github.com/leonlxy/hyperledger@v1.0.0-alpha.0.20170427033203-34922035d248/bccsp/sw/impl.go (about) 1 /* 2 Copyright IBM Corp. 2016 All Rights Reserved. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 package sw 17 18 import ( 19 "crypto/ecdsa" 20 "crypto/rand" 21 "errors" 22 "fmt" 23 "math/big" 24 25 "crypto/rsa" 26 27 "hash" 28 29 "crypto/x509" 30 31 "crypto/hmac" 32 33 "crypto/elliptic" 34 "crypto/sha256" 35 "crypto/sha512" 36 37 "github.com/hyperledger/fabric/bccsp" 38 "github.com/hyperledger/fabric/bccsp/utils" 39 "github.com/hyperledger/fabric/common/flogging" 40 "golang.org/x/crypto/sha3" 41 ) 42 43 var ( 44 logger = flogging.MustGetLogger("bccsp_sw") 45 ) 46 47 // NewDefaultSecurityLevel returns a new instance of the software-based BCCSP 48 // at security level 256, hash family SHA2 and using FolderBasedKeyStore as KeyStore. 49 func NewDefaultSecurityLevel(keyStorePath string) (bccsp.BCCSP, error) { 50 ks := &fileBasedKeyStore{} 51 if err := ks.Init(nil, keyStorePath, false); err != nil { 52 return nil, fmt.Errorf("Failed initializing key store [%s]", err) 53 } 54 55 return New(256, "SHA2", ks) 56 } 57 58 // NewDefaultSecurityLevel returns a new instance of the software-based BCCSP 59 // at security level 256, hash family SHA2 and using the passed KeyStore. 60 func NewDefaultSecurityLevelWithKeystore(keyStore bccsp.KeyStore) (bccsp.BCCSP, error) { 61 return New(256, "SHA2", keyStore) 62 } 63 64 // New returns a new instance of the software-based BCCSP 65 // set at the passed security level, hash family and KeyStore. 66 func New(securityLevel int, hashFamily string, keyStore bccsp.KeyStore) (bccsp.BCCSP, error) { 67 // Init config 68 conf := &config{} 69 err := conf.setSecurityLevel(securityLevel, hashFamily) 70 if err != nil { 71 return nil, fmt.Errorf("Failed initializing configuration [%s]", err) 72 } 73 74 // Check KeyStore 75 if keyStore == nil { 76 return nil, errors.New("Invalid bccsp.KeyStore instance. It must be different from nil.") 77 } 78 79 return &impl{conf, keyStore}, nil 80 } 81 82 // SoftwareBasedBCCSP is the software-based implementation of the BCCSP. 83 type impl struct { 84 conf *config 85 ks bccsp.KeyStore 86 } 87 88 // KeyGen generates a key using opts. 89 func (csp *impl) KeyGen(opts bccsp.KeyGenOpts) (k bccsp.Key, err error) { 90 // Validate arguments 91 if opts == nil { 92 return nil, errors.New("Invalid Opts parameter. It must not be nil.") 93 } 94 95 // Parse algorithm 96 switch opts.(type) { 97 case *bccsp.ECDSAKeyGenOpts: 98 lowLevelKey, err := ecdsa.GenerateKey(csp.conf.ellipticCurve, rand.Reader) 99 if err != nil { 100 return nil, fmt.Errorf("Failed generating ECDSA key [%s]", err) 101 } 102 103 k = &ecdsaPrivateKey{lowLevelKey} 104 105 case *bccsp.ECDSAP256KeyGenOpts: 106 lowLevelKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 107 if err != nil { 108 return nil, fmt.Errorf("Failed generating ECDSA P256 key [%s]", err) 109 } 110 111 k = &ecdsaPrivateKey{lowLevelKey} 112 113 case *bccsp.ECDSAP384KeyGenOpts: 114 lowLevelKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) 115 if err != nil { 116 return nil, fmt.Errorf("Failed generating ECDSA P384 key [%s]", err) 