From 8f91c777559748fa6e857d9fc1f4ae079a532813 Mon Sep 17 00:00:00 2001
From: Christopher Speller
Date: Mon, 3 Oct 2016 16:03:15 -0400
Subject: Adding ability to serve TLS directly from Mattermost server (#4119)

---
 .../gopkg.in/square/go-jose.v1/jose-util/README.md | 59 +++++++
 .../square/go-jose.v1/jose-util/jose-util.t | 94 ++++++++++
 .../gopkg.in/square/go-jose.v1/jose-util/main.go | 189 +++++++++++++++++++++
 3 files changed, 342 insertions(+)
 create mode 100644 vendor/gopkg.in/square/go-jose.v1/jose-util/README.md
 create mode 100644 vendor/gopkg.in/square/go-jose.v1/jose-util/jose-util.t
 create mode 100644 vendor/gopkg.in/square/go-jose.v1/jose-util/main.go
(limited to 'vendor/gopkg.in/square/go-jose.v1/jose-util')

diff --git a/vendor/gopkg.in/square/go-jose.v1/jose-util/README.md b/vendor/gopkg.in/square/go-jose.v1/jose-util/README.md
new file mode 100644
index 000000000..6cfe6a718
--- /dev/null
+++ b/vendor/gopkg.in/square/go-jose.v1/jose-util/README.md
@@ -0,0 +1,59 @@
+# JOSE CLI
+
+The `jose-util` command line utility allows for encryption, decryption, signing
+and verification of JOSE messages. Its main purpose is to facilitate dealing
+with JOSE messages when testing or debugging.
+
+## Usage
+
+The utility includes the subcommands `encrypt`, `decrypt`, `sign`, `verify` and
+`expand`. Examples for each command can be found below.
+
+Algorithms are selected via the `--alg` and `--enc` flags, which influence the
+`alg` and `enc` headers in respectively. For JWE, `--alg` specifies the key
+managment algorithm (e.g. `RSA-OAEP`) and `--enc` specifies the content
+encryption algorithm (e.g. `A128GCM`). For JWS, `--alg` specifies the
+signature algorithm (e.g. `PS256`).
+
+Input and output files can be specified via the `--in` and `--out` flags.
+Either flag can be omitted, in which case `jose-util` uses stdin/stdout for
+input/output respectively. By default each command will output a compact
+message, but it's possible to get the full serialization by supplying the
+`--full` flag.
+
+Keys are specified via the `--key` flag. Supported key types are naked RSA/EC
+keys and X.509 certificates with embedded RSA/EC keys. Keys must be in PEM
+or DER formats.
+
+## Examples
+
+### Encrypt
+
+Takes a plaintext as input, encrypts, and prints the encrypted message.
+
+ jose-util encrypt -k public-key.pem --alg RSA-OAEP --enc A128GCM
+
+### Decrypt
+
+Takes an encrypted message (JWE) as input, decrypts, and prints the plaintext.
+
+ jose-util decrypt -k private-key.pem
+
+### Sign
+
+Takes a payload as input, signs it, and prints the signed message with the embedded payload.
+
+ jose-util sign -k private-key.pem --alg PS256
+
+### Verify
+
+Reads a signed message (JWS), verifies it, and extracts the payload.
+
+ jose-util verify -k public-key.pem
+
+### Expand
+
+Expands a compact message to the full serialization format.
