private_key.go

Documentation: github.com/ProtonMail/go-crypto/openpgp/packet

     1  // Copyright 2011 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package packet
     6  
     7  import (
     8  	"bytes"
     9  	"crypto"
    10  	"crypto/cipher"
    11  	"crypto/dsa"
    12  	"crypto/rand"
    13  	"crypto/rsa"
    14  	"crypto/sha1"
    15  	"io"
    16  	"io/ioutil"
    17  	"math/big"
    18  	"strconv"
    19  	"time"
    20  
    21  	"github.com/ProtonMail/go-crypto/openpgp/ecdh"
    22  	"github.com/ProtonMail/go-crypto/openpgp/ecdsa"
    23  	"github.com/ProtonMail/go-crypto/openpgp/eddsa"
    24  	"github.com/ProtonMail/go-crypto/openpgp/elgamal"
    25  	"github.com/ProtonMail/go-crypto/openpgp/errors"
    26  	"github.com/ProtonMail/go-crypto/openpgp/internal/encoding"
    27  	"github.com/ProtonMail/go-crypto/openpgp/s2k"
    28  )
    29  
    30  // PrivateKey represents a possibly encrypted private key. See RFC 4880,
    31  // section 5.5.3.
    32  type PrivateKey struct {
    33  	PublicKey
    34  	Encrypted     bool // if true then the private key is unavailable until Decrypt has been called.
    35  	encryptedData []byte
    36  	cipher        CipherFunction
    37  	s2k           func(out, in []byte)
    38  	// An *{rsa|dsa|elgamal|ecdh|ecdsa|ed25519}.PrivateKey or
    39  	// crypto.Signer/crypto.Decrypter (Decryptor RSA only).
    40  	PrivateKey   interface{}
    41  	sha1Checksum bool
    42  	iv           []byte
    43  
    44  	// Type of encryption of the S2K packet
    45  	// Allowed values are 0 (Not encrypted), 254 (SHA1), or
    46  	// 255 (2-byte checksum)
    47  	s2kType S2KType
    48  	// Full parameters of the S2K packet
    49  	s2kParams *s2k.Params
    50  }
    51  
    52  // S2KType s2k packet type
    53  type S2KType uint8
    54  
    55  const (
    56  	// S2KNON unencrypt
    57  	S2KNON S2KType = 0
    58  	// S2KSHA1 sha1 sum check
    59  	S2KSHA1 S2KType = 254
    60  	// S2KCHECKSUM sum check
    61  	S2KCHECKSUM S2KType = 255
    62  )
    63  
    64  func NewRSAPrivateKey(creationTime time.Time, priv *rsa.PrivateKey) *PrivateKey {
    65  	pk := new(PrivateKey)
    66  	pk.PublicKey = *NewRSAPublicKey(creationTime, &priv.PublicKey)
    67  	pk.PrivateKey = priv
    68  	return pk
    69  }
    70  
    71  func NewDSAPrivateKey(creationTime time.Time, priv *dsa.PrivateKey) *PrivateKey {
    72  	pk := new(PrivateKey)
    73  	pk.PublicKey = *NewDSAPublicKey(creationTime, &priv.PublicKey)
    74  	pk.PrivateKey = priv
    75  	return pk
    76  }
    77  
    78  func NewElGamalPrivateKey(creationTime time.Time, priv *elgamal.PrivateKey) *PrivateKey {
    79  	pk := new(PrivateKey)
    80  	pk.PublicKey = *NewElGamalPublicKey(creationTime, &priv.PublicKey)
    81  	pk.PrivateKey = priv
    82  	return pk
    83  }
    84  
    85  func NewECDSAPrivateKey(creationTime time.Time, priv *ecdsa.PrivateKey) *PrivateKey {
    86  	pk := new(PrivateKey)
    87  	pk.PublicKey = *NewECDSAPublicKey(creationTime, &priv.PublicKey)
    88  	pk.PrivateKey = priv
    89  	return pk
    90  }
    91  
    92  func NewEdDSAPrivateKey(creationTime time.Time, priv *eddsa.PrivateKey) *PrivateKey {
    93  	pk := new(PrivateKey)
    94  	pk.PublicKey = *NewEdDSAPublicKey(creationTime, &priv.PublicKey)
    95  	pk.PrivateKey = priv
    96  	return pk
    97  }
    98  
    99  func NewECDHPrivateKey(creationTime time.Time, priv *ecdh.PrivateKey) *PrivateKey {
   100  	pk := new(PrivateKey)
   101  	pk.PublicKey = *NewECDHPublicKey(creationTime, &priv.PublicKey)
   102  	pk.PrivateKey = priv
   103  	return pk
   104  }
   105  
   106  // NewSignerPrivateKey creates a PrivateKey from a crypto.Signer that
   107  // implements RSA, ECDSA or EdDSA.
