github.com/letsencrypt/trillian@v1.1.2-0.20180615153820-ae375a99d36a/crypto/signer.go (about)

     1  // Copyright 2016 Google Inc. All Rights Reserved.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package crypto provides signing functionality for Trillian.
    16  package crypto
    17  
    18  import (
    19  	"crypto"
    20  	"crypto/rand"
    21  
    22  	"github.com/golang/glog"
    23  	"github.com/google/trillian"
    24  	"github.com/google/trillian/types"
    25  )
    26  
    27  // Signer is responsible for signing log-related data and producing the appropriate
    28  // application specific signature objects.
    29  type Signer struct {
    30  	KeyHint []byte
    31  	Hash    crypto.Hash
    32  	Signer  crypto.Signer
    33  }
    34  
    35  // NewSigner returns a new signer. The signer will set the KeyHint field, when available, with KeyID.
    36  func NewSigner(keyID int64, signer crypto.Signer, hash crypto.Hash) *Signer {
    37  	return &Signer{
    38  		KeyHint: types.SerializeKeyHint(keyID),
    39  		Hash:    hash,
    40  		Signer:  signer,
    41  	}
    42  }
    43  
    44  // NewSHA256Signer creates a new SHA256 based Signer and a KeyID of 0.
    45  // TODO(gbelvin): remove
    46  func NewSHA256Signer(signer crypto.Signer) *Signer {
    47  	return &Signer{
    48  		Hash:   crypto.SHA256,
    49  		Signer: signer,
    50  	}
    51  }
    52  
    53  // Public returns the public key that can verify signatures produced by s.
    54  func (s *Signer) Public() crypto.PublicKey {
    55  	return s.Signer.Public()
    56  }
    57  
    58  // Sign obtains a signature after first hashing the input data.
    59  func (s *Signer) Sign(data []byte) ([]byte, error) {
    60  	h := s.Hash.New()
    61  	h.Write(data)
    62  	digest := h.Sum(nil)
    63  
    64  	return s.Signer.Sign(rand.Reader, digest, s.Hash)
    65  }
    66  
    67  // SignLogRoot returns a complete SignedLogRoot (including signature).
    68  func (s *Signer) SignLogRoot(r *types.LogRootV1) (*trillian.SignedLogRoot, error) {
    69  	logRoot, err := r.MarshalBinary()
    70  	if err != nil {
    71  		return nil, err
    72  	}
    73  	signature, err := s.Sign(logRoot)
    74  	if err != nil {
    75  		glog.Warningf("%v: signer failed to sign log root: %v", s.KeyHint, err)
    76  		return nil, err
    77  	}
    78  
    79  	return &trillian.SignedLogRoot{
    80  		KeyHint:          s.KeyHint,
    81  		LogRoot:          logRoot,
    82  		LogRootSignature: signature,
    83  		// TODO(gbelvin): Remove deprecated fields
    84  		TimestampNanos: int64(r.TimestampNanos),
    85  		RootHash:       r.RootHash,
    86  		TreeSize:       int64(r.TreeSize),
    87  		TreeRevision:   int64(r.Revision),
    88  	}, nil
    89  }
    90  
    91  // SignMapRoot hashes and signs the supplied (to-be) SignedMapRoot and returns a signature.
    92  func (s *Signer) SignMapRoot(r *types.MapRootV1) (*trillian.SignedMapRoot, error) {
    93  	rootBytes, err := r.MarshalBinary()
    94  	if err != nil {
    95  		return nil, err
    96  	}
    97  
    98  	signature, err := s.Sign(rootBytes)
    99  	if err != nil {
   100  		glog.Warningf("%v: signer failed to sign map root: %v", s.KeyHint, err)
   101  		return nil, err
   102  	}
   103  
   104  	return &trillian.SignedMapRoot{
   105  		MapRoot:   rootBytes,
   106  		Signature: signature,
   107  	}, nil
   108  }