117 } 118 119 k = &ecdsaPrivateKey{lowLevelKey} 120 121 case *bccsp.AESKeyGenOpts: 122 lowLevelKey, err := GetRandomBytes(csp.conf.aesBitLength) 123 124 if err != nil { 125 return nil, fmt.Errorf("Failed generating AES key [%s]", err) 126 } 127 128 k = &aesPrivateKey{lowLevelKey, false} 129 130 case *bccsp.AES256KeyGenOpts: 131 lowLevelKey, err := GetRandomBytes(32) 132 133 if err != nil { 134 return nil, fmt.Errorf("Failed generating AES 256 key [%s]", err) 135 } 136 137 k = &aesPrivateKey{lowLevelKey, false} 138 139 case *bccsp.AES192KeyGenOpts: 140 lowLevelKey, err := GetRandomBytes(24) 141 142 if err != nil { 143 return nil, fmt.Errorf("Failed generating AES 192 key [%s]", err) 144 } 145 146 k = &aesPrivateKey{lowLevelKey, false} 147 148 case *bccsp.AES128KeyGenOpts: 149 lowLevelKey, err := GetRandomBytes(16) 150 151 if err != nil { 152 return nil, fmt.Errorf("Failed generating AES 128 key [%s]", err) 153 } 154 155 k = &aesPrivateKey{lowLevelKey, false} 156 157 case *bccsp.RSAKeyGenOpts: 158 lowLevelKey, err := rsa.GenerateKey(rand.Reader, csp.conf.rsaBitLength) 159 160 if err != nil { 161 return nil, fmt.Errorf("Failed generating RSA key [%s]", err) 162 } 163 164 k = &rsaPrivateKey{lowLevelKey} 165 166 case *bccsp.RSA1024KeyGenOpts: 167 lowLevelKey, err := rsa.GenerateKey(rand.Reader, 1024) 168 169 if err != nil { 170 return nil, fmt.Errorf("Failed generating RSA 1024 key [%s]", err) 171 } 172 173 k = &rsaPrivateKey{lowLevelKey} 174 175 case *bccsp.RSA2048KeyGenOpts: 176 lowLevelKey, err := rsa.GenerateKey(rand.Reader, 2048) 177 178 if err != nil { 179 return nil, fmt.Errorf("Failed generating RSA 2048 key [%s]", err) 180 } 181 182 k = &rsaPrivateKey{lowLevelKey} 183 184 case *bccsp.RSA3072KeyGenOpts: 185 lowLevelKey, err := rsa.GenerateKey(rand.Reader, 3072) 186 187 if err != nil { 188 return nil, fmt.Errorf("Failed generating RSA 3072 key [%s]", err) 189 } 190 191 k = &rsaPrivateKey{lowLevelKey} 192 193 case *bccsp.RSA4096KeyGenOpts: 194 lowLevelKey, err := rsa.GenerateKey(rand.Reader, 4096) 195 196 if err != nil { 197 return nil, fmt.Errorf("Failed generating RSA 4096 key [%s]", err) 198 } 199 200 k = &rsaPrivateKey{lowLevelKey} 201 202 default: 203 return nil, fmt.Errorf("Unrecognized KeyGenOpts provided [%s]", opts.Algorithm()) 204 } 205 206 // If the key is not Ephemeral, store it. 207 if !opts.Ephemeral() { 208 // Store the key 209 err = csp.ks.StoreKey(k) 210 if err != nil { 211 return nil, fmt.Errorf("Failed storing key [%s]. [%s]", opts.Algorithm(), err) 212 } 213 } 214 215 return k, nil 216 } 217 218 // KeyDeriv derives a key from k using opts. 219 // The opts argument should be appropriate for the primitive used. 220 func (csp *impl) KeyDeriv(k bccsp.Key, opts bccsp.KeyDerivOpts) (dk bccsp.Key, err error) { 221 // Validate arguments 222 if k == nil { 223 return nil, errors.New("Invalid Key. It must not be nil.") 224 } 225 226 // Derive key 227 switch k.(type) { 228 case *ecdsaPublicKey: 229 // Validate opts 230 if opts == nil { 231 return nil, errors.New("Invalid Opts parameter. It must not be nil.") 232 } 233 234 ecdsaK := k.(*ecdsaPublicKey) 235 236 switch opts.