go-mockid/mockid/mockid.go

package mockid

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"math/big"
	"net/url"
	"os"
	"strconv"
	"time"

	"git.coolaj86.com/coolaj86/go-mockid/xkeypairs"
	"git.rootprojects.org/root/keypairs"
	//jwt "github.com/dgrijalva/jwt-go"
)

// TestMain will overwrite this
var rndsrc io.Reader = rand.Reader

type PublicJWK struct {
	Crv   string `json:"crv"`
	KeyID string `json:"kid,omitempty"`
	Kty   string `json:"kty,omitempty"`
	X     string `json:"x"`
	Y     string `json:"y"`
}

type KVDB interface {
	Load(key interface{}) (value interface{}, ok bool, err error)
	Store(key interface{}, value interface{}) (err error)
	Delete(key interface{}) (err error)
	Vacuum() (err error)
}

type InspectableToken struct {
	Public    keypairs.PublicKey     `json:"jwk"`
	Protected map[string]interface{} `json:"protected"`
	Payload   map[string]interface{} `json:"payload"`
	Signature string                 `json:"signature"`
	Verified  bool                   `json:"verified"`
	Errors    []string               `json:"errors"`
}

func (t *InspectableToken) MarshalJSON() ([]byte, error) {
	pub := keypairs.MarshalJWKPublicKey(t.Public)
	header, _ := json.Marshal(t.Protected)
	payload, _ := json.Marshal(t.Payload)
	errs, _ := json.Marshal(t.Errors)
	return []byte(fmt.Sprintf(
		`{"jwk":%s,"protected":%s,"payload":%s,"signature":%q,"verified":%t,"errors":%s}`,
		pub, header, payload, t.Signature, t.Verified, errs,
	)), nil
}

var defaultFrom string
var defaultReplyTo string

var salt []byte

func Init() {
	var err error
	salt64 := os.Getenv("SALT")
	salt, err = base64.RawURLEncoding.DecodeString(salt64)
	if len(salt64) < 22 || nil != err {
		panic("SALT must be set as 22+ character base64")
	}
	defaultFrom = os.Getenv("MAILER_FROM")
	defaultReplyTo = os.Getenv("MAILER_REPLY_TO")
	//nonces = make(map[string]int64)
	//nonCh = make(chan string)

	/*
		  go func() {
		    for {
		      nonce := <- nonCh
			    nonces[nonce] = time.Now().Unix()
		    }
		  }()
	*/

	go func() {
		for {
			time.Sleep(15 * time.Second)
			hashcashes.vacuum()
		}
	}()
}

func GenToken(host string, privkey keypairs.PrivateKey, query url.Values) (string, string, string) {
	thumbprint := keypairs.ThumbprintPublicKey(keypairs.NewPublicKey(privkey.Public()))
	// TODO keypairs.Alg(key)
	alg := "ES256"
	switch privkey.(type) {
	case *rsa.PrivateKey:
		alg = "RS256"
	}
	protected := fmt.Sprintf(`{"typ":"JWT","alg":%q,"kid":"%s"}`, alg, thumbprint)
	protected64 := base64.RawURLEncoding.EncodeToString([]byte(protected))

	exp, err := xkeypairs.ParseDuration(query.Get("exp"))
	if nil != err {
		// cryptic error code
		// TODO propagate error
		exp = 422
	}

	payload := fmt.Sprintf(
		`{"iss":"%s/","sub":"dummy","exp":%s}`,
		host, strconv.FormatInt(time.Now().Add(time.Duration(exp)*time.Second).Unix(), 10),
	)
	payload64 := base64.RawURLEncoding.EncodeToString([]byte(payload))

	hash := sha256.Sum256([]byte(fmt.Sprintf(`%s.%s`, protected64, payload64)))
	sig := JOSESign(privkey, hash[:])
	sig64 := base64.RawURLEncoding.EncodeToString(sig)
	token := fmt.Sprintf("%s.%s.%s\n", protected64, payload64, sig64)
	return protected, payload, token
}

func JOSESign(privkey keypairs.PrivateKey, hash []byte) []byte {
	var sig []byte

	switch k := privkey.(type) {
	case *rsa.PrivateKey:
		panic("TODO: implement rsa sign")
	case *ecdsa.PrivateKey:
		r, s, _ := ecdsa.Sign(rndsrc, k, hash[:])
		rb := r.Bytes()
		fmt.Println("debug:")
		fmt.Println(r, s)
		for len(rb) < 32 {
			rb = append([]byte{0}, rb...)
		}
		sb := s.Bytes()
		for len(rb) < 32 {
			sb = append([]byte{0}, sb...)
		}
		sig = append(rb, sb...)
	}
	return sig
}

