// monorepo/cloud/maplefile-backend/internal/domain/crypto/domain/keys/kdf.go
package crypto
import (
	"errors"
	"fmt"
	"time"

	"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/crypto"
)
// KDFParams stores the key derivation function parameters
// KDFParams stores the key derivation function parameters used to derive a
// key from a password. The json/bson tags indicate the struct is persisted
// next to whatever it protects so the same parameters can be replayed on the
// next derivation; Validate in this file enforces the minimum floors a stored
// set must satisfy, and DefaultKDFParams supplies the current recommended set.
type KDFParams struct {
	Algorithm   string `json:"algorithm" bson:"algorithm"`     // "argon2id", "pbkdf2", "scrypt" — only argon2id is accepted by Validate today
	Version     string `json:"version" bson:"version"`         // "1.0", "1.1", etc. — not checked by Validate
	Iterations  uint32 `json:"iterations" bson:"iterations"`   // For PBKDF2 or Argon2 time cost (number of passes)
	Memory      uint32 `json:"memory" bson:"memory"`           // For Argon2 memory in KB — NOTE(review): Argon2's m parameter is conventionally in KiB (1024-byte blocks); confirm the unit the crypto package expects
	Parallelism uint8  `json:"parallelism" bson:"parallelism"` // For Argon2 threads (lanes); uint8 caps this at 255
	SaltLength  uint32 `json:"salt_length" bson:"salt_length"` // Salt size in bytes
	KeyLength   uint32 `json:"key_length" bson:"key_length"`   // Output key size in bytes
}
// DefaultKDFParams returns the current recommended KDF parameters
// DefaultKDFParams returns the current recommended KDF parameters: Argon2id
// at parameter-set version "1.0", with the time cost, memory, parallelism,
// salt size and key size taken from the shared crypto package constants.
// The returned value is a fresh copy; callers may modify it freely.
func DefaultKDFParams() KDFParams {
	var p KDFParams
	p.Algorithm = crypto.Argon2IDAlgorithm
	p.Version = "1.0" // a new parameter set always starts at 1.0
	p.Iterations = crypto.Argon2OpsLimit // time cost (passes)
	p.Memory = crypto.Argon2MemLimit
	p.Parallelism = crypto.Argon2Parallelism
	p.SaltLength = crypto.Argon2SaltSize
	p.KeyLength = crypto.Argon2KeySize
	return p
}
// Validate checks if KDF parameters are valid
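// Validate checks that the KDF parameters describe a usable configuration.
//
// Only Argon2id is accepted; any other Algorithm value, including the empty
// string, is rejected. The numeric checks are hard floors below which a
// derivation is unsafe or not even representable by the algorithm — they
// are deliberately far below current guidance (RFC 9106 recommends tens of
// MiB of memory) and are not the values to use for new hashes; those come
// from DefaultKDFParams. Argon2 additionally requires at least 8 KiB of
// memory per lane (8*Parallelism), so a set that passes the 1024 KB floor
// can still be invalid when Parallelism is large; that combination is
// rejected here rather than left for the implementation to adjust.
//
// It returns nil when the parameters are acceptable and a descriptive error
// otherwise.
func (k KDFParams) Validate() error {
	switch k.Algorithm {
	case crypto.Argon2IDAlgorithm:
		if err := k.validateArgon2id(); err != nil {
			return err
		}
	default:
		// %q so an empty or whitespace-only algorithm is visible in the message.
		return fmt.Errorf("unsupported KDF algorithm: %q", k.Algorithm)
	}

	// Algorithm-independent floors for salt and output key sizes.
	if k.SaltLength < 8 {
		return errors.New("salt length must be >= 8 bytes")
	}
	if k.KeyLength < 16 {
		return errors.New("key length must be >= 16 bytes")
	}

	return nil
}

// validateArgon2id checks the Argon2id-specific cost parameters against
// their hard floors. It is only called once Algorithm is known to be Argon2id.
func (k KDFParams) validateArgon2id() error {
	if k.Iterations < 1 {
		return errors.New("argon2id time cost must be >= 1")
	}
	if k.Memory < 1024 {
		return errors.New("argon2id memory must be >= 1024 KB")
	}
	if k.Parallelism < 1 {
		return errors.New("argon2id parallelism must be >= 1")
	}
	// Argon2 needs at least 8 blocks (8 KiB) per lane. Some implementations
	// silently raise memory to this bound, which would make the stored
	// parameters disagree with what was actually used; reject instead.
	// Parallelism is uint8, so 8*Parallelism cannot overflow uint32.
	if minMemory := 8 * uint32(k.Parallelism); k.Memory < minMemory {
		return fmt.Errorf("argon2id memory must be >= 8*parallelism (%d KB) for parallelism %d", minMemory, k.Parallelism)
	}
	return nil
}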
// KDFUpgradePolicy defines when to upgrade KDF parameters
// KDFUpgradePolicy defines when stored KDF parameters should be upgraded.
//
// The code that applies this policy is not in this file; the fields below are
// the knobs it is expected to consult. Because a password KDF cannot be
// re-run from the stored hash alone, an upgrade needs the plaintext password
// and therefore normally happens at login (see UpgradeOnNextLogin).
type KDFUpgradePolicy struct {
	MinimumParams      KDFParams     `json:"minimum_params" bson:"minimum_params"`             // presumably the floor: stored params weaker than this trigger an upgrade — confirm against the caller
	RecommendedParams  KDFParams     `json:"recommended_params" bson:"recommended_params"`     // target parameters for a re-derivation (compare DefaultKDFParams)
	MaxPasswordAge     time.Duration `json:"max_password_age" bson:"max_password_age"`         // serialised as an int64 nanosecond count by encoding/json (and likely by the BSON codec), not a human-readable duration
	UpgradeOnNextLogin bool          `json:"upgrade_on_next_login" bson:"upgrade_on_next_login"` // presumably: re-derive with RecommendedParams the next time the plaintext password is available
	LastUpgradeCheck   time.Time     `json:"last_upgrade_check" bson:"last_upgrade_check"`     // when the policy was last evaluated; time zone handling depends on the storage codec — verify
}