Documentation

Overview
Package crypto provides secure cryptographic operations for TinyVault. It implements AES-256-GCM for symmetric encryption and Argon2id for key derivation.
Index
- Constants
- Variables
- func CompareTokens(hash1, hash2 []byte) bool
- func DecodeKey(encoded string) ([]byte, error)
- func Decrypt(key, ciphertext []byte) ([]byte, error)
- func DecryptString(key []byte, ciphertextB64 string) (string, error)
- func DeriveKey(password, salt []byte) ([]byte, error)
- func EncodeKey(key []byte) string
- func Encrypt(key, plaintext []byte) ([]byte, error)
- func EncryptString(key []byte, plaintext string) (string, error)
- func GenerateKey() ([]byte, error)
- func GenerateSalt() ([]byte, error)
- func GenerateToken(length int) ([]byte, error)
- func GenerateTokenString(length int) (string, error)
- func HashPassword(password string) (string, error)
- func HashToken(token []byte) []byte
- func HashTokenString(token string) []byte
- func VerifyPassword(password, encodedHash string) bool
- func ZeroBytes(b []byte)
Constants

const (
	// KeySize is the size of AES-256 keys in bytes.
	KeySize = 32
	// NonceSize is the size of GCM nonces in bytes.
	NonceSize = 12
	// TagSize is the size of GCM authentication tags in bytes.
	TagSize = 16
	// SaltSize is the size of salts for key derivation in bytes.
	SaltSize = 16
	// Argon2Time is the time parameter for Argon2id.
	Argon2Time = 3
	// Argon2Memory is the memory parameter for Argon2id in KiB.
	Argon2Memory = 64 * 1024
	// Argon2Threads is the parallelism parameter for Argon2id.
	Argon2Threads = 4
)

const PasswordHashSize = 32

PasswordHashSize is the size of the derived key for password hashing.
Variables

var (
	// ErrInvalidKeySize is returned when a key has an incorrect size.
	ErrInvalidKeySize = errors.New("key must be 32 bytes")
	// ErrInvalidCiphertext is returned when ciphertext is malformed.
	ErrInvalidCiphertext = errors.New("ciphertext too short")
	// ErrDecryptionFailed is returned when decryption fails (authentication error).
	ErrDecryptionFailed = errors.New("decryption failed: authentication error")
	// ErrInvalidSaltSize is returned when a salt has an incorrect size.
	ErrInvalidSaltSize = errors.New("salt must be 16 bytes")
)
Functions
func CompareTokens

func CompareTokens(hash1, hash2 []byte) bool

CompareTokens compares two token hashes in constant time. Returns true if they are equal, false otherwise.
func Decrypt

func Decrypt(key, ciphertext []byte) ([]byte, error)

Decrypt decrypts ciphertext using AES-256-GCM. It expects the nonce to be prepended to the ciphertext.
func DecryptString

func DecryptString(key []byte, ciphertextB64 string) (string, error)

DecryptString decrypts base64-encoded ciphertext and returns the plaintext string.
func DeriveKey

func DeriveKey(password, salt []byte) ([]byte, error)

DeriveKey derives a 32-byte key from a password using Argon2id. The salt must be 16 bytes.
func Encrypt

func Encrypt(key, plaintext []byte) ([]byte, error)

Encrypt encrypts plaintext using AES-256-GCM. It generates a random nonce and prepends it to the ciphertext. The result is: nonce (12 bytes) + ciphertext + tag (16 bytes).
func EncryptString

func EncryptString(key []byte, plaintext string) (string, error)

EncryptString encrypts a string and returns base64-encoded ciphertext.
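The wire layout described for Encrypt and Decrypt above (nonce || ciphertext || tag), together with the base64 wrappers EncryptString and DecryptString, as an added example written for this page; it is not TinyVault's own source. It uses only the standard library's crypto/aes and crypto/cipher, whose GCM mode defaults to the same 12-byte nonce and 16-byte tag as NonceSize and TagSize, and it returns the page's sentinel errors. The main function and the tamper check in it are illustrative additions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Sizes and sentinel errors as documented on this page.
const (
	KeySize   = 32
	NonceSize = 12
	TagSize   = 16
)

var (
	ErrInvalidKeySize    = errors.New("key must be 32 bytes")
	ErrInvalidCiphertext = errors.New("ciphertext too short")
	ErrDecryptionFailed  = errors.New("decryption failed: authentication error")
)

// GenerateKey returns a random 32-byte AES-256 key from crypto/rand.
func GenerateKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM rejects any key that is not exactly 32 bytes (aes.NewCipher would
// otherwise happily build AES-128 from a 16-byte key) and returns the AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, ErrInvalidKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce (12 bytes) || ciphertext || tag (16 bytes). A fresh
// random nonce on every call is what makes reusing one key safe under GCM.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, NonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the nonce becomes the prefix.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt splits the nonce off the front and returns plaintext only after the
// tag verifies. Every authentication failure maps to the same error value, so
// a caller cannot learn which byte was altered.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < NonceSize+TagSize {
		return nil, ErrInvalidCiphertext
	}
	nonce, sealed := ciphertext[:NonceSize], ciphertext[NonceSize:]
	plaintext, err := aead.Open(nil, nonce, sealed, nil)
	if err != nil {
		return nil, ErrDecryptionFailed
	}
	return plaintext, nil
}

// EncryptString and DecryptString wrap the byte API in standard base64.
func EncryptString(key []byte, plaintext string) (string, error) {
	ct, err := Encrypt(key, []byte(plaintext))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

func DecryptString(key []byte, ciphertextB64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(ciphertextB64)
	if err != nil {
		return "", err
	}
	pt, err := Decrypt(key, ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, _ := GenerateKey()
	ct, _ := Encrypt(key, []byte("vault secret"))
	fmt.Println("framing overhead in bytes:", len(ct)-len("vault secret"))
	ct[NonceSize] ^= 0x01 // flip one ciphertext bit; the tag no longer verifies
	_, err := Decrypt(key, ct)
	fmt.Println("tampered ciphertext rejected:", errors.Is(err, ErrDecryptionFailed))
}
```

Two properties are worth checking whenever this layout is implemented: encrypting the same plaintext twice must yield different output (otherwise the nonce is not random), and the length of the output must be exactly the plaintext length plus 28, or the receiver's split of nonce and tag will be off.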
func GenerateKey

func GenerateKey() ([]byte, error)

GenerateKey generates a cryptographically secure random 32-byte key.
func GenerateSalt

func GenerateSalt() ([]byte, error)

GenerateSalt generates a cryptographically secure random 16-byte salt.
func GenerateToken

func GenerateToken(length int) ([]byte, error)

GenerateToken generates a random token of the specified length in bytes. Returns the raw bytes.
func GenerateTokenString

func GenerateTokenString(length int) (string, error)

GenerateTokenString generates a random token and returns it as a base64 string.
func HashPassword

func HashPassword(password string) (string, error)

HashPassword hashes a password using Argon2id and returns a base64-encoded string. The format is: base64(salt || hash) where salt is 16 bytes and hash is 32 bytes.
func HashToken

func HashToken(token []byte) []byte

HashToken creates a SHA-256 hash of a token. Use this to hash tokens before storing them in the database.
func HashTokenString

func HashTokenString(token string) []byte

HashTokenString is a convenience function that hashes a string token.
func VerifyPassword

func VerifyPassword(password, encodedHash string) bool

VerifyPassword verifies a password against a hash created by HashPassword. Returns true if the password matches, false otherwise.
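The salt handling and storage format shared by DeriveKey, HashPassword and VerifyPassword (random 16-byte salt, 32-byte derived key, base64(salt || hash), constant-time comparison on verify), as an added example written for this page; it is not TinyVault's own code. The package documented here uses Argon2id with Argon2Time, Argon2Memory and Argon2Threads, which lives in golang.org/x/crypto/argon2; so that this example runs on the standard library alone, the key derivation is swapped for a minimal PBKDF2-HMAC-SHA256 (RFC 8018) written inline, with an iteration count chosen for the example. Replacing pbkdf2SHA256 with argon2.IDKey restores the page's scheme; everything around it is unchanged.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

const (
	SaltSize         = 16
	PasswordHashSize = 32
	// Work factor for the stand-in KDF below; an assumption for this example.
	pbkdf2Iterations = 100_000
)

var ErrInvalidSaltSize = errors.New("salt must be 16 bytes")

// GenerateSalt returns 16 random bytes from crypto/rand.
func GenerateSalt() ([]byte, error) {
	salt := make([]byte, SaltSize)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return salt, nil
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 for a single 32-byte output block:
// U1 = HMAC(P, S || INT(1)), Ui = HMAC(P, Ui-1), T1 = U1 xor ... xor Uc.
// It stands in for argon2.IDKey(password, salt, Argon2Time, Argon2Memory,
// Argon2Threads, PasswordHashSize), which is what the page's package uses.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index INT(1)
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// DeriveKey derives a 32-byte key from password and a salt that must be
// exactly SaltSize bytes; the same inputs always yield the same key.
func DeriveKey(password, salt []byte) ([]byte, error) {
	if len(salt) != SaltSize {
		return nil, ErrInvalidSaltSize
	}
	return pbkdf2SHA256(password, salt, pbkdf2Iterations), nil
}

// HashPassword returns base64(salt || hash) with a fresh random salt, so the
// same password produces a different stored value on every call.
func HashPassword(password string) (string, error) {
	salt, err := GenerateSalt()
	if err != nil {
		return "", err
	}
	hash, err := DeriveKey([]byte(password), salt)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(append(salt, hash...)), nil
}

// VerifyPassword decodes the stored value, splits off the salt, re-derives
// with the same parameters and compares in constant time. Malformed input is
// reported as a mismatch, never as success.
func VerifyPassword(password, encodedHash string) bool {
	raw, err := base64.StdEncoding.DecodeString(encodedHash)
	if err != nil || len(raw) != SaltSize+PasswordHashSize {
		return false
	}
	salt, stored := raw[:SaltSize], raw[SaltSize:]
	derived, err := DeriveKey([]byte(password), salt)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(stored, derived) == 1
}

func main() {
	stored, err := HashPassword("correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", stored)
	fmt.Println("right password:", VerifyPassword("correct horse battery staple", stored))
	fmt.Println("wrong password:", VerifyPassword("Tr0ub4dor&3", stored))
}
```

Because the salt travels inside the stored string, VerifyPassword needs no other state, and rotating the KDF parameters later only requires a versioned prefix on that string; the fixed 48-byte length check is what makes the split of salt and hash unambiguous.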
Types

This section is empty.