| 
									
										
										
										
											2020-06-05 07:50:04 +02:00
										 |  |  | package crypto | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | import ( | 
					
						
							| 
									
										
										
										
											2022-09-12 17:18:08 +01:00
										 |  |  | 	"bytes" | 
					
						
							| 
									
										
										
										
											2020-06-05 07:50:04 +02:00
										 |  |  | 	"crypto/rand" | 
					
						
							|  |  |  | 	"crypto/rsa" | 
					
						
							|  |  |  | 	"crypto/x509" | 
					
						
							| 
									
										
										
										
											2022-09-12 17:18:08 +01:00
										 |  |  | 	"crypto/x509/pkix" | 
					
						
							| 
									
										
										
										
											2020-06-05 07:50:04 +02:00
										 |  |  | 	"encoding/pem" | 
					
						
							| 
									
										
										
										
											2022-01-12 13:22:04 +01:00
										 |  |  | 	"errors" | 
					
						
							| 
									
										
										
										
											2022-09-12 17:18:08 +01:00
										 |  |  | 	"fmt" | 
					
						
							|  |  |  | 	"math/big" | 
					
						
							|  |  |  | 	"time" | 
					
						
							| 
									
										
										
										
											2020-06-05 07:50:04 +02:00
										 |  |  | ) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func GenerateKeyPair(bits int) (*rsa.PrivateKey, *rsa.PublicKey, error) { | 
					
						
							|  |  |  | 	privkey, err := rsa.GenerateKey(rand.Reader, bits) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return privkey, &privkey.PublicKey, nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func GenerateEncryptedKeyPair(bits int, alg EncryptionAlgorithm) (*CryptoValue, *CryptoValue, error) { | 
					
						
							|  |  |  | 	privateKey, publicKey, err := GenerateKeyPair(bits) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return EncryptKeys(privateKey, publicKey, alg) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-09-12 17:18:08 +01:00
										 |  |  | type CertificateInformations struct { | 
					
						
							|  |  |  | 	SerialNumber *big.Int | 
					
						
							|  |  |  | 	Organisation []string | 
					
						
							|  |  |  | 	CommonName   string | 
					
						
							|  |  |  | 	NotBefore    time.Time | 
					
						
							|  |  |  | 	NotAfter     time.Time | 
					
						
							|  |  |  | 	KeyUsage     x509.KeyUsage | 
					
						
							|  |  |  | 	ExtKeyUsage  []x509.ExtKeyUsage | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func GenerateEncryptedKeyPairWithCACertificate(bits int, keyAlg, certAlg EncryptionAlgorithm, informations *CertificateInformations) (*CryptoValue, *CryptoValue, *CryptoValue, error) { | 
					
						
							|  |  |  | 	privateKey, publicKey, cert, err := GenerateCACertificate(bits, informations) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	encryptPriv, encryptPub, encryptCaCert, err := EncryptKeysAndCert(privateKey, publicKey, cert, keyAlg, certAlg) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return encryptPriv, encryptPub, encryptCaCert, nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func GenerateEncryptedKeyPairWithCertificate(bits int, keyAlg, certAlg EncryptionAlgorithm, caPrivateKey *rsa.PrivateKey, caCertificate []byte, informations *CertificateInformations) (*CryptoValue, *CryptoValue, *CryptoValue, error) { | 
					
						
							|  |  |  | 	privateKey, publicKey, cert, err := GenerateCertificate(bits, caPrivateKey, caCertificate, informations) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	encryptPriv, encryptPub, encryptCaCert, err := EncryptKeysAndCert(privateKey, publicKey, cert, keyAlg, certAlg) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return encryptPriv, encryptPub, encryptCaCert, nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func GenerateCACertificate(bits int, informations *CertificateInformations) (*rsa.PrivateKey, *rsa.PublicKey, []byte, error) { | 
					
						
							|  |  |  | 	return generateCertificate(bits, nil, nil, informations) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func GenerateCertificate(bits int, caPrivateKey *rsa.PrivateKey, ca []byte, informations *CertificateInformations) (*rsa.PrivateKey, *rsa.PublicKey, []byte, error) { | 
					