   108  func NewSignerPrivateKey(creationTime time.Time, signer interface{}) *PrivateKey {
   109  	pk := new(PrivateKey)
   110  	// In general, the public Keys should be used as pointers. We still
   111  	// type-switch on the values, for backwards-compatibility.
   112  	switch pubkey := signer.(type) {
   113  	case *rsa.PrivateKey:
   114  		pk.PublicKey = *NewRSAPublicKey(creationTime, &pubkey.PublicKey)
   115  	case rsa.PrivateKey:
   116  		pk.PublicKey = *NewRSAPublicKey(creationTime, &pubkey.PublicKey)
   117  	case *ecdsa.PrivateKey:
   118  		pk.PublicKey = *NewECDSAPublicKey(creationTime, &pubkey.PublicKey)
   119  	case ecdsa.PrivateKey:
   120  		pk.PublicKey = *NewECDSAPublicKey(creationTime, &pubkey.PublicKey)
   121  	case *eddsa.PrivateKey:
   122  		pk.PublicKey = *NewEdDSAPublicKey(creationTime, &pubkey.PublicKey)
   123  	case eddsa.PrivateKey:
   124  		pk.PublicKey = *NewEdDSAPublicKey(creationTime, &pubkey.PublicKey)
   125  	default:
   126  		panic("openpgp: unknown signer type in NewSignerPrivateKey")
   127  	}
   128  	pk.PrivateKey = signer
   129  	return pk
   130  }
   131  
   132  // NewDecrypterPrivateKey creates a PrivateKey from a *{rsa|elgamal|ecdh}.PrivateKey.
   133  func NewDecrypterPrivateKey(creationTime time.Time, decrypter interface{}) *PrivateKey {
   134  	pk := new(PrivateKey)
   135  	switch priv := decrypter.(type) {
   136  	case *rsa.PrivateKey:
   137  		pk.PublicKey = *NewRSAPublicKey(creationTime, &priv.PublicKey)
   138  	case *elgamal.PrivateKey:
   139  		pk.PublicKey = *NewElGamalPublicKey(creationTime, &priv.PublicKey)
   140  	case *ecdh.PrivateKey:
   141  		pk.PublicKey = *NewECDHPublicKey(creationTime, &priv.PublicKey)
   142  	default:
   143  		panic("openpgp: unknown decrypter type in NewDecrypterPrivateKey")
   144  	}
   145  	pk.PrivateKey = decrypter
   146  	return pk
   147  }
   148  
   149  func (pk *PrivateKey) parse(r io.Reader) (err error) {
   150  	err = (&pk.PublicKey).parse(r)
   151  	if err != nil {
   152  		return
   153  	}
   154  	v5 := pk.PublicKey.Version == 5
   155  
   156  	var buf [1]byte
   157  	_, err = readFull(r, buf[:])
   158  	if err != nil {
   159  		return
   160  	}
   161  	pk.s2kType = S2KType(buf[0])
   162  	var optCount [1]byte
   163  	if v5 {
   164  		if _, err = readFull(r, optCount[:]); err != nil {
   165  			return
   166  		}
   167  	}
   168  
   169  	switch pk.s2kType {
   170  	case S2KNON:
   171  		pk.s2k = nil
   172  		pk.Encrypted = false
   173  	case S2KSHA1, S2KCHECKSUM:
   174  		if v5 && pk.s2kType == S2KCHECKSUM {
   175  			return errors.StructuralError("wrong s2k identifier for version 5")
   176  		}
   177  		_, err = readFull(r, buf[:])
   178  		if err != nil {
   179  			return
   180  		}
   181  		pk.cipher = CipherFunction(buf[0])
   182  		if pk.cipher != 0 && !pk.cipher.IsSupported() {
   183  			return errors.UnsupportedError("unsupported cipher function in private key")
   184  		}
   185  		pk.s2kParams, err = s2k.ParseIntoParams(r)
   186  		if err != nil {
   187  			return
   188  		}
   189  		if pk.s2kParams.Dummy() {
   190  			return
   191  		}
   192  		pk.s2k, err = pk.s2kParams.Function()
   193  		if err != nil {
   194  			return
   195  		}
   196  		pk.Encrypted = true
   197  		if pk.s2kType == S2KSHA1 {
   198  			pk.sha1Checksum = true
   199  		}
   200  	default:
   201  		return errors.UnsupportedError("deprecated s2k function in private key")
   202  	}
   203  
   204  	if pk.Encrypted {
   205  		blockSize := pk.cipher.blockSize()
   206  		if blockSize == 0 {
   207  			return errors.UnsupportedError("unsupported cipher in private key: " + strconv.Itoa(int(pk.cipher)))
   208  		}
   209  		pk.iv = make([]byte, blockSize)
   210  		_, err = readFull(r, pk.iv)
   211  		if err != nil {
   212  			return
