security/pkg/pki/util/crypto.go - dubbo-go-pixiu - Git at Google

 // Copyright Istio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package util

 import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"reflect"
 	"strings"
 )

 const (
 	blockTypeECPrivateKey    = "EC PRIVATE KEY"
 	blockTypeRSAPrivateKey   = "RSA PRIVATE KEY" // PKCS#1 private key
 	blockTypePKCS8PrivateKey = "PRIVATE KEY"     // PKCS#8 plain private key
 )

 // ParsePemEncodedCertificate constructs a `x509.Certificate` object using the
 // given a PEM-encoded certificate.
 func ParsePemEncodedCertificate(certBytes []byte) (*x509.Certificate, error) {
 	cb, _ := pem.Decode(certBytes)
 	if cb == nil {
 		return nil, fmt.Errorf("invalid PEM encoded certificate")
 	}

 	cert, err := x509.ParseCertificate(cb.Bytes)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse X.509 certificate")
 	}

 	return cert, nil
 }

 // ParsePemEncodedCertificateChain constructs a slice of `x509.Certificate`
 // objects using the given a PEM-encoded certificate chain.
 func ParsePemEncodedCertificateChain(certBytes []byte) ([]*x509.Certificate, error) {
 	var (
 		certs []*x509.Certificate
 		cb    *pem.Block
 	)
 	for {
 		cb, certBytes = pem.Decode(certBytes)
 		if cb == nil {
 			break
 		}
 		cert, err := x509.ParseCertificate(cb.Bytes)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse X.509 certificate")
 		}
 		certs = append(certs, cert)
 	}
 	if len(certs) == 0 {
 		return nil, fmt.Errorf("no PEM encoded X.509 certificates parsed")
 	}
 	return certs, nil
 }

 // ParsePemEncodedCSR constructs a `x509.CertificateRequest` object using the
 // given PEM-encoded certificate signing request.
 func ParsePemEncodedCSR(csrBytes []byte) (*x509.CertificateRequest, error) {
 	block, _ := pem.Decode(csrBytes)
 	if block == nil {
 		return nil, fmt.Errorf("certificate signing request is not properly encoded")
 	}
 	csr, err := x509.ParseCertificateRequest(block.Bytes)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse X.509 certificate signing request")
 	}
 	return csr, nil
 }

 // ParsePemEncodedKey takes a PEM-encoded key and parsed the bytes into a `crypto.PrivateKey`.
 func ParsePemEncodedKey(keyBytes []byte) (crypto.PrivateKey, error) {
 	kb, _ := pem.Decode(keyBytes)
 	if kb == nil {
 		return nil, fmt.Errorf("invalid PEM-encoded key")
 	}

 	switch kb.Type {
 	case blockTypeECPrivateKey:
 		key, err := x509.ParseECPrivateKey(kb.Bytes)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse the ECDSA private key")
 		}
 		return key, nil
 	case blockTypeRSAPrivateKey:
 		key, err := x509.ParsePKCS1PrivateKey(kb.Bytes)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse the RSA private key")
 		}
 		return key, nil
 	case blockTypePKCS8PrivateKey:
 		key, err := x509.ParsePKCS8PrivateKey(kb.Bytes)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse the PKCS8 private key")
 		}
 		return key, nil
 	default:
 		return nil, fmt.Errorf("unsupported PEM block type for a private key: %s", kb.Type)
 	}
 }

 // GetRSAKeySize returns the size if it is RSA key, otherwise it returns an error.
 func GetRSAKeySize(privKey crypto.PrivateKey) (int, error) {
 	if t := reflect.TypeOf(privKey); t != reflect.TypeOf(&rsa.PrivateKey{}) {
 		return 0, fmt.Errorf("key type is not RSA: %v", t)
 	}
 	pkey := privKey.(*rsa.PrivateKey)
 	return pkey.N.BitLen(), nil
 }

 // IsSupportedECPrivateKey is a predicate returning true if the private key is EC based
 func IsSupportedECPrivateKey(privKey *crypto.PrivateKey) bool {
 	switch (*privKey).(type) {
 	// this should agree with var SupportedECSignatureAlgorithms
 	case *ecdsa.PrivateKey:
 		return true
 	default:
 		return false
 	}
 }

 // PemCertBytestoString: takes an array of PEM certs in bytes and returns a string array in the same order with
 // trailing newline characters removed
 func PemCertBytestoString(caCerts []byte) []string {
 	certs := []string{}
 	var cert string
 	pemBlock := caCerts
 	for block, rest := pem.Decode(pemBlock); block != nil && len(block.Bytes) != 0; block, rest = pem.Decode(pemBlock) {
 		if len(rest) == 0 {
 			cert = strings.TrimPrefix(strings.TrimSuffix(string(pemBlock), "\n"), "\n")
 			certs = append(certs, cert)
 			break
 		}
 		cert = string(pemBlock[0 : len(pemBlock)-len(rest)])
 		cert = strings.TrimPrefix(strings.TrimSuffix(cert, "\n"), "\n")
 		certs = append(certs, cert)
 		pemBlock = rest
 	}
 	return certs
 }
	// Copyright Istio Authors
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package util

	import (
	"crypto"
	"crypto/ecdsa"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"reflect"
	"strings"
	)

	const (
	blockTypeECPrivateKey = "EC PRIVATE KEY"
	blockTypeRSAPrivateKey = "RSA PRIVATE KEY" // PKCS#1 private key
	blockTypePKCS8PrivateKey = "PRIVATE KEY" // PKCS#8 plain private key
	)

