/*
Copyright Avast Software. All Rights Reserved.

SPDX-License-Identifier: Apache-2.0
*/

package localkms

import (
	"fmt"

	"github.com/golang/protobuf/proto"
	"github.com/google/tink/go/aead"
	"github.com/google/tink/go/mac"
	commonpb "github.com/google/tink/go/proto/common_go_proto"
	ecdsapb "github.com/google/tink/go/proto/ecdsa_go_proto"
	tinkpb "github.com/google/tink/go/proto/tink_go_proto"
	"github.com/google/tink/go/signature"

	"github.com/trustbloc/kms-go/spi/kms"

	"github.com/trustbloc/kms-go/crypto/tinkcrypto/primitive/bbs"
	"github.com/trustbloc/kms-go/crypto/tinkcrypto/primitive/composite/ecdh"
	"github.com/trustbloc/kms-go/crypto/tinkcrypto/primitive/secp256k1"
)

// keyTemplate resolves a kms.KeyType to the Tink KeyTemplate used to generate
// keys of that type, or returns an error when keyType is not one the local KMS
// knows how to generate. The variadic kms.KeyOpts parameter is accepted for
// signature compatibility but is not consulted here.
//
// The ECDSA and Ed25519 selections are the prefix-less (RAW) variants, so
// signatures carry no Tink key-ID prefix and verifiers must locate the key
// themselves. The secp256k1 templates are the only ones whose constructors can
// fail; their (template, error) result is returned unchanged.
//
// NOTE(review): the error text below names "getKeyTemplate" rather than this
// function; it is kept verbatim because callers or tests may match on it.
//
// nolint:gocyclo,funlen
func keyTemplate(keyType kms.KeyType, _ ...kms.KeyOpts) (*tinkpb.KeyTemplate, error) {
	var tmpl *tinkpb.KeyTemplate

	switch keyType {
	// Symmetric AEAD.
	case kms.AES128GCMType:
		tmpl = aead.AES128GCMKeyTemplate()
	case kms.AES256GCMNoPrefixType:
		// RAW output prefix so that keys not generated by Tink can be imported and used.
		tmpl = aead.AES256GCMNoPrefixKeyTemplate()
	case kms.AES256GCMType:
		tmpl = aead.AES256GCMKeyTemplate()
	case kms.ChaCha20Poly1305Type:
		tmpl = aead.ChaCha20Poly1305KeyTemplate()
	case kms.XChaCha20Poly1305Type:
		tmpl = aead.XChaCha20Poly1305KeyTemplate()

	// ECDSA with DER-encoded signatures.
	case kms.ECDSAP256TypeDER:
		tmpl = signature.ECDSAP256KeyWithoutPrefixTemplate()
	case kms.ECDSAP384TypeDER:
		// Tink's signature.ECDSAP384KeyWithoutPrefixTemplate() hashes with SHA-512 when signing and
		// verifying. This KMS type must use SHA-384, matching the IEEE P1363 P-384 template below, so
		// the template is built locally instead of taken from Tink.
		tmpl = createECDSAKeyTemplate(ecdsapb.EcdsaSignatureEncoding_DER, commonpb.HashType_SHA384,
			commonpb.EllipticCurveType_NIST_P384)
	case kms.ECDSAP521TypeDER:
		tmpl = signature.ECDSAP521KeyWithoutPrefixTemplate()

	// ECDSA with IEEE P1363 (fixed-size r||s) signatures; JWS keys must sign in this format, not DER.
	case kms.ECDSAP256TypeIEEEP1363:
		tmpl = createECDSAIEEE1363KeyTemplate(commonpb.HashType_SHA256, commonpb.EllipticCurveType_NIST_P256)
	case kms.ECDSAP384TypeIEEEP1363:
		tmpl = createECDSAIEEE1363KeyTemplate(commonpb.HashType_SHA384, commonpb.EllipticCurveType_NIST_P384)
	case kms.ECDSAP521TypeIEEEP1363:
		tmpl = createECDSAIEEE1363KeyTemplate(commonpb.HashType_SHA512, commonpb.EllipticCurveType_NIST_P521)

	// Ed25519 signing.
	case kms.ED25519Type:
		tmpl = signature.ED25519KeyWithoutPrefixTemplate()

	// MAC.
	case kms.HMACSHA256Tag256Type:
		tmpl = mac.HMACSHA256Tag256KeyTemplate()

	// ECDH key wrapping.
	case kms.NISTP256ECDHKWType:
		tmpl = ecdh.NISTP256ECDHKWKeyTemplate()
	case kms.NISTP384ECDHKWType:
		tmpl = ecdh.NISTP384ECDHKWKeyTemplate()
	case kms.NISTP521ECDHKWType:
		tmpl = ecdh.NISTP521ECDHKWKeyTemplate()
	case kms.X25519ECDHKWType:
		tmpl = ecdh.X25519ECDHKWKeyTemplate()

	// BBS+ signatures on BLS12-381 G2.
	case kms.BLS12381G2Type:
		tmpl = bbs.BLS12381G2KeyTemplate()

	// secp256k1 ECDSA: these constructors report their own errors, so propagate their result as-is.
	case kms.ECDSASecp256k1DER:
		return secp256k1.DERKeyTemplate()
	case kms.ECDSASecp256k1IEEEP1363:
		return secp256k1.IEEEP1363KeyTemplate()

	default:
		return nil, fmt.Errorf("getKeyTemplate: key type '%s' unrecognized", keyType)
	}

	return tmpl, nil
}

// createECDSAIEEE1363KeyTemplate builds a RAW-prefix ECDSA key template whose
// signatures use the IEEE P1363 (fixed-size r||s) encoding on the given curve
// with the given hash.
func createECDSAIEEE1363KeyTemplate(hashType commonpb.HashType, curve commonpb.EllipticCurveType) *tinkpb.KeyTemplate {
	const encoding = ecdsapb.EcdsaSignatureEncoding_IEEE_P1363

	return createECDSAKeyTemplate(encoding, hashType, curve)
}

// createECDSAKeyTemplate builds an ECDSA private-key template for
// ecdsaPrivateKeyTypeURL with the given signature encoding, hash and curve.
// OutputPrefixType is RAW: signatures carry no Tink key-ID prefix.
//
// The proto.Marshal error is deliberately dropped, as Tink's own template
// constructors do: marshalling a fully populated EcdsaKeyFormat is not expected
// to fail. NOTE(review): should it ever fail, Value would be empty; presumably
// key generation from such a template is rejected downstream — confirm.
func createECDSAKeyTemplate(sigEncoding ecdsapb.EcdsaSignatureEncoding, hashType commonpb.HashType,
	curve commonpb.EllipticCurveType) *tinkpb.KeyTemplate {
	keyFormat := &ecdsapb.EcdsaKeyFormat{
		Params: &ecdsapb.EcdsaParams{
			HashType: hashType,
			Curve:    curve,
			Encoding: sigEncoding,
		},
	}

	value, _ := proto.Marshal(keyFormat) //nolint:errcheck

	tmpl := &tinkpb.KeyTemplate{
		TypeUrl:          ecdsaPrivateKeyTypeURL,
		OutputPrefixType: tinkpb.OutputPrefixType_RAW,
	}
	tmpl.Value = value

	return tmpl
}