   213  		}
   214  	}
   215  
   216  	var privateKeyData []byte
   217  	if v5 {
   218  		var n [4]byte /* secret material four octet count */
   219  		_, err = readFull(r, n[:])
   220  		if err != nil {
   221  			return
   222  		}
   223  		count := uint32(uint32(n[0])<<24 | uint32(n[1])<<16 | uint32(n[2])<<8 | uint32(n[3]))
   224  		if !pk.Encrypted {
   225  			count = count + 2 /* two octet checksum */
   226  		}
   227  		privateKeyData = make([]byte, count)
   228  		_, err = readFull(r, privateKeyData)
   229  		if err != nil {
   230  			return
   231  		}
   232  	} else {
   233  		privateKeyData, err = ioutil.ReadAll(r)
   234  		if err != nil {
   235  			return
   236  		}
   237  	}
   238  	if !pk.Encrypted {
   239  		if len(privateKeyData) < 2 {
   240  			return errors.StructuralError("truncated private key data")
   241  		}
   242  		var sum uint16
   243  		for i := 0; i < len(privateKeyData)-2; i++ {
   244  			sum += uint16(privateKeyData[i])
   245  		}
   246  		if privateKeyData[len(privateKeyData)-2] != uint8(sum>>8) ||
   247  			privateKeyData[len(privateKeyData)-1] != uint8(sum) {
   248  			return errors.StructuralError("private key checksum failure")
   249  		}
   250  		privateKeyData = privateKeyData[:len(privateKeyData)-2]
   251  		return pk.parsePrivateKey(privateKeyData)
   252  	}
   253  
   254  	pk.encryptedData = privateKeyData
   255  	return
   256  }
   257  
   258  // Dummy returns true if the private key is a dummy key. This is a GNU extension.
   259  func (pk *PrivateKey) Dummy() bool {
   260  	return pk.s2kParams.Dummy()
   261  }
   262  
   263  func mod64kHash(d []byte) uint16 {
   264  	var h uint16
   265  	for _, b := range d {
   266  		h += uint16(b)
   267  	}
   268  	return h
   269  }
   270  
   271  func (pk *PrivateKey) Serialize(w io.Writer) (err error) {
   272  	contents := bytes.NewBuffer(nil)
   273  	err = pk.PublicKey.serializeWithoutHeaders(contents)
   274  	if err != nil {
   275  		return
   276  	}
   277  	if _, err = contents.Write([]byte{uint8(pk.s2kType)}); err != nil {
   278  		return
   279  	}
   280  
   281  	optional := bytes.NewBuffer(nil)
   282  	if pk.Encrypted || pk.Dummy() {
   283  		optional.Write([]byte{uint8(pk.cipher)})
   284  		if err := pk.s2kParams.Serialize(optional); err != nil {
   285  			return err
   286  		}
   287  		if pk.Encrypted {
   288  			optional.Write(pk.iv)
   289  		}
   290  	}
   291  	if pk.Version == 5 {
   292  		contents.Write([]byte{uint8(optional.Len())})
   293  	}
   294  	io.Copy(contents, optional)
   295  
   296  	if !pk.Dummy() {
   297  		l := 0
   298  		var priv []byte
   299  		if !pk.Encrypted {
   300  			buf := bytes.NewBuffer(nil)
   301  			err = pk.serializePrivateKey(buf)
   302  			if err != nil {
   303  				return err
   304  			}
   305  			l = buf.Len()
   306  			checksum := mod64kHash(buf.Bytes())
   307  			buf.Write([]byte{byte(checksum >> 8), byte(checksum)})
   308  			priv = buf.Bytes()
   309  		} else {
   310  			priv, l = pk.encryptedData, len(pk.encryptedData)
   311  		}
   312  
   313  		if pk.Version == 5 {
   314  			contents.Write([]byte{byte(l >> 24), byte(l >> 16), byte(l >> 8), byte(l)})
   315  		}
   316  		contents.Write(priv)
   317  	}
   318  
   319  	ptype := packetTypePrivateKey
   320  	if pk.IsSubkey {
   321  		ptype = packetTypePrivateSubkey
   322  	}
   323  	err = serializeHeader(w, ptype, contents.Len())
   324  	if err != nil {
   325  		return
   326  	}
   327  	_, err = io.Copy(w, contents)
   328  	if err != nil {
   329  		return
   330  	}
   331  	return
   332  }
   333  
   334  func serializeRSAPrivateKey(w io.Writer, priv *rsa.PrivateKey) error {
   335  	if _, err := w.Write(new(encoding.MPI).SetBig(priv.D).EncodedBytes()); err != nil {
   336  		return err
   337  	}
