Documentation ¶
Overview ¶
---------------------------------------------------------------------------------------------- // -- Copyright (c) 2024 Braden Hitchcock - MIT License (https://opensource.org/licenses/MIT) -- // ---------------------------------------------------------------------------------------------- //
---------------------------------------------------------------------------------------------- // -- Copyright (c) 2024 Braden Hitchcock - MIT License (https://opensource.org/licenses/MIT) -- // ---------------------------------------------------------------------------------------------- //
Index ¶
- Constants
- func CheckDataHash(data []byte, hash DataHash) bool
- func CheckPasswordHash(password Password, hash PassHash) bool
- func Decrypt(key Key, ciphertext []byte) (plaintext []byte, err error)
- func Encrypt(key Key, plaintext []byte) (ciphertext []byte, err error)
- type Agent
- type DataHash
- type Key
- type PassHash
- type Password
- type Salt
Constants ¶
const ( // Iterations is the number of iterations used when generating a key with PBKDF2. Iterations = 1000000 // KeyLength is the length of the key generated by PBKDF2 for encrypting data. KeyLength = 32 // SaltLength is the length of the salt used by PBKDF2 when generating a key. SaltLength = 32 // MinPasswordLength is the minimum number of characters that must be contained in a // user-provided password. MinPasswordLength = 16 // MaxPasswordLength is the maximum number of bytes a password can contain. This restriction is // imposed by the Bcrypt algorithm used to hash the password. MaxPasswordLength = 72 // HashCost is the cost used by the Bcrypt algorithm when hashing a password. HashCost = 14 )
Variables ¶
This section is empty.
Functions ¶
func CheckDataHash ¶
CheckDataHash compares a slice of byte data with a hash using SHA-256. If using this algorithm to hash the provided data would produce the provided hash, then the function returns true. Otherwise the function returns false.
func CheckPasswordHash ¶
HashPassword compares a plain-text password against a byte hash of a password hashed using the Bcrypt algorithm. If using Bcrypt to hash the provided password would produce a string equal to the provided hash, then the function returns true. Otherwise the function returns false.
See https://www.usenix.org/legacy/event/usenix99/provos/provos.pdf for algorithm specifics.
Types ¶
type DataHash ¶
type DataHash [32]byte
DataHash is a hash of arbitrary data using SHA-256 represented as a 32-byte slice of bytes
type Key ¶
type Key []byte
Key is the slice of keylen bytes used to encrypt data with AES-256.
func NewDerivedKey ¶
NewDerivedKey uses the PBKDF2 key derivation algorithm to create a 256-bit key that can be used by the AES algorithm for encrypting and decrypting data.
func NewRandomKey ¶
NewRandomKey uses a cryptographically strong random generator to create a 256-bit key that can be used by the AES algorithm for encrypting and decrypting data.
type PassHash ¶
type PassHash []byte
PassHash is a hash of a password performed by Bcrypt represented as a slice of bytes.
func HashPassword ¶
HashPassword produces a byte hash of the provided password using the Bcrypt algorithm.
See https://www.usenix.org/legacy/event/usenix99/provos/provos.pdf for algorithm specifics.
type Password ¶
type Password string
Password is a user-provided string that has been validated and meets all criteria for a password.
func NewPassword ¶
NewPassword verifies the provided string value meets the criteria for a password and then wraps it in the Password type to indicate the string has been validated. If the provided string does not meet the password criteria for Kolob, then the function will return an error explaining which criteria failed.
Note that although the function only returns a single error value, the message inside that error value is dynamic depending on which criteria for the password were not met.
type Salt ¶
type Salt []byte
Salt is the slice of saltlen bytes used when generating a key from a user-provided password.
func LoadSalt ¶
LoadSalt verifies that an existing byte slice only contains saltlen bytes. This ensures that a bytes loaded from authentication information can be used to recreate the original key used to encrypt data.