From e7801b268c97c6b72bfcd76549ce5fd50ab0b1b5 Mon Sep 17 00:00:00 2001 From: Rasmus Dahlberg Date: Tue, 27 Oct 2020 19:16:10 +0100 Subject: added ed25519 signing and SDIs --- x509.go | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) (limited to 'x509.go') diff --git a/x509.go b/x509.go index 4e5a4d6..1e443a1 100644 --- a/x509.go +++ b/x509.go @@ -3,6 +3,9 @@ package stfe import ( "fmt" + "crypto" + "crypto/rand" + "crypto/ed25519" "crypto/ecdsa" "crypto/rsa" "crypto/x509" @@ -44,6 +47,38 @@ func LoadTrustAnchors(path string) ([]*x509.Certificate, *x509.CertPool, error) return anchors, pool, nil } + +func LoadEd25519SigningKey(path string) (ed25519.PrivateKey, error) { + data, err := ioutil.ReadFile(path) + if err != nil { + return nil, fmt.Errorf("failed reading private key: %v", err) + } + + var block *pem.Block + block, data = pem.Decode(data) + if block == nil { + return nil, fmt.Errorf("private key not loaded") + } + if block.Type != "PRIVATE KEY" { + return nil, fmt.Errorf("unexpected PEM block type: %s", block.Type) + } + if len(data) != 0 { + return nil, fmt.Errorf("trailing data found after key: %v", data) + } + + key, err := x509.ParsePKCS8PrivateKey(block.Bytes) + if err != nil { + return nil, fmt.Errorf("failed parsing signing key: %v", err) + } + + switch t := key.(type) { + case ed25519.PrivateKey: + return key.(ed25519.PrivateKey), nil + default: + return nil, fmt.Errorf("unexpected signing key type: %v", t) + } +} + func VerifyChain(ld *LogParameters, certificate *x509.Certificate) ([]*x509.Certificate, error) { opts := x509.VerifyOptions{ Roots: ld.AnchorPool, @@ -76,3 +111,13 @@ func VerifySignature(leaf, signature []byte, certificate *x509.Certificate) erro } return nil } + + +func GenV1SDI(ld *LogParameters, leaf []byte) (StItem, error) { + // Note that ed25519 does not use the passed io.Reader + sig, err := ld.Signer.Sign(rand.Reader, leaf, crypto.Hash(0)) + if err != nil { + return StItem{}, fmt.Errorf("ed25519 signature failed: %v", err) + } + return NewSignedDebugInfoV1(ld.LogId, []byte("reserved"), sig), nil +} -- cgit v1.2.3