Implement v1.local (#5)

Author: cristaloleg

common.go

@@ -0,0 +1,117 @@
+package paseto
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/binary"
+	"encoding/json"
+	"fmt"
+	"strings"
+)
+
+func pae(pieces ...[]byte) []byte {
+	var buf bytes.Buffer
+	binary.Write(&buf, binary.LittleEndian, int64(len(pieces)))
+
+	for _, p := range pieces {
+		binary.Write(&buf, binary.LittleEndian, int64(len(p)))
+		buf.Write(p)
+	}
+	return buf.Bytes()
+}
+
+func toBytes(x any) ([]byte, error) {
+	switch v := x.(type) {
+	case nil:
+		return nil, nil
+	case string:
+		return []byte(v), nil
+	case []byte:
+		return v, nil
+	default:
+		return json.Marshal(v)
+	}
+}
+
+func fromBytes(data []byte, x any) error {
+	switch f := x.(type) {
+	case *string:
+		*f = string(data)
+	case *[]byte:
+		*f = append(*f, data...)
+	default:
+		if err := json.Unmarshal(data, x); err != nil {
+			return fmt.Errorf("%v: %w", err, ErrDataUnmarshal)
+		}
+	}
+	return nil
+}
+
+func splitToken(token, header string) ([]byte, []byte, error) {
+	if !strings.HasPrefix(token, header) {
+		return nil, nil, ErrIncorrectTokenHeader
+	}
+
+	parts := bytes.Split([]byte(token[len(header):]), []byte("."))
+
+	var rawPayload, rawFooter []byte
+	switch len(parts) {
+	case 1:
+		rawPayload = parts[0]
+	case 2:
+		rawPayload = parts[0]
+		rawFooter = parts[1]
+	default:
+		return nil, nil, ErrIncorrectTokenFormat
+	}
+
+	payload := make([]byte, b64DecodedLen(len(rawPayload)))
+	if _, err := b64Decode(payload, rawPayload); err != nil {
+		return nil, nil, fmt.Errorf("decode payload: %w", err)
+	}
+
+	var footer []byte
+	if rawFooter != nil {
+		footer = make([]byte, b64DecodedLen(len(rawFooter)))
+		if _, err := b64Decode(footer, rawFooter); err != nil {
+			return nil, nil, fmt.Errorf("decode footer: %w", err)
+		}
+	}
+	return payload, footer, nil
+}
+
+func buildToken(header string, body, footer []byte) string {
+	size := len(header) + b64EncodedLen(len(body))
+	if len(footer) > 0 {
+		size += 1 + b64EncodedLen(len(footer))
+	}
+
+	token := make([]byte, size)
+	offset := 0
+	offset += copy(token[offset:], header)
+
+	b64Encode(token[offset:], body)
+	offset += b64EncodedLen(len(body))
+
+	if len(footer) > 0 {
+		offset += copy(token[offset:], ".")
+		b64Encode(token[offset:], footer)
+	}
+	return string(token)
+}
+
+func b64Decode(dst, src []byte) (n int, err error) {
+	return base64.RawURLEncoding.Decode(dst, src)
+}
+
+func b64DecodedLen(n int) int {
+	return base64.RawURLEncoding.DecodedLen(n)
+}
+
+func b64Encode(dst, src []byte) {
+	base64.RawURLEncoding.Encode(dst, src)
+}
+
+func b64EncodedLen(n int) int {
+	return base64.RawURLEncoding.EncodedLen(n)
+}

errors.go

@@ -0,0 +1,10 @@
+package paseto
+
+import "errors"
+
+var (
+	ErrDataUnmarshal        = errors.New("can't unmarshal token data to the given type of value")
+	ErrInvalidTokenAuth     = errors.New("invalid token authentication")
+	ErrIncorrectTokenFormat = errors.New("incorrect token format")
+	ErrIncorrectTokenHeader = errors.New("incorrect token header")
+)

