/
pw.go
70 lines (60 loc) · 1.48 KB
/
pw.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
package auth
import (
"time"
"github.com/getchill-app/keyring/auth/api"
"github.com/keys-pub/keys"
"github.com/keys-pub/keys/encoding"
"github.com/pkg/errors"
)
func NewPassword(password string, mk *[32]byte) (*Auth, error) {
id := encoding.MustEncode(keys.RandBytes(32), encoding.Base62)
salt := keys.RandBytes(24)
key, err := keys.KeyForPassword(password, salt)
if err != nil {
return nil, err
}
ek := secretBoxSeal(mk[:], key)
return &Auth{
ID: id,
Type: api.PasswordType,
EncryptedKey: ek,
Salt: salt,
CreatedAt: time.Now(),
}, nil
}
// RegisterPassword registers a password.
func (d *DB) RegisterPassword(password string, mk *[32]byte) (*Auth, error) {
if mk == nil {
return nil, errors.Errorf("nil master key")
}
auth, err := NewPassword(password, mk)
if err != nil {
return nil, err
}
if err := d.Set(auth); err != nil {
return nil, err
}
return auth, nil
}
// Password authenticates with a password.
func (d *DB) Password(password string) (*Auth, *[32]byte, error) {
if password == "" {
return nil, nil, ErrInvalidAuth
}
auths, err := d.ListByType(api.PasswordType)
if err != nil {
return nil, nil, errors.Wrapf(err, "failed to auth")
}
for _, auth := range auths {
key, err := keys.KeyForPassword(password, auth.Salt)
if err != nil {
return nil, nil, errors.Wrapf(err, "failed to auth")
}
mk := d.unlock(auth, key)
if mk == nil {
continue
}
return auth, mk, nil
}
return nil, nil, ErrInvalidAuth
}