fixed jceks

Author: deatil

jceks/bks_encode.go

@@ -532,7 +532,7 @@ func (this *BKS) Marshal(password string, opts ...BKSOpts) ([]byte, error) {
 
     salt, err := genRandom(opt.SaltSize)
     if err != nil {
-        return nil, errors.New("failed to generate salt")
+        return nil, errors.New("go-cryptobin/jceks: failed to generate salt")
     }
 
     err = writeBytes(buf, salt)

jceks/bks_entry.go

@@ -6,7 +6,6 @@ import (
     "bytes"
     "errors"
     "crypto"
-    "encoding/asn1"
 )
 
 type BksDataEntry interface {
@@ -219,15 +218,7 @@ func (this *bksSealedKeyEntry) Decrypt(password string) error {
         return errors.New("decrypt EOF")
     }
 
-    params, err := asn1.Marshal(pbeParam{
-        Salt:           salt,
-        IterationCount: int(iterationCount),
-    })
-    if err != nil {
-        return errors.New("decrypt marshal error")
-    }
-
-    decrypted, err := CipherSHA1And3DESForBKS.Decrypt([]byte(password), params, encryptedBlob)
+    decrypted, err := CipherSHA1And3DESForBKS.decrypt([]byte(password), salt, int(iterationCount), encryptedBlob)
     if err != nil {
         return errors.New("decrypt EOF")
     }
@@ -262,24 +253,19 @@ func (this *bksSealedKeyEntry) Encrypt() ([]byte, error) {
 
     plaintext := bksBuf.Bytes()
 
-    encrypted, params, err := CipherSHA1And3DESForBKS.Encrypt([]byte(this.password), plaintext)
+    encrypted, salt, iterationCount, err := CipherSHA1And3DESForBKS.encrypt([]byte(this.password), plaintext)
     if err != nil {
         return nil, err
     }
 
-    var param pbeParam
-    if _, err := asn1.Unmarshal(params, &param); err != nil {
-        return nil, err
-    }
-
     buf := bytes.NewBuffer(nil)
 
-    err = writeBytes(buf, param.Salt)
+    err = writeBytes(buf, salt)
     if err != nil {
         return nil, err
     }
 
-    err = writeInt32(buf, int32(param.IterationCount))
+    err = writeInt32(buf, int32(iterationCount))
     if err != nil {
         return nil, err
     }

jceks/cipher_blockcbc.go

@@ -8,13 +8,13 @@ import (
     "encoding/asn1"
 )
 
-// pbe 数据
+// pbe parameters
 type pbeParam struct {
     Salt           []byte
     IterationCount int
 }
 
-// cbc 模式加密
+// Cipher Block CBC mode
 type CipherBlockCBC struct {
     // 对称加密
     cipherFunc     func(key []byte) (cipher.Block, error)
@@ -34,7 +34,7 @@ type CipherBlockCBC struct {
     oid            asn1.ObjectIdentifier
 }
 
-// 值大小
+// Key Size
 func (this CipherBlockCBC) KeySize() int {
     return this.keySize
 }
@@ -44,85 +44,103 @@ func (this CipherBlockCBC) OID() asn1.ObjectIdentifier {
     return this.oid
 }
 
-// 加密
+// with saltSize
+func (this CipherBlockCBC) WithSaltSize(saltSize int) CipherBlockCBC {
+    this.saltSize = saltSize
+
+    return this
+}
+
+// Encrypt data
 func (this CipherBlockCBC) Encrypt(password, plaintext []byte) ([]byte, []byte, error) {
-    // 加密数据补码
+    encrypted, salt, iterationCount, err := this.encrypt(password, plaintext)
+    if err != nil {
+        return nil, nil, err
+    }
+
+    // Marshal pbe param
+    paramBytes, err := asn1.Marshal(pbeParam{
+        Salt:           salt,
+        IterationCount: iterationCount,
+    })
+    if err != nil {
+        return nil, nil, err
+    }
+
+    return encrypted, paramBytes, nil
+}
+
+// Decrypt data
+func (this CipherBlockCBC) Decrypt(password, params, ciphertext []byte) ([]byte, error) {
+    var param pbeParam
+    if _, err := asn1.Unmarshal(params, &param); err != nil {
+        return nil, errors.New("go-cryptobin/jceks: invalid PBE parameters")
+    }
+
+    return this.decrypt(password, param.Salt, param.IterationCount, ciphertext)
+}
+
+func (this CipherBlockCBC) encrypt(password, plaintext []byte) (encrypted, salt []byte, iterationCount int, err error) {
+    // pkcs7 padding
     plaintext = pkcs7Padding(plaintext, this.blockSize)
 