   338  	if _, err := w.Write(new(encoding.MPI).SetBig(priv.Primes[1]).EncodedBytes()); err != nil {
   339  		return err
   340  	}
   341  	if _, err := w.Write(new(encoding.MPI).SetBig(priv.Primes[0]).EncodedBytes()); err != nil {
   342  		return err
   343  	}
   344  	_, err := w.Write(new(encoding.MPI).SetBig(priv.Precomputed.Qinv).EncodedBytes())
   345  	return err
   346  }
   347  
   348  func serializeDSAPrivateKey(w io.Writer, priv *dsa.PrivateKey) error {
   349  	_, err := w.Write(new(encoding.MPI).SetBig(priv.X).EncodedBytes())
   350  	return err
   351  }
   352  
   353  func serializeElGamalPrivateKey(w io.Writer, priv *elgamal.PrivateKey) error {
   354  	_, err := w.Write(new(encoding.MPI).SetBig(priv.X).EncodedBytes())
   355  	return err
   356  }
   357  
   358  func serializeECDSAPrivateKey(w io.Writer, priv *ecdsa.PrivateKey) error {
   359  	_, err := w.Write(encoding.NewMPI(priv.MarshalIntegerSecret()).EncodedBytes())
   360  	return err
   361  }
   362  
   363  func serializeEdDSAPrivateKey(w io.Writer, priv *eddsa.PrivateKey) error {
   364  	_, err := w.Write(encoding.NewMPI(priv.MarshalByteSecret()).EncodedBytes())
   365  	return err
   366  }
   367  
   368  func serializeECDHPrivateKey(w io.Writer, priv *ecdh.PrivateKey) error {
   369  	_, err := w.Write(encoding.NewMPI(priv.MarshalByteSecret()).EncodedBytes())
   370  	return err
   371  }
   372  
   373  // decrypt decrypts an encrypted private key using a decryption key.
   374  func (pk *PrivateKey) decrypt(decryptionKey []byte) error {
   375  	if pk.Dummy() {
   376  		return errors.ErrDummyPrivateKey("dummy key found")
   377  	}
   378  	if !pk.Encrypted {
   379  		return nil
   380  	}
   381  
   382  	block := pk.cipher.new(decryptionKey)
   383  	cfb := cipher.NewCFBDecrypter(block, pk.iv)
   384  
   385  	data := make([]byte, len(pk.encryptedData))
   386  	cfb.XORKeyStream(data, pk.encryptedData)
   387  
   388  	if pk.sha1Checksum {
   389  		if len(data) < sha1.Size {
   390  			return errors.StructuralError("truncated private key data")
   391  		}
   392  		h := sha1.New()
   393  		h.Write(data[:len(data)-sha1.Size])
   394  		sum := h.Sum(nil)
   395  		if !bytes.Equal(sum, data[len(data)-sha1.Size:]) {
   396  			return errors.StructuralError("private key checksum failure")
   397  		}
   398  		data = data[:len(data)-sha1.Size]
   399  	} else {
   400  		if len(data) < 2 {
   401  			return errors.StructuralError("truncated private key data")
   402  		}
   403  		var sum uint16
   404  		for i := 0; i < len(data)-2; i++ {
   405  			sum += uint16(data[i])
   406  		}
   407  		if data[len(data)-2] != uint8(sum>>8) ||
   408  			data[len(data)-1] != uint8(sum) {
   409  			return errors.StructuralError("private key checksum failure")
   410  		}
   411  		data = data[:len(data)-2]
   412  	}
   413  
   414  	err := pk.parsePrivateKey(data)
   415  	if _, ok := err.(errors.KeyInvalidError); ok {
   416  		return errors.KeyInvalidError("invalid key parameters")
   417  	}
   418  	if err != nil {
   419  		return err
   420  	}
   421  
   422  	// Mark key as unencrypted
   423  	pk.s2kType = S2KNON
   424  	pk.s2k = nil
   425  	pk.Encrypted = false
   426  	pk.encryptedData = nil
   427  
   428  	return nil
   429  }
   430  
   431  func (pk *PrivateKey) decryptWithCache(passphrase []byte, keyCache *s2k.Cache) error {
   432  	if pk.Dummy() {
   433  		return errors.ErrDummyPrivateKey("dummy key found")
   434  	}
   435  	if !pk.Encrypted {
   436  		return nil
   437  	}
   438  
   439  	key, err := keyCache.GetOrComputeDerivedKey(passphrase, pk.s2kParams, pk.cipher.KeySize())
   440  	if err != nil {
   441  		return err
   442  	}
   443  	return pk.decrypt(key)
   444  }
   445  
   446  // Decrypt decrypts an encrypted private key using a passphrase.
