Documentation
Overview
Package stronghold provides a secure way to store and verify secrets.
A secret is stored as a hash and can be verified against that hash later. A key derivation function derives a key from the secret and a salt; that key encrypts the secret with an authenticated encryption with associated data (AEAD) scheme, and the encrypted secret is then hashed by a remote hardware security module (HSM).
This is inspired by the Facebook Onion PRF service.
Constants
This section is empty.
Variables
```go
var (
	// ErrEmptySecret is returned when the secret is empty.
	ErrEmptySecret = errors.New("empty secret")
	// ErrSecretTooLong is returned when the secret is too long.
	ErrSecretTooLong = errors.New("secret too long")
	// ErrAADTooLong is returned when the additional data is too long.
	ErrAADTooLong = errors.New("aad too long")
	// ErrStoredHashTooShort is returned when the stored hash is too short.
	ErrStoredHashTooShort = errors.New("stored hash too short")
	// ErrContextMismatch is returned when the context does not match the stored context.
	ErrContextMismatch = errors.New("context mismatch")
	// ErrHashMismatch is returned when the hash does not match the stored hash.
	ErrHashMismatch = errors.New("hash mismatch")
)
```
Functions
This section is empty.
Types
type Hash
```go
type Hash struct {
	// RemoteHashFunc calls the remote HSM to hash the given bytes.
	RemoteHashFunc func(context.Context, []byte) ([]byte, error)
	// KeyDerivation is the key derivation function.
	KeyDerivation KDF
	// Encryption is the authenticated encryption with associated data.
	Encryption AEAD
}
```
Hash is a hash implementation that uses a remote HSM to hash the password.
func (*Hash) Seal
Seal hashes the secret and seals the context with the provided additional data. It returns the sealed context.
The AAD is the additional data used to seal the context. Consider using a canonical representation of the context to prevent mismatches. The result is expected to be in the format SALT || ENCRYPTED_HASH.
func (*Hash) Verify
Verify verifies the secret against the stored hash and additional data. It returns nil if the secret matches the stored hash, ErrHashMismatch if the hash does not match, or ErrContextMismatch if the context does not match the stored context.
The stored hash is expected to be in the format SALT || ENCRYPTED_HASH. AAD is the additional data that was used to seal the context. Consider using a canonical representation of the context to prevent mismatches.
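As an added illustration of the Overview's pipeline and of Seal/Verify (example code, not the stronghold package's own), with local stand-ins: an HMAC-SHA256 placeholder for the KDF, AES-256-GCM as the AEAD, and a keyed HMAC in place of the remote HSM call. The 16-byte salt length, the nonce-taken-from-salt choice and the HSM key are assumptions.

```go
package main
import (
	"context"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

const saltLen = 16 // leading bytes of SALT || ENCRYPTED_HASH (assumed length)
var ErrStoredHashTooShort = errors.New("stored hash too short")
var ErrHashMismatch = errors.New("hash mismatch")
var hsmKey = []byte("constructed-hsm-key-for-illustration") // stand-in for the key only the HSM holds
// remoteHash plays the role of Hash.RemoteHashFunc: HMAC-SHA256 under the HSM-held key.
func remoteHash(_ context.Context, in []byte) ([]byte, error) {
	m := hmac.New(sha256.New, hsmKey)
	m.Write(in)
	return m.Sum(nil), nil
}

// deriveKey is a placeholder KDF (HMAC-SHA256 keyed by the salt); the package's real KDF is not on the page.
func deriveKey(secret, salt []byte) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write(secret)
	return m.Sum(nil) // 32 bytes, used as the AES-256-GCM key
}

// Seal runs the pipeline KDF -> AEAD(secret, aad) -> remote hash and returns SALT || ENCRYPTED_HASH. The caller
// passes a fresh random salt (crypto/rand) per secret; the GCM nonce is taken from it (assumption) so Verify can recompute.
func Seal(ctx context.Context, salt, secret, aad []byte) ([]byte, error) {
	if len(salt) != saltLen { return nil, errors.New("salt must be saltLen bytes") }
	block, err := aes.NewCipher(deriveKey(secret, salt))
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	h, err := remoteHash(ctx, gcm.Seal(nil, salt[:gcm.NonceSize()], secret, aad))
	if err != nil { return nil, err }
	return append(append([]byte{}, salt...), h...), nil
}

// Verify recomputes the pipeline with the stored salt and compares the whole blob in constant time.
func Verify(ctx context.Context, stored, secret, aad []byte) error {
	if len(stored) <= saltLen { return ErrStoredHashTooShort }
	want, err := Seal(ctx, stored[:saltLen], secret, aad)
	if err != nil { return err }
	if subtle.ConstantTimeCompare(stored, want) != 1 { return ErrHashMismatch }
	return nil
}
```

Because the AAD is bound into the AEAD ciphertext, a different context changes the recomputed bytes and surfaces here as ErrHashMismatch; the package's separate ErrContextMismatch depends on details the page does not show.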