登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
2 Star 1 Fork 0

李玮 / trireme-lib

代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
compactpki.go 4.47 KB
一键复制 编辑 原始数据 按行查看 历史
李玮 提交于 2020-01-29 13:23 . v1
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150
package secrets



import (

	"crypto/ecdsa"

	"crypto/x509"

	"errors"

	"time"



	"git.cloud.top/DSec/trireme-lib/controller/pkg/claimsheader"

	"git.cloud.top/DSec/trireme-lib/controller/pkg/pkiverifier"

	"git.cloud.top/DSec/trireme-lib/utils/crypto"

	"go.uber.org/zap"

)



const (

	compactPKIAckSize = 300

)



// CompactPKI holds all PKI information

type CompactPKI struct {

	PrivateKeyPEM []byte

	PublicKeyPEM  []byte

	AuthorityPEM  []byte

	TokenKeyPEMs  [][]byte

	Compressed    claimsheader.CompressionType

	privateKey    *ecdsa.PrivateKey

	publicKey     *x509.Certificate

	txKey         []byte

	verifier      pkiverifier.PKITokenVerifier

}



// NewCompactPKI creates new secrets for PKI implementation based on compact encoding

func NewCompactPKI(keyPEM []byte, certPEM []byte, caPEM []byte, txKey []byte, compress claimsheader.CompressionType) (*CompactPKI, error) {



	zap.L().Warn("DEPRECATED. secrets.NewCompactPKI is deprecated in favor of secrets.NewCompactPKIWithTokenCA")

	return NewCompactPKIWithTokenCA(keyPEM, certPEM, caPEM, [][]byte{caPEM}, txKey, compress)

}



// NewCompactPKIWithTokenCA creates new secrets for PKI implementation based on compact encoding.

//    keyPEM: is the private key that will be used for signing tokens formated as a PEM file.

//    certPEM: is the public key that will be used formated as a PEM file.

//    tokenKeyPEMs: is a list of public keys that can be used to verify the public token that

//                  that is transmitted over the wire. These are essentially the public CA PEMs

//                  that were used to sign the txtKey

//    txKey: is the public key that is send over the wire.

//    compressionType: is packed with the secrets to indicate compression.

func NewCompactPKIWithTokenCA(keyPEM []byte, certPEM []byte, caPEM []byte, tokenKeyPEMs [][]byte, txKey []byte, compress claimsheader.CompressionType) (*CompactPKI, error) {



	key, cert, _, err := crypto.LoadAndVerifyECSecrets(keyPEM, certPEM, caPEM)

	if err != nil {

		return nil, err

	}



	tokenKeys := make([]*ecdsa.PublicKey, len(tokenKeyPEMs))

	for _, ca := range tokenKeyPEMs {

		caCert, err := crypto.LoadCertificate(ca)

		if err != nil {

			return nil, err

		}

		tokenKeys = append(tokenKeys, caCert.PublicKey.(*ecdsa.PublicKey))

	}



	if len(txKey) == 0 {

		return nil, errors.New("transmit token missing")

	}



	p := &CompactPKI{

		PrivateKeyPEM: keyPEM,

		PublicKeyPEM:  certPEM,

		AuthorityPEM:  caPEM,

		TokenKeyPEMs:  tokenKeyPEMs,

		Compressed:    compress,

		privateKey:    key,

		publicKey:     cert,

		txKey:         txKey,

		verifier:      pkiverifier.NewPKIVerifier(tokenKeys, 5*time.Minute),

	}



	return p, nil

}



// Type implements the interface Secrets

func (p *CompactPKI) Type() PrivateSecretsType {

	return PKICompactType

}



// EncodingKey returns the private key

func (p *CompactPKI) EncodingKey() interface{} {

	return p.privateKey

}



// PublicKey returns the public key

func (p *CompactPKI) PublicKey() interface{} {

	return p.publicKey

}



//KeyAndClaims returns both the key and any attributes associated with the public key.

func (p *CompactPKI) KeyAndClaims(pkey []byte) (interface{}, []string, time.Time, error) {

	kc, err := p.verifier.Verify(pkey)

	if err != nil {

		return nil, nil, time.Unix(0, 0), err

	}

	return kc.PublicKey, kc.Tags, kc.Expiration, nil

}



// TransmittedKey returns the PEM of the public key in the case of PKI

// if there is no certificate cache configured

func (p *CompactPKI) TransmittedKey() []byte {

	return p.txKey

}



// AckSize returns the default size of an ACK packet

func (p *CompactPKI) AckSize() uint32 {

	return uint32(compactPKIAckSize)

}



// PublicSecrets returns the secrets that are marshallable over the RPC interface.

func (p *CompactPKI) PublicSecrets() PublicSecrets {

	return &CompactPKIPublicSecrets{

		Type:        PKICompactType,

		Key:         p.PrivateKeyPEM,

		Certificate: p.PublicKeyPEM,

		CA:          p.AuthorityPEM,

		Token:       p.txKey,

		TokenCAs:    p.TokenKeyPEMs,

		Compressed:  p.Compressed,

	}

}



// CompactPKIPublicSecrets includes all the secrets that can be transmitted over

// the RPC interface.

type CompactPKIPublicSecrets struct {

	Type        PrivateSecretsType

	Key         []byte

	Certificate []byte

	CA          []byte

	TokenCAs    [][]byte

	Token       []byte

	Compressed  claimsheader.CompressionType

}



// SecretsType returns the type of secrets.

func (p *CompactPKIPublicSecrets) SecretsType() PrivateSecretsType {

	return p.Type

}



// CertAuthority returns the cert authority

func (p *CompactPKIPublicSecrets) CertAuthority() []byte {

	return p.CA

}
1
https://gitee.com/emmoblin/trireme-lib.git
git@gitee.com:emmoblin/trireme-lib.git
emmoblin
trireme-lib
trireme-lib
7726874a2b9a
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部