You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mynewt.apache.org by ut...@apache.org on 2018/10/12 16:07:58 UTC
[mynewt-newt] 02/04: Add vendored go-aes-key-wrap

This is an automated email from the ASF dual-hosted git repository.

utzig pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mynewt-newt.git

commit d7f1c69a6817ee5a2670101a183e30298780a9b2
Author: Fabio Utzig <ut...@apache.org>
AuthorDate: Tue Sep 11 20:26:55 2018 -0300

    Add vendored go-aes-key-wrap
---
 .rat-excludes                                      |   3 +
 .../github.com/NickBall/go-aes-key-wrap/.gitignore |  14 +++
 .../NickBall/go-aes-key-wrap/.travis.yml           |   7 ++
 vendor/github.com/NickBall/go-aes-key-wrap/LICENSE |  21 ++++
 .../github.com/NickBall/go-aes-key-wrap/README.md  |   4 +
 .../github.com/NickBall/go-aes-key-wrap/keywrap.go | 111 +++++++++++++++++++++
 6 files changed, 160 insertions(+)

diff --git a/.rat-excludes b/.rat-excludes
index e305895..bc81e58 100644
--- a/.rat-excludes
+++ b/.rat-excludes
@@ -71,3 +71,6 @@ ugorji
 
 # go-coap - MIT license.
 go-coap
+
+# go-aes-key-wrap - MIT license.
+go-aes-key-wrap
diff --git a/vendor/github.com/NickBall/go-aes-key-wrap/.gitignore b/vendor/github.com/NickBall/go-aes-key-wrap/.gitignore
new file mode 100644
index 0000000..a1338d6
--- /dev/null
+++ b/vendor/github.com/NickBall/go-aes-key-wrap/.gitignore
@@ -0,0 +1,14 @@
+# Binaries for programs and plugins
+*.exe
+*.dll
+*.so
+*.dylib
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736
+.glide/
diff --git a/vendor/github.com/NickBall/go-aes-key-wrap/.travis.yml b/vendor/github.com/NickBall/go-aes-key-wrap/.travis.yml
new file mode 100644
index 0000000..714bd3d
--- /dev/null
+++ b/vendor/github.com/NickBall/go-aes-key-wrap/.travis.yml
@@ -0,0 +1,7 @@
+language: go
+go:
+  - 1.x
+script:
+  - go test -race -coverprofile=coverage.txt -covermode=atomic
+after_success:
+  - bash <(curl -s https://codecov.io/bash)
diff --git a/vendor/github.com/NickBall/go-aes-key-wrap/LICENSE b/vendor/github.com/NickBall/go-aes-key-wrap/LICENSE
new file mode 100644
index 0000000..1ccb4e1
--- /dev/null
+++ b/vendor/github.com/NickBall/go-aes-key-wrap/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Nick Ball
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/vendor/github.com/NickBall/go-aes-key-wrap/README.md b/vendor/github.com/NickBall/go-aes-key-wrap/README.md
new file mode 100644
index 0000000..d29469e
--- /dev/null
+++ b/vendor/github.com/NickBall/go-aes-key-wrap/README.md
@@ -0,0 +1,4 @@
+[![Build Status](https://travis-ci.org/NickBall/go-aes-key-wrap.svg?branch=master)](https://travis-ci.org/NickBall/go-aes-key-wrap) [![Go Report Card](https://goreportcard.com/badge/github.com/nickball/go-aes-key-wrap)](https://goreportcard.com/report/github.com/nickball/go-aes-key-wrap) [![codecov](https://codecov.io/gh/nickball/go-aes-key-wrap/branch/master/graph/badge.svg)](https://codecov.io/gh/nickball/go-aes-key-wrap)
+
+# go-aes-key-wrap
