package keysharecore
import (
"crypto/rand"
"crypto/rsa"
"sync"
"github.com/privacybydesign/gabi/big"
"github.com/privacybydesign/gabi/gabikeys"
irma "github.com/privacybydesign/irmago"
)
// JWTIssuerDefault is the JWT issuer name that NewKeyshareCore falls back to
// when Configuration.JWTIssuer is left empty.
const JWTIssuerDefault = "keyshare_server"

// JWTPinExpiryDefault is the PIN JWT expiry, in seconds, that NewKeyshareCore
// falls back to when Configuration.JWTPinExpiry is zero (five minutes).
const JWTPinExpiryDefault = 5 * 60
// AESKey is a 32-byte (256-bit) symmetric key used for encrypting and
// decrypting stored keyshare data. It is an array type, so assignments and
// by-value parameters copy the key material.
type AESKey [32]byte

// Core holds the key material and the in-memory protocol state of a keyshare
// core instance. Construct it with NewKeyshareCore so that all maps are
// initialised.
type Core struct {
	// Storage keys. decryptionKeys maps key identifiers to every AES key
	// accepted for decryption; decryptionKey and decryptionKeyID identify the
	// key used for encrypting new or changed keyshare data.
	// NOTE(review): no mutex in this struct is named for decryptionKeys;
	// presumably it is only written during setup. Confirm against callers.
	decryptionKeys  map[uint32]AESKey
	decryptionKey   AESKey
	decryptionKeyID uint32

	// RSA key used to sign keyshare protocol messages, with its identifier,
	// the issuer name and the PIN JWT expiry in seconds.
	jwtPrivateKey   *rsa.PrivateKey
	jwtPrivateKeyID uint32
	jwtIssuer       string
	jwtPinExpiry    int

	// Commit values generated in the first step of the keyshare protocol.
	// commitmentMutex presumably guards commitmentData; confirm against the
	// code that reads and writes the map.
	commitmentData  map[uint64]*big.Int
	commitmentMutex sync.Mutex

	// Authorization challenges. authChallengesMutex presumably guards
	// authChallenges; confirm against the code that uses the map.
	authChallenges      map[string][]byte
	authChallengesMutex sync.Mutex

	// IRMA issuer public keys that are allowed to be used in keyshare
	// sessions.
	// NOTE(review): as with decryptionKeys, no mutex is named for this map.
	trustedKeys map[irma.PublicKeyIdentifier]*gabikeys.PublicKey
}

// Configuration carries the key material and JWT settings that
// NewKeyshareCore copies into a new Core.
type Configuration struct {
	// AES key, and its identifier, used for storage encryption and decryption.
	DecryptionKey   AESKey
	DecryptionKeyID uint32

	// RSA key, and its identifier, used to sign keyshare protocol messages.
	JWTPrivateKey   *rsa.PrivateKey
	JWTPrivateKeyID uint32

	// JWTIssuer is the issuer name; empty selects JWTIssuerDefault.
	JWTIssuer string
	// JWTPinExpiry is in seconds; zero selects JWTPinExpiryDefault.
	JWTPinExpiry int
}
// NewKeyshareCore builds a Core from conf. All internal maps are initialised,
// the configured decryption key is registered as both a decryption key and the
// current encryption key, and the JWT signing key is stored. An empty
// JWTIssuer is replaced by JWTIssuerDefault and a zero JWTPinExpiry by
// JWTPinExpiryDefault.
//
// The configuration is not validated here: a nil conf panics, an all-zero
// DecryptionKey and a nil JWTPrivateKey are stored as given, and a negative
// JWTPinExpiry is kept unchanged. Callers are responsible for checking that
// the key material was actually loaded before constructing the Core.
func NewKeyshareCore(conf *Configuration) *Core {
	issuer := conf.JWTIssuer
	if issuer == "" {
		issuer = JWTIssuerDefault
	}

	pinExpiry := conf.JWTPinExpiry
	if pinExpiry == 0 {
		pinExpiry = JWTPinExpiryDefault
	}

	core := &Core{
		decryptionKeys: make(map[uint32]AESKey),
		commitmentData: make(map[uint64]*big.Int),
		trustedKeys:    make(map[irma.PublicKeyIdentifier]*gabikeys.PublicKey),
		authChallenges: make(map[string][]byte),
		jwtIssuer:      issuer,
		jwtPinExpiry:   pinExpiry,
	}
	core.setDecryptionKey(conf.DecryptionKeyID, conf.DecryptionKey)
	core.setJWTPrivateKey(conf.JWTPrivateKeyID, conf.JWTPrivateKey)

	return core
}
// GenerateDecryptionKey returns a fresh AESKey filled from crypto/rand.
//
// When the returned error is non-nil the key is returned as it was left by the
// failed read and must be discarded; callers must check the error before
// using the key.
func GenerateDecryptionKey() (AESKey, error) {
	key := AESKey{}
	if _, err := rand.Read(key[:]); err != nil {
		return key, err
	}
	return key, nil
}
// DangerousAddDecryptionKey registers key as an additional AES decryption key
// under the identifier keyID. Every keyshare secret that was encrypted with
// this key becomes trusted by the Core, so only add keys whose origin and
// handling are known.
//
// An existing entry for keyID is overwritten without warning. The current
// encryption key fields are not touched, so overwriting the entry for the
// current key's identifier leaves the map and the encryption key out of sync.
//
// NOTE(review): the map write takes no lock; presumably this is meant to be
// called during setup, before the Core is used concurrently. Confirm against
// callers.
func (c *Core) DangerousAddDecryptionKey(keyID uint32, key AESKey) {
	c.decryptionKeys[keyID] = key
}
// setDecryptionKey makes key, identified by keyID, the AES key used for
// encrypting new or changed keyshare data. The key is also registered as a
// decryption key, so all keyshare user secrets generated with it are trusted.
func (c *Core) setDecryptionKey(keyID uint32, key AESKey) {
	// Register the key for decryption first, then mark it as current.
	c.decryptionKeys[keyID] = key
	c.decryptionKeyID, c.decryptionKey = keyID, key
}
// setJWTPrivateKey stores the RSA private key used to sign keyshare protocol
// messages, together with its identifier id. The key pointer is stored as
// given; a nil key is not rejected here.
func (c *Core) setJWTPrivateKey(id uint32, key *rsa.PrivateKey) {
	c.jwtPrivateKeyID, c.jwtPrivateKey = id, key
}
// DangerousAddTrustedPublicKey marks the IRMA issuer public key key, identified
// by keyID, as trusted by keysharecore.
// Calling this on incorrectly generated key material WILL compromise keyshare
// secrets, so the caller must have established the key's correctness and
// origin beforehand; nothing is verified here.
//
// An existing entry for keyID is overwritten and a nil key is stored as given.
//
// NOTE(review): the map write takes no lock; presumably this is meant to be
// called during setup, before the Core is used concurrently. Confirm against
// callers.
func (c *Core) DangerousAddTrustedPublicKey(keyID irma.PublicKeyIdentifier, key *gabikeys.PublicKey) {
	c.trustedKeys[keyID] = key
}