162 lines
4.1 KiB
Go
162 lines
4.1 KiB
Go
package dhutil
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/aes"
|
|
"crypto/cipher"
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
|
|
"golang.org/x/crypto/hkdf"
|
|
|
|
"golang.org/x/crypto/curve25519"
|
|
)
|
|
|
|
type PublicKeyInfo struct {
|
|
Curve25519PublicKey []byte `json:"curve25519_public_key"`
|
|
}
|
|
|
|
type Envelope struct {
|
|
Curve25519PublicKey []byte `json:"curve25519_public_key"`
|
|
Nonce []byte `json:"nonce"`
|
|
EncryptedPayload []byte `json:"encrypted_payload"`
|
|
}
|
|
|
|
// generatePublicPrivateKey uses curve25519 to generate a public and private key
|
|
// pair.
|
|
func GeneratePublicPrivateKey() ([]byte, []byte, error) {
|
|
var scalar, public [32]byte
|
|
|
|
if _, err := io.ReadFull(rand.Reader, scalar[:]); err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
curve25519.ScalarBaseMult(&public, &scalar)
|
|
return public[:], scalar[:], nil
|
|
}
|
|
|
|
// GenerateSharedSecret uses the private key and the other party's public key to
|
|
// generate the shared secret.
|
|
func GenerateSharedSecret(ourPrivate, theirPublic []byte) ([]byte, error) {
|
|
if len(ourPrivate) != 32 {
|
|
return nil, fmt.Errorf("invalid private key length: %d", len(ourPrivate))
|
|
}
|
|
if len(theirPublic) != 32 {
|
|
return nil, fmt.Errorf("invalid public key length: %d", len(theirPublic))
|
|
}
|
|
|
|
return curve25519.X25519(ourPrivate, theirPublic)
|
|
}
|
|
|
|
// DeriveSharedKey uses HKDF to derive a key from a shared secret and public keys
|
|
func DeriveSharedKey(secret, ourPublic, theirPublic []byte) ([]byte, error) {
|
|
// Derive the final key from the HKDF of the secret and public keys.
|
|
|
|
/*
|
|
Internally, HKDF hashes the secret and two public keys. If Alice and Bob are doing DH key exchange, Alice calculates:
|
|
|
|
HKDF(secret, A, B) since ourPublic is A.
|
|
|
|
Bob calculates HKDF(secret, B, A), since Bob's ours is B. That produces a different value. Now we only care
|
|
that both public keys participate in the derivation, so simply sorting them so they are in a consistent
|
|
numerical order (either one would do) arrives at an agreed value.
|
|
*/
|
|
|
|
var pub1 []byte
|
|
var pub2 []byte
|
|
switch bytes.Compare(ourPublic, theirPublic) {
|
|
case 0:
|
|
return nil, errors.New("same public key supplied for both participants")
|
|
case -1:
|
|
pub1 = ourPublic
|
|
pub2 = theirPublic
|
|
case 1:
|
|
pub1 = theirPublic
|
|
pub2 = ourPublic
|
|
}
|
|
|
|
kio := hkdf.New(sha256.New, secret, pub1, pub2)
|
|
|
|
var key [32]byte
|
|
n, err := io.ReadFull(kio, key[:])
|
|
if err != nil {
|
|
// Don't return the key along with the error to prevent misuse
|
|
return nil, err
|
|
}
|
|
if n != 32 {
|
|
return nil, errors.New("short read from hkdf")
|
|
}
|
|
|
|
return key[:], nil
|
|
}
|
|
|
|
// Use AES256-GCM to encrypt some plaintext with a provided key. The returned values are
|
|
// the ciphertext, the nonce, and error respectively.
|
|
func EncryptAES(key, plaintext, aad []byte) ([]byte, []byte, error) {
|
|
// We enforce AES-256, so check explicitly for 32 bytes on the key
|
|
if len(key) != 32 {
|
|
return nil, nil, fmt.Errorf("invalid key length: %d", len(key))
|
|
}
|
|
|
|
if len(plaintext) == 0 {
|
|
return nil, nil, errors.New("empty plaintext provided")
|
|
}
|
|
|
|
block, err := aes.NewCipher(key)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
// Never use more than 2^32 random nonces with a given key because of the risk of a repeat.
|
|
nonce := make([]byte, 12)
|
|
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
aesgcm, err := cipher.NewGCM(block)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
ciphertext := aesgcm.Seal(nil, nonce, plaintext, aad)
|
|
|
|
return ciphertext, nonce, nil
|
|
}
|
|
|
|
// Use AES256-GCM to decrypt some ciphertext with a provided key and nonce. The
|
|
// returned values are the plaintext and error respectively.
|
|
func DecryptAES(key, ciphertext, nonce, aad []byte) ([]byte, error) {
|
|
// We enforce AES-256, so check explicitly for 32 bytes on the key
|
|
if len(key) != 32 {
|
|
return nil, fmt.Errorf("invalid key length: %d", len(key))
|
|
}
|
|
|
|
if len(ciphertext) == 0 {
|
|
return nil, errors.New("empty ciphertext provided")
|
|
}
|
|
|
|
if len(nonce) == 0 {
|
|
return nil, errors.New("empty nonce provided")
|
|
}
|
|
|
|
block, err := aes.NewCipher(key)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
aesgcm, err := cipher.NewGCM(block)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
plaintext, err := aesgcm.Open(nil, nonce, ciphertext, aad)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return plaintext, nil
|
|
}
|