+Golang implementation of the AES Key Wrap algorithm as specified in RFC 3394
diff --git a/vendor/github.com/NickBall/go-aes-key-wrap/keywrap.go b/vendor/github.com/NickBall/go-aes-key-wrap/keywrap.go
new file mode 100644
index 0000000..0b90bd3
--- /dev/null
+++ b/vendor/github.com/NickBall/go-aes-key-wrap/keywrap.go
@@ -0,0 +1,111 @@
+//Package keywrap provides an AES-KW keywrap implementation as defined in RFC-3394
+package keywrap
+
+import (
+	"crypto/cipher"
+	"crypto/subtle"
+	"encoding/binary"
+	"errors"
+)
+
+//defaultIV as specified in RFC-3394
+var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}
+
+//Wrap encrypts the provided key data (cek) with the given AES cipher (and corresponding key), using the AES Key Wrap algorithm (RFC-3394)
+func Wrap(block cipher.Block, cek []byte) ([]byte, error) {
+	if len(cek)%8 != 0 {
+		return nil, errors.New("cek must be in 8-byte blocks")
+	}
+
+	//Initialize variables
+	a := make([]byte, 8)
+	copy(a, defaultIV)
+	n := len(cek) / 8
+
+	//Calculate intermediate
+	r := make([][]byte, n)
+	for i := range r {
+		r[i] = make([]byte, 8)
+		copy(r[i], cek[i*8:])
+	}
+
+	for j := 0; j <= 5; j++ {
+		for i := 1; i <= n; i++ {
+			b := arrConcat(a, r[i-1])
+			block.Encrypt(b, b)
+
+			t := (n * j) + i
+			tBytes := make([]byte, 8)
+			binary.BigEndian.PutUint64(tBytes, uint64(t))
+
+			copy(a, arrXor(b[:len(b)/2], tBytes))
+			copy(r[i-1], b[len(b)/2:])
+		}
+	}
+
+	//Output
+	c := make([]byte, (n+1)*8)
+	copy(c, a)
+	for i := 1; i <= n; i++ {
+		for j := range r[i-1] {
+			c[(i*8)+j] = r[i-1][j]
+		}
+	}
+	return c, nil
+}
+
+//Unwrap decrypts the provided cipher text with the given AES cipher (and corresponding key), using the AES Key Wrap algorithm (RFC-3394).
+//The decrypted cipher text is verified using the default IV and will return an error if validation fails.
+func Unwrap(block cipher.Block, cipherText []byte) ([]byte, error) {
+	//Initialize variables
+	a := make([]byte, 8)
+	n := (len(cipherText) / 8) - 1
+
+	r := make([][]byte, n)
+	for i := range r {
+		r[i] = make([]byte, 8)
+		copy(r[i], cipherText[(i+1)*8:])
+	}
+	copy(a, cipherText[:8])
+
+	//Compute intermediate values
+	for j := 5; j >= 0; j-- {
+		for i := n; i >= 1; i-- {
+			t := (n * j) + i
+			tBytes := make([]byte, 8)
+			binary.BigEndian.PutUint64(tBytes, uint64(t))
+
+			b := arrConcat(arrXor(a, tBytes), r[i-1])
+			block.Decrypt(b, b)
+
+			copy(a, b[:len(b)/2])
+			copy(r[i-1], b[len(b)/2:])
+		}
+	}
+
+	if subtle.ConstantTimeCompare(a, defaultIV) != 1 {
+		return nil, errors.New("integrity check failed - unexpected IV")
+	}
+
+	//Output
+	c := arrConcat(r...)
+	return c, nil
+}
+
+func arrConcat(arrays ...[]byte) []byte {
+	out := make([]byte, len(arrays[0]))
+	copy(out, arrays[0])
+	for _, array := range arrays[1:] {
+		out = append(out, array...)
+	}
+
+	return out
+}
+
+func arrXor(arrL []byte, arrR []byte) []byte {
+	out := make([]byte, len(arrL))
+	for x := range arrL {
+		out[x] = arrL[x] ^ arrR[x]
+	}
+	return out
+}