Overview ¶
Package crypto provides functions for managing encryption, keys, etc.
Index ¶
- Constants
- Variables
- func CorrectPassword(hash string, password string) bool
- func Decrypt(key, ciphertext []byte) ([]byte, error)
- func DeriveKey(password string, salt []byte) []byte
- func Encrypt(key, plaintext []byte) ([]byte, error)
- func GenerateBackupCodes() []string
- func GenerateCertificate(certPath, keyPath, host, method string) error
- func GenerateMasterToken(key []byte) (string, error)
- func GenerateSalt() []byte
- func GenerateSecretKey(accountName string) (*otp.Key, error)
- func GetAPIPrivateKey(t *jwt.Token) (interface{}, error)
- func GetFakeAPIKey(tok *jwt.Token) (interface{}, error)
- func GetGithubKey(pemFile io.Reader) (ssh.AuthMethod, error)
- func HashPassword(password string) (string, error)
- func IsCredentialFormatError(err error) bool
- func IsLegalString(str string) bool
- func ValidateCredentialValues(username, password string) error
- func ValidatePasscode(passcode string, secret string) bool
- func ValidateSignature(signature string, payload, secretKey []byte) error
- type TokenClaims
Constants ¶
// KeyDerivationSaltLength is the length, in bytes, of the salt handed to
// the key-derivation function.
//
// NOTE(review): 8 bytes (64 bits) is below the 128-bit minimum that
// NIST SP 800-132 recommends for PBKDF2 salts. The value is kept as is
// here because changing it affects compatibility with salts already
// stored alongside existing derived keys; treat a bump as a migration.
const KeyDerivationSaltLength = 8

// KeyDerivationKeyLength is the length, in bytes, of the key produced by
// the key-derivation function (32 bytes = 256 bits).
const KeyDerivationKeyLength = 32
// TokenInvalidErrorMsg is the message used when a token fails validation.
// Callers that compare error text against it must use the exact value.
const TokenInvalidErrorMsg = "token invalid"

// TokenExpiredErrorMsg is the message used when a token's expiry has passed.
const TokenExpiredErrorMsg = "token expired"
// SymmetricKeyLength is the length, in bytes, of the symmetric key
// (32 bytes = 256 bits) expected by the package's Encrypt/Decrypt helpers.
// Presumably this selects AES-256 when paired with DeriveKey — confirm
// against the cipher construction before relying on it.
const SymmetricKeyLength = 32
Variables ¶
var (
	// TestPrivateKey is an example key for testing purposes. It is
	// committed to the repository and therefore public: anything signed
	// with it can be forged by anyone who can read the source, so it must
	// never be used to sign or verify tokens outside of tests.
	TestPrivateKey = []byte("very_sekrit_key")
	// TestMasterToken is an example token for testing purposes. This is
	// generated by TestGenerateMasterToken, and is a master token.
	// (The 185-byte literal is elided in this rendering of the source.)
	TestMasterToken = "" /* 185-byte string literal not displayed */
	// TestInertiaKeyPath is the path to Inertia's test RSA key, relative
	// to this package directory.
	TestInertiaKeyPath = "../../../test/keys/id_rsa"
)
var (
	// DaemonGithubKeyLocation is the default path of the generated deploy key.
	// It is read once from the INERTIA_GH_KEY_PATH environment variable at
	// package initialisation; if the variable is unset this is the empty
	// string, so consumers should check for "" before opening the file.
	// The commented-out path below is kept from the original source.
	DaemonGithubKeyLocation = os.Getenv("INERTIA_GH_KEY_PATH") //"/app/host/.ssh/id_rsa_inertia_deploy"
)
Functions ¶
func CorrectPassword ¶
CorrectPassword checks whether the given password matches the given hash.
func DeriveKey ¶ added in v0.5.0
DeriveKey derives an AES encryption key based on salt + user's password using PBKDF2 with HMAC-SHA256
func GenerateBackupCodes ¶ added in v0.5.0
func GenerateBackupCodes() []string
GenerateBackupCodes generates an array of backup code strings in Github format.
Example: b2e03-ffbcf cebe6-b1bdd ...
func GenerateCertificate ¶
GenerateCertificate creates an SSL certificate for HTTPS use
func GenerateMasterToken ¶
GenerateMasterToken creates a "master" JSON Web Token (JWT) for a client to use when sending HTTP requests to the daemon server.
func GenerateSalt ¶ added in v0.5.0
func GenerateSalt() []byte
GenerateSalt returns a random, hex-encoded salt for the KD algorithm.
func GenerateSecretKey ¶ added in v0.5.0
GenerateSecretKey creates a new key which can be rendered as a string or an image.
func GetAPIPrivateKey ¶
GetAPIPrivateKey returns the private RSA key used to authenticate HTTP requests sent to the daemon. For now, we simply use the GitHub deploy key, read from the default DaemonGithubKeyLocation.
func GetFakeAPIKey ¶
GetFakeAPIKey is a helper function that implements jwt.Keyfunc and returns the test private key.
func GetGithubKey ¶
func GetGithubKey(pemFile io.Reader) (ssh.AuthMethod, error)
GetGithubKey returns an ssh.AuthMethod from the given io.Reader for use with the go-git library
func HashPassword ¶
HashPassword generates a bcrypt hash from the given password.
func IsCredentialFormatError ¶ added in v0.5.0
IsCredentialFormatError returns true if the given error is one related to username/password format
func IsLegalString ¶
IsLegalString returns true if `str` contains only characters in [A-Z], [a-z], '_' or '-'.
func ValidateCredentialValues ¶
ValidateCredentialValues takes a username and password and verifies that they are of sufficient length and contain only legal characters.
func ValidatePasscode ¶ added in v0.5.0
ValidatePasscode validates a one-time passcode against the original secret key.
func ValidateSignature ¶ added in v0.5.0
ValidateSignature validates the HMAC signature for the given payload. Based on https://github.com/google/go-github
Types ¶
type TokenClaims ¶
// TokenClaims represents a JWT token's claims. Field order is part of
// the JSON encoding and is kept as is.
type TokenClaims struct {
	// SessionID identifies the session the token was issued for.
	SessionID string `json:"session_id"`
	// User is the username the token was issued to.
	User string `json:"user"`
	// Admin marks the token as carrying administrative privileges.
	Admin bool `json:"admin"`
	// Expiry is the point after which the token is no longer valid;
	// presumably compared against the current time by ValidateToken — confirm.
	Expiry time.Time `json:"expiry"`
}
TokenClaims represents a JWT token's claims
func ValidateToken ¶
func ValidateToken(tokenString string, lookup jwt.Keyfunc) (*TokenClaims, error)
ValidateToken ensures the token is valid and returns its metadata.
func (*TokenClaims) GenerateToken ¶
func (t *TokenClaims) GenerateToken(key []byte) (string, error)
GenerateToken creates a JWT token from these claims, signed with the given key.
func (*TokenClaims) IsMaster ¶
func (t *TokenClaims) IsMaster() bool
IsMaster returns true if this is a master key