(type) { 237 238 // Re-randomized an ECDSA private key 239 case *bccsp.ECDSAReRandKeyOpts: 240 reRandOpts := opts.(*bccsp.ECDSAReRandKeyOpts) 241 tempSK := &ecdsa.PublicKey{ 242 Curve: ecdsaK.pubKey.Curve, 243 X: new(big.Int), 244 Y: new(big.Int), 245 } 246 247 var k = new(big.Int).SetBytes(reRandOpts.ExpansionValue()) 248 var one = new(big.Int).SetInt64(1) 249 n := new(big.Int).Sub(ecdsaK.pubKey.Params().N, one) 250 k.Mod(k, n) 251 k.Add(k, one) 252 253 // Compute temporary public key 254 tempX, tempY := ecdsaK.pubKey.ScalarBaseMult(k.Bytes()) 255 tempSK.X, tempSK.Y = tempSK.Add( 256 ecdsaK.pubKey.X, ecdsaK.pubKey.Y, 257 tempX, tempY, 258 ) 259 260 // Verify temporary public key is a valid point on the reference curve 261 isOn := tempSK.Curve.IsOnCurve(tempSK.X, tempSK.Y) 262 if !isOn { 263 return nil, errors.New("Failed temporary public key IsOnCurve check.") 264 } 265 266 reRandomizedKey := &ecdsaPublicKey{tempSK} 267 268 // If the key is not Ephemeral, store it. 269 if !opts.Ephemeral() { 270 // Store the key 271 err = csp.ks.StoreKey(reRandomizedKey) 272 if err != nil { 273 return nil, fmt.Errorf("Failed storing ECDSA key [%s]", err) 274 } 275 } 276 277 return reRandomizedKey, nil 278 279 default: 280 return nil, fmt.Errorf("Unrecognized KeyDerivOpts provided [%s]", opts.Algorithm()) 281 282 } 283 case *ecdsaPrivateKey: 284 // Validate opts 285 if opts == nil { 286 return nil, errors.New("Invalid Opts parameter. It must not be nil.") 287 } 288 289 ecdsaK := k.(*ecdsaPrivateKey) 290 291 switch opts.(type) { 292 293 // Re-randomized an ECDSA private key 294 case *bccsp.ECDSAReRandKeyOpts: 295 reRandOpts := opts.(*bccsp.ECDSAReRandKeyOpts) 296 tempSK := &ecdsa.PrivateKey{ 297 PublicKey: ecdsa.PublicKey{ 298 Curve: ecdsaK.privKey.Curve, 299 X: new(big.Int), 300 Y: new(big.Int), 301 }, 302 D: new(big.Int), 303 } 304 305 var k = new(big.Int).SetBytes(reRandOpts.ExpansionValue()) 306 var one = new(big.Int).SetInt64(1) 307 n := new(big.Int).Sub(ecdsaK.privKey.Params().N, one) 308 k.Mod(k, n) 309 k.Add(k, one) 310 311 tempSK.D.Add(ecdsaK.privKey.D, k) 312 tempSK.D.Mod(tempSK.D, ecdsaK.privKey.PublicKey.Params().N) 313 314 // Compute temporary public key 315 tempX, tempY := ecdsaK.privKey.PublicKey.ScalarBaseMult(k.Bytes()) 316 tempSK.PublicKey.X, tempSK.PublicKey.Y = 317 tempSK.PublicKey.Add( 318 ecdsaK.privKey.PublicKey.X, ecdsaK.privKey.PublicKey.Y, 319 tempX, tempY, 320 ) 321 322 // Verify temporary public key is a valid point on the reference curve 323 isOn := tempSK.Curve.IsOnCurve(tempSK.PublicKey.X, tempSK.PublicKey.Y) 324 if !isOn { 325 return nil, errors.New("Failed temporary public key IsOnCurve check.") 326 } 327 328 reRandomizedKey := &ecdsaPrivateKey{tempSK} 329 330 // If the key is not Ephemeral, store it. 331 if !opts.Ephemeral() { 332 // Store the key 333 err = csp.ks.StoreKey(reRandomizedKey) 334 if err != nil { 335 return nil, fmt.Errorf("Failed storing ECDSA key [%s]", err) 336 } 337 } 338 339 return reRandomizedKey, nil 340 341 default: 342 return nil, fmt.Errorf("Unrecognized KeyDerivOpts provided [%s]", opts.Algorithm()) 343 344 } 345 case *aesPrivateKey: 346 // Validate opts 347 if opts == nil { 348 return nil, errors.New("Invalid Opts parameter. It must not be nil.") 349 } 350 351 aesK := k.