	// ParsePemEncodedCertificate constructs a `x509.Certificate` object using the
	// given a PEM-encoded certificate.
	func ParsePemEncodedCertificate(certBytes []byte) (*x509.Certificate, error) {
	cb, _ := pem.Decode(certBytes)
	if cb == nil {
	return nil, fmt.Errorf("invalid PEM encoded certificate")
	}

	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
	return nil, fmt.Errorf("failed to parse X.509 certificate")
	}

	return cert, nil
	}

	// ParsePemEncodedCertificateChain constructs a slice of `x509.Certificate`
	// objects using the given a PEM-encoded certificate chain.
	func ParsePemEncodedCertificateChain(certBytes []byte) ([]*x509.Certificate, error) {
	var (
	certs []*x509.Certificate
	cb *pem.Block
	)
	for {
	cb, certBytes = pem.Decode(certBytes)
	if cb == nil {
	break
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
	return nil, fmt.Errorf("failed to parse X.509 certificate")
	}
	certs = append(certs, cert)
	}
	if len(certs) == 0 {
	return nil, fmt.Errorf("no PEM encoded X.509 certificates parsed")
	}
	return certs, nil
	}

	// ParsePemEncodedCSR constructs a `x509.CertificateRequest` object using the
	// given PEM-encoded certificate signing request.
	func ParsePemEncodedCSR(csrBytes []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrBytes)
	if block == nil {
	return nil, fmt.Errorf("certificate signing request is not properly encoded")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
	return nil, fmt.Errorf("failed to parse X.509 certificate signing request")
	}
	return csr, nil
	}

	// ParsePemEncodedKey takes a PEM-encoded key and parsed the bytes into a `crypto.PrivateKey`.
	func ParsePemEncodedKey(keyBytes []byte) (crypto.PrivateKey, error) {
	kb, _ := pem.Decode(keyBytes)
	if kb == nil {
	return nil, fmt.Errorf("invalid PEM-encoded key")
	}

	switch kb.Type {
	case blockTypeECPrivateKey:
	key, err := x509.ParseECPrivateKey(kb.Bytes)
	if err != nil {
	return nil, fmt.Errorf("failed to parse the ECDSA private key")
	}
	return key, nil
	case blockTypeRSAPrivateKey:
	key, err := x509.ParsePKCS1PrivateKey(kb.Bytes)
	if err != nil {
	return nil, fmt.Errorf("failed to parse the RSA private key")
	}
	return key, nil
	case blockTypePKCS8PrivateKey:
	key, err := x509.ParsePKCS8PrivateKey(kb.Bytes)
	if err != nil {
	return nil, fmt.Errorf("failed to parse the PKCS8 private key")
	}
	return key, nil
	default:
	return nil, fmt.Errorf("unsupported PEM block type for a private key: %s", kb.Type)
	}
	}

	// GetRSAKeySize returns the size if it is RSA key, otherwise it returns an error.
	func GetRSAKeySize(privKey crypto.PrivateKey) (int, error) {
	if t := reflect.TypeOf(privKey); t != reflect.TypeOf(&rsa.PrivateKey{}) {
	return 0, fmt.Errorf("key type is not RSA: %v", t)
	}
	pkey := privKey.(*rsa.PrivateKey)
	return pkey.N.BitLen(), nil
	}

	// IsSupportedECPrivateKey is a predicate returning true if the private key is EC based
	func IsSupportedECPrivateKey(privKey *crypto.PrivateKey) bool {
	switch (*privKey).(type) {
	// this should agree with var SupportedECSignatureAlgorithms
	case *ecdsa.PrivateKey:
	return true
	default:
	return false
	}
	}

	// PemCertBytestoString: takes an array of PEM certs in bytes and returns a string array in the same order with
	// trailing newline characters removed
	func PemCertBytestoString(caCerts []byte) []string {
	certs := []string{}
	var cert string
	pemBlock := caCerts
	for block, rest := pem.Decode(pemBlock); block != nil && len(block.Bytes) != 0; block, rest = pem.Decode(pemBlock) {
	if len(rest) == 0 {
	cert = strings.TrimPrefix(strings.TrimSuffix(string(pemBlock), "\n"), "\n")
	certs = append(certs, cert)
	break
	}
	cert = string(pemBlock[0 : len(pemBlock)-len(rest)])
	cert = strings.TrimPrefix(strings.TrimSuffix(cert, "\n"), "\n")
	certs = append(certs, cert)
	pemBlock = rest
	}
	return certs
	}