go.mod

@@ -1,3 +1,5 @@
-module paseto
+module github.com/cristalhq/paseto
 
 go 1.21
+
+require golang.org/x/crypto v0.22.0

go.sum

@@ -0,0 +1,2 @@
+golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
+golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=

paseto_test.go

@@ -0,0 +1,86 @@
+package paseto
+
+import (
+	"encoding/hex"
+	"encoding/json"
+	"os"
+	"reflect"
+	"testing"
+)
+
+type GoldenCases struct {
+	Tests []GoldenCase `json:"tests"`
+}
+
+type GoldenCase struct {
+	Name              string `json:"name"`
+	ExpectFail        bool   `json:"expect-fail"`
+	Nonce             string `json:"nonce"`
+	Key               string `json:"key"`
+	PublicKey         string `json:"public-key"`
+	SecretKey         string `json:"secret-key"`
+	SecretKeySeed     string `json:"secret-key-seed"`
+	SecretKeyPem      string `json:"secret-key-pem"`
+	PublicKeyPem      string `json:"public-key-pem"`
+	Token             string `json:"token"`
+	Payload           string `json:"payload"`
+	Footer            string `json:"footer"`
+	ImplicitAssertion string `json:"implicit-assertion"`
+}
+
+func loadGoldenFile(filename string) GoldenCases {
+	f, err := os.Open(filename)
+	if err != nil {
+		panic(err)
+	}
+	defer f.Close()
+
+	var tc GoldenCases
+	if err := json.NewDecoder(f).Decode(&tc); err != nil {
+		panic(err)
+	}
+	return tc
+}
+
+func must[T any](v T, err error) T {
+	if err != nil {
+		panic(err)
+	}
+	return v
+}
+
+func mustHex(raw string) []byte {
+	return must(hex.DecodeString(raw))
+}
+
+func mustJSON(raw string) any {
+	if len(raw) == 0 || string(raw) == "" {
+		return nil
+	}
+	var dst any
+	if err := json.Unmarshal([]byte(raw), &dst); err != nil {
+		return string(raw)
+	}
+	return dst
+}
+
+func mustOk(tb testing.TB, err error) {
+	tb.Helper()
+	if err != nil {
+		tb.Fatal(err)
+	}
+}
+
+func mustFail(tb testing.TB, err error) {
+	tb.Helper()
+	if err == nil {
+		tb.Fatal()
+	}
+}
+
+func mustEqual[T any](tb testing.TB, have, want T) {
+	tb.Helper()
+	if !reflect.DeepEqual(have, want) {
+		tb.Fatalf("\nhave: %+v\nwant: %+v\n", have, want)
+	}
+}

