123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608 |
- /*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
- package jose
- import (
- "crypto"
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/rsa"
- "crypto/x509"
- "encoding/base64"
- "errors"
- "fmt"
- "math/big"
- "reflect"
- "strings"
- "golang.org/x/crypto/ed25519"
- "gopkg.in/square/go-jose.v2/json"
- )
- // rawJSONWebKey represents a public or private key in JWK format, used for parsing/serializing.
- type rawJSONWebKey struct {
- Use string `json:"use,omitempty"`
- Kty string `json:"kty,omitempty"`
- Kid string `json:"kid,omitempty"`
- Crv string `json:"crv,omitempty"`
- Alg string `json:"alg,omitempty"`
- K *byteBuffer `json:"k,omitempty"`
- X *byteBuffer `json:"x,omitempty"`
- Y *byteBuffer `json:"y,omitempty"`
- N *byteBuffer `json:"n,omitempty"`
- E *byteBuffer `json:"e,omitempty"`
- // -- Following fields are only used for private keys --
- // RSA uses D, P and Q, while ECDSA uses only D. Fields Dp, Dq, and Qi are
- // completely optional. Therefore for RSA/ECDSA, D != nil is a contract that
- // we have a private key whereas D == nil means we have only a public key.
- D *byteBuffer `json:"d,omitempty"`
- P *byteBuffer `json:"p,omitempty"`
- Q *byteBuffer `json:"q,omitempty"`
- Dp *byteBuffer `json:"dp,omitempty"`
- Dq *byteBuffer `json:"dq,omitempty"`
- Qi *byteBuffer `json:"qi,omitempty"`
- // Certificates
- X5c []string `json:"x5c,omitempty"`
- }
- // JSONWebKey represents a public or private key in JWK format.
- type JSONWebKey struct {
- Key interface{}
- Certificates []*x509.Certificate
- KeyID string
- Algorithm string
- Use string
- }
- // MarshalJSON serializes the given key to its JSON representation.
- func (k JSONWebKey) MarshalJSON() ([]byte, error) {
- var raw *rawJSONWebKey
- var err error
- switch key := k.Key.(type) {
- case ed25519.PublicKey:
- raw = fromEdPublicKey(key)
- case *ecdsa.PublicKey:
- raw, err = fromEcPublicKey(key)
- case *rsa.PublicKey:
- raw = fromRsaPublicKey(key)
- case ed25519.PrivateKey:
- raw, err = fromEdPrivateKey(key)
- case *ecdsa.PrivateKey:
- raw, err = fromEcPrivateKey(key)
- case *rsa.PrivateKey:
- raw, err = fromRsaPrivateKey(key)
- case []byte:
- raw, err = fromSymmetricKey(key)
- default:
- return nil, fmt.Errorf("square/go-jose: unknown key type '%s'", reflect.TypeOf(key))
- }
- if err != nil {
- return nil, err
- }
- raw.Kid = k.KeyID
- raw.Alg = k.Algorithm
- raw.Use = k.Use
- for _, cert := range k.Certificates {
- raw.X5c = append(raw.X5c, base64.StdEncoding.EncodeToString(cert.Raw))
- }
- return json.Marshal(raw)
- }
- // UnmarshalJSON reads a key from its JSON representation.
- func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
- var raw rawJSONWebKey
- err = json.Unmarshal(data, &raw)
- if err != nil {
- return err
- }
- var key interface{}
- switch raw.Kty {
- case "EC":
- if raw.D != nil {
- key, err = raw.ecPrivateKey()
- } else {
- key, err = raw.ecPublicKey()
- }
- case "RSA":
- if raw.D != nil {
- key, err = raw.rsaPrivateKey()
- } else {
- key, err = raw.rsaPublicKey()
- }
- case "oct":
- key, err = raw.symmetricKey()
- case "OKP":
- if raw.Crv == "Ed25519" && raw.X != nil {
- if raw.D != nil {
- key, err = raw.edPrivateKey()
- } else {
- key, err = raw.edPublicKey()
- }
- } else {
- err = fmt.Errorf("square/go-jose: unknown curve %s'", raw.Crv)
- }
- default:
- err = fmt.Errorf("square/go-jose: unknown json web key type '%s'", raw.Kty)
- }
- if err == nil {
- *k = JSONWebKey{Key: key, KeyID: raw.Kid, Algorithm: raw.Alg, Use: raw.Use}
- k.Certificates, err = parseCertificateChain(raw.X5c)
- if err != nil {
- return fmt.Errorf("failed to unmarshal x5c field: %s", err)
- }
- }
- return
- }
- // JSONWebKeySet represents a JWK Set object.