   447  func (pk *PrivateKey) Decrypt(passphrase []byte) error {
   448  	if pk.Dummy() {
   449  		return errors.ErrDummyPrivateKey("dummy key found")
   450  	}
   451  	if !pk.Encrypted {
   452  		return nil
   453  	}
   454  
   455  	key := make([]byte, pk.cipher.KeySize())
   456  	pk.s2k(key, passphrase)
   457  	return pk.decrypt(key)
   458  }
   459  
   460  // DecryptPrivateKeys decrypts all encrypted keys with the given config and passphrase.
   461  // Avoids recomputation of similar s2k key derivations. 
   462  func DecryptPrivateKeys(keys []*PrivateKey, passphrase []byte) error {
   463  	// Create a cache to avoid recomputation of key derviations for the same passphrase.
   464  	s2kCache := &s2k.Cache{}
   465  	for _, key := range keys {
   466  		if key != nil && !key.Dummy() && key.Encrypted {
   467  			err := key.decryptWithCache(passphrase, s2kCache)
   468  			if err != nil {
   469  				return err
   470  			}
   471  		}
   472  	}
   473  	return nil
   474  }
   475  
   476  // encrypt encrypts an unencrypted private key.
   477  func (pk *PrivateKey) encrypt(key []byte, params *s2k.Params, cipherFunction CipherFunction) error {
   478  	if pk.Dummy() {
   479  		return errors.ErrDummyPrivateKey("dummy key found")
   480  	}
   481  	if pk.Encrypted {
   482  		return nil
   483  	}
   484  	// check if encryptionKey has the correct size
   485  	if len(key) != cipherFunction.KeySize() {
   486  		return errors.InvalidArgumentError("supplied encryption key has the wrong size")
   487  	}
   488  	
   489  	priv := bytes.NewBuffer(nil)
   490  	err := pk.serializePrivateKey(priv)
   491  	if err != nil {
   492  		return err
   493  	}
   494  
   495  	pk.cipher = cipherFunction
   496  	pk.s2kParams = params
   497  	pk.s2k, err = pk.s2kParams.Function()
   498  	if err != nil {
   499  		return err
   500  	} 
   501  
   502  	privateKeyBytes := priv.Bytes()
   503  	pk.sha1Checksum = true
   504  	block := pk.cipher.new(key)
   505  	pk.iv = make([]byte, pk.cipher.blockSize())
   506  	_, err = rand.Read(pk.iv)
   507  	if err != nil {
   508  		return err
   509  	}
   510  	cfb := cipher.NewCFBEncrypter(block, pk.iv)
   511  
   512  	if pk.sha1Checksum {
   513  		pk.s2kType = S2KSHA1
   514  		h := sha1.New()
   515  		h.Write(privateKeyBytes)
   516  		sum := h.Sum(nil)
   517  		privateKeyBytes = append(privateKeyBytes, sum...)
   518  	} else {
   519  		pk.s2kType = S2KCHECKSUM
   520  		var sum uint16
   521  		for _, b := range privateKeyBytes {
   522  			sum += uint16(b)
   523  		}
   524  		priv.Write([]byte{uint8(sum >> 8), uint8(sum)})
   525  	}
   526  
   527  	pk.encryptedData = make([]byte, len(privateKeyBytes))
   528  	cfb.XORKeyStream(pk.encryptedData, privateKeyBytes)
   529  	pk.Encrypted = true
   530  	pk.PrivateKey = nil
   531  	return err
   532  }
   533  
   534  // EncryptWithConfig encrypts an unencrypted private key using the passphrase and the config.