+
+ jose-util expand --format JWE # Expands a compact JWE to full format
+ jose-util expand --format JWS # Expands a compact JWS to full format
diff --git a/vendor/gopkg.in/square/go-jose.v1/jose-util/jose-util.t b/vendor/gopkg.in/square/go-jose.v1/jose-util/jose-util.t
new file mode 100644
index 000000000..c0d747bb0
--- /dev/null
+++ b/vendor/gopkg.in/square/go-jose.v1/jose-util/jose-util.t
@@ -0,0 +1,94 @@ +Set up test keys. + + $ cat > rsa.pub < -----BEGIN PUBLIC KEY----- + > MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAslWybuiNYR7uOgKuvaBw + > qVk8saEutKhOAaW+3hWF65gJei+ZV8QFfYDxs9ZaRZlWAUMtncQPnw7ZQlXO9ogN + > 5cMcN50C6qMOOZzghK7danalhF5lUETC4Hk3Eisbi/PR3IfVyXaRmqL6X66MKj/J + > AKyD9NFIDVy52K8A198Jojnrw2+XXQW72U68fZtvlyl/BTBWQ9Re5JSTpEcVmpCR + > 8FrFc0RPMBm+G5dRs08vvhZNiTT2JACO5V+J5ZrgP3s5hnGFcQFZgDnXLInDUdoi + > 1MuCjaAU0ta8/08pHMijNix5kFofdPEB954MiZ9k4kQ5/utt02I9x2ssHqw71ojj + > vwIDAQAB + > -----END PUBLIC KEY----- + > EOF + + $ cat > rsa.key < -----BEGIN RSA PRIVATE KEY----- + > MIIEogIBAAKCAQEAslWybuiNYR7uOgKuvaBwqVk8saEutKhOAaW+3hWF65gJei+Z + > V8QFfYDxs9ZaRZlWAUMtncQPnw7ZQlXO9ogN5cMcN50C6qMOOZzghK7danalhF5l + > UETC4Hk3Eisbi/PR3IfVyXaRmqL6X66MKj/JAKyD9NFIDVy52K8A198Jojnrw2+X + > XQW72U68fZtvlyl/BTBWQ9Re5JSTpEcVmpCR8FrFc0RPMBm+G5dRs08vvhZNiTT2 + > JACO5V+J5ZrgP3s5hnGFcQFZgDnXLInDUdoi1MuCjaAU0ta8/08pHMijNix5kFof + > dPEB954MiZ9k4kQ5/utt02I9x2ssHqw71ojjvwIDAQABAoIBABrYDYDmXom1BzUS + > PE1s/ihvt1QhqA8nmn5i/aUeZkc9XofW7GUqq4zlwPxKEtKRL0IHY7Fw1s0hhhCX + > LA0uE7F3OiMg7lR1cOm5NI6kZ83jyCxxrRx1DUSO2nxQotfhPsDMbaDiyS4WxEts + > 0cp2SYJhdYd/jTH9uDfmt+DGwQN7Jixio1Dj3vwB7krDY+mdre4SFY7Gbk9VxkDg + > LgCLMoq52m+wYufP8CTgpKFpMb2/yJrbLhuJxYZrJ3qd/oYo/91k6v7xlBKEOkwD + > 2veGk9Dqi8YPNxaRktTEjnZb6ybhezat93+VVxq4Oem3wMwou1SfXrSUKtgM/p2H + > vfw/76ECgYEA2fNL9tC8u9M0wjA+kvvtDG96qO6O66Hksssy6RWInD+Iqk3MtHQt + > LeoCjvX+zERqwOb6SI6empk5pZ9E3/9vJ0dBqkxx3nqn4M/nRWnExGgngJsL959t + > f50cdxva8y1RjNhT4kCwTrupX/TP8lAG8SfG1Alo2VFR8iWd8hDQcTECgYEA0Xfj + > EgqAsVh4U0s3lFxKjOepEyp0G1Imty5J16SvcOEAD1Mrmz94aSSp0bYhXNVdbf7n + > Rk77htWC7SE29fGjOzZRS76wxj/SJHF+rktHB2Zt23k1jBeZ4uLMPMnGLY/BJ099 + > 5DTGo0yU0rrPbyXosx+ukfQLAHFuggX4RNeM5+8CgYB7M1J/hGMLcUpjcs4MXCgV + > XXbiw2c6v1r9zmtK4odEe42PZ0cNwpY/XAZyNZAAe7Q0stxL44K4NWEmxC80x7lX + > ZKozz96WOpNnO16qGC3IMHAT/JD5Or+04WTT14Ue7UEp8qcIQDTpbJ9DxKk/eglS + > jH+SIHeKULOXw7fSu7p4IQKBgBnyVchIUMSnBtCagpn4DKwDjif3nEY+GNmb/D2g + > 
ArNiy5UaYk5qwEmV5ws5GkzbiSU07AUDh5ieHgetk5dHhUayZcOSLWeBRFCLVnvU + > i0nZYEZNb1qZGdDG8zGcdNXz9qMd76Qy/WAA/nZT+Zn1AiweAovFxQ8a/etRPf2Z + > DbU1AoGAHpCgP7B/4GTBe49H0AQueQHBn4RIkgqMy9xiMeR+U+U0vaY0TlfLhnX+ + > 5PkNfkPXohXlfL7pxwZNYa6FZhCAubzvhKCdUASivkoGaIEk6g1VTVYS/eDVQ4CA + > slfl+elXtLq/l1kQ8C14jlHrQzSXx4PQvjDEnAmaHSJNz4mP9Fg= + > -----END RSA PRIVATE KEY----- + > EOF + + $ cat > ec.pub < -----BEGIN PUBLIC KEY----- + > MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE9yoUEAgxTd9svwe9oPqjhcP+f2jcdTL2 + > Wq8Aw2v9ht1dBy00tFRPNrCxFCkvMcJFhSPoDUV5NL7zfh3/psiSNYziGPrWEJYf + > gmYihjSeoOf0ru1erpBrTflImPrMftCy + > -----END PUBLIC KEY----- + > EOF + + $ cat > ec.key < -----BEGIN EC PRIVATE