-    salt, err := genRandom(this.saltSize)
+    salt, err = genRandom(this.saltSize)
     if err != nil {
-        return nil, nil, errors.New(err.Error() + " failed to generate salt")
+        err = errors.New("go-cryptobin/jceks: failed to generate salt")
+        return
     }
 
     key, iv := this.derivedKeyFunc(string(password), string(salt), this.iterationCount, this.keySize, this.blockSize, this.hashFunc)
     if key == nil && iv == nil {
-        return nil, nil, fmt.Errorf("unexpected salt length: %d", len(salt))
+        err = fmt.Errorf("go-cryptobin/jceks: unexpected salt length: %d", len(salt))
+        return
     }
 
     block, err := this.cipherFunc(key)
     if err != nil {
-        return nil, nil, errors.New("pkcs8:" + err.Error() + " failed to create cipher")
+        err = fmt.Errorf("go-cryptobin/jceks: failed to create cipher: %s", err.Error())
+        return
     }
 
     // 需要保存的加密数据
-    encrypted := make([]byte, len(plaintext))
+    encrypted = make([]byte, len(plaintext))
 
     enc := cipher.NewCBCEncrypter(block, iv)
     enc.CryptBlocks(encrypted, plaintext)
 
-    // 返回数据
-    paramBytes, err := asn1.Marshal(pbeParam{
-        Salt:           salt,
-        IterationCount: this.iterationCount,
-    })
-    if err != nil {
-        return nil, nil, err
-    }
+    iterationCount = this.iterationCount
 
-    return encrypted, paramBytes, nil
+    return
 }
 
-// 解密
-func (this CipherBlockCBC) Decrypt(password, params, ciphertext []byte) ([]byte, error) {
-    var param pbeParam
-    if _, err := asn1.Unmarshal(params, &param); err != nil {
-        return nil, errors.New("pkcs8: invalid PBES2 parameters")
-    }
-
-    key, iv := this.derivedKeyFunc(string(password), string(param.Salt), param.IterationCount, this.keySize, this.blockSize, this.hashFunc)
+func (this CipherBlockCBC) decrypt(password, salt []byte, iterationCount int, ciphertext []byte) ([]byte, error) {
+    key, iv := this.derivedKeyFunc(string(password), string(salt), iterationCount, this.keySize, this.blockSize, this.hashFunc)
     if key == nil && iv == nil {
-        return nil, fmt.Errorf("unexpected salt length: %d", len(param.Salt))
+        return nil, fmt.Errorf("go-cryptobin/jceks: unexpected salt length: %d", len(salt))
     }
 
     block, err := this.cipherFunc(key)
     if err != nil {
         return nil, err
     }
 
-    // 判断数据是否为填充数据
+    // check ciphertext length
     blockSize := block.BlockSize()
     dlen := len(ciphertext)
     if dlen == 0 || dlen%blockSize != 0 {
-        return nil, errors.New("pkcs8: invalid padding")
+        return nil, errors.New("go-cryptobin/jceks: invalid padding")
     }
 
     plaintext := make([]byte, len(ciphertext))
 
     mode := cipher.NewCBCDecrypter(block, iv)
     mode.CryptBlocks(plaintext, ciphertext)
 
-    // 解析加密数据
+    // pkcs7 UnPadding
     plaintext, err = pkcs7UnPadding(plaintext)
     if err != nil {
         return nil, err
     }
 
     return plaintext, nil
 }
-
-// 设置 saltSize
-func (this CipherBlockCBC) WithSaltSize(saltSize int) CipherBlockCBC {
-    this.saltSize = saltSize
-
-    return this
-}

jceks/cipher_setting.go

@@ -42,7 +42,7 @@ var CipherSHA1And3DES = CipherBlockCBC{
     oid:            oidPbeWithSHA1And3DES,
 }
 
