-
Notifications
You must be signed in to change notification settings - Fork 0
/
sign_request.go
118 lines (89 loc) · 2.53 KB
/
sign_request.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
package octokey
import (
"errors"
"github.com/octokey/octokey-go/buffer"
"math/big"
"strings"
)
// A SignRequest represents a request to perform a partial mRSA sign, and also
// the result of that computation. It is represented as a Buffer of
// ("ssh-rsa" // || E || N || M) where E is the public exponent (MPint 65537)
// N is the modulus (a 2048 bit MPint), and M is the message (a 2048 bit MPInt
// strictly less than N)
type SignRequest struct {
Key *PublicKey
M *big.Int
}
const (
SIGN_REQUEST_HEADER = "-----BEGIN MRSA PARTIAL SIGN-----"
SIGN_REQUEST_FOOTER = "-----END MRSA PARTIAL SIGN-----"
)
var (
ErrSignRequestFormat = errors.New("escrow/signing_request: invalid format")
)
// NewSignRequest reads a sign request from a string.
func NewSignRequest(text string) (*SignRequest, error) {
text = strings.TrimSpace(text)
if !strings.HasPrefix(text, SIGN_REQUEST_HEADER) {
return nil, ErrSignRequestFormat
}
text = strings.TrimPrefix(text, SIGN_REQUEST_HEADER)
if !strings.HasSuffix(text, SIGN_REQUEST_FOOTER) {
return nil, ErrSignRequestFormat
}
text = strings.TrimSuffix(text, SIGN_REQUEST_FOOTER)
split := strings.Split(text, "\n\n")
if len(split) > 2 {
return nil, ErrSignRequestFormat
}
base64 := split[len(split)-1]
b := buffer.NewBuffer(base64)
request := new(SignRequest)
err := request.ReadBuffer(b)
if err != nil {
return nil, err
}
b.ScanEof()
if b.Error != nil {
return nil, b.Error
}
return request, nil
}
// ReadBuffer reads a SignRequest from a buffer.
func (request *SignRequest) ReadBuffer(b *buffer.Buffer) error {
publicKey := new(PublicKey)
err := publicKey.ReadBuffer(b)
if err != nil {
return err
}
msg := b.ScanMPInt()
if msg.Cmp(publicKey.N) >= 0 {
return errors.New("cannot sign message > N")
}
request.Key = publicKey
request.M = msg
return nil
}
// Sign partially signs the request with the given key.
func (request *SignRequest) Sign(key *PartialKey) error {
m, err := key.PartialDecrypt(request.M)
if err != nil {
return err
}
request.M = m
return nil
}
// String produces the line-wrapped base-64 version of the challenge,
// suitable for being passed to NewSignRequest()
func (request *SignRequest) String() string {
b := new(buffer.Buffer)
request.WriteBuffer(b)
if b.Error != nil {
panic(errors.New("invalid sign request: " + b.Error.Error()))
}
return SIGN_REQUEST_HEADER + "\n" + lineWrap(b.String(), 64) + SIGN_REQUEST_FOOTER + "\n"
}
func (request *SignRequest) WriteBuffer(b *buffer.Buffer) {
request.Key.WriteBuffer(b)
b.AddMPInt(request.M)
}