go-sample-webpage/vendor/github.com/lestrrat-go/jwx/jwe/internal/keyenc/keyenc.go

634 lines
17 KiB
Go
Raw Permalink Normal View History

2021-11-04 01:14:51 +00:00
package keyenc
import (
"crypto"
"crypto/aes"
"crypto/cipher"
"crypto/ecdsa"
"crypto/rand"
"crypto/rsa"
"crypto/sha1"
"crypto/sha256"
"crypto/sha512"
"crypto/subtle"
"encoding/binary"
"fmt"
"hash"
"io"
"golang.org/x/crypto/curve25519"
"golang.org/x/crypto/pbkdf2"
"github.com/lestrrat-go/jwx/internal/ecutil"
"github.com/lestrrat-go/jwx/jwa"
contentcipher "github.com/lestrrat-go/jwx/jwe/internal/cipher"
"github.com/lestrrat-go/jwx/jwe/internal/concatkdf"
"github.com/lestrrat-go/jwx/jwe/internal/keygen"
"github.com/lestrrat-go/jwx/x25519"
"github.com/pkg/errors"
)
func NewNoop(alg jwa.KeyEncryptionAlgorithm, sharedkey []byte) (*Noop, error) {
return &Noop{
alg: alg,
sharedkey: sharedkey,
}, nil
}
func (kw *Noop) Algorithm() jwa.KeyEncryptionAlgorithm {
return kw.alg
}
func (kw *Noop) KeyID() string {
return kw.keyID
}
func (kw *Noop) Encrypt(cek []byte) (keygen.ByteSource, error) {
return keygen.ByteKey(kw.sharedkey), nil
}
// NewAES creates a key-wrap encrypter using AES.
// Although the name suggests otherwise, this does the decryption as well.
func NewAES(alg jwa.KeyEncryptionAlgorithm, sharedkey []byte) (*AES, error) {
return &AES{
alg: alg,
sharedkey: sharedkey,
}, nil
}
// Algorithm returns the key encryption algorithm being used
func (kw *AES) Algorithm() jwa.KeyEncryptionAlgorithm {
return kw.alg
}
// KeyID returns the key ID associated with this encrypter
func (kw *AES) KeyID() string {
return kw.keyID
}
// Decrypt decrypts the encrypted key using AES key unwrap
func (kw *AES) Decrypt(enckey []byte) ([]byte, error) {
block, err := aes.NewCipher(kw.sharedkey)
if err != nil {
return nil, errors.Wrap(err, "failed to create cipher from shared key")
}
cek, err := Unwrap(block, enckey)
if err != nil {
return nil, errors.Wrap(err, "failed to unwrap data")
}
return cek, nil
}
// KeyEncrypt encrypts the given content encryption key
func (kw *AES) Encrypt(cek []byte) (keygen.ByteSource, error) {
block, err := aes.NewCipher(kw.sharedkey)
if err != nil {
return nil, errors.Wrap(err, "failed to create cipher from shared key")
}
encrypted, err := Wrap(block, cek)
if err != nil {
return nil, errors.Wrap(err, `keywrap: failed to wrap key`)
}
return keygen.ByteKey(encrypted), nil
}
func NewAESGCMEncrypt(alg jwa.KeyEncryptionAlgorithm, sharedkey []byte) (*AESGCMEncrypt, error) {
return &AESGCMEncrypt{
algorithm: alg,
sharedkey: sharedkey,
}, nil
}
func (kw AESGCMEncrypt) Algorithm() jwa.KeyEncryptionAlgorithm {
return kw.algorithm
}
func (kw AESGCMEncrypt) KeyID() string {
return kw.keyID
}
func (kw AESGCMEncrypt) Encrypt(cek []byte) (keygen.ByteSource, error) {
block, err := aes.NewCipher(kw.sharedkey)
if err != nil {
return nil, errors.Wrap(err, "failed to create cipher from shared key")
}
aesgcm, err := cipher.NewGCM(block)
if err != nil {
return nil, errors.Wrap(err, "failed to create gcm from cipher")
}
iv := make([]byte, aesgcm.NonceSize())
_, err = io.ReadFull(rand.Reader, iv)
if err != nil {
return nil, errors.Wrap(err, "failed to get random iv")
}
encrypted := aesgcm.Seal(nil, iv, cek, nil)
tag := encrypted[len(encrypted)-aesgcm.Overhead():]
ciphertext := encrypted[:len(encrypted)-aesgcm.Overhead()]
return keygen.ByteWithIVAndTag{
ByteKey: ciphertext,
IV: iv,
Tag: tag,
}, nil
}
func NewPBES2Encrypt(alg jwa.KeyEncryptionAlgorithm, password []byte) (*PBES2Encrypt, error) {
