sOpts)
}