// TODO: move to keypairs

func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {

	switch pub := pubkey.Key().(type) {
	case *rsa.PublicKey:
		// TODO keypairs.Size(key) to detect key size ?
		//alg := "SHA256"
		// TODO: this hasn't been tested yet
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash, sig); nil != err {
			return false
		}
		return true
	case *ecdsa.PublicKey:
		r := &big.Int{}
		r.SetBytes(sig[0:32])
		s := &big.Int{}
		s.SetBytes(sig[32:])
		fmt.Println("debug: sig len:", len(sig))
		fmt.Println("debug: r, s:", r, s)
		return ecdsa.Verify(pub, hash, r, s)
	default:
		panic("impossible condition: non-rsa/non-ecdsa key")
		return false
	}
}
refactor 2020-04-10 19:29:01 +00:00			`package mockid`

			`import (`
implement EC verify 2020-05-11 05:26:32 +00:00			`"crypto"`
refactor 2020-04-10 19:29:01 +00:00			`"crypto/ecdsa"`
			`"crypto/rand"`
switch to keypairs 2020-05-11 04:40:46 +00:00			`"crypto/rsa"`
refactor 2020-04-10 19:29:01 +00:00			`"crypto/sha256"`
			`"encoding/base64"`
			`"encoding/json"`
			`"fmt"`
add debug routes for PEM and DER private keys 2020-08-01 07:32:17 +00:00			`"io"`
refactor 2020-04-10 19:29:01 +00:00			`"math/big"`
			`"net/url"`
demo email verification 2020-05-13 09:41:03 +00:00			`"os"`
refactor 2020-04-10 19:29:01 +00:00			`"strconv"`
			`"time"`
add inspect_token endpoint, minor cleanup 2020-05-10 21:22:40 +00:00
add seed for random key generator (tested) 2020-08-01 23:59:20 +00:00			`"git.coolaj86.com/coolaj86/go-mockid/xkeypairs"`
add inspect_token endpoint, minor cleanup 2020-05-10 21:22:40 +00:00			`"git.rootprojects.org/root/keypairs"`
switch to keypairs 2020-05-11 04:40:46 +00:00			`//jwt "github.com/dgrijalva/jwt-go"`
refactor 2020-04-10 19:29:01 +00:00			`)`

add debug routes for PEM and DER private keys 2020-08-01 07:32:17 +00:00			`// TestMain will overwrite this`
			`var rndsrc io.Reader = rand.Reader`

refactor 2020-04-10 19:29:01 +00:00			`type PublicJWK struct {`
			Crv string `json:"crv"`
			KeyID string `json:"kid,omitempty"`
			Kty string `json:"kty,omitempty"`
			X string `json:"x"`
			Y string `json:"y"`
			`}`

wip: ready new-account for email and google verification 2020-08-17 23:14:09 +00:00			`type KVDB interface {`
			`Load(key interface{}) (value interface{}, ok bool, err error)`
first draft of login exchanges complete 2020-09-13 05:55:12 +00:00			`Store(key interface{}, value interface{}) (err error)`
wip: ready new-account for email and google verification 2020-08-17 23:14:09 +00:00			`Delete(key interface{}) (err error)`
first draft of login exchanges complete 2020-09-13 05:55:12 +00:00			`Vacuum() (err error)`
wip: ready new-account for email and google verification 2020-08-17 23:14:09 +00:00			`}`

switch to keypairs 2020-05-11 04:40:46 +00:00			`type InspectableToken struct {`
burn some logs 2020-05-11 04:58:12 +00:00			Public keypairs.PublicKey `json:"jwk"`
switch to keypairs 2020-05-11 04:40:46 +00:00			Protected map[string]interface{} `json:"protected"`
			Payload map[string]interface{} `json:"payload"`
			Signature string `json:"signature"`
			Verified bool `json:"verified"`
			Errors []string `json:"errors"`
			`}`

			`func (t *InspectableToken) MarshalJSON() ([]byte, error) {`
			`pub := keypairs.MarshalJWKPublicKey(t.Public)`
			`header, _ := json.Marshal(t.Protected)`
			`payload, _ := json.Marshal(t.Payload)`
			`errs, _ := json.Marshal(t.Errors)`
			`return []byte(fmt.Sprintf(`
burn some logs 2020-05-11 04:58:12 +00:00			`{"jwk":%s,"protected":%s,"payload":%s,"signature":%q,"verified":%t,"errors":%s}`,
switch to keypairs 2020-05-11 04:40:46 +00:00			`pub, header, payload, t.Signature, t.Verified, errs,`
			`)), nil`
			`}`

demo email verification 2020-05-13 09:41:03 +00:00			`var defaultFrom string`
			`var defaultReplyTo string`

			`var salt []byte`
refactor 2020-04-10 19:29:01 +00:00
add private keygen endpoint, minor refactor, add first test 2020-07-25 09:13:19 +00:00			`func Init() {`
demo email verification 2020-05-13 09:41:03 +00:00			`var err error`
			`salt64 := os.Getenv("SALT")`
			`salt, err = base64.RawURLEncoding.DecodeString(salt64)`
			`if len(salt64) < 22 \|\| nil != err {`
			`panic("SALT must be set as 22+ character base64")`
			`}`
			`defaultFrom = os.Getenv("MAILER_FROM")`
			`defaultReplyTo = os.Getenv("MAILER_REPLY_TO")`
			`//nonces = make(map[string]int64)`
			`//nonCh = make(chan string)`