(*aesPrivateKey) 352 353 switch opts.(type) { 354 case *bccsp.HMACTruncated256AESDeriveKeyOpts: 355 hmacOpts := opts.(*bccsp.HMACTruncated256AESDeriveKeyOpts) 356 357 mac := hmac.New(csp.conf.hashFunction, aesK.privKey) 358 mac.Write(hmacOpts.Argument()) 359 hmacedKey := &aesPrivateKey{mac.Sum(nil)[:csp.conf.aesBitLength], false} 360 361 // If the key is not Ephemeral, store it. 362 if !opts.Ephemeral() { 363 // Store the key 364 err = csp.ks.StoreKey(hmacedKey) 365 if err != nil { 366 return nil, fmt.Errorf("Failed storing ECDSA key [%s]", err) 367 } 368 } 369 370 return hmacedKey, nil 371 372 case *bccsp.HMACDeriveKeyOpts: 373 374 hmacOpts := opts.(*bccsp.HMACDeriveKeyOpts) 375 376 mac := hmac.New(csp.conf.hashFunction, aesK.privKey) 377 mac.Write(hmacOpts.Argument()) 378 hmacedKey := &aesPrivateKey{mac.Sum(nil), true} 379 380 // If the key is not Ephemeral, store it. 381 if !opts.Ephemeral() { 382 // Store the key 383 err = csp.ks.StoreKey(hmacedKey) 384 if err != nil { 385 return nil, fmt.Errorf("Failed storing ECDSA key [%s]", err) 386 } 387 } 388 389 return hmacedKey, nil 390 391 default: 392 return nil, fmt.Errorf("Unrecognized KeyDerivOpts provided [%s]", opts.Algorithm()) 393 394 } 395 396 default: 397 return nil, fmt.Errorf("Key type not recognized [%s]", k) 398 } 399 } 400 401 // KeyImport imports a key from its raw representation using opts. 402 // The opts argument should be appropriate for the primitive used. 403 func (csp *impl) KeyImport(raw interface{}, opts bccsp.KeyImportOpts) (k bccsp.Key, err error) { 404 // Validate arguments 405 if raw == nil { 406 return nil, errors.New("Invalid raw. Cannot be nil") 407 } 408 409 if opts == nil { 410 return nil, errors.New("Invalid Opts parameter. It must not be nil.") 411 } 412 413 switch opts.(type) { 414 415 case *bccsp.AES256ImportKeyOpts: 416 aesRaw, ok := raw.([]byte) 417 if !ok { 418 return nil, errors.New("[AES256ImportKeyOpts] Invalid raw material. Expected byte array.") 419 } 420 421 if len(aesRaw) != 32 { 422 return nil, fmt.Errorf("[AES256ImportKeyOpts] Invalid Key Length [%d]. Must be 32 bytes", len(aesRaw)) 423 } 424 425 aesK := &aesPrivateKey{utils.Clone(aesRaw), false} 426 427 // If the key is not Ephemeral, store it. 428 if !opts.Ephemeral() { 429 // Store the key 430 err = csp.ks.StoreKey(aesK) 431 if err != nil { 432 return nil, fmt.Errorf("Failed storing AES key [%s]", err) 433 } 434 } 435 436 return aesK, nil 437 438 case *bccsp.HMACImportKeyOpts: 439 aesRaw, ok := raw.([]byte) 440 if !ok { 441 return nil, errors.New("[HMACImportKeyOpts] Invalid raw material. Expected byte array.") 442 } 443 444 if len(aesRaw) == 0 { 445 return nil, errors.New("[HMACImportKeyOpts] Invalid raw. It must not be nil.") 446 } 447 448 aesK := &aesPrivateKey{utils.Clone(aesRaw), false} 449 450 // If the key is not Ephemeral, store it. 451 if !opts.Ephemeral() { 452 // Store the key 453 err = csp.ks.StoreKey(aesK) 454 if err != nil { 455 return nil, fmt.Errorf("Failed storing AES key [%s]", err) 456 } 457 } 458 459 return aesK, nil 460 461 case *bccsp.ECDSAPKIXPublicKeyImportOpts: 462 der, ok := raw.