-// bks 使用
+// for BKS and UBER
 var CipherSHA1And3DESForBKS = CipherBlockCBC{
     cipherFunc:     des.NewTripleDESCipher,
     hashFunc:       sha1.New,

jceks/jks_encryptkey.go

@@ -41,7 +41,7 @@ func jksDecryptKey(encryptedPKI []byte, passwd []byte) ([]byte, error) {
     sha.Write(key)
 
     if subtle.ConstantTimeCompare(check, sha.Sum(nil)) != 1 {
-        return nil, errors.New("keystore was tampered with or password was incorrect")
+        return nil, errors.New("go-cryptobin/jceks: keystore was tampered with or password was incorrect")
     }
 
     return key, nil

jceks/key.go

@@ -32,7 +32,7 @@ func ParsePKCS8PrivateKey(pkData []byte) (privateKey crypto.PrivateKey, err erro
         }
     }
 
-    return nil, errors.New("jceks: error parsing PKCS#8 private key: " + err.Error())
+    return nil, errors.New("go-cryptobin/jceks: error parsing PKCS#8 private key: " + err.Error())
 }
 
 // 从注册的 key 列表编码证书
@@ -41,7 +41,7 @@ func MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error) {
 
     key, ok := keys[keytype]
     if !ok {
-        return nil, errors.New("jceks: unsupported private key type " + keytype)
+        return nil, errors.New("go-cryptobin/jceks: unsupported private key type " + keytype)
     }
 
     return key().MarshalPKCS8PrivateKey(privateKey)
@@ -55,7 +55,7 @@ func ParsePKCS8PublicKey(pkData []byte) (publicKey crypto.PublicKey, err error)
         }
     }
 
-    return nil, errors.New("jceks: error parsing PKCS#8 public key: " + err.Error())
+    return nil, errors.New("go-cryptobin/jceks: error parsing PKCS#8 public key: " + err.Error())
 }
 
 // 从注册的 key 列表编码公钥证书
@@ -64,7 +64,7 @@ func MarshalPKCS8PublicKey(publicKey crypto.PublicKey) ([]byte, error) {
 
     key, ok := keys[keytype]
     if !ok {
-        return nil, errors.New("jceks: unsupported public key type " + keytype)
+        return nil, errors.New("go-cryptobin/jceks: unsupported public key type " + keytype)
     }
 
     return key().MarshalPKCS8PublicKey(publicKey)
@@ -76,7 +76,7 @@ func GetPKCS8PrivateKeyAlgorithm(privateKey crypto.PrivateKey) (string, error) {
 
     key, ok := keys[keytype]
     if !ok {
-        return "", errors.New("jceks: unsupported private key type " + keytype)
+        return "", errors.New("go-cryptobin/jceks: unsupported private key type " + keytype)
     }
 
     return key().Algorithm(), nil
@@ -88,7 +88,7 @@ func GetPKCS8PublicKeyAlgorithm(publicKey crypto.PublicKey) (string, error) {
 
     key, ok := keys[keytype]
     if !ok {
-        return "", errors.New("jceks: unsupported private key type " + keytype)
+        return "", errors.New("go-cryptobin/jceks: unsupported private key type " + keytype)
     }
 
     return key().Algorithm(), nil

jceks/key_dsa.go

@@ -15,12 +15,12 @@ type KeyDSA struct {}
 func (this KeyDSA) MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error) {
     priKey, ok := privateKey.(*dsa.PrivateKey)
     if !ok {
-        return nil, errors.New("jceks: private key is err")
+        return nil, errors.New("go-cryptobin/jceks: private key is err")
     }
 
     pkData, err := cryptobin_dsa.MarshalPKCS8PrivateKey(priKey)
     if err != nil {
-        return nil, errors.New("jceks: error encoding PKCS#8 private key: " + err.Error())
+        return nil, errors.New("go-cryptobin/jceks: error encoding PKCS#8 private key: " + err.Error())
     }
 
