mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-01 02:46:16 -05:00
90b88e1cf9
In the light of extending our eKMS support it will be helpful to have a tighter use of the word "KMS". KMS should refer to the actual component that manages keys. The keyservice, also called KMS in the constellation code, does not manage keys itself. It talks to a KMS backend, which in turn does the actual key management.
77 lines
2.0 KiB
Go
77 lines
2.0 KiB
Go
/*
|
|
Copyright (c) Edgeless Systems GmbH
|
|
|
|
SPDX-License-Identifier: AGPL-3.0-only
|
|
*/
|
|
|
|
package util
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"reflect"
|
|
|
|
"github.com/google/tink/go/kwp/subtle"
|
|
)
|
|
|
|
// WrapAES performs AES Key Wrap with Padding as specified in RFC 5649: https://datatracker.ietf.org/doc/html/rfc5649
|
|
//
|
|
// Key sizes are limited to 16 and 32 Bytes.
|
|
func WrapAES(key []byte, wrapKeyAES []byte) ([]byte, error) {
|
|
wrapper, err := subtle.NewKWP(wrapKeyAES)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return wrapper.Wrap(key)
|
|
}
|
|
|
|
// UnwrapAES decrypts data wrapped with AES Key Wrap with Padding as specified in RFC 5649: https://datatracker.ietf.org/doc/html/rfc5649
|
|
//
|
|
// Key sizes are limited to 16 and 32 Bytes.
|
|
func UnwrapAES(encryptedKey []byte, wrapKeyAES []byte) ([]byte, error) {
|
|
wrapper, err := subtle.NewKWP(wrapKeyAES)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return wrapper.Unwrap(encryptedKey)
|
|
}
|
|
|
|
// ParsePEMtoPublicKeyRSA parses a public RSA key from bytes to *rsa.PublicKey.
|
|
func ParsePEMtoPublicKeyRSA(pkPEM []byte) (*rsa.PublicKey, error) {
|
|
pkDER, _ := pem.Decode(pkPEM)
|
|
if pkDER == nil {
|
|
return nil, fmt.Errorf("did not find any PEM data")
|
|
}
|
|
if pkDER.Type != "PUBLIC KEY" {
|
|
return nil, fmt.Errorf("invalid PEM format: want [PUBLIC KEY], got [%s]", pkDER.Type)
|
|
}
|
|
return ParseDERtoPublicKeyRSA(pkDER.Bytes)
|
|
}
|
|
|
|
// ParseDERtoPublicKeyRSA parses a PKIX, ASN.1 DER RSA public key from []byte to *rsa.PublicKey.
|
|
func ParseDERtoPublicKeyRSA(pkDER []byte) (*rsa.PublicKey, error) {
|
|
key, err := x509.ParsePKIXPublicKey(pkDER)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
switch t := key.(type) {
|
|
case *rsa.PublicKey:
|
|
return t, nil
|
|
default:
|
|
return nil, fmt.Errorf("invalid key type: want [*rsa.PublicKey], got [%v]", reflect.TypeOf(t))
|
|
}
|
|
}
|
|
|
|
// GetRandomKey reads length bytes from getrandom(2) if available, /dev/urandom otherwise.
|
|
func GetRandomKey(length int) ([]byte, error) {
|
|
key := make([]byte, length)
|
|
if _, err := rand.Read(key); err != nil {
|
|
return nil, err
|
|
}
|
|
return key, nil
|
|
}
|