([]byte) 463 if !ok { 464 return nil, errors.New("[ECDSAPKIXPublicKeyImportOpts] Invalid raw material. Expected byte array.") 465 } 466 467 if len(der) == 0 { 468 return nil, errors.New("[ECDSAPKIXPublicKeyImportOpts] Invalid raw. It must not be nil.") 469 } 470 471 lowLevelKey, err := utils.DERToPublicKey(der) 472 if err != nil { 473 return nil, fmt.Errorf("Failed converting PKIX to ECDSA public key [%s]", err) 474 } 475 476 ecdsaPK, ok := lowLevelKey.(*ecdsa.PublicKey) 477 if !ok { 478 return nil, errors.New("Failed casting to ECDSA public key. Invalid raw material.") 479 } 480 481 k = &ecdsaPublicKey{ecdsaPK} 482 483 // If the key is not Ephemeral, store it. 484 if !opts.Ephemeral() { 485 // Store the key 486 err = csp.ks.StoreKey(k) 487 if err != nil { 488 return nil, fmt.Errorf("Failed storing ECDSA key [%s]", err) 489 } 490 } 491 492 return k, nil 493 494 case *bccsp.ECDSAPrivateKeyImportOpts: 495 der, ok := raw.([]byte) 496 if !ok { 497 return nil, errors.New("[ECDSADERPrivateKeyImportOpts] Invalid raw material. Expected byte array.") 498 } 499 500 if len(der) == 0 { 501 return nil, errors.New("[ECDSADERPrivateKeyImportOpts] Invalid raw. It must not be nil.") 502 } 503 504 lowLevelKey, err := utils.DERToPrivateKey(der) 505 if err != nil { 506 return nil, fmt.Errorf("Failed converting PKIX to ECDSA public key [%s]", err) 507 } 508 509 ecdsaSK, ok := lowLevelKey.(*ecdsa.PrivateKey) 510 if !ok { 511 return nil, errors.New("Failed casting to ECDSA public key. Invalid raw material.") 512 } 513 514 k = &ecdsaPrivateKey{ecdsaSK} 515 516 // If the key is not Ephemeral, store it. 517 if !opts.Ephemeral() { 518 // Store the key 519 err = csp.ks.StoreKey(k) 520 if err != nil { 521 return nil, fmt.Errorf("Failed storing ECDSA key [%s]", err) 522 } 523 } 524 525 return k, nil 526 527 case *bccsp.ECDSAGoPublicKeyImportOpts: 528 lowLevelKey, ok := raw.(*ecdsa.PublicKey) 529 if !ok { 530 return nil, errors.New("[ECDSAGoPublicKeyImportOpts] Invalid raw material. Expected *ecdsa.PublicKey.") 531 } 532 533 k = &ecdsaPublicKey{lowLevelKey} 534 535 // If the key is not Ephemeral, store it. 536 if !opts.Ephemeral() { 537 // Store the key 538 err = csp.ks.StoreKey(k) 539 if err != nil { 540 return nil, fmt.Errorf("Failed storing ECDSA key [%s]", err) 541 } 542 } 543 544 return k, nil 545 546 case *bccsp.RSAGoPublicKeyImportOpts: 547 lowLevelKey, ok := raw.(*rsa.PublicKey) 548 if !ok { 549 return nil, errors.New("[RSAGoPublicKeyImportOpts] Invalid raw material. Expected *rsa.PublicKey.") 550 } 551 552 k = &rsaPublicKey{lowLevelKey} 553 554 // If the key is not Ephemeral, store it. 555 if !opts.Ephemeral() { 556 // Store the key 557 err = csp.ks.StoreKey(k) 558 if err != nil { 559 return nil, fmt.Errorf("Failed storing RSA publi key [%s]", err) 560 } 561 } 562 563 return k, nil 564 565 case *bccsp.X509PublicKeyImportOpts: 566 x509Cert, ok := raw.(*x509.Certificate) 567 if !ok { 568 return nil, errors.New("[X509PublicKeyImportOpts] Invalid raw material. Expected *x509.Certificate.") 569 } 570 571 pk := x509Cert.PublicKey 572 573 switch pk.