						
							|  |  |  | 	return generateCertificate(bits, caPrivateKey, ca, informations) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func generateCertificate(bits int, caPrivateKey *rsa.PrivateKey, ca []byte, informations *CertificateInformations) (*rsa.PrivateKey, *rsa.PublicKey, []byte, error) { | 
					
						
							|  |  |  | 	notBefore := time.Now() | 
					
						
							|  |  |  | 	if !informations.NotBefore.IsZero() { | 
					
						
							|  |  |  | 		notBefore = informations.NotBefore | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	cert := &x509.Certificate{ | 
					
						
							|  |  |  | 		SerialNumber: informations.SerialNumber, | 
					
						
							|  |  |  | 		Subject: pkix.Name{ | 
					
						
							|  |  |  | 			CommonName:   informations.CommonName, | 
					
						
							|  |  |  | 			Organization: informations.Organisation, | 
					
						
							|  |  |  | 		}, | 
					
						
							|  |  |  | 		NotBefore:   notBefore, | 
					
						
							|  |  |  | 		NotAfter:    informations.NotAfter, | 
					
						
							|  |  |  | 		KeyUsage:    informations.KeyUsage, | 
					
						
							|  |  |  | 		ExtKeyUsage: informations.ExtKeyUsage, | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	certPrivKey, err := rsa.GenerateKey(rand.Reader, bits) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	certBytes := make([]byte, 0) | 
					
						
							|  |  |  | 	if ca == nil { | 
					
						
							|  |  |  | 		cert.IsCA = true | 
					
						
							|  |  |  | 		cert.BasicConstraintsValid = true | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		certBytes, err = x509.CreateCertificate(rand.Reader, cert, cert, &certPrivKey.PublicKey, certPrivKey) | 
					
						
							|  |  |  | 		if err != nil { | 
					
						
							|  |  |  | 			return nil, nil, nil, err | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} else { | 
					
						
							|  |  |  | 		caCert, err := x509.ParseCertificate(ca) | 
					
						
							|  |  |  | 		if err != nil { | 
					
						
							|  |  |  | 			return nil, nil, nil, err | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		certBytes, err = x509.CreateCertificate(rand.Reader, cert, caCert, &certPrivKey.PublicKey, caPrivateKey) | 
					
						
							|  |  |  | 		if err != nil { | 
					
						
							|  |  |  | 			return nil, nil, nil, err | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	x509Cert, err := x509.ParseCertificate(certBytes) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	certPem, err := CertificateToBytes(x509Cert) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	return certPrivKey, &certPrivKey.PublicKey, certPem, nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-06-05 07:50:04 +02:00
										 |  |  | func PrivateKeyToBytes(priv *rsa.PrivateKey) []byte { | 
					
						
							|  |  |  | 	return pem.EncodeToMemory( | 
					
						
							|  |  |  | 		&pem.Block{ | 
					
						
							|  |  |  | 			Type:  "RSA PRIVATE KEY", | 
					
						
							|  |  |  | 			Bytes: x509.MarshalPKCS1PrivateKey(priv), | 
					
						
							|  |  |  | 		}, | 
					
						
							|  |  |  | 	) | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func PublicKeyToBytes(pub *rsa.PublicKey) ([]byte, error) { | 
					
						
							|  |  |  | 	pubASN1, err := x509.MarshalPKIXPublicKey(pub) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	pubBytes := pem.EncodeToMemory(&pem.Block{ | 
					
						
							|  |  |  | 		Type:  "RSA PUBLIC KEY", | 
					
						
							|  |  |  | 		Bytes: pubASN1, | 
					
						
							|  |  |  | 	}) | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	return pubBytes, nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func BytesToPrivateKey(priv []byte) (*rsa.PrivateKey, error) { | 
					
						
							|  |  |  | 	block, _ := pem.Decode(priv) | 
					
						
							|  |  |  | 	enc := x509.IsEncryptedPEMBlock(block) | 
					
						
							|  |  |  | 	b := block.Bytes | 
					
						
							|  |  |  | 	var err error | 
					
						
							|  |  |  | 	if enc { | 
					
						
							|  |  |  | 		b, err = x509.DecryptPEMBlock(block, nil) | 
					
						
							|  |  |  | 		if err != nil { | 
					
						
							|  |  |  | 			return nil, err | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	key, err := x509.ParsePKCS1PrivateKey(b) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return key, nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2022-01-12 13:22:04 +01:00
										 |  |  | var ErrEmpty = errors.New("cannot decode, empty data") | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2020-06-05 07:50:04 +02:00
										 |  |  | func BytesToPublicKey(pub []byte) (*rsa.PublicKey, error) { | 
					
						
							| 
									
										
										
