Package crypto provides functions for managing encryption, keys, etc.



const (
	// KeyDerivationSaltLength is the length of the salt in bytes
	KeyDerivationSaltLength = 8
	// KeyDerivationKeyLength is the length of the key derived in bytes
	KeyDerivationKeyLength = 32
const (
	// SymmetricKeyLength is the length of the symmetric key in bytes
	SymmetricKeyLength = 32


var (
	// TestPrivateKey is an example key for testing purposes
	TestPrivateKey = []byte("very_sekrit_key")

	// TestMasterToken is an example token for testing purposes. This is
	// generated by TestGenerateMasterToken, and is a master token.
	TestMasterToken = "" /* 185-byte string literal not displayed */

	// TestInertiaKeyPath the path to Inertia's test RSA key
	TestInertiaKeyPath = "../../../test/keys/id_rsa"
var (
	// ErrInvalidToken says that the token is invalid
	ErrInvalidToken = errors.New("token invalid")

	// ErrTokenExpired says that the token is expired
	ErrTokenExpired = errors.New("token expired")
var (
	// DaemonInertiaKeyLocation is the default path of the generated deploy key
	DaemonInertiaKeyLocation = os.Getenv("INERTIA_GH_KEY_PATH") //"/app/host/.ssh/id_rsa_inertia_deploy"


func CorrectPassword

func CorrectPassword(hash string, password string) bool

CorrectPassword reports whether the given password matches the given hash

func Decrypt

func Decrypt(key, ciphertext []byte) ([]byte, error)

Decrypt decrypts ciphertext using the given key in AES-GCM mode

func DeriveKey

func DeriveKey(password string, salt []byte) []byte

DeriveKey derives an AES encryption key from the salt and the user's password using PBKDF2 with HMAC-SHA256

func Encrypt

func Encrypt(key, plaintext []byte) ([]byte, error)

Encrypt encrypts plaintext using the given key in AES-GCM mode

func GenerateBackupCodes

func GenerateBackupCodes() []string

GenerateBackupCodes generates an array of backup code strings in GitHub format.

Example: b2e03-ffbcf cebe6-b1bdd ...

func GenerateCertificate

func GenerateCertificate(certPath, keyPath, host, method string) error

GenerateCertificate creates an SSL certificate for HTTPS use

func GenerateMasterToken

func GenerateMasterToken(key []byte) (string, error)

GenerateMasterToken creates a "master" JSON Web Token (JWT) for a client to use when sending HTTP requests to the daemon server.

func GenerateSalt

func GenerateSalt() []byte

GenerateSalt returns a random hex-encoded salt for the key-derivation (KD) algorithm

func GenerateSecretKey

func GenerateSecretKey(accountName string) (*otp.Key, error)

GenerateSecretKey creates a new OTP key which can be rendered as a string or an image

func GetAPIPrivateKey

func GetAPIPrivateKey(t *jwt.Token) (interface{}, error)

GetAPIPrivateKey returns the private RSA key used to authenticate HTTP requests sent to the daemon. For now, this is simply the GitHub deploy key, read from the default DaemonInertiaKeyLocation.

func GetFakeAPIKey

func GetFakeAPIKey(tok *jwt.Token) (interface{}, error)

GetFakeAPIKey is a helper function that implements jwt.Keyfunc and returns the test private key

func GetInertiaKey

func GetInertiaKey(pemFile io.Reader) (ssh.AuthMethod, error)

GetInertiaKey returns an ssh.AuthMethod from the given io.Reader for use with the go-git library

func HashPassword

func HashPassword(password string) (string, error)

HashPassword generates a bcrypt hash of the given password

func IsCredentialFormatError

func IsCredentialFormatError(err error) bool

IsCredentialFormatError returns true if the given error relates to username or password format

func IsLegalString

func IsLegalString(str string) bool

IsLegalString returns true if `str` only contains characters [A-Z], [a-z], or '_' or '-'

func ValidateCredentialValues

func ValidateCredentialValues(username, password string) error

ValidateCredentialValues takes a username and password and verifies that they are of sufficient length and contain only legal characters

func ValidatePasscode

func ValidatePasscode(passcode string, secret string) bool

ValidatePasscode validates a one-time passcode against the original secret key

func ValidateSignature

func ValidateSignature(signature string, payload, secretKey []byte) error

ValidateSignature validates the HMAC signature for the given payload. Based off of


type TokenClaims

type TokenClaims struct {
	SessionID string    `json:"session_id"`
	User      string    `json:"user"`
	Admin     bool      `json:"admin"`
	Expiry    time.Time `json:"expiry"`

TokenClaims represents a JWT token's claims

func ValidateToken

func ValidateToken(tokenString string, lookup jwt.Keyfunc) (*TokenClaims, error)

ValidateToken ensures the token is valid and returns its claims

func (*TokenClaims) GenerateToken

func (t *TokenClaims) GenerateToken(key []byte) (string, error)

GenerateToken creates a JWT from these claims, signed with the given key

func (*TokenClaims) IsMaster

func (t *TokenClaims) IsMaster() bool

IsMaster returns true if these claims belong to a master token

func (*TokenClaims) Valid

func (t *TokenClaims) Valid() error

Valid checks whether the token is authentic