(type) { 574 case *ecdsa.PublicKey: 575 return csp.KeyImport(pk, &bccsp.ECDSAGoPublicKeyImportOpts{Temporary: opts.Ephemeral()}) 576 case *rsa.PublicKey: 577 return csp.KeyImport(pk, &bccsp.RSAGoPublicKeyImportOpts{Temporary: opts.Ephemeral()}) 578 default: 579 return nil, errors.New("Certificate public key type not recognized. Supported keys: [ECDSA, RSA]") 580 } 581 582 default: 583 return nil, errors.New("Import Key Options not recognized") 584 } 585 } 586 587 // GetKey returns the key this CSP associates to 588 // the Subject Key Identifier ski. 589 func (csp *impl) GetKey(ski []byte) (k bccsp.Key, err error) { 590 return csp.ks.GetKey(ski) 591 } 592 593 // Hash hashes messages msg using options opts. 594 func (csp *impl) Hash(msg []byte, opts bccsp.HashOpts) (digest []byte, err error) { 595 var h hash.Hash 596 if opts == nil { 597 h = csp.conf.hashFunction() 598 } else { 599 switch opts.(type) { 600 case *bccsp.SHAOpts: 601 h = csp.conf.hashFunction() 602 case *bccsp.SHA256Opts: 603 h = sha256.New() 604 case *bccsp.SHA384Opts: 605 h = sha512.New384() 606 case *bccsp.SHA3_256Opts: 607 h = sha3.New256() 608 case *bccsp.SHA3_384Opts: 609 h = sha3.New384() 610 default: 611 return nil, fmt.Errorf("Algorithm not recognized [%s]", opts.Algorithm()) 612 } 613 } 614 615 h.Write(msg) 616 return h.Sum(nil), nil 617 } 618 619 // GetHash returns and instance of hash.Hash using options opts. 620 // If opts is nil then the default hash function is returned. 621 func (csp *impl) GetHash(opts bccsp.HashOpts) (h hash.Hash, err error) { 622 if opts == nil { 623 return csp.conf.hashFunction(), nil 624 } 625 626 switch opts.(type) { 627 case *bccsp.SHAOpts: 628 return csp.conf.hashFunction(), nil 629 case *bccsp.SHA256Opts: 630 return sha256.New(), nil 631 case *bccsp.SHA384Opts: 632 return sha512.New384(), nil 633 case *bccsp.SHA3_256Opts: 634 return sha3.New256(), nil 635 case *bccsp.SHA3_384Opts: 636 return sha3.New384(), nil 637 default: 638 return nil, fmt.Errorf("Algorithm not recognized [%s]", opts.Algorithm()) 639 } 640 } 641 642 // Sign signs digest using key k. 643 // The opts argument should be appropriate for the primitive used. 644 // 645 // Note that when a signature of a hash of a larger message is needed, 646 // the caller is responsible for hashing the larger message and passing 647 // the hash (as digest). 648 func (csp *impl) Sign(k bccsp.Key, digest []byte, opts bccsp.SignerOpts) (signature []byte, err error) { 649 // Validate arguments 650 if k == nil { 651 return nil, errors.New("Invalid Key. It must not be nil.") 652 } 653 if len(digest) == 0 { 654 return nil, errors.New("Invalid digest. Cannot be empty.") 655 } 656 657 // Check key type 658 switch k.(type) { 659 case *ecdsaPrivateKey: 660 return csp.signECDSA(k.(*ecdsaPrivateKey).privKey, digest, opts) 661 case *rsaPrivateKey: 662 if opts == nil { 663 return nil, errors.New("Invalid options. Nil.") 664 } 665 666 return k.(*rsaPrivateKey).privKey.Sign(rand.Reader, digest, opts) 667 default: 668 return nil, fmt.Errorf("Key type not recognized [%s]", k) 669 } 670 } 671 672 // Verify verifies signature against key k and digest 673 func (csp *impl) Verify(k bccsp.Key, signature, digest []byte, opts bccsp.SignerOpts) (valid bool, err error) { 674 // Validate arguments 675 if k == nil { 676 return false, errors.New("Invalid Key. It must not be nil.") 677 } 678 if len(signature) == 0 { 679 return false, errors.New("Invalid signature. Cannot be empty.") 