   535  func (pk *PrivateKey) EncryptWithConfig(passphrase []byte, config *Config) error {
   536  	params, err := s2k.Generate(config.Random(), config.S2K())
   537  	if err != nil {
   538  		return err
   539  	}
   540  	// Derive an encryption key with the configured s2k function.
   541  	key := make([]byte, config.Cipher().KeySize())
   542  	s2k, err := params.Function()
   543  	if err != nil {
   544  		return err
   545  	}
   546  	s2k(key, passphrase)
   547  	// Encrypt the private key with the derived encryption key.
   548  	return pk.encrypt(key, params, config.Cipher())
   549  }
   550  
   551  // EncryptPrivateKeys encrypts all unencrypted keys with the given config and passphrase.
   552  // Only derives one key from the passphrase, which is then used to encrypt each key.
   553  func EncryptPrivateKeys(keys []*PrivateKey, passphrase []byte, config *Config) error {
   554  	params, err := s2k.Generate(config.Random(), config.S2K())
   555  	if err != nil {
   556  		return err
   557  	}
   558  	// Derive an encryption key with the configured s2k function.
   559  	encryptionKey := make([]byte, config.Cipher().KeySize())
   560  	s2k, err := params.Function()
   561  	if err != nil {
   562  		return err
   563  	}
   564  	s2k(encryptionKey, passphrase)
   565  	for _, key := range keys {
   566  		if key != nil && !key.Dummy() && !key.Encrypted {
   567  			err = key.encrypt(encryptionKey, params, config.Cipher())
   568  			if err != nil {
   569  				return err
   570  			}
   571  		}
   572  	}
   573  	return nil
   574  }
   575  
   576  // Encrypt encrypts an unencrypted private key using a passphrase.
   577  func (pk *PrivateKey) Encrypt(passphrase []byte) error {
   578  	// Default config of private key encryption
   579  	config := &Config{
   580  		S2KConfig: &s2k.Config{
   581  			S2KMode:  s2k.IteratedSaltedS2K,
   582  			S2KCount: 65536,
   583  			Hash:     crypto.SHA256,
   584  		} ,
   585  		DefaultCipher: CipherAES256,
   586  	}
   587  	return pk.EncryptWithConfig(passphrase, config)
   588  }
   589  
   590  func (pk *PrivateKey) serializePrivateKey(w io.Writer) (err error) {
   591  	switch priv := pk.PrivateKey.(type) {
   592  	case *rsa.PrivateKey:
   593  		err = serializeRSAPrivateKey(w, priv)
   594  	case *dsa.PrivateKey:
   595  		err = serializeDSAPrivateKey(w, priv)
   596  	case *elgamal.PrivateKey:
   597  		err = serializeElGamalPrivateKey(w, priv)
   598  	case *ecdsa.PrivateKey:
   599  		err = serializeECDSAPrivateKey(w, priv)
   600  	case *eddsa.PrivateKey:
   601  		err = serializeEdDSAPrivateKey(w, priv)
   602  	case *ecdh.PrivateKey:
   603  		err = serializeECDHPrivateKey(w, priv)
   604  	default:
   605  		err = errors.InvalidArgumentError("unknown private key type")
   606  	}
   607  	return
   608  }
   609  
   610  func (pk *PrivateKey) parsePrivateKey(data []byte) (err error) {
   611  	switch pk.PublicKey.PubKeyAlgo {
   612  	case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoRSAEncryptOnly:
   613  		return pk.parseRSAPrivateKey(data)
   614  	case PubKeyAlgoDSA:
   615  		return pk.parseDSAPrivateKey(data)
   616  	case PubKeyAlgoElGamal:
   617  		return pk.parseElGamalPrivateKey(data)
   618  	case PubKeyAlgoECDSA:
   619  		return pk.parseECDSAPrivateKey(data)
   620  	case PubKeyAlgoECDH:
   621  		return pk.parseECDHPrivateKey(data)
   622  	case PubKeyAlgoEdDSA:
   623  		return pk.parseEdDSAPrivateKey(data)
   624  	}
   625  	panic("impossible")
   626  }
   627  