- type JSONWebKeySet struct {
- Keys []JSONWebKey `json:"keys"`
- }
- // Key convenience method returns keys by key ID. Specification states
- // that a JWK Set "SHOULD" use distinct key IDs, but allows for some
- // cases where they are not distinct. Hence method returns a slice
- // of JSONWebKeys.
- func (s *JSONWebKeySet) Key(kid string) []JSONWebKey {
- var keys []JSONWebKey
- for _, key := range s.Keys {
- if key.KeyID == kid {
- keys = append(keys, key)
- }
- }
- return keys
- }
- const rsaThumbprintTemplate = `{"e":"%s","kty":"RSA","n":"%s"}`
- const ecThumbprintTemplate = `{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`
- const edThumbprintTemplate = `{"crv":"%s","kty":"OKP",x":"%s"}`
- func ecThumbprintInput(curve elliptic.Curve, x, y *big.Int) (string, error) {
- coordLength := curveSize(curve)
- crv, err := curveName(curve)
- if err != nil {
- return "", err
- }
- if len(x.Bytes()) > coordLength || len(y.Bytes()) > coordLength {
- return "", errors.New("square/go-jose: invalid elliptic key (too large)")
- }
- return fmt.Sprintf(ecThumbprintTemplate, crv,
- newFixedSizeBuffer(x.Bytes(), coordLength).base64(),
- newFixedSizeBuffer(y.Bytes(), coordLength).base64()), nil
- }
- func rsaThumbprintInput(n *big.Int, e int) (string, error) {
- return fmt.Sprintf(rsaThumbprintTemplate,
- newBufferFromInt(uint64(e)).base64(),
- newBuffer(n.Bytes()).base64()), nil
- }
- func edThumbprintInput(ed ed25519.PublicKey) (string, error) {
- crv := "Ed25519"
- if len(ed) > 32 {
- return "", errors.New("square/go-jose: invalid elliptic key (too large)")
- }
- return fmt.Sprintf(edThumbprintTemplate, crv,
- newFixedSizeBuffer(ed, 32).base64()), nil
- }
- // Thumbprint computes the JWK Thumbprint of a key using the
- // indicated hash algorithm.
- func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) {
- var input string
- var err error
- switch key := k.Key.(type) {
- case ed25519.PublicKey:
- input, err = edThumbprintInput(key)
- case *ecdsa.PublicKey:
- input, err = ecThumbprintInput(key.Curve, key.X, key.Y)
- case *ecdsa.PrivateKey:
- input, err = ecThumbprintInput(key.Curve, key.X, key.Y)
- case *rsa.PublicKey:
- input, err = rsaThumbprintInput(key.N, key.E)
- case *rsa.PrivateKey:
- input, err = rsaThumbprintInput(key.N, key.E)
- case ed25519.PrivateKey:
- input, err = edThumbprintInput(ed25519.PublicKey(key[32:]))
- default:
- return nil, fmt.Errorf("square/go-jose: unknown key type '%s'", reflect.TypeOf(key))
- }
- if err != nil {
- return nil, err
- }
- h := hash.New()
- h.Write([]byte(input))
- return h.Sum(nil), nil
- }
- // IsPublic returns true if the JWK represents a public key (not symmetric, not private).
- func (k *JSONWebKey) IsPublic() bool {
- switch k.Key.(type) {
- case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
- return true
- default:
- return false
- }
- }
- // Public creates JSONWebKey with corresponding publik key if JWK represents asymmetric private key.
- func (k *JSONWebKey) Public() JSONWebKey {
- if k.IsPublic() {
- return *k
- }
- ret := *k
- switch key := k.Key.(type) {
- case *ecdsa.PrivateKey:
- ret.Key = key.Public()
- case *rsa.PrivateKey:
- ret.Key = key.Public()
- case ed25519.PrivateKey:
- ret.Key = key.Public()
- default:
- return JSONWebKey{} // returning invalid key
- }
- return ret
- }
- // Valid checks that the key contains the expected parameters.