testdata/v1.json

@@ -0,0 +1,139 @@
+package paseto
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha512"
+	"fmt"
+	"io"
+
+	"golang.org/x/crypto/hkdf"
+)
+
+const (
+	v1LocNonceSize = 32
+	v1LocNonceHalf = v1LocNonceSize / 2
+	v1LocMacSize   = 48 // const for crypty.SHA384.Size()
+	v1LocHeader    = "v1.local."
+)
+
+func V1Encrypt(key []byte, payload, footer any, randBytes []byte) (string, error) {
+	if randBytes == nil {
+		randBytes = make([]byte, v1LocNonceSize)
+		if _, err := io.ReadFull(rand.Reader, randBytes); err != nil {
+			return "", fmt.Errorf("read from crypto/rand.Reader: %w", err)
+		}
+	}
+
+	payloadBytes, err := toBytes(payload)
+	if err != nil {
+		return "", fmt.Errorf("encode payload: %w", err)
+	}
+
+	footerBytes, err := toBytes(footer)
+	if err != nil {
+		return "", fmt.Errorf("encode footer: %w", err)
+	}
+
+	macN := hmac.New(sha512.New384, randBytes)
+	if _, err := macN.Write(payloadBytes); err != nil {
+		return "", fmt.Errorf("hash payload: %w", err)
+	}
+	nonce := macN.Sum(nil)[:v1LocNonceSize]
+
+	encKey, authKey, err := v1locSplitKey(key, nonce[:v1LocNonceHalf])
+	if err != nil {
+		return "", fmt.Errorf("create enc and auth keys: %w", err)
+	}
+
+	block, err := aes.NewCipher(encKey)
+	if err != nil {
+		return "", fmt.Errorf("create aes cipher: %w", err)
+	}
+
+	encryptedPayload := make([]byte, len(payloadBytes))
+	cipher.NewCTR(block, nonce[v1LocNonceHalf:]).
+		XORKeyStream(encryptedPayload, payloadBytes)
+
+	h := hmac.New(sha512.New384, authKey)
+	if _, err := h.Write(pae([]byte(v1LocHeader), nonce, encryptedPayload, footerBytes)); err != nil {
+		return "", fmt.Errorf("create signature: %w", err)
+	}
+	mac := h.Sum(nil)
+
+	body := make([]byte, 0, len(nonce)+len(encryptedPayload)+len(mac))
+	body = append(body, nonce...)
+	body = append(body, encryptedPayload...)
+	body = append(body, mac...)
+
+	return buildToken(v1LocHeader, body, footerBytes), nil
+}
+
+func V1Decrypt(token string, key []byte, payload, footer any) error {
+	data, footerBytes, err := splitToken(token, v1LocHeader)
+	if err != nil {
+		return fmt.Errorf("decode token: %w", err)
+	}
+	if len(data) < v1LocNonceSize+v1LocMacSize {
+		return ErrIncorrectTokenFormat
+	}
+
+	pivot := len(data) - v1LocMacSize
+	nonce := data[:v1LocNonceSize]
+	encryptedPayload, mac := data[v1LocNonceSize:pivot], data[pivot:]
+
+	encKey, authKey, err := v1locSplitKey(key, nonce[:v1LocNonceHalf])
+	if err != nil {
+		return fmt.Errorf("create enc and auth keys: %w", err)
+	}
+
+	body := pae([]byte(v1LocHeader), nonce, encryptedPayload, footerBytes)
+	h := hmac.New(sha512.New384, authKey)
+	if _, err := h.Write(body); err != nil {
+		return fmt.Errorf("create signature: %w", err)
+	}
+
+	if !hmac.Equal(h.Sum(nil), mac) {
+		return fmt.Errorf("token signature: %w", ErrInvalidTokenAuth)
+	}
+
+	block, err := aes.NewCipher(encKey)
+	if err != nil {
+		return fmt.Errorf("create aes cipher: %w", err)
+	}
+
+	decryptedPayload := make([]byte, len(encryptedPayload))
+	cipher.NewCTR(block, nonce[v1LocNonceHalf:]).
+		XORKeyStream(decryptedPayload, encryptedPayload)
+
+	if payload != nil {
+		if err := fromBytes(decryptedPayload, payload); err != nil {
+			return fmt.Errorf("decode payload: %w", err)
+		}
+	}
+
+	if footer != nil {
+		if err := fromBytes(footerBytes, footer); err != nil {
+			return fmt.Errorf("decode footer: %w", err)
+		}
+	}
+	return nil
+}
+
+func v1locSplitKey(key, salt []byte) ([]byte, []byte, error) {
+	eReader := hkdf.New(sha512.New384, key, salt, []byte("paseto-encryption-key"))
+	aReader := hkdf.New(sha512.New384, key, salt, []byte("paseto-auth-key-for-aead"))
+
+	encKey := make([]byte, 32)
+	authKey := make([]byte, 32)
+
+	if _, err := io.ReadFull(eReader, encKey); err != nil {
+		return nil, nil, err
+	}
+	if _, err := io.ReadFull(aReader, authKey); err != nil {
+		return nil, nil, err
+	}
+	return encKey, authKey, nil
+}