[PD1] encryptMessageContent and supporting function implemented
This commit is contained in:
parent
2c4f1fd2fc
commit
0629b45894
SSH key fingerprint:
SHA256:odOD9vln9U7qNe1R8o3UCbE3jkQCkr5/q5mgd5hwua0
1 changed files with 78 additions and 15 deletions
|
|
@ -2,13 +2,19 @@ package cryptoUtils
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"PD1/internal/client"
|
"PD1/internal/client"
|
||||||
|
"crypto"
|
||||||
|
"crypto/rand"
|
||||||
"crypto/rsa"
|
"crypto/rsa"
|
||||||
|
"crypto/sha256"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
|
"encoding/binary"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
"log"
|
"log"
|
||||||
"os"
|
"os"
|
||||||
|
|
||||||
|
"vendor/golang.org/x/crypto/chacha20poly1305"
|
||||||
|
|
||||||
"software.sslmate.com/src/go-pkcs12"
|
"software.sslmate.com/src/go-pkcs12"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
@ -51,26 +57,26 @@ func LoadKeyStore(keyStorePath string) KeyStore {
|
||||||
return KeyStore{cert: cert, caCertChain: caCerts, privKey: privKey}
|
return KeyStore{cert: cert, caCertChain: caCerts, privKey: privKey}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (k KeyStore)GetTLSConfig() *tls.Config {
|
func (k KeyStore) GetTLSConfig() *tls.Config {
|
||||||
certificate ,err := tls.X509KeyPair(k.cert.Raw, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(&k.privKey)}))
|
certificate, err := tls.X509KeyPair(k.cert.Raw, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(&k.privKey)}))
|
||||||
if err!=nil{
|
if err != nil {
|
||||||
log.Panicln("Could not load certificate and privkey to TLS")
|
log.Panicln("Could not load certificate and privkey to TLS")
|
||||||
}
|
}
|
||||||
|
|
||||||
//Add the CA certificate chain to a CertPool
|
//Add the CA certificate chain to a CertPool
|
||||||
caCertPool := x509.NewCertPool()
|
caCertPool := x509.NewCertPool()
|
||||||
for _, caCert := range k.caCertChain {
|
for _, caCert := range k.caCertChain {
|
||||||
caCertPool.AddCert(caCert)
|
caCertPool.AddCert(caCert)
|
||||||
}
|
}
|
||||||
|
|
||||||
config := &tls.Config{
|
config := &tls.Config{
|
||||||
Certificates: []tls.Certificate{certificate},
|
Certificates: []tls.Certificate{certificate},
|
||||||
ClientCAs: caCertPool,
|
ClientCAs: caCertPool,
|
||||||
}
|
}
|
||||||
return config
|
return config
|
||||||
}
|
}
|
||||||
|
|
||||||
func (k KeyStore)GetTLSConfigServer() *tls.Config {
|
func (k KeyStore) GetTLSConfigServer() *tls.Config {
|
||||||
config := k.GetTLSConfig()
|
config := k.GetTLSConfig()
|
||||||
|
|
||||||
config.ClientAuth = tls.RequireAndVerifyClientCert
|
config.ClientAuth = tls.RequireAndVerifyClientCert
|
||||||
|
|
@ -78,15 +84,72 @@ func (k KeyStore)GetTLSConfigServer() *tls.Config {
|
||||||
return config
|
return config
|
||||||
}
|
}
|
||||||
|
|
||||||
func (k KeyStore)GetTLSConfigClient() *tls.Config {
|
func (k KeyStore) GetTLSConfigClient() *tls.Config {
|
||||||
config:= k.GetTLSConfig()
|
config := k.GetTLSConfig()
|
||||||
|
|
||||||
config.ServerName = "SERVER"
|
config.ServerName = "SERVER"
|
||||||
|
|
||||||
return config
|
return config
|
||||||
}
|
}
|
||||||
|
|
||||||
func (k KeyStore)EncryptMessageContent(peerPubKey rsa.PublicKey, content []byte) []byte {
|
func (k KeyStore) EncryptMessageContent(receiverCert *x509.Certificate, content []byte) []byte {
|
||||||
// Digital envolope
|
// Digital envolope
|
||||||
return nil
|
|
||||||
|
// Create a random symmetric key
|
||||||
|
dataKey := make([]byte, 32)
|
||||||
|
if _, err := rand.Read(dataKey); err != nil {
|
||||||
|
log.Panicln("Could not create dataKey properly: ", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
cipher, err := chacha20poly1305.New(dataKey)
|
||||||
|
if err != nil {
|
||||||
|
log.Panicln("Could not create cipher: ", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
nonce := make([]byte, cipher.NonceSize(), cipher.NonceSize()+len(content)+cipher.Overhead())
|
||||||
|
if _, err := rand.Read(nonce); err != nil {
|
||||||
|
log.Panicln("Could not create data nonce properly: ", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// sign the message and append the signature
|
||||||
|
hashedContent := sha256.Sum256(content)
|
||||||
|
signature, err := rsa.SignPKCS1v15(nil, &k.privKey, crypto.SHA256, hashedContent[:])
|
||||||
|
if err != nil {
|
||||||
|
log.Panicln("Could not create content signature: ", err)
|
||||||
|
}
|
||||||
|
content = pair(content, signature)
|
||||||
|
ciphertext := cipher.Seal(nonce, nonce, content, nil)
|
||||||
|
|
||||||
|
// crypto/rand.Reader is a good source of entropy for randomizing the
|
||||||
|
// encryption function.
|
||||||
|
receiverPubKey := receiverCert.PublicKey.(*rsa.PublicKey)
|
||||||
|
encryptedDataKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPubKey, dataKey, nil)
|
||||||
|
if err != nil {
|
||||||
|
log.Panicln("Could not encrypt dataKey: ", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return pair(encryptedDataKey, ciphertext)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (k KeyStore) DecryptMessageContent(senderCert *x509.Certificate, cipherContent []byte) []byte {
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func pair(l []byte, r []byte) []byte {
|
||||||
|
length := len(l)
|
||||||
|
lenBytes := make([]byte, 2)
|
||||||
|
binary.BigEndian.PutUint16(lenBytes, uint16(length))
|
||||||
|
|
||||||
|
lWithLen := append(lenBytes, l...)
|
||||||
|
return append(lWithLen, r...)
|
||||||
|
}
|
||||||
|
|
||||||
|
func unPair(pair []byte) ([]byte, []byte) {
|
||||||
|
lenBytes := pair[:2]
|
||||||
|
pair = pair[2:]
|
||||||
|
length := binary.BigEndian.Uint16(lenBytes)
|
||||||
|
l := pair[:length]
|
||||||
|
r := pair[length:]
|
||||||
|
return l, r
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue