Initial

internal/crypto/keys.go

@@ -0,0 +1,109 @@
+package appcrypto
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"fmt"
+)
+
+// Ustvari nov ECDSA P-256 zasebni kljuc v PEM obliki.
+func UstvariZasebniKljucECDSAP256PEM() ([]byte, error) {
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+
+	der, err := x509.MarshalECPrivateKey(privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	block := &pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: der,
+	}
+	return pem.EncodeToMemory(block), nil
+}
+
+// Podpisi sporocilo z zasebnim kljucem iz PEM in vrni Base64URL podpis.
+func PodpisiSporociloSPEM(pemPrivateKey []byte, message []byte) (string, error) {
+	privateKey, err := PreberiZasebniKljucPEM(pemPrivateKey)
+	if err != nil {
+		return "", err
+	}
+
+	hash := sha256.Sum256(message)
+	signature, err := ecdsa.SignASN1(rand.Reader, privateKey, hash[:])
+	if err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(signature), nil
+}
+
+// Preveri podpis sporocila z javnim delom zasebnega PEM kljuca.
+func PreveriPodpisSPEM(pemPrivateKey []byte, message []byte, signatureBase64URL string) (bool, error) {
+	privateKey, err := PreberiZasebniKljucPEM(pemPrivateKey)
+	if err != nil {
+		return false, err
+	}
+
+	signature, err := base64.RawURLEncoding.DecodeString(signatureBase64URL)
+	if err != nil {
+		return false, err
+	}
+
+	hash := sha256.Sum256(message)
+	ok := ecdsa.VerifyASN1(&privateKey.PublicKey, hash[:], signature)
+	return ok, nil
+}
+
+// Preberi ECDSA zasebni kljuc iz PEM zapisa.
+func PreberiZasebniKljucPEM(pemPrivateKey []byte) (*ecdsa.PrivateKey, error) {
+	block, _ := pem.Decode(pemPrivateKey)
+	if block == nil {
+		return nil, errors.New("invalid PEM block")
+	}
+	if block.Type != "EC PRIVATE KEY" {
+		return nil, errors.New("PEM is not EC PRIVATE KEY")
+	}
+	return x509.ParseECPrivateKey(block.Bytes)
+}
+
+// Preberi ECDSA javni kljuc iz PEM zapisa.
+func PreberiJavniKljucPEM(pemPublicKey []byte) (*ecdsa.PublicKey, error) {
+	block, _ := pem.Decode(pemPublicKey)
+	if block == nil {
+		return nil, errors.New("invalid PEM block")
+	}
+	if block.Type != "PUBLIC KEY" {
+		return nil, errors.New("PEM is not PUBLIC KEY")
+	}
+	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	pub, ok := pubAny.(*ecdsa.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("public key is not ECDSA")
+	}
+	return pub, nil
+}
+
+// Pretvori ECDSA javni kljuc v PEM zapis.
+func PretvoriJavniKljucVPEM(publicKey *ecdsa.PublicKey) ([]byte, error) {
+	der, err := x509.MarshalPKIXPublicKey(publicKey)
+	if err != nil {
+		return nil, err
+	}
+	block := &pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: der,
+	}
+	return pem.EncodeToMemory(block), nil
+}

internal/crypto/keys_test.go

@@ -0,0 +1,44 @@
+package appcrypto
+
+import "testing"
+
+func TestSignAndVerifyWithPEM(t *testing.T) {
+	privatePEM, err := UstvariZasebniKljucECDSAP256PEM()
+	if err != nil {
+		t.Fatalf("generate key: %v", err)
+	}
+
+	message := []byte("hello world")
+	signature, err := PodpisiSporociloSPEM(privatePEM, message)
+	if err != nil {
+		t.Fatalf("sign: %v", err)
+	}
+
+	ok, err := PreveriPodpisSPEM(privatePEM, message, signature)
+	if err != nil {
+		t.Fatalf("verify error: %v", err)
+	}
+	if !ok {
+		t.Fatalf("expected valid signature")
+	}
+}
+
+func TestVerifyFailsForDifferentMessage(t *testing.T) {
+	privatePEM, err := UstvariZasebniKljucECDSAP256PEM()
+	if err != nil {
+		t.Fatalf("generate key: %v", err)
+	}
+
+	signature, err := PodpisiSporociloSPEM(privatePEM, []byte("a"))
+	if err != nil {
+		t.Fatalf("sign: %v", err)
+	}
+
+	ok, err := PreveriPodpisSPEM(privatePEM, []byte("b"), signature)
+	if err != nil {
+		t.Fatalf("verify error: %v", err)
+	}
+	if ok {
+		t.Fatalf("expected signature to fail")
+	}
+}