package main
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"github.com/pkg/errors"
"github.com/rakutentech/jwk-go/jwk"
"github.com/rakutentech/jwk-go/okp"
"log"
)
// normalizationSettings is applied to every KeySpec this file produces.
// RequireKeyID is set, so Normalize is presumably expected to reject a
// spec that carries no key ID — confirm against the jwk package docs.
var normalizationSettings = jwk.NormalizationSettings{RequireKeyID: true}
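// generateKeyPair builds an asymmetric key pair according to the key-type,
// curve and size flags and wraps both halves as normalized JWK specs.
//
// It returns the raw private key, the raw public key, and the two KeySpecs
// (private first, public second). Every failure terminates the process:
// this is a CLI helper and a half-generated pair is useless, so all error
// paths now go through log.Fatal/log.Fatalf for a uniform exit instead of
// the previous mix of log.Fatal and panic (which dumped a goroutine trace
// for Normalize errors only).
func generateKeyPair() (interface{}, interface{}, *jwk.KeySpec, *jwk.KeySpec) {
	priv, err := generateKey()
	if err != nil {
		log.Fatalf("failed to generate private key: %v", err)
	}

	// publicKey returns nil for key types it does not know how to unpack.
	pub := publicKey(priv)
	if pub == nil {
		log.Fatal("failed to deduce public key from private key")
	}

	privJwk := jwk.NewSpec(priv)
	if err := privJwk.Normalize(normalizationSettings); err != nil {
		log.Fatalf("failed to normalize private key spec: %v", err)
	}

	pubJwk := jwk.NewSpec(pub)
	if err := pubJwk.Normalize(normalizationSettings); err != nil {
		log.Fatalf("failed to normalize public key spec: %v", err)
	}

	return priv, pub, privJwk, pubJwk
}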
// generateKey dispatches on the key-type flag and returns a freshly
// generated private key of that family. Only "ec" and "rsa" are handled
// here; symmetric keys are produced separately by generateOctKey. Any
// other value is reported as an error rather than silently defaulted.
func generateKey() (interface{}, error) {
	kt := *keyType
	if kt == "ec" {
		return generateECKey()
	}
	if kt == "rsa" {
		return generateRSAKey()
	}
	return nil, errors.Errorf("Unknown key type: %s", kt)
}
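// generateOctKey produces a random symmetric ("oct") key of *bits bits and
// wraps it as a normalized JWK spec.
//
// Sizes below 128 bits are refused unless the allow-unsafe flag is set
// (the message cites NIST's 128-bit recommendation); the size must also be
// a positive multiple of 8 so it maps to a whole number of octets. The
// positivity check is needed because the unsafe flag bypasses the 128-bit
// floor: without it a zero size would yield an empty key and a negative
// size would make make([]byte, n) panic. All failures are fatal, matching
// the CLI-style error handling used by the rest of this file.
func generateOctKey() *jwk.KeySpec {
	size := *bits
	if size < 128 && !*allowUnsafe {
		log.Fatalf("Symmetric key size (%d) is too small. NIST recommends at least 128 bits.", size)
	}
	if size <= 0 {
		log.Fatalf("Symmetric key size (%d) must be positive", size)
	}
	if size%8 != 0 {
		log.Fatalf("Symmetric octet key bits must be multiple of 8")
	}

	// crypto/rand is the only acceptable source for key material.
	raw := make([]byte, size/8)
	if _, err := rand.Read(raw); err != nil {
		log.Fatalf("failed to generate symmetric key: %v", err)
	}

	key := jwk.NewSpec(raw)
	if err := key.Normalize(normalizationSettings); err != nil {
		log.Fatalf("failed to normalize symmetric key spec: %v", err)
	}
	return key
}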
// generateECKey generates a private key on the curve named by the curve
// flag. The NIST curves are accepted with or without the hyphen ("P256"
// and "P-256" are equivalent) and go through crypto/ecdsa; Ed25519 and
// X25519 are delegated to the okp helpers. Note that X25519 is a
// key-agreement curve, so a key generated with it is not a signing key.
// An unrecognised name is an error.
func generateECKey() (interface{}, error) {
	name := *curve

	var nist elliptic.Curve
	switch name {
	case "P256", "P-256":
		nist = elliptic.P256()
	case "P384", "P-384":
		nist = elliptic.P384()
	case "P521", "P-521":
		nist = elliptic.P521()
	case "Ed25519":
		return okp.GenerateEd25519(rand.Reader)
	case "X25519":
		return okp.GenerateCurve25519(rand.Reader)
	default:
		return nil, errors.Errorf("Unknown Elliptic Curve: %s", name)
	}

	// Only the NIST curves reach this point.
	return ecdsa.GenerateKey(nist, rand.Reader)
}
// generateRSAKey generates an RSA private key of *bits bits.
//
// Sizes outside 512..8192 are always rejected; sizes between 512 and 2047
// are rejected unless the allow-unsafe flag is set (the message cites
// NIST's 2048-bit recommendation). Generation uses crypto/rand.
func generateRSAKey() (interface{}, error) {
	size := *bits
	switch {
	case size < 512, size > 8192:
		return nil, errors.Errorf("Invalid RSA key size: %d", size)
	case size < 2048 && !*allowUnsafe:
		return nil, errors.Errorf("RSA key size (%d) is too small. NIST recommends at least 2048 bits.", size)
	}
	return rsa.GenerateKey(rand.Reader, size)
}
// publicKey extracts the public half of a generated private key.
//
// RSA and ECDSA keys expose their public key as an embedded field, so a
// pointer to it is returned directly. Octet key pairs are unpacked via
// okp.CurveExtractPublic; a failure there is treated as a programming
// error and panics. Any other type yields nil, which callers must check.
func publicKey(priv interface{}) interface{} {
	if k, ok := priv.(*rsa.PrivateKey); ok {
		return &k.PublicKey
	}
	if k, ok := priv.(*ecdsa.PrivateKey); ok {
		return &k.PublicKey
	}

	pair, ok := priv.(okp.CurveOctetKeyPair)
	if !ok {
		return nil
	}
	pub, err := okp.CurveExtractPublic(pair)
	if err != nil {
		panic(err)
	}
	return pub
}