KEY----- + > MIGkAgEBBDDvoj/bM1HokUjYWO/IDFs26Jo0GIFtU3tMQQu7ZabKscDMK3dZA0mK + > v97ij7BBFbCgBwYFK4EEACKhZANiAAT3KhQQCDFN32y/B72g+qOFw/5/aNx1MvZa + > rwDDa/2G3V0HLTS0VE82sLEUKS8xwkWFI+gNRXk0vvN+Hf+myJI1jOIY+tYQlh+C + > ZiKGNJ6g5/Su7V6ukGtN+UiY+sx+0LI= + > -----END EC PRIVATE KEY----- + > EOF + +Encrypt and then decrypt a test message (RSA). + + $ echo "Lorem ipsum dolor sit amet" | + > jose-util encrypt --alg RSA-OAEP --enc A128GCM --key rsa.pub | + > jose-util decrypt --key rsa.key + Lorem ipsum dolor sit amet + +Encrypt and then decrypt a test message (EC). + + $ echo "Lorem ipsum dolor sit amet" | + > jose-util encrypt --alg ECDH-ES+A128KW --enc A128GCM --key ec.pub | + > jose-util decrypt --key ec.key + Lorem ipsum dolor sit amet + +Sign and verify a test message (RSA). + + $ echo "Lorem ipsum dolor sit amet" | + > jose-util sign --alg PS256 --key rsa.key | + > jose-util verify --key rsa.pub + Lorem ipsum dolor sit amet + +Sign and verify a test message (EC). + + $ echo "Lorem ipsum dolor sit amet" | + > jose-util sign --alg ES384 --key ec.key | + > jose-util verify --key ec.pub + Lorem ipsum dolor sit amet + +Expand a compact message to full format. 
+
+ $ echo "eyJhbGciOiJFUzM4NCJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQK.QPU35XY913Im7ZEaN2yHykfbtPqjHZvYp-lV8OcTAJZs67bJFSdTSkQhQWE9ch6tvYrj_7py6HKaWVFLll_s_Rm6bmwq3JszsHrIvFFm1NydruYHhvAnx7rjYiqwOu0W" |
+ > jose-util expand --format JWS
+ {"payload":"TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQK","protected":"eyJhbGciOiJFUzM4NCJ9","signature":"QPU35XY913Im7ZEaN2yHykfbtPqjHZvYp-lV8OcTAJZs67bJFSdTSkQhQWE9ch6tvYrj_7py6HKaWVFLll_s_Rm6bmwq3JszsHrIvFFm1NydruYHhvAnx7rjYiqwOu0W"}
diff --git a/vendor/gopkg.in/square/go-jose.v1/jose-util/main.go b/vendor/gopkg.in/square/go-jose.v1/jose-util/main.go
new file mode 100644
index 000000000..7ae93ee76
--- /dev/null
+++ b/vendor/gopkg.in/square/go-jose.v1/jose-util/main.go
@@ -0,0 +1,189 @@
+/*-
+ * Copyright 2014 Square Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package main
+
+import (
+ "fmt"
+ "io/ioutil"
+ "os"
+
+ "gopkg.in/alecthomas/kingpin.v2"
+ "gopkg.in/square/go-jose.v1"
+)
+
+var (
+ app = kingpin.New("jose-util", "A command-line utility for dealing with JOSE objects.")
+
+ keyFile = app.Flag("key", "Path to key file (PEM or DER-encoded)").ExistingFile()
+ inFile = app.Flag("in", "Path to input file (stdin if missing)").ExistingFile()
+ outFile = app.Flag("out", "Path to output file (stdout if missing)").ExistingFile()
+
+ encryptCommand = app.Command("encrypt", "Encrypt a plaintext, output ciphertext.")
+ algFlag = encryptCommand.Flag("alg", "Key management algorithm (e.g. RSA-OAEP)").Required().String()
+ encFlag = encryptCommand.Flag("enc", "Content encryption algorithm (e.g. A128GCM)").Required().String()
+
+ decryptCommand = app.Command("decrypt", "Decrypt a ciphertext, output plaintext.")
+
+ signCommand = app.Command("sign", "Sign a payload, output signed message.")
+ sigAlgFlag = signCommand.Flag("alg", "Key management algorithm (e.g. RSA-OAEP)").Required().String()
+
+ verifyCommand = app.Command("verify", "Verify a signed message, output payload.")