var hashFunc func() hash.Hash
var keylen int
switch alg {
case jwa.PBES2_HS256_A128KW:
hashFunc = sha256.New
keylen = 16
case jwa.PBES2_HS384_A192KW:
hashFunc = sha512.New384
keylen = 24
case jwa.PBES2_HS512_A256KW:
hashFunc = sha512.New
keylen = 32
default:
return nil, errors.Errorf("unexpected key encryption algorithm %s", alg)
}
return &PBES2Encrypt{
algorithm: alg,
password: password,
hashFunc: hashFunc,
keylen: keylen,
}, nil
}
func (kw PBES2Encrypt) Algorithm() jwa.KeyEncryptionAlgorithm {
return kw.algorithm
}
func (kw PBES2Encrypt) KeyID() string {
return kw.keyID
}
func (kw PBES2Encrypt) Encrypt(cek []byte) (keygen.ByteSource, error) {
count := 10000
salt := make([]byte, kw.keylen)
_, err := io.ReadFull(rand.Reader, salt)
if err != nil {
return nil, errors.Wrap(err, "failed to get random salt")
}
fullsalt := []byte(kw.algorithm)
fullsalt = append(fullsalt, byte(0))
fullsalt = append(fullsalt, salt...)
sharedkey := pbkdf2.Key(kw.password, fullsalt, count, kw.keylen, kw.hashFunc)
block, err := aes.NewCipher(sharedkey)
if err != nil {
return nil, errors.Wrap(err, "failed to create cipher from shared key")
}
encrypted, err := Wrap(block, cek)
if err != nil {
return nil, errors.Wrap(err, `keywrap: failed to wrap key`)
}
return keygen.ByteWithSaltAndCount{
ByteKey: encrypted,
Salt: salt,
Count: count,
}, nil
}
// NewECDHESEncrypt creates a new key encrypter based on ECDH-ES
func NewECDHESEncrypt(alg jwa.KeyEncryptionAlgorithm, enc jwa.ContentEncryptionAlgorithm, keysize int, keyif interface{}) (*ECDHESEncrypt, error) {
var generator keygen.Generator
var err error
switch key := keyif.(type) {
case *ecdsa.PublicKey:
generator, err = keygen.NewEcdhes(alg, enc, keysize, key)
case x25519.PublicKey:
generator, err = keygen.NewX25519(alg, enc, keysize, key)
default:
return nil, errors.Errorf("unexpected key type %T", keyif)
}
if err != nil {
return nil, errors.Wrap(err, "failed to create key generator")
}
return &ECDHESEncrypt{
algorithm: alg,
generator: generator,
}, nil
}
// Algorithm returns the key encryption algorithm being used
func (kw ECDHESEncrypt) Algorithm() jwa.KeyEncryptionAlgorithm {
return kw.algorithm
}
// KeyID returns the key ID associated with this encrypter
func (kw ECDHESEncrypt) KeyID() string {
return kw.keyID
}
// KeyEncrypt encrypts the content encryption key using ECDH-ES
func (kw ECDHESEncrypt) Encrypt(cek []byte) (keygen.ByteSource, error) {
kg, err := kw.generator.Generate()
if err != nil {
return nil, errors.Wrap(err, "failed to create key generator")
}
bwpk, ok := kg.(keygen.ByteWithECPublicKey)
if !ok {
return nil, errors.New("key generator generated invalid key (expected ByteWithECPrivateKey)")
}
if kw.algorithm == jwa.ECDH_ES {
return bwpk, nil
}
block, err := aes.NewCipher(bwpk.Bytes())
if err != nil {
return nil, errors.Wrap(err, "failed to generate cipher from generated key")
}
jek, err := Wrap(block, cek)
if err != nil {
return nil, errors.Wrap(err, "failed to wrap data")
}
bwpk.ByteKey = keygen.ByteKey(jek)
return bwpk, nil
}
// NewECDHESDecrypt creates a new key decrypter using ECDH-ES
func NewECDHESDecrypt(keyalg jwa.KeyEncryptionAlgorithm, contentalg jwa.ContentEncryptionAlgorithm, pubkey interface{}, apu, apv []byte, privkey interface{}) *ECDHESDecrypt {
return &ECDHESDecrypt{
keyalg: keyalg,
contentalg: contentalg,
apu: apu,
apv: apv,
privkey: privkey,
pubkey: pubkey,
}
}
// Algorithm returns the key encryption algorithm being used
func (kw ECDHESDecrypt) Algorithm() jwa.KeyEncryptionAlgorithm {
return kw.keyalg
