Add ECDSA support for policy keys

The update implements ECDSA support for policy keys in NanoTDF configuration. A new function ECPubKeyFromPemECDSA was added to generate an ECDSA public key from a PEM format. This also introduces changes in the nanotdf_config.go where the Policy key is now recognized as the KAS Key. Additional error handling has also been put into place in nanotdf.go for any errors during the process.
opentdf · Jul 23, 2024 · 0c348c8 · 0c348c8
1 parent b97cefc
commit 0c348c8
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 1 deletion.
diff --git a/lib/ocrypto/ec_key_pair.go b/lib/ocrypto/ec_key_pair.go
@@ -217,6 +217,42 @@ func VerifyECDSASig(digest, r, s []byte, pubKey *ecdsa.PublicKey) bool {
 	return ecdsa.Verify(pubKey, digest, rAsBigInt, sAsBigInt)
 }
 
+// ECPubKeyFromPemECDSA generate ec public from pem format
+func ECPubKeyFromPemECDSA(pemECPubKey []byte) (*ecdsa.PublicKey, error) {
+	block, _ := pem.Decode(pemECPubKey)
+	if block == nil {
+		return nil, fmt.Errorf("failed to parse PEM formatted public key")
+	}
+
+	var pub any
+	if strings.Contains(string(pemECPubKey), "BEGIN CERTIFICATE") {
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("x509.ParseCertificate failed: %w", err)
+		}
+
+		var ok bool
+		if pub, ok = cert.PublicKey.(*ecdsa.PublicKey); !ok {
+			return nil, fmt.Errorf("failed to parse PEM formatted public key")
+		}
+	} else {
+		var err error
+		pub, err = x509.ParsePKIXPublicKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("x509.ParsePKIXPublicKey failed: %w", err)
+		}
+	}
+
+	switch pub := pub.(type) {
+	case *ecdsa.PublicKey:
+		return pub, nil
+	default:
+		break
+	}
+
+	return nil, fmt.Errorf("not an ec PEM formatted public key")
+}
+
 // ECPubKeyFromPem generate ec public from pem format
 func ECPubKeyFromPem(pemECPubKey []byte) (*ecdh.PublicKey, error) {
 	block, _ := pem.Decode(pemECPubKey)

diff --git a/sdk/nanotdf.go b/sdk/nanotdf.go
@@ -222,7 +222,8 @@ type signatureConfig struct {
 }
 
 type policyInfo struct {
-	body PolicyBody
+	body   PolicyBody
+	pkaCfg PolicyKeyAccess
 	//	binding *eccSignature
 }
 
@@ -752,6 +753,11 @@ func (s SDK) CreateNanoTDF(writer io.Writer, reader io.Reader, config NanoTDFCon
 	if err != nil {
 		return 0, fmt.Errorf("ocrypto.ECPubKeyFromPem failed: %w", err)
 	}
+	kasPublicKeyECDSA, err := ocrypto.ECPubKeyFromPemECDSA([]byte(kasPublicKey))
+	if err != nil {
+		return 0, fmt.Errorf("ocrypto.ECPubKeyFromPem failed: %w", err)
+	}
+	config.policy.pkaCfg.PublicKeyBytes, err = ocrypto.CompressedECPublicKey(config.bindCfg.eccMode, *kasPublicKeyECDSA)
 
 	// Create nano tdf header
 	key, totalSize, err := writeNanoTDFHeader(writer, config)

diff --git a/sdk/nanotdf_config.go b/sdk/nanotdf_config.go
@@ -58,6 +58,11 @@ func (s SDK) NewNanoTDFConfig() (*NanoTDFConfig, error) {
 
 // SetKasURL - set the URL of the KAS endpoint to be used for this nanoTDF
 func (config *NanoTDFConfig) SetKasURL(url string) error {
+	// Policy Key is the KAS Key
+	err := config.policy.pkaCfg.ResourceLocator.setURL(url)
+	if err != nil {
+		return err
+	}
 	return config.kasURL.setURL(url)
 }