From 95b7d0399dc2734e76268959f70bede03d931fad Mon Sep 17 00:00:00 2001 From: Paul Flynn Date: Sun, 28 Apr 2024 14:24:05 -0400 Subject: [PATCH] feat(service): kas ec --- .gitignore | 1 + service/internal/security/standard_crypto.go | 79 ++++++++++++++++++-- 2 files changed, 75 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 36e0eaa31..9cb5247f6 100644 --- a/.gitignore +++ b/.gitignore @@ -50,3 +50,4 @@ sensitive.txt.tdf /server.crt /server.json /server.key +/service/kas-ec-public.pem diff --git a/service/internal/security/standard_crypto.go b/service/internal/security/standard_crypto.go index 6ef88fc63..b23bb9115 100644 --- a/service/internal/security/standard_crypto.go +++ b/service/internal/security/standard_crypto.go @@ -2,7 +2,10 @@ package security import ( "crypto" + "crypto/ecdsa" + "crypto/x509" "encoding/json" + "encoding/pem" "errors" "fmt" "log/slog" @@ -34,14 +37,15 @@ type StandardRSACrypto struct { } type StandardECCrypto struct { - Identifier string - // ecPublicKey *ecdh.PublicKey - // ecPrivateKey *ecdh.PrivateKey + Identifier string + ecPublicKey *ecdsa.PublicKey + ecPrivateKey *ecdsa.PrivateKey + ecCertificatePEM string } type StandardCrypto struct { rsaKeys []StandardRSACrypto - // ecKeys []StandardECCrypto + ecKeys []StandardECCrypto } // NewStandardCrypto Create a new instance of standard crypto @@ -74,6 +78,56 @@ func NewStandardCrypto(cfg StandardConfig) (*StandardCrypto, error) { asymEncryption: asymEncryption, }) } + for id, kasInfo := range cfg.ECKeys { + slog.Info("cfg.ECKeys", "id", id, "kasInfo", kasInfo) + privatePemData, err := os.ReadFile(kasInfo.PrivateKeyPath) + if err != nil { + return nil, fmt.Errorf("failed to rsa private key file: %w", err) + } + // this returns a certificate not a PUBLIC KEY + publicPemData, err := os.ReadFile(kasInfo.PublicKeyPath) + if err != nil { + return nil, fmt.Errorf("failed to rsa public key file: %w", err) + } + //block, _ := pem.Decode(publicPemData) + //if block == nil { + // return nil, errors.New("failed to decode PEM block containing public key") + //} + //ecPublicKey, err := x509.ParsePKIXPublicKey(block.Bytes) + //if err != nil { + // return nil, fmt.Errorf("failed to parse EC public key: %w", err) + //} + block, _ := pem.Decode(privatePemData) + if block == nil { + return nil, errors.New("failed to decode PEM block containing private key") + } + ecPrivateKey, err := x509.ParsePKCS8PrivateKey(block.Bytes) + if err != nil { + return nil, fmt.Errorf("failed to parse EC private key: %w", err) + } + //var ecdsaPublicKey *ecdsa.PublicKey + //switch pub := ecPublicKey.(type) { + //case *ecdsa.PublicKey: + // fmt.Println("pub is of type ECDSA:", pub) + // ecdsaPublicKey = pub + //default: + // panic("unknown type of public key") + //} + var ecdsaPrivateKey *ecdsa.PrivateKey + switch priv := ecPrivateKey.(type) { + case *ecdsa.PrivateKey: + fmt.Println("pub is of type ECDSA:", priv) + ecdsaPrivateKey = priv + default: + panic("unknown type of public key") + } + standardCrypto.ecKeys = append(standardCrypto.ecKeys, StandardECCrypto{ + Identifier: id, + //ecPublicKey: ecdsaPublicKey, + ecPrivateKey: ecdsaPrivateKey, + ecCertificatePEM: string(publicPemData), + }) + } return standardCrypto, nil } @@ -95,7 +149,22 @@ func (s StandardCrypto) RSAPublicKey(keyID string) (string, error) { } func (s StandardCrypto) ECPublicKey(string) (string, error) { - return "", ErrCertNotFound + if len(s.ecKeys) == 0 { + return "", ErrCertNotFound + } + // this endpoint returns certificate + ecKey := s.ecKeys[0] + return ecKey.ecCertificatePEM, nil + //publicKeyBytes, err := x509.MarshalPKIXPublicKey(ecKey.ecPublicKey) + //if err != nil { + // return "", ErrPublicKeyMarshal + //} + //pemEncoded := pem.EncodeToMemory(&pem.Block{ + // Type: "PUBLIC KEY", + // Bytes: publicKeyBytes, + //}) + //return string(pemEncoded), nil + } func (s StandardCrypto) RSADecrypt(_ crypto.Hash, keyID string, _ string, ciphertext []byte) ([]byte, error) {