680 } 681 if len(digest) == 0 { 682 return false, errors.New("Invalid digest. Cannot be empty.") 683 } 684 685 // Check key type 686 switch k.(type) { 687 case *ecdsaPrivateKey: 688 return csp.verifyECDSA(&(k.(*ecdsaPrivateKey).privKey.PublicKey), signature, digest, opts) 689 case *ecdsaPublicKey: 690 return csp.verifyECDSA(k.(*ecdsaPublicKey).pubKey, signature, digest, opts) 691 case *rsaPrivateKey: 692 if opts == nil { 693 return false, errors.New("Invalid options. It must not be nil.") 694 } 695 switch opts.(type) { 696 case *rsa.PSSOptions: 697 err := rsa.VerifyPSS(&(k.(*rsaPrivateKey).privKey.PublicKey), 698 (opts.(*rsa.PSSOptions)).Hash, 699 digest, signature, opts.(*rsa.PSSOptions)) 700 701 return err == nil, err 702 default: 703 return false, fmt.Errorf("Opts type not recognized [%s]", opts) 704 } 705 case *rsaPublicKey: 706 if opts == nil { 707 return false, errors.New("Invalid options. It must not be nil.") 708 } 709 switch opts.(type) { 710 case *rsa.PSSOptions: 711 err := rsa.VerifyPSS(k.(*rsaPublicKey).pubKey, 712 (opts.(*rsa.PSSOptions)).Hash, 713 digest, signature, opts.(*rsa.PSSOptions)) 714 715 return err == nil, err 716 default: 717 return false, fmt.Errorf("Opts type not recognized [%s]", opts) 718 } 719 default: 720 return false, fmt.Errorf("Key type not recognized [%s]", k) 721 } 722 } 723 724 // Encrypt encrypts plaintext using key k. 725 // The opts argument should be appropriate for the primitive used. 726 func (csp *impl) Encrypt(k bccsp.Key, plaintext []byte, opts bccsp.EncrypterOpts) (ciphertext []byte, err error) { 727 // Validate arguments 728 if k == nil { 729 return nil, errors.New("Invalid Key. It must not be nil.") 730 } 731 732 // Check key type 733 switch k.(type) { 734 case *aesPrivateKey: 735 // check for mode 736 switch opts.(type) { 737 case *bccsp.AESCBCPKCS7ModeOpts, bccsp.AESCBCPKCS7ModeOpts: 738 // AES in CBC mode with PKCS7 padding 739 return AESCBCPKCS7Encrypt(k.(*aesPrivateKey).privKey, plaintext) 740 default: 741 return nil, fmt.Errorf("Mode not recognized [%s]", opts) 742 } 743 default: 744 return nil, fmt.Errorf("Key type not recognized [%s]", k) 745 } 746 } 747 748 // Decrypt decrypts ciphertext using key k. 749 // The opts argument should be appropriate for the primitive used. 750 func (csp *impl) Decrypt(k bccsp.Key, ciphertext []byte, opts bccsp.DecrypterOpts) (plaintext []byte, err error) { 751 // Validate arguments 752 if k == nil { 753 return nil, errors.New("Invalid Key. It must not be nil.") 754 } 755 756 // Check key type 757 switch k.(type) { 758 case *aesPrivateKey: 759 // check for mode 760 switch opts.(type) { 761 case *bccsp.AESCBCPKCS7ModeOpts, bccsp.AESCBCPKCS7ModeOpts: 762 // AES in CBC mode with PKCS7 padding 763 return AESCBCPKCS7Decrypt(k.(*aesPrivateKey).privKey, ciphertext) 764 default: 765 return nil, fmt.Errorf("Mode not recognized [%s]", opts) 766 } 767 default: 768 return nil, fmt.Errorf("Key type not recognized [%s]", k) 769 } 770 }