										
											2024-05-30 11:35:30 +02:00
										 |  |  | 	if len(pub) == 0 { | 
					
						
							| 
									
										
										
										
											2022-01-12 13:22:04 +01:00
										 |  |  | 		return nil, ErrEmpty | 
					
						
							|  |  |  | 	} | 
					
						
							| 
									
										
										
										
											2020-06-05 07:50:04 +02:00
										 |  |  | 	block, _ := pem.Decode(pub) | 
					
						
							| 
									
										
										
										
											2022-01-12 13:22:04 +01:00
										 |  |  | 	if block == nil { | 
					
						
							|  |  |  | 		return nil, ErrEmpty | 
					
						
							| 
									
										
										
										
											2020-06-05 07:50:04 +02:00
										 |  |  | 	} | 
					
						
							| 
									
										
										
										
											2022-01-12 13:22:04 +01:00
										 |  |  | 	ifc, err := x509.ParsePKIXPublicKey(block.Bytes) | 
					
						
							| 
									
										
										
										
											2020-06-05 07:50:04 +02:00
										 |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	key, ok := ifc.(*rsa.PublicKey) | 
					
						
							|  |  |  | 	if !ok { | 
					
						
							|  |  |  | 		return nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return key, nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func EncryptKeys(privateKey *rsa.PrivateKey, publicKey *rsa.PublicKey, alg EncryptionAlgorithm) (*CryptoValue, *CryptoValue, error) { | 
					
						
							|  |  |  | 	encryptedPrivateKey, err := Encrypt(PrivateKeyToBytes(privateKey), alg) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	pubKey, err := PublicKeyToBytes(publicKey) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	encryptedPublicKey, err := Encrypt(pubKey, alg) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return encryptedPrivateKey, encryptedPublicKey, nil | 
					
						
							|  |  |  | } | 
					
						
							| 
									
										
										
										
											2022-09-12 17:18:08 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  | func CertificateToBytes(cert *x509.Certificate) ([]byte, error) { | 
					
						
							|  |  |  | 	certPem := new(bytes.Buffer) | 
					
						
							|  |  |  | 	if err := pem.Encode(certPem, &pem.Block{ | 
					
						
							|  |  |  | 		Type:  "CERTIFICATE", | 
					
						
							|  |  |  | 		Bytes: cert.Raw, | 
					
						
							|  |  |  | 	}); err != nil { | 
					
						
							|  |  |  | 		return nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return certPem.Bytes(), nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func BytesToCertificate(data []byte) ([]byte, error) { | 
					
						
							|  |  |  | 	block, _ := pem.Decode(data) | 
					
						
							|  |  |  | 	if block == nil || block.Type != "CERTIFICATE" { | 
					
						
							|  |  |  | 		return nil, fmt.Errorf("failed to decode PEM block containing public key") | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return block.Bytes, nil | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | func EncryptKeysAndCert(privateKey *rsa.PrivateKey, publicKey *rsa.PublicKey, cert []byte, keyAlg, certAlg EncryptionAlgorithm) (*CryptoValue, *CryptoValue, *CryptoValue, error) { | 
					
						
							|  |  |  | 	encryptedPrivateKey, encryptedPublicKey, err := EncryptKeys(privateKey, publicKey, keyAlg) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	encryptedCertificate, err := Encrypt(cert, certAlg) | 
					
						
							|  |  |  | 	if err != nil { | 
					
						
							|  |  |  | 		return nil, nil, nil, err | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 	return encryptedPrivateKey, encryptedPublicKey, encryptedCertificate, nil | 
					
						
							|  |  |  | } |