}
func DeriveZ(privkeyif interface{}, pubkeyif interface{}) ([]byte, error) {
switch privkeyif.(type) {
case x25519.PrivateKey:
privkey, ok := privkeyif.(x25519.PrivateKey)
if !ok {
return nil, errors.Errorf(`private key must be x25519.PrivateKey, was: %T`, privkeyif)
}
pubkey, ok := pubkeyif.(x25519.PublicKey)
if !ok {
return nil, errors.Errorf(`public key must be x25519.PublicKey, was: %T`, pubkeyif)
}
return curve25519.X25519(privkey.Seed(), pubkey)
default:
privkey, ok := privkeyif.(*ecdsa.PrivateKey)
if !ok {
return nil, errors.Errorf(`private key must be *ecdsa.PrivateKey, was: %T`, privkeyif)
}
pubkey, ok := pubkeyif.(*ecdsa.PublicKey)
if !ok {
return nil, errors.Errorf(`public key must be *ecdsa.PublicKey, was: %T`, pubkeyif)
}
if !privkey.PublicKey.Curve.IsOnCurve(pubkey.X, pubkey.Y) {
return nil, errors.New(`public key must be on the same curve as private key`)
}
z, _ := privkey.PublicKey.Curve.ScalarMult(pubkey.X, pubkey.Y, privkey.D.Bytes())
zBytes := ecutil.AllocECPointBuffer(z, privkey.Curve)
defer ecutil.ReleaseECPointBuffer(zBytes)
zCopy := make([]byte, len(zBytes))
copy(zCopy, zBytes)
return zCopy, nil
}
}
func DeriveECDHES(alg, apu, apv []byte, privkey interface{}, pubkey interface{}, keysize uint32) ([]byte, error) {
pubinfo := make([]byte, 4)
binary.BigEndian.PutUint32(pubinfo, keysize*8)
zBytes, err := DeriveZ(privkey, pubkey)
if err != nil {
return nil, errors.Wrap(err, "unable to determine Z")
}
kdf := concatkdf.New(crypto.SHA256, alg, zBytes, apu, apv, pubinfo, []byte{})
key := make([]byte, keysize)
if _, err := kdf.Read(key); err != nil {
return nil, errors.Wrap(err, "failed to read kdf")
}
return key, nil
}
// Decrypt decrypts the encrypted key using ECDH-ES
func (kw ECDHESDecrypt) Decrypt(enckey []byte) ([]byte, error) {
var algBytes []byte
var keysize uint32
// Use keyalg except for when jwa.ECDH_ES
algBytes = []byte(kw.keyalg.String())
switch kw.keyalg {
case jwa.ECDH_ES:
// Create a content cipher from the content encryption algorithm
c, err := contentcipher.NewAES(kw.contentalg)
if err != nil {
return nil, errors.Wrapf(err, `failed to create content cipher for %s`, kw.contentalg)
}
keysize = uint32(c.KeySize())
algBytes = []byte(kw.contentalg.String())
case jwa.ECDH_ES_A128KW:
keysize = 16
case jwa.ECDH_ES_A192KW:
keysize = 24
case jwa.ECDH_ES_A256KW:
keysize = 32
default:
return nil, errors.Errorf("invalid ECDH-ES key wrap algorithm (%s)", kw.keyalg)
}
key, err := DeriveECDHES(algBytes, kw.apu, kw.apv, kw.privkey, kw.pubkey, keysize)
if err != nil {
return nil, errors.Wrap(err, `failed to derive ECDHES encryption key`)
}
// ECDH-ES does not wrap keys
if kw.keyalg == jwa.ECDH_ES {
return key, nil
}
block, err := aes.NewCipher(key)
if err != nil {
return nil, errors.Wrap(err, "failed to create cipher for ECDH-ES key wrap")
}
return Unwrap(block, enckey)
}
// NewRSAOAEPEncrypt creates a new key encrypter using RSA OAEP
func NewRSAOAEPEncrypt(alg jwa.KeyEncryptionAlgorithm, pubkey *rsa.PublicKey) (*RSAOAEPEncrypt, error) {
switch alg {
case jwa.RSA_OAEP, jwa.RSA_OAEP_256:
default:
return nil, errors.Errorf("invalid RSA OAEP encrypt algorithm (%s)", alg)
}
return &RSAOAEPEncrypt{
alg: alg,
pubkey: pubkey,
}, nil
}
// NewRSAPKCSEncrypt creates a new key encrypter using PKCS1v15
func NewRSAPKCSEncrypt(alg jwa.KeyEncryptionAlgorithm, pubkey *rsa.PublicKey) (*RSAPKCSEncrypt, error) {
switch alg {
case jwa.RSA1_5:
default:
return nil, errors.Errorf("invalid RSA PKCS encrypt algorithm (%s)", alg)
}