- func (k *JSONWebKey) Valid() bool {
- if k.Key == nil {
- return false
- }
- switch key := k.Key.(type) {
- case *ecdsa.PublicKey:
- if key.Curve == nil || key.X == nil || key.Y == nil {
- return false
- }
- case *ecdsa.PrivateKey:
- if key.Curve == nil || key.X == nil || key.Y == nil || key.D == nil {
- return false
- }
- case *rsa.PublicKey:
- if key.N == nil || key.E == 0 {
- return false
- }
- case *rsa.PrivateKey:
- if key.N == nil || key.E == 0 || key.D == nil || len(key.Primes) < 2 {
- return false
- }
- case ed25519.PublicKey:
- if len(key) != 32 {
- return false
- }
- case ed25519.PrivateKey:
- if len(key) != 64 {
- return false
- }
- default:
- return false
- }
- return true
- }
- func (key rawJSONWebKey) rsaPublicKey() (*rsa.PublicKey, error) {
- if key.N == nil || key.E == nil {
- return nil, fmt.Errorf("square/go-jose: invalid RSA key, missing n/e values")
- }
- return &rsa.PublicKey{
- N: key.N.bigInt(),
- E: key.E.toInt(),
- }, nil
- }
- func fromEdPublicKey(pub ed25519.PublicKey) *rawJSONWebKey {
- return &rawJSONWebKey{
- Kty: "OKP",
- Crv: "Ed25519",
- X: newBuffer(pub),
- }
- }
- func fromRsaPublicKey(pub *rsa.PublicKey) *rawJSONWebKey {
- return &rawJSONWebKey{
- Kty: "RSA",
- N: newBuffer(pub.N.Bytes()),
- E: newBufferFromInt(uint64(pub.E)),
- }
- }
- func (key rawJSONWebKey) ecPublicKey() (*ecdsa.PublicKey, error) {
- var curve elliptic.Curve
- switch key.Crv {
- case "P-256":
- curve = elliptic.P256()
- case "P-384":
- curve = elliptic.P384()
- case "P-521":
- curve = elliptic.P521()
- default:
- return nil, fmt.Errorf("square/go-jose: unsupported elliptic curve '%s'", key.Crv)
- }
- if key.X == nil || key.Y == nil {
- return nil, errors.New("square/go-jose: invalid EC key, missing x/y values")
- }
- // The length of this octet string MUST be the full size of a coordinate for
- // the curve specified in the "crv" parameter.
- // https://tools.ietf.org/html/rfc7518#section-
- if curveSize(curve) != len(key.X.data) {
- return nil, fmt.Errorf("square/go-jose: invalid EC public key, wrong length for x")
- }
- if curveSize(curve) != len(key.Y.data) {
- return nil, fmt.Errorf("square/go-jose: invalid EC public key, wrong length for y")
- }
- x := key.X.bigInt()
- y := key.Y.bigInt()
- if !curve.IsOnCurve(x, y) {
- return nil, errors.New("square/go-jose: invalid EC key, X/Y are not on declared curve")
- }
- return &ecdsa.PublicKey{
- Curve: curve,
- X: x,
- Y: y,
- }, nil
- }
- func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJSONWebKey, error) {
- if pub == nil || pub.X == nil || pub.Y == nil {
- return nil, fmt.Errorf("square/go-jose: invalid EC key (nil, or X/Y missing)")
- }
- name, err := curveName(pub.Curve)
- if err != nil {
- return nil, err
- }
- size := curveSize(pub.Curve)
- xBytes := pub.X.Bytes()
- yBytes := pub.Y.Bytes()
- if len(xBytes) > size || len(yBytes) > size {
- return nil, fmt.Errorf("square/go-jose: invalid EC key (X/Y too large)")
- }
- key := &rawJSONWebKey{
- Kty: "EC",
- Crv: name,
- X: newFixedSizeBuffer(xBytes, size),
- Y: newFixedSizeBuffer(yBytes, size),
- }
- return key, nil
- }
- func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) {
- var missing []string
- switch {
- case key.D == nil:
- missing = append(missing, "D")
- case key.X == nil:
- missing = append(missing, "X")
- }
- if len(missing) > 0 {
- return nil, fmt.Errorf("square/go-jose: invalid Ed25519 private key, missing %s value(s)", strings.Join(missing, ", "))
- }
- privateKey := make([]byte, ed25519.PrivateKeySize)
- copy(privateKey[0:32], key.D.bytes())
- copy(privateKey[32:], key.X.bytes())
- rv := ed25519.PrivateKey(privateKey)
- return rv, nil
- }
- func (key rawJSONWebKey) edPublicKey() (ed25519.PublicKey, error) {
- if key.X == nil {
- return nil, fmt.Errorf("square/go-jose: invalid Ed key, missing x value")
- }
- publicKey := make([]byte, ed25519.PublicKeySize)
- copy(publicKey[0:32], key.X.bytes())
- rv := ed25519.PublicKey(publicKey)
- return rv, nil
- }
- func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) {
- var missing []string
- switch {
- case key.N == nil:
- missing = append(missing, "N")
- case key.E == nil:
- missing = append(missing, "E")
- case key.D == nil:
- missing = append(missing, "D")
- case key.P == nil:
- missing = append(missing, "P")
- case key.Q == nil:
- missing = append(missing, "Q")
- }
- if len(missing) > 0 {
- return nil, fmt.Errorf("square/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
- }
- rv := &rsa.PrivateKey{
- PublicKey: rsa.PublicKey{
- N: key.N.bigInt(),
- E: key.E.toInt(),
- },
- D: key.D.bigInt(),
- Primes: []*big.Int{
- key.P.bigInt(),
- key.Q.bigInt(),
- },
- }
- if key.Dp != nil {
- rv.Precomputed.Dp = key.Dp.bigInt()
- }
- if key.Dq != nil {
- rv.Precomputed.Dq = key.Dq.bigInt()
- }
- if key.Qi != nil {
- rv.Precomputed.Qinv = key.Qi.bigInt()
- }
- err := rv.Validate()
- return rv, err
- }
- func fromEdPrivateKey(ed ed25519.PrivateKey) (*rawJSONWebKey, error) {
- raw := fromEdPublicKey(ed25519.PublicKey(ed[32:]))
- raw.D = newBuffer(ed[0:32])
- return raw, nil
- }
- func fromRsaPrivateKey(rsa *rsa.PrivateKey) (*rawJSONWebKey, error) {
- if len(rsa.Primes) != 2 {
- return nil, ErrUnsupportedKeyType
- }
- raw := fromRsaPublicKey(&rsa.PublicKey)
- raw.D = newBuffer(rsa.D.Bytes())
- raw.P = newBuffer(rsa.Primes[0].Bytes())
- raw.Q = newBuffer(rsa.Primes[1].Bytes())
- if rsa.Precomputed.Dp != nil {
- raw.Dp = newBuffer(rsa.Precomputed.Dp.Bytes())
- }
- if rsa.Precomputed.Dq != nil {
- raw.Dq = newBuffer(rsa.Precomputed.Dq.Bytes())
- }
- if rsa.Precomputed.Qinv != nil {
- raw.Qi = newBuffer(rsa.Precomputed.Qinv.Bytes())
- }
- return raw, nil
- }
- func (key rawJSONWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) {
- var curve elliptic.Curve
- switch key.Crv {
- case "P-256":
- curve = elliptic.P256()
- case "P-384":
- curve = elliptic.P384()
- case "P-521":
- curve = elliptic.P521()
- default:
- return nil, fmt.Errorf("square/go-jose: unsupported elliptic curve '%s'", key.Crv)
- }
- if key.X == nil || key.Y == nil || key.D == nil {
- return nil, fmt.Errorf("square/go-jose: invalid EC private key, missing x/y/d values")
- }
- // The length of this octet string MUST be the full size of a coordinate for
- // the curve specified in the "crv" parameter.
- // https://tools.ietf.org/html/rfc7518#section-
- if curveSize(curve) != len(key.X.data) {
- return nil, fmt.Errorf("square/go-jose: invalid EC private key, wrong length for x")
- }
- if curveSize(curve) != len(key.Y.data) {
- return nil, fmt.Errorf("square/go-jose: invalid EC private key, wrong length for y")
- }
- // https://tools.ietf.org/html/rfc7518#section-
- if dSize(curve) != len(key.D.data) {
- return nil, fmt.Errorf("square/go-jose: invalid EC private key, wrong length for d")
- }
- x := key.X.bigInt()
- y := key.Y.bigInt()
- if !curve.IsOnCurve(x, y) {
- return nil, errors.New("square/go-jose: invalid EC key, X/Y are not on declared curve")
- }
- return &ecdsa.PrivateKey{
- PublicKey: ecdsa.PublicKey{
- Curve: curve,
- X: x,
- Y: y,
- },
- D: key.D.bigInt(),
- }, nil
- }
- func fromEcPrivateKey(ec *ecdsa.PrivateKey) (*rawJSONWebKey, error) {
- raw, err := fromEcPublicKey(&ec.PublicKey)
- if err != nil {
- return nil, err
- }
- if ec.D == nil {
- return nil, fmt.Errorf("square/go-jose: invalid EC private key")
- }
- raw.D = newFixedSizeBuffer(ec.D.Bytes(), dSize(ec.PublicKey.Curve))
- return raw, nil
- }
- // dSize returns the size in octets for the "d" member of an elliptic curve
- // private key.
- // The length of this octet string MUST be ceiling(log-base-2(n)/8)
- // octets (where n is the order of the curve).
- // https://tools.ietf.org/html/rfc7518#section-
- func dSize(curve elliptic.Curve) int {
- order := curve.Params().P
- bitLen := order.BitLen()
- size := bitLen / 8
- if bitLen%8 != 0 {
- size = size + 1
- }
- return size
- }
- func fromSymmetricKey(key []byte) (*rawJSONWebKey, error) {
- return &rawJSONWebKey{
- Kty: "oct",
- K: newBuffer(key),
- }, nil
- }
- func (key rawJSONWebKey) symmetricKey() ([]byte, error) {
- if key.K == nil {
- return nil, fmt.Errorf("square/go-jose: invalid OCT (symmetric) key, missing k value")
- }
- return key.K.bytes(), nil
- }