
     1  // Copyright 2017 Google Inc. All Rights Reserved.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package keys
    16  
    17  import (
    18  	"context"
    19  	"crypto"
    20  	"crypto/ecdsa"
    21  	"crypto/elliptic"
    22  	"crypto/rand"
    23  	"crypto/rsa"
    24  	"fmt"
    25  
    26  	"github.com/golang/protobuf/proto"
    27  	"github.com/google/trillian/crypto/keyspb"
    28  )
    29  
const (
	// DefaultRsaKeySizeInBits is the size of an RSA key generated by this package, in bits, if not overridden.
	// It equals MinRsaKeySizeInBits, so a spec that leaves the size unset gets the smallest size this package accepts.
	DefaultRsaKeySizeInBits = 2048

	// MinRsaKeySizeInBits is the smallest RSA key that this package will generate.
	// NewFromSpec rejects any RsaParams.Bits below this value (including negative values) with an error.
	MinRsaKeySizeInBits = 2048
)
    37  
// ProtoGenerator creates a new private key based on a key specification.
// It returns a proto that can be passed to a ProtoHandler to get a crypto.Signer.
//
// Note that NewFromSpec in this file is not a ProtoGenerator: it takes no
// context and returns the crypto.Signer itself rather than a proto describing it.
type ProtoGenerator func(context.Context, *keyspb.Specification) (proto.Message, error)
    41  
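// NewFromSpec generates a new private key based on a key specification.
// If an RSA key is specified, the key size must be at least MinRsaKeySizeInBits.
//
// Key material is drawn from crypto/rand.Reader. On error the returned
// crypto.Signer is always an untyped nil, never an interface value wrapping
// a nil *ecdsa.PrivateKey or *rsa.PrivateKey, so callers may test either
// return value.
func NewFromSpec(spec *keyspb.Specification) (crypto.Signer, error) {
	switch params := spec.GetParams().(type) {
	case *keyspb.Specification_EcdsaParams:
		curve := ECDSACurveFromParams(params.EcdsaParams)
		if curve == nil {
			return nil, fmt.Errorf("unsupported ECDSA curve: %s", params.EcdsaParams.GetCurve())
		}

		key, err := ecdsa.GenerateKey(curve, rand.Reader)
		if err != nil {
			// Returning GenerateKey's (nil, err) pair directly would box a nil
			// *ecdsa.PrivateKey into a non-nil crypto.Signer; return a plain nil.
			return nil, err
		}
		return key, nil
	case *keyspb.Specification_RsaParams:
		// A zero size means "not specified" and selects the package default.
		bits := int(params.RsaParams.GetBits())
		if bits == 0 {
			bits = DefaultRsaKeySizeInBits
		}
		// This also rejects negative sizes before they reach rsa.GenerateKey.
		if bits < MinRsaKeySizeInBits {
			return nil, fmt.Errorf("minimum RSA key size is %v bits, got %v bits", MinRsaKeySizeInBits, bits)
		}
		// NOTE(review): there is no upper bound on bits; RSA generation time grows
		// steeply with key size, so confirm specs only arrive from trusted config.

		key, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil {
			// Same typed-nil concern as the ECDSA branch above.
			return nil, err
		}
		return key, nil
	default:
		return nil, fmt.Errorf("unsupported keygen params type: %T", params)
	}
}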
    67  
// ECDSACurveFromParams returns the curve specified by the given parameters.
// Returns nil if the curve is not supported.
//
// DEFAULT_CURVE resolves to P-256. Any other value outside P-256, P-384 and
// P-521 (including unknown enum values) yields nil rather than a fallback
// curve, so callers must check the result before generating a key.
func ECDSACurveFromParams(params *keyspb.Specification_ECDSA) elliptic.Curve {
	var curve elliptic.Curve
	switch params.GetCurve() {
	case keyspb.Specification_ECDSA_DEFAULT_CURVE, keyspb.Specification_ECDSA_P256:
		curve = elliptic.P256()
	case keyspb.Specification_ECDSA_P384:
		curve = elliptic.P384()
	case keyspb.Specification_ECDSA_P521:
		curve = elliptic.P521()
	}
	return curve
}