/
gcp.go
75 lines (64 loc) · 1.81 KB
/
gcp.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
package signer
import (
"context"
"crypto/ecdsa"
"encoding/pem"
"fmt"
api "cloud.google.com/go/kms/apiv1"
"google.golang.org/genproto/googleapis/cloud/kms/v1"
"google.golang.org/protobuf/types/known/wrapperspb"
)
type GCPSigner struct {
client *api.KeyManagementClient
keyPath string
publicKey ecdsa.PublicKey
}
// NewGCPSigner creates a new GCP signer with the provided signing key
func NewGCPSigner(client *api.KeyManagementClient, keyPath string) (*GCPSigner, error) {
// Get public key from KMS
key, err := client.GetPublicKey(context.Background(), &kms.GetPublicKeyRequest{
Name: keyPath,
})
if err != nil {
return nil, fmt.Errorf("signer: unable to get public key: %w", err)
}
// Convert to ecdsa.PublicKey
pem, _ := pem.Decode([]byte(key.Pem))
pk, err := pemToPubkey(pem.Bytes)
if err != nil {
return nil, fmt.Errorf("signer: failed to decode public key: %w", err)
}
return &GCPSigner{
client: client,
keyPath: keyPath,
publicKey: *pk,
}, nil
}
// GetPublicKey returns a public key
func (c *GCPSigner) GetPublicKey() ecdsa.PublicKey {
return c.publicKey
}
// Sign the given digest using a KMS key and return ECDSA signature
func (c *GCPSigner) Sign(digest []byte) (SignatureECDSA, error) {
req := &kms.AsymmetricSignRequest{
Name: c.keyPath,
Digest: &kms.Digest{
Digest: &kms.Digest_Sha256{
Sha256: digest,
},
},
DigestCrc32C: wrapperspb.Int64(crc32c(digest)),
}
// Call the API
res, err := c.client.AsymmetricSign(context.Background(), req)
if err != nil {
return nil, err
}
if !res.VerifiedDigestCrc32C {
return nil, fmt.Errorf("signer: request corrupted in-transit")
}
if crc32c(res.Signature) != res.SignatureCrc32C.Value {
return nil, fmt.Errorf("signer: response corrupted in-transit")
}
return recoverAndVerify(digest, res.Signature, c.publicKey)
}