   628  func (pk *PrivateKey) parseRSAPrivateKey(data []byte) (err error) {
   629  	rsaPub := pk.PublicKey.PublicKey.(*rsa.PublicKey)
   630  	rsaPriv := new(rsa.PrivateKey)
   631  	rsaPriv.PublicKey = *rsaPub
   632  
   633  	buf := bytes.NewBuffer(data)
   634  	d := new(encoding.MPI)
   635  	if _, err := d.ReadFrom(buf); err != nil {
   636  		return err
   637  	}
   638  
   639  	p := new(encoding.MPI)
   640  	if _, err := p.ReadFrom(buf); err != nil {
   641  		return err
   642  	}
   643  
   644  	q := new(encoding.MPI)
   645  	if _, err := q.ReadFrom(buf); err != nil {
   646  		return err
   647  	}
   648  
   649  	rsaPriv.D = new(big.Int).SetBytes(d.Bytes())
   650  	rsaPriv.Primes = make([]*big.Int, 2)
   651  	rsaPriv.Primes[0] = new(big.Int).SetBytes(p.Bytes())
   652  	rsaPriv.Primes[1] = new(big.Int).SetBytes(q.Bytes())
   653  	if err := rsaPriv.Validate(); err != nil {
   654  		return errors.KeyInvalidError(err.Error())
   655  	}
   656  	rsaPriv.Precompute()
   657  	pk.PrivateKey = rsaPriv
   658  
   659  	return nil
   660  }
   661  
   662  func (pk *PrivateKey) parseDSAPrivateKey(data []byte) (err error) {
   663  	dsaPub := pk.PublicKey.PublicKey.(*dsa.PublicKey)
   664  	dsaPriv := new(dsa.PrivateKey)
   665  	dsaPriv.PublicKey = *dsaPub
   666  
   667  	buf := bytes.NewBuffer(data)
   668  	x := new(encoding.MPI)
   669  	if _, err := x.ReadFrom(buf); err != nil {
   670  		return err
   671  	}
   672  
   673  	dsaPriv.X = new(big.Int).SetBytes(x.Bytes())
   674  	if err := validateDSAParameters(dsaPriv); err != nil {
   675  		return err
   676  	}
   677  	pk.PrivateKey = dsaPriv
   678  
   679  	return nil
   680  }
   681  
   682  func (pk *PrivateKey) parseElGamalPrivateKey(data []byte) (err error) {
   683  	pub := pk.PublicKey.PublicKey.(*elgamal.PublicKey)
   684  	priv := new(elgamal.PrivateKey)
   685  	priv.PublicKey = *pub
   686  
   687  	buf := bytes.NewBuffer(data)
   688  	x := new(encoding.MPI)
   689  	if _, err := x.ReadFrom(buf); err != nil {
   690  		return err
   691  	}
   692  
   693  	priv.X = new(big.Int).SetBytes(x.Bytes())
   694  	if err := validateElGamalParameters(priv); err != nil {
   695  		return err
   696  	}
   697  	pk.PrivateKey = priv
   698  
   699  	return nil
   700  }
   701  
   702  func (pk *PrivateKey) parseECDSAPrivateKey(data []byte) (err error) {
   703  	ecdsaPub := pk.PublicKey.PublicKey.(*ecdsa.PublicKey)
   704  	ecdsaPriv := ecdsa.NewPrivateKey(*ecdsaPub)
   705  
   706  	buf := bytes.NewBuffer(data)
   707  	d := new(encoding.MPI)
   708  	if _, err := d.ReadFrom(buf); err != nil {
   709  		return err
   710  	}
   711  
   712  	if err := ecdsaPriv.UnmarshalIntegerSecret(d.Bytes()); err != nil {
   713  		return err
   714  	}
   715  	if err := ecdsa.Validate(ecdsaPriv); err != nil {
   716  		return err
   717  	}
   718  	pk.PrivateKey = ecdsaPriv
   719  
   720  	return nil
   721  }
   722  
   723  func (pk *PrivateKey) parseECDHPrivateKey(data []byte) (err error) {
   724  	ecdhPub := pk.PublicKey.PublicKey.(*ecdh.PublicKey)
   725  	ecdhPriv := ecdh.NewPrivateKey(*ecdhPub)
   726  
   727  	buf := bytes.NewBuffer(data)
   728  	d := new(encoding.MPI)
   729  	if _, err := d.ReadFrom(buf); err != nil {
   730  		return err
   731  	}
   732  
   733  	if err := ecdhPriv.UnmarshalByteSecret(d.Bytes()); err != nil {
   734  		return err
   735  	}
   736  
   737  	if err := ecdh.Validate(ecdhPriv); err != nil {
   738  		return err
   739  	}
   740  
   741  	pk.PrivateKey = ecdhPriv
