decrypt: support for RSA keys from piv-go and other generic RSA signers/decrypters #3
Conversation
[action] First pass at common CI
|
Thanks for the suggestions! I'll update in the morning. |
|
@maraino about the PR to Mozilla: yes, that's a good idea, but I haven't seen any movement there for over a year, so I doubt it'll be merged anytime soon. Also check this: mozilla-services#73. Also, merging this into master won't be enough. In I think we're at a point where we may want to go forward with our own fork and tag our own versions now. What do you think? This subject was also briefly discussed during our meeting with MicroMDM. They've also been patching the PKCS7 library for their use cases and it may be an option to work on this as co-maintainers somehow. |
983c0ac to
bd4cd75
Compare
decrypt.go
Outdated
|
|
||
| case crypto.Decrypter: | ||
| // Generic case to handle anything that provides the crypto.Decrypter interface. | ||
| var contentKey []byte | ||
| contentKey, err := pkey.Decrypt(rand.Reader, recipient.EncryptedKey, nil) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| return data.EncryptedContentInfo.decrypt(contentKey) |
There was a problem hiding this comment.
*rsa.PrivateKey also implements the crypto.Decrypter interface, and when you pass nil to the options on an rsa key, Go just call rsa.DecryptPKCS1v15(), we can do both of these cases like this:
Your changes look ok, but as *rsa.PrivateKey implements decrypter we can merge those two cases with:
if dec, ok := pkey.(crypto.Decrypter); ok {
contentKey, err := pkey.Decrypt(rand.Reader, recipient.EncryptedKey, nil)
if err != nil {
return nil, err
}
return data.EncryptedContentInfo.decrypt(contentKey)
}
return nil, ErrUnsupportedAlgorithm
}And there is no need to do var contentKey []byte if you are creating it later with :=
|
@hslatman Should we change the base branch to |
|
Probably the best at this time |
|
@fuhry I've changed the base, from master to patches, there are some new files, do not worry about them. |
bd4cd75 to
3bc3305
Compare
|
@maraino All changes are done, please take another look when you have a chance. Thank you! |
…rs/decrypters Make smallstep's pkcs7 fork support RSA key handles returned from any private key type that returns an RSA public key. Specifically, this addresses the need to use key handles returned by piv-go that are of the `piv.keyRSA` type. Signed-Off-By: Dan Fuhry <dan@fuhry.com>
3bc3305 to
e6d0478
Compare
|
@fuhry here it is smallstep/certificates#1139 |
|
Noting for future reference: the changes from this PR seem to have the same functional results as this PR: mozilla-services#41. |
Make smallstep's pkcs7 fork support RSA key handles returned from any private key type that returns an RSA public key.
Specifically, this addresses the need to use key handles returned by piv-go that are of the
piv.keyRSAtype.Signed-Off-By: Dan Fuhry dan@fuhry.com