     return pkData, nil
@@ -30,7 +30,7 @@ func (this KeyDSA) MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte,
 func (this KeyDSA) ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error) {
     privateKey, err := cryptobin_dsa.ParsePKCS8PrivateKey(pkData)
     if err != nil {
-        return nil, errors.New("jceks: error parsing PKCS#8 private key: " + err.Error())
+        return nil, errors.New("go-cryptobin/jceks: error parsing PKCS#8 private key: " + err.Error())
     }
 
     return privateKey, nil
@@ -42,12 +42,12 @@ func (this KeyDSA) ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error
 func (this KeyDSA) MarshalPKCS8PublicKey(publicKey crypto.PublicKey) ([]byte, error) {
     pubKey, ok := publicKey.(*dsa.PublicKey)
     if !ok {
-        return nil, errors.New("jceks: public key is err")
+        return nil, errors.New("go-cryptobin/jceks: public key is err")
     }
 
     pkData, err := cryptobin_dsa.MarshalPKCS8PublicKey(pubKey)
     if err != nil {
-        return nil, errors.New("jceks: error encoding PKCS#8 public key: " + err.Error())
+        return nil, errors.New("go-cryptobin/jceks: error encoding PKCS#8 public key: " + err.Error())
     }
 
     return pkData, nil
@@ -57,7 +57,7 @@ func (this KeyDSA) MarshalPKCS8PublicKey(publicKey crypto.PublicKey) ([]byte, er
 func (this KeyDSA) ParsePKCS8PublicKey(pkData []byte) (crypto.PublicKey, error) {
     publicKey, err := cryptobin_dsa.ParsePKCS8PublicKey(pkData)
     if err != nil {
-        return nil, errors.New("jceks: error parsing PKCS#8 public key: " + err.Error())
+        return nil, errors.New("go-cryptobin/jceks: error parsing PKCS#8 public key: " + err.Error())
     }
 
     return publicKey, nil

jceks/key_ecdsa.go

@@ -13,7 +13,7 @@ type KeyEcdsa struct {}
 func (this KeyEcdsa) MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byte, error) {
     pkData, err := x509.MarshalPKCS8PrivateKey(privateKey)
     if err != nil {
-        return nil, errors.New("jceks: error encoding PKCS#8 private key: " + err.Error())
+        return nil, errors.New("go-cryptobin/jceks: error encoding PKCS#8 private key: " + err.Error())
     }
 
     return pkData, nil
@@ -23,7 +23,7 @@ func (this KeyEcdsa) MarshalPKCS8PrivateKey(privateKey crypto.PrivateKey) ([]byt
 func (this KeyEcdsa) ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, error) {
     privateKey, err := x509.ParsePKCS8PrivateKey(pkData)
     if err != nil {
-        return nil, errors.New("jceks: error parsing PKCS#8 private key: " + err.Error())
+        return nil, errors.New("go-cryptobin/jceks: error parsing PKCS#8 private key: " + err.Error())
     }
 
     return privateKey, nil
@@ -35,7 +35,7 @@ func (this KeyEcdsa) ParsePKCS8PrivateKey(pkData []byte) (crypto.PrivateKey, err
 func (this KeyEcdsa) MarshalPKCS8PublicKey(publicKey crypto.PublicKey) ([]byte, error) {
     pkData, err := x509.MarshalPKIXPublicKey(publicKey)
     if err != nil {
-        return nil, errors.New("jceks: error encoding PKCS#8 public key: " + err.Error())
+        return nil, errors.New("go-cryptobin/jceks: error encoding PKCS#8 public key: " + err.Error())
     }
 
     return pkData, nil
@@ -45,7 +45,7 @@ func (this KeyEcdsa) MarshalPKCS8PublicKey(publicKey crypto.PublicKey) ([]byte,
 func (this KeyEcdsa) ParsePKCS8PublicKey(pkData []byte) (crypto.PublicKey, error) {
     publicKey, err := x509.ParsePKIXPublicKey(pkData)
     if err != nil {
-        return nil, errors.New("jceks: error parsing PKCS#8 public key: " + err.Error())
+        return nil, errors.New("go-cryptobin/jceks: error parsing PKCS#8 public key: " + err.Error())
     }
 
     return publicKey, nil