   742  
   743  	return nil
   744  }
   745  
   746  func (pk *PrivateKey) parseEdDSAPrivateKey(data []byte) (err error) {
   747  	eddsaPub := pk.PublicKey.PublicKey.(*eddsa.PublicKey)
   748  	eddsaPriv := eddsa.NewPrivateKey(*eddsaPub)
   749  	eddsaPriv.PublicKey = *eddsaPub
   750  
   751  	buf := bytes.NewBuffer(data)
   752  	d := new(encoding.MPI)
   753  	if _, err := d.ReadFrom(buf); err != nil {
   754  		return err
   755  	}
   756  
   757  	if err = eddsaPriv.UnmarshalByteSecret(d.Bytes()); err != nil {
   758  		return err
   759  	}
   760  
   761  	if err := eddsa.Validate(eddsaPriv); err != nil {
   762  		return err
   763  	}
   764  
   765  	pk.PrivateKey = eddsaPriv
   766  
   767  	return nil
   768  }
   769  
   770  func validateDSAParameters(priv *dsa.PrivateKey) error {
   771  	p := priv.P // group prime
   772  	q := priv.Q // subgroup order
   773  	g := priv.G // g has order q mod p
   774  	x := priv.X // secret
   775  	y := priv.Y // y == g**x mod p
   776  	one := big.NewInt(1)
   777  	// expect g, y >= 2 and g < p
   778  	if g.Cmp(one) <= 0 || y.Cmp(one) <= 0 || g.Cmp(p) > 0 {
   779  		return errors.KeyInvalidError("dsa: invalid group")
   780  	}
   781  	// expect p > q
   782  	if p.Cmp(q) <= 0 {
   783  		return errors.KeyInvalidError("dsa: invalid group prime")
   784  	}
   785  	// q should be large enough and divide p-1
   786  	pSub1 := new(big.Int).Sub(p, one)
   787  	if q.BitLen() < 150 || new(big.Int).Mod(pSub1, q).Cmp(big.NewInt(0)) != 0 {
   788  		return errors.KeyInvalidError("dsa: invalid order")
   789  	}
   790  	// confirm that g has order q mod p
   791  	if !q.ProbablyPrime(32) || new(big.Int).Exp(g, q, p).Cmp(one) != 0 {
   792  		return errors.KeyInvalidError("dsa: invalid order")
   793  	}
   794  	// check y
   795  	if new(big.Int).Exp(g, x, p).Cmp(y) != 0 {
   796  		return errors.KeyInvalidError("dsa: mismatching values")
   797  	}
   798  
   799  	return nil
   800  }
   801  
   802  func validateElGamalParameters(priv *elgamal.PrivateKey) error {
   803  	p := priv.P // group prime
   804  	g := priv.G // g has order p-1 mod p
   805  	x := priv.X // secret
   806  	y := priv.Y // y == g**x mod p
   807  	one := big.NewInt(1)
   808  	// Expect g, y >= 2 and g < p
   809  	if g.Cmp(one) <= 0 || y.Cmp(one) <= 0 || g.Cmp(p) > 0 {
   810  		return errors.KeyInvalidError("elgamal: invalid group")
   811  	}
   812  	if p.BitLen() < 1024 {
   813  		return errors.KeyInvalidError("elgamal: group order too small")
   814  	}
   815  	pSub1 := new(big.Int).Sub(p, one)
   816  	if new(big.Int).Exp(g, pSub1, p).Cmp(one) != 0 {
   817  		return errors.KeyInvalidError("elgamal: invalid group")
   818  	}
   819  	// Since p-1 is not prime, g might have a smaller order that divides p-1.
   820  	// We cannot confirm the exact order of g, but we make sure it is not too small.
   821  	gExpI := new(big.Int).Set(g)
   822  	i := 1
   823  	threshold := 2 << 17 // we want order > threshold
   824  	for i < threshold {
   825  		i++ // we check every order to make sure key validation is not easily bypassed by guessing y'
   826  		gExpI.Mod(new(big.Int).Mul(gExpI, g), p)
   827  		if gExpI.Cmp(one) == 0 {
   828  			return errors.KeyInvalidError("elgamal: order too small")
   829  		}
   830  	}
   831  	// Check y
   832  	if new(big.Int).Exp(g, x, p).Cmp(y) != 0 {
   833  		return errors.KeyInvalidError("elgamal: mismatching values")
   834  	}
   835  
   836  	return nil
   837  }
   838
View as plain text