-
-
Notifications
You must be signed in to change notification settings - Fork 17
/
Copy pathv3.go
125 lines (87 loc) · 3.53 KB
/
v3.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
package paseto
import (
"crypto/aes"
"crypto/cipher"
"crypto/ecdsa"
"crypto/hmac"
"crypto/rand"
"crypto/sha512"
"math/big"
"aidanwoods.dev/go-paseto/v2/internal/encoding"
"aidanwoods.dev/go-paseto/v2/internal/random"
t "aidanwoods.dev/go-result"
)
func v3PublicSign(packet TokenClaimsAndFooter, key V3AsymmetricSecretKey, implicit []byte) message {
data, footer := packet.Claims, packet.Footer
header := []byte(V3Public.Header())
m2 := encoding.Pae(key.Public().compressed(), header, data, footer, implicit)
hash := sha512.Sum384(m2)
r, s := t.NewTupleResult(ecdsa.Sign(rand.Reader, &key.material, hash[:])).
Expect("sign should always succeed").
Destructure()
var rBytes [48]byte
var sBytes [48]byte
r.FillBytes(rBytes[:])
s.FillBytes(sBytes[:])
sig := append(rBytes[:], sBytes[:]...)
if len(sig) != 96 {
panic("Bad signature length")
}
var signature [96]byte
copy(signature[:], sig)
return newMessageFromPayloadAndFooter(v3PublicPayload{data, signature}, footer)
}
func v3PublicVerify(msg message, key V3AsymmetricPublicKey, implicit []byte) t.Result[TokenClaimsAndFooter] {
payload, ok := msg.p.(v3PublicPayload)
if msg.header() != V3Public.Header() || !ok {
return t.Err[TokenClaimsAndFooter](errorMessageHeaderVerify(V3Public, msg.header()))
}
header, footer := []byte(msg.header()), msg.footer
data := payload.message
m2 := encoding.Pae(key.compressed(), header, data, footer, implicit)
hash := sha512.Sum384(m2)
r := new(big.Int).SetBytes(payload.signature[:48])
s := new(big.Int).SetBytes(payload.signature[48:])
if !ecdsa.Verify(&key.material, hash[:], r, s) {
return t.Err[TokenClaimsAndFooter](errorBadSignature)
}
return t.Ok(TokenClaimsAndFooter{data, footer})
}
func v3LocalEncrypt(p TokenClaimsAndFooter, key V3SymmetricKey, implicit []byte, unitTestNonce []byte) message {
var nonce [32]byte
random.UseProvidedOrFillBytes(unitTestNonce, nonce[:])
encKey, authKey, nonce2 := key.split(nonce)
blockCipher := t.NewResult(aes.NewCipher(encKey[:])).
Expect("cipher should construct")
cipherText := make([]byte, len(p.Claims))
cipher.NewCTR(blockCipher, nonce2[:]).XORKeyStream(cipherText, p.Claims)
header := []byte(V3Local.Header())
preAuth := encoding.Pae(header, nonce[:], cipherText, p.Footer, implicit)
hm := hmac.New(sha512.New384, authKey[:])
t.NewResult(hm.Write(preAuth)).Expect("hmac write should succeed")
var tag [48]byte
copy(tag[:], hm.Sum(nil))
return newMessageFromPayloadAndFooter(v3LocalPayload{nonce, cipherText, tag}, p.Footer)
}
func v3LocalDecrypt(msg message, key V3SymmetricKey, implicit []byte) t.Result[TokenClaimsAndFooter] {
payload, ok := msg.p.(v3LocalPayload)
if msg.header() != V3Local.Header() || !ok {
return t.Err[TokenClaimsAndFooter](errorMessageHeaderDecrypt(V3Local, msg.header()))
}
nonce, cipherText, givenTag := payload.nonce, payload.cipherText, payload.tag
encKey, authKey, nonce2 := key.split(nonce)
header := []byte(msg.header())
preAuth := encoding.Pae(header, nonce[:], cipherText, msg.footer, implicit)
hm := hmac.New(sha512.New384, authKey[:])
t.NewResult(hm.Write(preAuth)).Expect("hmac write should succeed")
var expectedTag [48]byte
copy(expectedTag[:], hm.Sum(nil))
if !hmac.Equal(expectedTag[:], givenTag[:]) {
return t.Err[TokenClaimsAndFooter](errorBadMAC)
}
blockCipher := t.NewResult(aes.NewCipher(encKey[:])).
Expect("cipher should construct")
plainText := make([]byte, len(cipherText))
cipher.NewCTR(blockCipher, nonce2[:]).XORKeyStream(plainText, cipherText)
return t.Ok(TokenClaimsAndFooter{plainText, msg.footer})
}