@@ -2,6 +2,9 @@ package goodkey
22
33import (
44 "crypto"
5+ "crypto/sha256"
6+ "encoding/base64"
7+ "encoding/hex"
58 "errors"
69 "io/ioutil"
710
@@ -10,13 +13,15 @@ import (
1013 yaml "gopkg.in/yaml.v2"
1114)
1215
13- // blockedKeys is a type for maintaining a map of Base64 encoded SHA256 hashes
16+ // blockedKeys is a type for maintaining a map of SHA256 hashes
1417// of SubjectPublicKeyInfo's that should be considered blocked.
1518// blockedKeys are created by using loadBlockedKeysList.
16- type blockedKeys map [string ]bool
19+ type blockedKeys map [core.Sha256Digest ]bool
20+
21+ var ErrWrongDecodedSize = errors .New ("not enough bytes decoded for sha256 hash" )
1722
1823// blocked checks if the given public key is considered administratively
19- // blocked based on a Base64 encoded SHA256 hash of the SubjectPublicKeyInfo.
24+ // blocked based on a SHA256 hash of the SubjectPublicKeyInfo.
2025// Important: blocked should not be called except on a blockedKeys instance
2126// returned from loadBlockedKeysList.
2227// function should not be used until after `loadBlockedKeysList` has returned.
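Review bot: The exported `ErrWrongDecodedSize` added on L22 has no doc comment, and its message "not enough bytes decoded for sha256 hash" does not match how loadBlockedKeysList uses it, where the check is `len(decoded) != sha256.Size`, so an over-long entry produces a message claiming too few bytes. I would document it as `// ErrWrongDecodedSize is returned by loadBlockedKeysList when a blocked-key entry does not decode to exactly sha256.Size bytes.` and make the text agree with the check, e.g. `var ErrWrongDecodedSize = errors.New("decoded blocked hash is not sha256.Size bytes")`. Since the list is a deny-list, rejecting malformed entries at load time is the right fail-closed behaviour; the message should just make the rejection diagnosable for whoever edits the YAML.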
@@ -33,7 +38,7 @@ func (b blockedKeys) blocked(key crypto.PublicKey) (bool, error) {
3338}
3439
3540// loadBlockedKeysList creates a blockedKeys object that can be used to check if
36- // a key is blocked. It creates a lookup map from a list of Base64 encoded
41+ // a key is blocked. It creates a lookup map from a list of
3742// SHA256 hashes of SubjectPublicKeyInfo's in the input YAML file
3843// with the expected format:
3944//
@@ -52,19 +57,41 @@ func loadBlockedKeysList(filename string) (*blockedKeys, error) {
5257 }
5358
5459 var list struct {
55- BlockedHashes []string `yaml:"blocked"`
60+ BlockedHashes []string `yaml:"blocked"`
61+ BlockedHashesHex []string `yaml:"blockedHashesHex"`
5662 }
5763 if err := yaml .Unmarshal (yamlBytes , & list ); err != nil {
5864 return nil , err
5965 }
6066
61- if len (list .BlockedHashes ) == 0 {
67+ if len (list .BlockedHashes ) == 0 && len ( list . BlockedHashesHex ) == 0 {
6268 return nil , errors .New ("no blocked hashes in YAML" )
6369 }
6470
65- blockedKeys := make (blockedKeys , len (list .BlockedHashes ))
66- for _ , hash := range list .BlockedHashes {
67- blockedKeys [hash ] = true
71+ blockedKeys := make (blockedKeys , len (list .BlockedHashes )+ len (list .BlockedHashesHex ))
72+ for _ , b64Hash := range list .BlockedHashes {
73+ decoded , err := base64 .StdEncoding .DecodeString (b64Hash )
74+ if err != nil {
75+ return nil , err
76+ }
77+ if len (decoded ) != sha256 .Size {
78+ return nil , ErrWrongDecodedSize
79+ }
80+ var sha256Digest core.Sha256Digest
81+ copy (sha256Digest [:], decoded [0 :sha256 .Size ])
82+ blockedKeys [sha256Digest ] = true
83+ }
84+ for _ , hexHash := range list .BlockedHashesHex {
85+ decoded , err := hex .DecodeString (hexHash )
86+ if err != nil {
87+ return nil , err
88+ }
89+ if len (decoded ) != sha256 .Size {
90+ return nil , ErrWrongDecodedSize
91+ }
92+ var sha256Digest core.Sha256Digest
93+ copy (sha256Digest [:], decoded [0 :sha256 .Size ])
94+ blockedKeys [sha256Digest ] = true
6895 }
6996 return & blockedKeys , nil
7097}
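Review bot: The base64 loop (L60-L71) and the hex loop (L72-L83) repeat the same length check, digest copy and map insert verbatim, and the slice expression `decoded[0:sha256.Size]` on L69 and L81 is redundant once `len(decoded) != sha256.Size` has already been rejected. Extracting the shared tail into a small helper keeps the two loops to a single decode step each and keeps the size check in one place, which matters for a deny-list where a silently skipped entry would mean a blocked key is accepted. A decode error is also returned bare, so an operator cannot tell which of possibly many YAML entries is malformed; wrapping it with the offending value via `fmt.Errorf("decoding blocked hash %q: %w", b64Hash, err)` would help, though the hunk does not show whether `fmt` is already imported. loadBlockedKeysList's signature and the file read are above this hunk.
```go
// addDigest records decoded as a blocked SubjectPublicKeyInfo hash. Anything
// that is not exactly sha256.Size bytes is rejected so a malformed list entry
// aborts loading instead of silently never matching a key.
func (b blockedKeys) addDigest(decoded []byte) error {
	if len(decoded) != sha256.Size {
		return ErrWrongDecodedSize
	}
	var digest core.Sha256Digest
	copy(digest[:], decoded)
	b[digest] = true
	return nil
}

	// … unchanged: YAML unmarshal and empty-list check …
	blockedKeys := make(blockedKeys, len(list.BlockedHashes)+len(list.BlockedHashesHex))
	for _, b64Hash := range list.BlockedHashes {
		decoded, err := base64.StdEncoding.DecodeString(b64Hash)
		if err != nil {
			return nil, err
		}
		if err := blockedKeys.addDigest(decoded); err != nil {
			return nil, err
		}
	}
	// … same shape for list.BlockedHashesHex, decoding with hex.DecodeString …
	return &blockedKeys, nil
```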