File: keys.go

package info (click to toggle)
tiup 1.16.3-1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 6,384 kB
  • sloc: sh: 1,988; makefile: 138; sql: 16
file content (139 lines) | stat: -rw-r--r-- 4,328 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
 
// Copyright 2020 PingCAP, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// See the License for the specific language governing permissions and
// limitations under the License.

package crypto

import (
	"crypto"
	"crypto/x509"
	"errors"
)

var (
	// ErrorKeyUninitialized will be present when key is used before Deserialize called
	ErrorKeyUninitialized = errors.New("key not initialized, call Deserialize first")
	// ErrorDeserializeKey means the key format is not valid
	ErrorDeserializeKey = errors.New("error on deserialize key, check if the key is valid")
	// ErrorUnsupportedKeyType means we don't supported this type of key
	ErrorUnsupportedKeyType = errors.New("provided key type not supported")
	// ErrorUnsupportedKeySchema means we don't support this schema
	ErrorUnsupportedKeySchema = errors.New("provided schema not supported")
)

const (
	// KeyTypeRSA represents the RSA type of keys
	KeyTypeRSA = "rsa"

	// KeySchemeRSASSAPSSSHA256 represents rsassa-pss-sha256 scheme
	KeySchemeRSASSAPSSSHA256 = "rsassa-pss-sha256"

	// strings used for cert subject
	pkixOrganization       = "PingCAP"
	pkixOrganizationalUnit = "TiUP"

	// PKCS12Password is a hard-coded password for PKCS#12 file, it is by
	// intend to use pre-defined string instead of generated every time,
	// as the encryption of PKCS#12 it self is weak. The key should be
	// protected by other means.
	PKCS12Password = "tiup"
)

// Serializable represents object that can be serialized and deserialized
type Serializable interface {
	// Translate the key to the format that can be stored
	Serialize() ([]byte, error)

	// Deserialize a key from data
	Deserialize([]byte) error
}

// PubKey is a public key available to TiUP
type PubKey interface {
	Serializable
	// Type returns the type of the key, e.g. RSA
	Type() string
	// Scheme returns the scheme of  signature algorithm, e.g. rsassa-pss-sha256
	Scheme() string
	// Key returns the raw public key
	Key() crypto.PublicKey
	// VerifySignature check the signature is right
	VerifySignature(payload []byte, sig string) error
}

// PrivKey is the private key that provide signature method
type PrivKey interface {
	Serializable
	// Type returns the type of the key, e.g. RSA
	Type() string
	// Scheme returns the scheme of  signature algorithm, e.g. rsassa-pss-sha256
	Scheme() string
	// Signature sign a signature with the key for payload
	Signature(payload []byte) (string, error)
	// Signer returns the signer of the private key
	Signer() crypto.Signer
	// Public returns public key of the PrivKey
	Public() PubKey
	// Pem returns the raw private key in PEM format
	Pem() []byte
	// CSR creates a new CSR from the private key
	CSR(role, commonName string, hostList []string, IPList []string) ([]byte, error)
	// PKCS12 encodes the certificate to a pfxData
	PKCS12(cert *x509.Certificate, ca *CertificateAuthority) ([]byte, error)
}

// NewKeyPair return a pair of key
func NewKeyPair(keyType, keyScheme string) (PrivKey, error) {
	// We only support RSA now
	if keyType != KeyTypeRSA {
		return nil, ErrorUnsupportedKeyType
	}

	// We only support rsassa-pss-sha256 now
	if keyScheme != KeySchemeRSASSAPSSSHA256 {
		return nil, ErrorUnsupportedKeySchema
	}

	return RSAPair()
}

// NewPrivKey return PrivKey
func NewPrivKey(keyType, keyScheme string, key []byte) (PrivKey, error) {
	// We only support RSA now
	if keyType != KeyTypeRSA {
		return nil, ErrorUnsupportedKeyType
	}

	// We only support rsassa-pss-sha256 now
	if keyScheme != KeySchemeRSASSAPSSSHA256 {
		return nil, ErrorUnsupportedKeySchema
	}

	priv := &RSAPrivKey{}
	return priv, priv.Deserialize(key)
}

// NewPubKey return PrivKey
func NewPubKey(keyType, keyScheme string, key []byte) (PubKey, error) {
	// We only support RSA now
	if keyType != KeyTypeRSA {
		return nil, ErrorUnsupportedKeyType
	}

	// We only support rsassa-pss-sha256 now
	if keyScheme != KeySchemeRSASSAPSSSHA256 {
		return nil, ErrorUnsupportedKeySchema
	}

	pub := &RSAPubKey{}
	return pub, pub.Deserialize(key)
}