return &RSAPKCSEncrypt{
alg: alg,
pubkey: pubkey,
}, nil
}
// Algorithm returns the key encryption algorithm being used
func (e RSAPKCSEncrypt) Algorithm() jwa.KeyEncryptionAlgorithm {
return e.alg
}
// KeyID returns the key ID associated with this encrypter
func (e RSAPKCSEncrypt) KeyID() string {
return e.keyID
}
// Algorithm returns the key encryption algorithm being used
func (e RSAOAEPEncrypt) Algorithm() jwa.KeyEncryptionAlgorithm {
return e.alg
}
// KeyID returns the key ID associated with this encrypter
func (e RSAOAEPEncrypt) KeyID() string {
return e.keyID
}
// KeyEncrypt encrypts the content encryption key using RSA PKCS1v15
func (e RSAPKCSEncrypt) Encrypt(cek []byte) (keygen.ByteSource, error) {
if e.alg != jwa.RSA1_5 {
return nil, errors.Errorf("invalid RSA PKCS encrypt algorithm (%s)", e.alg)
}
encrypted, err := rsa.EncryptPKCS1v15(rand.Reader, e.pubkey, cek)
if err != nil {
return nil, errors.Wrap(err, "failed to encrypt using PKCS1v15")
}
return keygen.ByteKey(encrypted), nil
}
// KeyEncrypt encrypts the content encryption key using RSA OAEP
func (e RSAOAEPEncrypt) Encrypt(cek []byte) (keygen.ByteSource, error) {
var hash hash.Hash
switch e.alg {
case jwa.RSA_OAEP:
hash = sha1.New()
case jwa.RSA_OAEP_256:
hash = sha256.New()
default:
return nil, errors.New("failed to generate key encrypter for RSA-OAEP: RSA_OAEP/RSA_OAEP_256 required")
}
encrypted, err := rsa.EncryptOAEP(hash, rand.Reader, e.pubkey, cek, []byte{})
if err != nil {
return nil, errors.Wrap(err, `failed to OAEP encrypt`)
}
return keygen.ByteKey(encrypted), nil
}
// NewRSAPKCS15Decrypt creates a new decrypter using RSA PKCS1v15
func NewRSAPKCS15Decrypt(alg jwa.KeyEncryptionAlgorithm, privkey *rsa.PrivateKey, keysize int) *RSAPKCS15Decrypt {
generator := keygen.NewRandom(keysize * 2)
return &RSAPKCS15Decrypt{
alg: alg,
privkey: privkey,
generator: generator,
}
}
// Algorithm returns the key encryption algorithm being used
func (d RSAPKCS15Decrypt) Algorithm() jwa.KeyEncryptionAlgorithm {
return d.alg
}
// Decrypt decrypts the encrypted key using RSA PKCS1v1.5
func (d RSAPKCS15Decrypt) Decrypt(enckey []byte) ([]byte, error) {
// Hey, these notes and workarounds were stolen from go-jose
defer func() {
// DecryptPKCS1v15SessionKey sometimes panics on an invalid payload
// because of an index out of bounds error, which we want to ignore.
// This has been fixed in Go 1.3.1 (released 2014/08/13), the recover()
// only exists for preventing crashes with unpatched versions.
// See: https://groups.google.com/forum/#!topic/golang-dev/7ihX6Y6kx9k
// See: https://code.google.com/p/go/source/detail?r=58ee390ff31602edb66af41ed10901ec95904d33
_ = recover()
}()
// Perform some input validation.
expectedlen := d.privkey.PublicKey.N.BitLen() / 8
if expectedlen != len(enckey) {
// Input size is incorrect, the encrypted payload should always match
// the size of the public modulus (e.g. using a 2048 bit key will
// produce 256 bytes of output). Reject this since it's invalid input.
return nil, fmt.Errorf(
"input size for key decrypt is incorrect (expected %d, got %d)",
expectedlen,
len(enckey),
)
}
var err error
bk, err := d.generator.Generate()
if err != nil {
return nil, errors.New("failed to generate key")
}
cek := bk.Bytes()
// When decrypting an RSA-PKCS1v1.5 payload, we must take precautions to
// prevent chosen-ciphertext attacks as described in RFC 3218, "Preventing
// the Million Message Attack on Cryptographic Message Syntax". We are
// therefore deliberately ignoring errors here.