			`/*`
			`go func() {`
			`for {`
			`nonce := <- nonCh`
			`nonces[nonce] = time.Now().Unix()`
			`}`
			`}()`
			`*/`
wip: ready new-account for email and google verification 2020-08-17 23:14:09 +00:00
			`go func() {`
			`for {`
			`time.Sleep(15 * time.Second)`
			`hashcashes.vacuum()`
			`}`
			`}()`
refactor 2020-04-10 19:29:01 +00:00			`}`

switch to keypairs 2020-05-11 04:40:46 +00:00			`func GenToken(host string, privkey keypairs.PrivateKey, query url.Values) (string, string, string) {`
			`thumbprint := keypairs.ThumbprintPublicKey(keypairs.NewPublicKey(privkey.Public()))`
			`// TODO keypairs.Alg(key)`
			`alg := "ES256"`
			`switch privkey.(type) {`
			`case *rsa.PrivateKey:`
			`alg = "RS256"`
			`}`
			protected := fmt.Sprintf(`{"typ":"JWT","alg":%q,"kid":"%s"}`, alg, thumbprint)
refactor 2020-04-10 19:29:01 +00:00			`protected64 := base64.RawURLEncoding.EncodeToString([]byte(protected))`

add seed for random key generator (tested) 2020-08-01 23:59:20 +00:00			`exp, err := xkeypairs.ParseDuration(query.Get("exp"))`
refactor 2020-04-10 19:29:01 +00:00			`if nil != err {`
			`// cryptic error code`
			`// TODO propagate error`
			`exp = 422`
			`}`

			`payload := fmt.Sprintf(`
			`{"iss":"%s/","sub":"dummy","exp":%s}`,
			`host, strconv.FormatInt(time.Now().Add(time.Duration(exp)*time.Second).Unix(), 10),`
			`)`
			`payload64 := base64.RawURLEncoding.EncodeToString([]byte(payload))`

			hash := sha256.Sum256([]byte(fmt.Sprintf(`%s.%s`, protected64, payload64)))
switch to keypairs 2020-05-11 04:40:46 +00:00			`sig := JOSESign(privkey, hash[:])`
			`sig64 := base64.RawURLEncoding.EncodeToString(sig)`
add inspect_token endpoint, minor cleanup 2020-05-10 21:22:40 +00:00			`token := fmt.Sprintf("%s.%s.%s\n", protected64, payload64, sig64)`
refactor 2020-04-10 19:29:01 +00:00			`return protected, payload, token`
			`}`

can now self-sign JWS and JWT 2020-08-04 07:09:43 +00:00			`func JOSESign(privkey keypairs.PrivateKey, hash []byte) []byte {`
			`var sig []byte`

			`switch k := privkey.(type) {`
			`case *rsa.PrivateKey:`
			`panic("TODO: implement rsa sign")`
			`case *ecdsa.PrivateKey:`
			`r, s, _ := ecdsa.Sign(rndsrc, k, hash[:])`
			`rb := r.Bytes()`
			`fmt.Println("debug:")`
			`fmt.Println(r, s)`
			`for len(rb) < 32 {`
			`rb = append([]byte{0}, rb...)`
			`}`
			`sb := s.Bytes()`
			`for len(rb) < 32 {`
			`sb = append([]byte{0}, sb...)`
			`}`
			`sig = append(rb, sb...)`
			`}`
			`return sig`
			`}`

switch to keypairs 2020-05-11 04:40:46 +00:00			`// TODO: move to keypairs`
refactor 2020-04-10 19:29:01 +00:00
implement EC verify 2020-05-11 05:26:32 +00:00			`func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {`

			`switch pub := pubkey.Key().(type) {`
			`case *rsa.PublicKey:`
			`// TODO keypairs.Size(key) to detect key size ?`
			`//alg := "SHA256"`
demo email verification 2020-05-13 09:41:03 +00:00			`// TODO: this hasn't been tested yet`
implement EC verify 2020-05-11 05:26:32 +00:00			`if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash, sig); nil != err {`
WIP (passing) verifies RSA sig 2020-08-05 09:06:45 +00:00			`return false`
implement EC verify 2020-05-11 05:26:32 +00:00			`}`
WIP (passing) verifies RSA sig 2020-08-05 09:06:45 +00:00			`return true`
implement EC verify 2020-05-11 05:26:32 +00:00			`case *ecdsa.PublicKey:`
			`r := &big.Int{}`
			`r.SetBytes(sig[0:32])`
			`s := &big.Int{}`
			`s.SetBytes(sig[32:])`
			`fmt.Println("debug: sig len:", len(sig))`
			`fmt.Println("debug: r, s:", r, s)`
WIP (passing) verifies RSA sig 2020-08-05 09:06:45 +00:00			`return ecdsa.Verify(pub, hash, r, s)`
implement EC verify 2020-05-11 05:26:32 +00:00			`default:`
			`panic("impossible condition: non-rsa/non-ecdsa key")`
WIP (passing) verifies RSA sig 2020-08-05 09:06:45 +00:00			`return false`
implement EC verify 2020-05-11 05:26:32 +00:00			`}`
			`}`