From e425269f0ee5ddf457988ed14c68d80f970338e0 Mon Sep 17 00:00:00 2001 From: Liyi Meng Date: Sat, 8 Oct 2022 21:15:47 +0200 Subject: [PATCH] Use chinese crypto --- cert/cert.go | 22 ++++++++++++++++------ cert/cert_test.go | 39 +++++++++++++++++++++++++++++++++++++++ cert/csr.go | 8 ++++++-- cert/pem.go | 25 +++++++++++++++++++------ 4 files changed, 80 insertions(+), 14 deletions(-) create mode 100644 cert/cert_test.go diff --git a/cert/cert.go b/cert/cert.go index 35c2bf7..d541741 100644 --- a/cert/cert.go +++ b/cert/cert.go @@ -66,11 +66,16 @@ type AltNames struct { IPs []net.IP } -// NewPrivateKey creates an RSA private key -func NewPrivateKey() (*rsa.PrivateKey, error) { +// NewRSAPrivateKey creates an RSA private key +func NewRSAPrivateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(cryptorand.Reader, rsaKeySize) } +// NewPrivateKey creates an RSA private key +func NewPrivateKey() (*ecdsa.PrivateKey, error) { + return ecdsa.GenerateKey(elliptic.P256Sm2(), cryptorand.Reader) +} + // NewSelfSignedCACert creates a CA certificate func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, error) { now := time.Now() @@ -153,7 +158,7 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe // MakeEllipticPrivateKeyPEM creates an ECDSA private key func MakeEllipticPrivateKeyPEM() ([]byte, error) { - privateKey, err := ecdsa.GenerateKey(elliptic.P256(), cryptorand.Reader) + privateKey, err := ecdsa.GenerateKey(elliptic.P256Sm2(), cryptorand.Reader) if err != nil { return nil, err } @@ -204,7 +209,7 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a maxAge = 100 * time.Hour * 24 * 365 // 100 years fixtures } - caKey, err := rsa.GenerateKey(cryptorand.Reader, 2048) + caKey, err := NewPrivateKey() if err != nil { return nil, nil, err } @@ -232,7 +237,7 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a return nil, nil, err } - priv, err := rsa.GenerateKey(cryptorand.Reader, 2048) + priv, err := NewPrivateKey() if err != nil { return nil, nil, err } @@ -275,7 +280,12 @@ func GenerateSelfSignedCertKeyWithFixtures(host string, alternateIPs []net.IP, a // Generate key keyBuffer := bytes.Buffer{} - if err := pem.Encode(&keyBuffer, &pem.Block{Type: RSAPrivateKeyBlockType, Bytes: x509.MarshalPKCS1PrivateKey(priv)}); err != nil { + privBuf, err := x509.MarshalECPrivateKey(priv) + if err != nil { + return nil, nil, err + } + + if err := pem.Encode(&keyBuffer, &pem.Block{Type: ECPrivateKeyBlockType, Bytes: privBuf}); err != nil { return nil, nil, err } diff --git a/cert/cert_test.go b/cert/cert_test.go new file mode 100644 index 0000000..b3d5eef --- /dev/null +++ b/cert/cert_test.go @@ -0,0 +1,39 @@ +package cert + +import ( + "crypto/ecdsa" + "fmt" + "os" + "testing" +) + +func TestCreateAndReadCert(t *testing.T) { + kFile := "service.key" + defer os.Remove(kFile) + key, err := NewPrivateKey() + if err != nil { + t.Errorf("failed to create private key: %v", err) + } + + if err := WriteKey(kFile, EncodePrivateKeyPEM(key)); err != nil { + t.Errorf("failed to encode private key to pem: %v", err) + } + + keyR, err := PrivateKeyFromFile(kFile) + if err != nil { + t.Errorf("failed to load private key from file: %v", err) + } + + switch k := keyR.(type) { + case *ecdsa.PrivateKey: + fmt.Println("loaded back ecdsa private key") + default: + t.Errorf("load back a wrong private key %v", k) + } + + buf := EncodePrivateKeyPEM(key) + _, err = ParsePrivateKeyPEM(buf) + if err != nil { + t.Errorf("failed to parse private key from pem: %v", err) + } +} diff --git a/cert/csr.go b/cert/csr.go index 39a6751..d1d04b6 100644 --- a/cert/csr.go +++ b/cert/csr.go @@ -17,6 +17,7 @@ limitations under the License. package cert import ( + "crypto/ecdsa" cryptorand "crypto/rand" "crypto/rsa" "crypto/x509" @@ -60,8 +61,11 @@ func MakeCSRFromTemplate(privateKey interface{}, template *x509.CertificateReque func sigType(privateKey interface{}) x509.SignatureAlgorithm { // Customize the signature for RSA keys, depending on the key size - if privateKey, ok := privateKey.(*rsa.PrivateKey); ok { - keySize := privateKey.N.BitLen() + switch privK := privateKey.(type) { + case *ecdsa.PrivateKey: + return x509.ECDSAWithSHA256 + case *rsa.PrivateKey: + keySize := privK.N.BitLen() switch { case keySize >= 4096: return x509.SHA512WithRSA diff --git a/cert/pem.go b/cert/pem.go index b99e366..590867c 100644 --- a/cert/pem.go +++ b/cert/pem.go @@ -41,7 +41,7 @@ const ( ) // EncodePublicKeyPEM returns PEM-encoded public data -func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) { +func EncodePublicKeyPEM(key interface{}) ([]byte, error) { der, err := x509.MarshalPKIXPublicKey(key) if err != nil { return []byte{}, err @@ -54,12 +54,25 @@ func EncodePublicKeyPEM(key *rsa.PublicKey) ([]byte, error) { } // EncodePrivateKeyPEM returns PEM-encoded private key data -func EncodePrivateKeyPEM(key *rsa.PrivateKey) []byte { - block := pem.Block{ - Type: RSAPrivateKeyBlockType, - Bytes: x509.MarshalPKCS1PrivateKey(key), +func EncodePrivateKeyPEM(key interface{}) []byte { + var block *pem.Block + switch privKey := key.(type) { + case *ecdsa.PrivateKey: + derBytes, _ := x509.MarshalECPrivateKey(privKey) + block = &pem.Block{ + Type: ECPrivateKeyBlockType, + Bytes: derBytes, + } + case *rsa.PrivateKey: + block = &pem.Block{ + Type: RSAPrivateKeyBlockType, + Bytes: x509.MarshalPKCS1PrivateKey(privKey), + } } - return pem.EncodeToMemory(&block) + if block != nil { + return pem.EncodeToMemory(block) + } + return []byte{} } // EncodeCertPEM returns PEM-endcoded certificate data