constellation/internal/crypto/crypto.go

// Package crypto provides functions to for cryptography and random numbers.
package crypto

import (
	"crypto/rand"
	"crypto/sha256"
	"io"
	"math/big"

	"golang.org/x/crypto/hkdf"
)

const (
	StateDiskKeyLength = 32
	// DerivedKeyLengthDefault is the default length in bytes for KMS derived keys.
	DerivedKeyLengthDefault = 32
	// MasterSecretLengthDefault is the default length in bytes for CLI generated master secrets.
	MasterSecretLengthDefault = 32
	// MasterSecretLengthMin is the minimal length in bytes for user provided master secrets.
	MasterSecretLengthMin = 16
	// RNGLengthDefault is the number of bytes used for generating nonces.
	RNGLengthDefault = 32
	// HKDFInfoPrefix is the prefix used for the info parameter in HKDF.
	HKDFInfoPrefix = "key-"
)

// DeriveKey derives a key from a secret.
func DeriveKey(secret, salt, info []byte, length uint) ([]byte, error) {
	hkdf := hkdf.New(sha256.New, secret, salt, info)
	key := make([]byte, length)
	if _, err := io.ReadFull(hkdf, key); err != nil {
		return nil, err
	}
	return key, nil
}

// GenerateCertificateSerialNumber generates a random serial number for an X.509 certificate.
func GenerateCertificateSerialNumber() (*big.Int, error) {
	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
	return rand.Int(rand.Reader, serialNumberLimit)
}

// GenerateRandomBytes reads length bytes from getrandom(2) if available, /dev/urandom otherwise.
func GenerateRandomBytes(length int) ([]byte, error) {
	nonce := make([]byte, length)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}
AB#2200 Merge Owner and Cluster ID (#282) * Merge Owner and Cluster ID into single value * Remove aTLS from KMS, as it is no longer used for cluster external communication * Update verify command to use cluster-id instead of unique-id flag * Remove owner ID from init output Signed-off-by: Daniel Weiße <dw@edgeless.systems> 2022-07-26 04:58:39 -04:00			`// Package crypto provides functions to for cryptography and random numbers.`
			`package crypto`

			`import (`
			`"crypto/rand"`
			`"crypto/sha256"`
			`"io"`
			`"math/big"`

			`"golang.org/x/crypto/hkdf"`
			`)`

			`const (`
			`StateDiskKeyLength = 32`
			`// DerivedKeyLengthDefault is the default length in bytes for KMS derived keys.`
			`DerivedKeyLengthDefault = 32`
			`// MasterSecretLengthDefault is the default length in bytes for CLI generated master secrets.`
			`MasterSecretLengthDefault = 32`
			`// MasterSecretLengthMin is the minimal length in bytes for user provided master secrets.`
			`MasterSecretLengthMin = 16`
			`// RNGLengthDefault is the number of bytes used for generating nonces.`
			`RNGLengthDefault = 32`
			`// HKDFInfoPrefix is the prefix used for the info parameter in HKDF.`
			`HKDFInfoPrefix = "key-"`
			`)`

			`// DeriveKey derives a key from a secret.`
			`func DeriveKey(secret, salt, info []byte, length uint) ([]byte, error) {`
			`hkdf := hkdf.New(sha256.New, secret, salt, info)`
			`key := make([]byte, length)`
			`if _, err := io.ReadFull(hkdf, key); err != nil {`
			`return nil, err`
			`}`
			`return key, nil`
			`}`

			`// GenerateCertificateSerialNumber generates a random serial number for an X.509 certificate.`
			`func GenerateCertificateSerialNumber() (*big.Int, error) {`
			`serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)`
			`return rand.Int(rand.Reader, serialNumberLimit)`
			`}`

			`// GenerateRandomBytes reads length bytes from getrandom(2) if available, /dev/urandom otherwise.`
			`func GenerateRandomBytes(length int) ([]byte, error) {`
			`nonce := make([]byte, length)`
			`if _, err := rand.Read(nonce); err != nil {`
			`return nil, err`
			`}`
			`return nonce, nil`
			`}`