+
+ expandCommand = app.Command("expand", "Expand JOSE object to full serialization format.")
+ formatFlag = expandCommand.Flag("format", "Type of message to expand (JWS or JWE, defaults to JWE)").String()
+
+ full = app.Flag("full", "Use full serialization format (instead of compact)").Bool()
+)
+
+func main() {
+ app.Version("v1")
+
+ command := kingpin.MustParse(app.Parse(os.Args[1:]))
+
+ var keyBytes []byte
+ var err error
+ if command != "expand" {
+ keyBytes, err = ioutil.ReadFile(*keyFile)
+ exitOnError(err, "unable to read key file")
+ }
+
+ switch command {
+ case "encrypt":
+ pub, err := jose.LoadPublicKey(keyBytes)
+ exitOnError(err, "unable to read public key")
+
+ alg := jose.KeyAlgorithm(*algFlag)
+ enc := jose.ContentEncryption(*encFlag)
+
+ crypter, err := jose.NewEncrypter(alg, enc, pub)
+ exitOnError(err, "unable to instantiate encrypter")
+
+ obj, err := crypter.Encrypt(readInput(*inFile))
+ exitOnError(err, "unable to encrypt")
+
+ var msg string
+ if *full {
+ msg = obj.FullSerialize()
+ } else {
+ msg, err = obj.CompactSerialize()
+ exitOnError(err, "unable to serialize message")
+ }
+
+ writeOutput(*outFile, []byte(msg))
+ case "decrypt":
+ priv, err := jose.LoadPrivateKey(keyBytes)
+ exitOnError(err, "unable to read private key")
+
+ obj, err := jose.ParseEncrypted(string(readInput(*inFile)))
+ exitOnError(err, "unable to parse message")
+
+ plaintext, err := obj.Decrypt(priv)
+ exitOnError(err, "unable to decrypt message")
+
+ writeOutput(*outFile, plaintext)
+ case "sign":
+ signingKey, err := jose.LoadPrivateKey(keyBytes)
+ exitOnError(err, "unable to read private key")
+
+ alg := jose.SignatureAlgorithm(*sigAlgFlag)
+ signer, err := jose.NewSigner(alg, signingKey)
+ exitOnError(err, "unable to make signer")
+
+ obj, err := signer.Sign(readInput(*inFile))
+ exitOnError(err, "unable to sign")
+
+ var msg string
+ if *full {
+ msg = obj.FullSerialize()
+ } else {
+ msg, err = obj.CompactSerialize()
+ exitOnError(err, "unable to serialize message")
+ }
+
+ writeOutput(*outFile, []byte(msg))
+ case "verify":
+ verificationKey, err := jose.LoadPublicKey(keyBytes)
+ exitOnError(err, "unable to read private key")
+
+ obj, err := jose.ParseSigned(string(readInput(*inFile)))
+ exitOnError(err, "unable to parse message")
+
+ plaintext, err := obj.Verify(verificationKey)
+ exitOnError(err, "invalid signature")
+
+ writeOutput(*outFile, plaintext)
+ case "expand":
+ input := string(readInput(*inFile))
+
+ var serialized string
+ var err error
+ switch *formatFlag {
+ case "", "JWE":
+ var jwe *jose.JsonWebEncryption
+ jwe, err = jose.ParseEncrypted(input)
+ if err == nil {
+ serialized = jwe.FullSerialize()
+ }
+ case "JWS":
+ var jws *jose.JsonWebSignature
+ jws, err = jose.ParseSigned(input)
+ if err == nil {
+ serialized = jws.FullSerialize()
+ }
+ }
+
+ exitOnError(err, "unable to expand message")
+ writeOutput(*outFile, []byte(serialized))
+ writeOutput(*outFile, []byte("\n"))
+ }
+}
+
+// Exit and print error message if we encountered a problem
+func exitOnError(err error, msg string) {
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "%s: %s\n", msg, err)
+ os.Exit(1)
+ }
+}
+
+// Read input from file or stdin
+func readInput(path string) []byte {
+ var bytes []byte
+ var err error
+
+ if path != "" {
+ bytes, err = ioutil.ReadFile(path)
+ } else {
+ bytes, err = ioutil.ReadAll(os.Stdin)
+ }
+
+ exitOnError(err, "unable to read input")
+ return bytes
+}
+
+// Write output to file or stdin
+func writeOutput(path string, data []byte) {
+ var err error
+
+ if path != "" {
+ err = ioutil.WriteFile(path, data, 0644)
+ } else {
+ _, err = os.Stdout.Write(data)
+ }
+
+ exitOnError(err, "unable to write output")
+}
-- cgit v1.2.3-1-g7c22