luke-20/fckeuspy-go
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2b7e3f6c85
fckeuspy-go/lib/crypto.go

241 lines
5.9 KiB
Go
Raw Blame History

package encrypt
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"crypto/rsa"
"crypto/sha256"
"crypto/x509"
"crypto/x509/pkix"
"encoding/base64"
"encoding/json"
"encoding/pem"
"errors"
"fmt"
"io/fs"
"math/big"
"os"
"path/filepath"
"time"
)
type Envelope struct {
EK string `json:"ek"`
N string `json:"n"`
CT string `json:"ct"`
}
type Service struct {
Priv *rsa.PrivateKey `json:"priv,omitempty"`
PubPEM []byte `json:"pub,omitempty"`
CertPEM []byte `json:"cert,omitempty"`
dir string `json:"-"`
}
func NewService(storageDir string) (*Service, error) {
s := &Service{dir: storageDir}
if err := s.loadOrGenerateKeys(); err != nil {
return nil, err
}
return s, nil
}
func (s *Service) PublicPEM() string { return string(s.PubPEM) }
func (s *Service) PublicCert() string { return string(s.CertPEM) }
func (s *Service) Encrypt(message, peerPEMorCert string) (string, error) {
pubKey, err := parsePeerPublicKey(peerPEMorCert)
if err != nil {
return "", err
}
aesKey := make([]byte, 32)
if _, err := rand.Read(aesKey); err != nil {
return "", err
}
block, err := aes.NewCipher(aesKey)
if err != nil {
return "", err
}
gcm, err := cipher.NewGCM(block)
if err != nil {
return "", err
}
nonce := make([]byte, gcm.NonceSize())
if _, err := rand.Read(nonce); err != nil {
return "", err
}
ciphertext := gcm.Seal(nil, nonce, []byte(message), nil)
label := []byte{}
ek, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pubKey, aesKey, label)
if err != nil {
return "", err
}
env := Envelope{
EK: base64.StdEncoding.EncodeToString(ek),
N: base64.StdEncoding.EncodeToString(nonce),
CT: base64.StdEncoding.EncodeToString(ciphertext),
}
out, _ := json.MarshalIndent(env, "", " ")
return string(out), nil
}
func (s *Service) Decrypt(payload string) (string, error) {
var env Envelope
if err := json.Unmarshal([]byte(payload), &env); err != nil {
return "", fmt.Errorf("invalid JSON: %w", err)
}
ek, err := base64.StdEncoding.DecodeString(env.EK)
if err != nil {
return "", fmt.Errorf("ek b64: %w", err)
}
nonce, err := base64.StdEncoding.DecodeString(env.N)
if err != nil {
return "", fmt.Errorf("n b64: %w", err)
}
ct, err := base64.StdEncoding.DecodeString(env.CT)
if err != nil {
return "", fmt.Errorf("ct b64: %w", err)
}
label := []byte{}
aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.Priv, ek, label)
if err != nil {
return "", fmt.Errorf("RSA-OAEP decrypt: %w", err)
}
block, err := aes.NewCipher(aesKey)
if err != nil {
return "", err
}
gcm, err := cipher.NewGCM(block)
if err != nil {
return "", err
}
plain, err := gcm.Open(nil, nonce, ct, nil)
if err != nil {
return "", fmt.Errorf("GCM open: %w", err)
}
return string(plain), nil
}
func parsePeerPublicKey(pemOrCert string) (*rsa.PublicKey, error) {
block, _ := pem.Decode([]byte(pemOrCert))
if block == nil {
return nil, errors.New("no PEM block found")
}
switch block.Type {
case "PUBLIC KEY":
k, err := x509.ParsePKIXPublicKey(block.Bytes)
if err != nil {
return nil, err
}
rsaPub, ok := k.(*rsa.PublicKey)
if !ok {
return nil, errors.New("expecting RSA PUBLIC KEY")
}
return rsaPub, nil
case "RSA PUBLIC KEY":
return x509.ParsePKCS1PublicKey(block.Bytes)
case "CERTIFICATE":
c, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, err
}
rsaPub, ok := c.PublicKey.(*rsa.PublicKey)
if !ok {
return nil, errors.New("certificate does not contain RSA key")
}
return rsaPub, nil
default:
return nil, fmt.Errorf("unsupported PEM type: %s", block.Type)
}
}
func ParsePeerPublicKey(pemOrCert string) (*rsa.PublicKey, error) {
return parsePeerPublicKey(pemOrCert)
}
func (s *Service) loadOrGenerateKeys() error {
privPath := filepath.Join(s.dir, "identity_key.pem")
pubPath := filepath.Join(s.dir, "public.pem")
certPath := filepath.Join(s.dir, "identity.crt")
fmt.Printf("Using storage dir: %s\n", s.dir)
if fileExists(privPath) && fileExists(pubPath) && fileExists(certPath) {
pkBytes, err := os.ReadFile(privPath)
if err != nil {
return err
}
block, _ := pem.Decode(pkBytes)
if block == nil || block.Type != "RSA PRIVATE KEY" {
return errors.New("invalid private key PEM")
}
key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
if err != nil {
return err
}
s.Priv = key
s.PubPEM, _ = os.ReadFile(pubPath)
s.CertPEM, _ = os.ReadFile(certPath)
return nil
}
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return err
}
s.Priv = key
pubASN1, _ := x509.MarshalPKIXPublicKey(&s.Priv.PublicKey)
s.PubPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubASN1})
cert, err := generateSelfSignedCert(s.Priv)
if err != nil {
return err
}
s.CertPEM = cert
if err := os.MkdirAll(s.dir, 0o700); err != nil {
return err
}
if err := os.WriteFile(privPath, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(s.Priv)}), fs.FileMode(0o600)); err != nil {
return err
}
if err := os.WriteFile(pubPath, s.PubPEM, 0o644); err != nil {
return err
}
if err := os.WriteFile(certPath, s.CertPEM, 0o644); err != nil {
return err
}
return nil
}
func generateSelfSignedCert(priv *rsa.PrivateKey) ([]byte, error) {
tpl := &x509.Certificate{
SerialNumber: big.NewInt(time.Now().UnixNano()),
Subject: pkix.Name{CommonName: "Encryptor Local Identity"},
NotBefore: time.Now().Add(-1 * time.Hour),
NotAfter: time.Now().AddDate(1, 0, 0),
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
BasicConstraintsValid: true,
}
der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &priv.PublicKey, priv)
if err != nil {
return nil, err
}
buf := &bytes.Buffer{}
_ = pem.Encode(buf, &pem.Block{Type: "CERTIFICATE", Bytes: der})
return buf.Bytes(), nil
}
func fileExists(p string) bool {
info, err := os.Stat(p)
return err == nil && !info.IsDir()
}
Reference in New Issue View Git Blame Copy Permalink