sign.go
package pkcs11
import (
"crypto"
"crypto/ecdsa"
"crypto/rsa"
"encoding/asn1"
"io"
"math/big"
"fmt"
"github.com/miekg/pkcs11"
)
// dsaSignature holds the two integers of an (R, S) signature pair. The field
// order matters: values of this shape are built with unkeyed literals and
// passed to asn1.Marshal, which encodes the fields in declaration order.
type dsaSignature struct {
	R *big.Int
	S *big.Int
}

// ecdsaSignature is the structure Sign passes to asn1.Marshal to encode an
// ECDSA signature; it has the same layout as dsaSignature.
type ecdsaSignature dsaSignature
// PrivateKey is a handle to a private key that lives on a PKCS#11 token.
//
// The struct carries no key material: it only records the PKCS#11 library
// context, the session to use, and the CKA_ID under which the key is looked
// up. Sign accepts both RSA and ECDSA keys, so despite its history this type
// is not RSA-specific.
type PrivateKey struct {
	// ctx is the PKCS#11 library context every call goes through.
	ctx *pkcs11.Ctx
	// sessionHandle identifies the session used for lookups and signing.
	sessionHandle pkcs11.SessionHandle
	// ckaId is the CKA_ID value used to find the key objects on the token.
	ckaId []byte
}
// InitPrivateKey bundles a PKCS#11 context, a session handle and a CKA_ID
// into a PrivateKey.
//
// Nothing is validated here and the token is not contacted; a missing or
// wrong key only surfaces later, when Public or Sign is called. The returned
// error is always nil. ckaId is stored without copying, so the caller must
// not modify the slice afterwards.
func InitPrivateKey(p *pkcs11.Ctx, s pkcs11.SessionHandle, ckaId []byte) (*PrivateKey, error) {
	key := new(PrivateKey)
	key.ctx = p
	key.sessionHandle = s
	key.ckaId = ckaId
	return key, nil
}
// Public returns the public key corresponding to priv, fetched from the
// token through GetPublic on every call (nothing is cached here).
//
// The method signature leaves no room for an error, so any lookup failure is
// dropped and reported as a nil key. Callers must check for nil before using
// the result; Sign does so and refuses to sign without a public key.
func (priv *PrivateKey) Public() crypto.PublicKey {
	pub, err := GetPublic(priv.ctx, priv.sessionHandle, priv.ckaId)
	if err == nil {
		return pub
	}
	// The cause of the failure is not propagated to the caller.
	return nil
}
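// Sign delegates the signing of msg to the PKCS#11 library and returns the
// signature in the encoding Go's crypto packages expect.
//
// msg is passed to the token as given (for RSA, behind a DigestInfo prefix),
// so it is expected to be the digest of the data, already computed by the
// caller. rand is not used.
//
//   - RSA keys: signs with CKM_RSA_PKCS, i.e. PKCS#1 v1.5. The DigestInfo
//     prefix for opts.HashFunc() is prepended before the token is called.
//     opts must be non-nil, and *rsa.PSSOptions is rejected: this code path
//     cannot produce a PSS signature, and handing back a PKCS#1 v1.5
//     signature to a caller that asked for PSS would be a silent downgrade.
//   - ECDSA keys: signs with CKM_ECDSA. The token's raw signature is split
//     into two equal halves (r, then s) and re-encoded with asn1.Marshal.
//
// The signature is verified against the public key before it is returned.
// On any failure the returned slice is nil, so a signature that did not
// verify can never reach a caller that forgets to check err.
//
// NOTE(review): SignInit and Sign are two separate calls on the shared
// session handle; presumably the same session must not be used for signing
// from several goroutines at once. Confirm against the callers.
func (priv *PrivateKey) Sign(rand io.Reader, msg []byte, opts crypto.SignerOpts) (sig []byte, err error) {
	// The public key decides the mechanism and is needed for the final
	// verification, so there is no point signing without it.
	publicKey := priv.Public()
	if publicKey == nil {
		return nil, fmt.Errorf("Public key of signing private key not found")
	}

	// Pre signing: pick the mechanism and build the exact bytes the token
	// will sign. msg itself is never modified, so it can be reused for the
	// verification step below.
	var mechanism *pkcs11.Mechanism
	toSign := msg
	switch publicKey.(type) {
	case *rsa.PublicKey:
		if opts == nil {
			return nil, fmt.Errorf("Signer options are required for RSA keys")
		}
		if _, isPSS := opts.(*rsa.PSSOptions); isPSS {
			return nil, fmt.Errorf("RSA-PSS is not supported, only PKCS#1 v1.5")
		}
		mechanism = pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS, nil)

		// DigestInfo (PKCS1v15). The prefix is copied into a fresh buffer
		// instead of being appended to: appending to the slice stored in
		// the shared hashPrefixes table could write msg into that table's
		// backing array if it ever had spare capacity.
		// NOTE(review): hashPrefixes is defined elsewhere in the package;
		// a hash without an entry presumably yields an empty prefix, which
		// is only caught by the verification after signing.
		prefix := hashPrefixes[opts.HashFunc()]
		toSign = make([]byte, 0, len(prefix)+len(msg))
		toSign = append(toSign, prefix...)
		toSign = append(toSign, msg...)
	case *ecdsa.PublicKey:
		mechanism = pkcs11.NewMechanism(pkcs11.CKM_ECDSA, nil)
	default:
		return nil, fmt.Errorf("Only RSA and ECDSA keys are supported")
	}

	// Get the key identifier based on the CKA_ID. err here is the named
	// result, not a shadowing variable: both live in the function scope.
	keyId, err := getKeyId(priv.ctx, priv.sessionHandle, priv.ckaId)
	if err != nil {
		return nil, err
	}

	// Signing initiation
	err = priv.ctx.SignInit(priv.sessionHandle, []*pkcs11.Mechanism{mechanism}, keyId)
	if err != nil {
		return nil, fmt.Errorf("Signing Initiation failed (%s)", err.Error())
	}

	// Sign
	sig, err = priv.ctx.Sign(priv.sessionHandle, toSign)
	if err != nil {
		return nil, fmt.Errorf("Signing failed (%s)", err.Error())
	}

	// Post signing: never return a signature that does not verify under
	// the public key read from the token.
	switch pub := publicKey.(type) {
	case *rsa.PublicKey:
		if rsa.VerifyPKCS1v15(pub, opts.HashFunc(), msg, sig) != nil {
			return nil, fmt.Errorf("Invalid RSA signature")
		}
	case *ecdsa.PublicKey:
		// The raw signature is r followed by s, each taking half of the
		// buffer; an empty or odd-length buffer cannot be split that way.
		if len(sig) == 0 || len(sig)%2 != 0 {
			return nil, fmt.Errorf("Invalid ECDSA signature")
		}
		half := len(sig) / 2
		r := new(big.Int).SetBytes(sig[:half])
		s := new(big.Int).SetBytes(sig[half:])
		if !ecdsa.Verify(pub, msg, r, s) {
			return nil, fmt.Errorf("Invalid ECDSA signature")
		}

		// Marshal ECDSA signature
		sig, err = asn1.Marshal(ecdsaSignature{r, s})
		if err != nil {
			return nil, err
		}
	}

	return sig, nil
}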