summaryrefslogtreecommitdiff
path: root/internal/goaes.go
diff options
context:
space:
mode:
Diffstat (limited to 'internal/goaes.go')
-rw-r--r--internal/goaes.go30
1 files changed, 25 insertions, 5 deletions
diff --git a/internal/goaes.go b/internal/goaes.go
index ce054e8..f9e2f3e 100644
--- a/internal/goaes.go
+++ b/internal/goaes.go
@@ -4,24 +4,44 @@ import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
+ "crypto/sha256"
"encoding/base64"
"errors"
"fmt"
"io"
"os"
+
+ "golang.org/x/crypto/pbkdf2"
+)
+
+const (
+ keyIterations = 600_000
+ keyLength = 32
)
-func NewKEKFromEnvB64(envVar string) (KEK, error) {
- b64 := os.Getenv(envVar)
+func NewKEKFromEnvB64(passphraseEnvVar, saltEnvVar string) (KEK, error) {
+ b64 := os.Getenv(passphraseEnvVar)
if b64 == "" {
- return nil, fmt.Errorf("%s is not set", envVar)
+ return nil, fmt.Errorf("%s is not set", passphraseEnvVar)
+ }
+
+ b64Salt := os.Getenv(saltEnvVar)
+ if b64Salt == "" {
+ return nil, fmt.Errorf("%s is not set", saltEnvVar)
}
- raw, err := base64.StdEncoding.DecodeString(b64)
+ passphrase, err := base64.StdEncoding.DecodeString(b64)
if err != nil {
- return nil, fmt.Errorf("decode %s base64: %w", envVar, err)
+ return nil, fmt.Errorf("decode %s base64: %w", passphraseEnvVar, err)
}
+ salt, err := base64.StdEncoding.DecodeString(b64Salt)
+ if err != nil {
+ return nil, fmt.Errorf("decode %s base64: %w", saltEnvVar, err)
+ }
+
+ raw := pbkdf2.Key(passphrase, salt, keyIterations, keyLength, sha256.New)
+
if !validAESKeyLen(len(raw)) {
return nil, errBadKeyLn
}
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-12 01:05:18 +0000