err = rsa.DecryptPKCS1v15SessionKey(rand.Reader, d.privkey, enckey, cek)
if err != nil {
return nil, errors.Wrap(err, "failed to decrypt via PKCS1v15")
}
return cek, nil
}
// NewRSAOAEPDecrypt creates a new key decrypter using RSA OAEP
func NewRSAOAEPDecrypt(alg jwa.KeyEncryptionAlgorithm, privkey *rsa.PrivateKey) (*RSAOAEPDecrypt, error) {
switch alg {
case jwa.RSA_OAEP, jwa.RSA_OAEP_256:
default:
return nil, errors.Errorf("invalid RSA OAEP decrypt algorithm (%s)", alg)
}
return &RSAOAEPDecrypt{
alg: alg,
privkey: privkey,
}, nil
}
// Algorithm returns the key encryption algorithm being used
func (d RSAOAEPDecrypt) Algorithm() jwa.KeyEncryptionAlgorithm {
return d.alg
}
// Decrypt decrypts the encrypted key using RSA OAEP
func (d RSAOAEPDecrypt) Decrypt(enckey []byte) ([]byte, error) {
var hash hash.Hash
switch d.alg {
case jwa.RSA_OAEP:
hash = sha1.New()
case jwa.RSA_OAEP_256:
hash = sha256.New()
default:
return nil, errors.New("failed to generate key encrypter for RSA-OAEP: RSA_OAEP/RSA_OAEP_256 required")
}
return rsa.DecryptOAEP(hash, rand.Reader, d.privkey, enckey, []byte{})
}
// Decrypt for DirectDecrypt does not do anything other than
// return a copy of the embedded key
func (d DirectDecrypt) Decrypt() ([]byte, error) {
cek := make([]byte, len(d.Key))
copy(cek, d.Key)
return cek, nil
}
var keywrapDefaultIV = []byte{0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6}
const keywrapChunkLen = 8
func Wrap(kek cipher.Block, cek []byte) ([]byte, error) {
if len(cek)%8 != 0 {
return nil, errors.New(`keywrap input must be 8 byte blocks`)
}
n := len(cek) / keywrapChunkLen
r := make([][]byte, n)
for i := 0; i < n; i++ {
r[i] = make([]byte, keywrapChunkLen)
copy(r[i], cek[i*keywrapChunkLen:])
}
buffer := make([]byte, keywrapChunkLen*2)
tBytes := make([]byte, keywrapChunkLen)
copy(buffer, keywrapDefaultIV)
for t := 0; t < 6*n; t++ {
copy(buffer[keywrapChunkLen:], r[t%n])
kek.Encrypt(buffer, buffer)
binary.BigEndian.PutUint64(tBytes, uint64(t+1))
for i := 0; i < keywrapChunkLen; i++ {
buffer[i] = buffer[i] ^ tBytes[i]
}
copy(r[t%n], buffer[keywrapChunkLen:])
}
out := make([]byte, (n+1)*keywrapChunkLen)
copy(out, buffer[:keywrapChunkLen])
for i := range r {
copy(out[(i+1)*8:], r[i])
}
return out, nil
}
func Unwrap(block cipher.Block, ciphertxt []byte) ([]byte, error) {
if len(ciphertxt)%keywrapChunkLen != 0 {
return nil, errors.Errorf(`keyunwrap input must be %d byte blocks`, keywrapChunkLen)
}
n := (len(ciphertxt) / keywrapChunkLen) - 1
r := make([][]byte, n)
for i := range r {
r[i] = make([]byte, keywrapChunkLen)
copy(r[i], ciphertxt[(i+1)*keywrapChunkLen:])
}
buffer := make([]byte, keywrapChunkLen*2)
tBytes := make([]byte, keywrapChunkLen)
copy(buffer[:keywrapChunkLen], ciphertxt[:keywrapChunkLen])
for t := 6*n - 1; t >= 0; t-- {
binary.BigEndian.PutUint64(tBytes, uint64(t+1))
for i := 0; i < keywrapChunkLen; i++ {
buffer[i] = buffer[i] ^ tBytes[i]
}
copy(buffer[keywrapChunkLen:], r[t%n])
block.Decrypt(buffer, buffer)
copy(r[t%n], buffer[keywrapChunkLen:])
}
if subtle.ConstantTimeCompare(buffer[:keywrapChunkLen], keywrapDefaultIV) == 0 {
return nil, errors.New("key unwrap: failed to unwrap key")
}
out := make([]byte, n*keywrapChunkLen)
for i := range r {
copy(out[i*keywrapChunkLen:], r[i])
}
return out, nil
}