hkdfinfo

package
v0.1.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 22, 2026 License: MIT Imports: 0 Imported by: 0

Documentation

Overview

Package hkdfinfo is the central registry of HKDF info strings used throughout cryptkey. Every domain that derives keys via HKDF MUST use a distinct info string so that keys derived in one domain cannot be confused with keys derived in another, even when sharing input key material.

When adding a new provider or crypto operation that performs key derivation, add a new constant here and reference it — do not inline a string literal at the call site, and never reuse an existing constant for a new purpose. The constant values are part of cryptkey's on-disk compatibility surface: changing a value invalidates every profile that was enrolled with the old value.

Index

Constants

View Source 
const (
	// ConfigIntegrity is the HKDF info for the HMAC key that protects
	// the profile TOML's integrity digest. Used by crypto.ConfigHMAC.
	ConfigIntegrity = "cryptkey-config-integrity"

	// ShareEncryption is the HKDF info for the AES-256-GCM key that
	// protects each Shamir share. Used by crypto.EncryptShare and
	// crypto.DecryptShare.
	ShareEncryption = "cryptkey-share-encryption"

	// OutputKeyPrefix is prepended to the --use label to form the HKDF
	// info for the user-visible output key. The full info is
	// "cryptkey:" + label (e.g. "cryptkey:default", "cryptkey:disk").
	OutputKeyPrefix = "cryptkey:"
)
View Source 
const (
	ProviderPIV      = "cryptkey-piv-provider"
	ProviderTPM      = "cryptkey-tpm-provider"
	ProviderSSHAgent = "cryptkey-sshagent-provider"
	ProviderSSHKey   = "cryptkey-ssh-provider"
)

Per-provider secret derivation. Each provider runs its raw material through HKDF with these info strings to isolate providers from one another, so the same input material can never yield the same secret across two different provider types.

View Source 
const (
	// PIVECDHScalar binds the ECDH scalar derivation inside the PIV
	// provider so the scalar is specific to this tool rather than
	// reusable elsewhere.
	PIVECDHScalar = "cryptkey-piv-ecdh-scalar"

	// TPMChallenge binds the challenge value fed into the TPM so the
	// TPM's resulting HMAC is specific to this tool.
	TPMChallenge = "cryptkey-tpm-challenge"

	// SSHAgentChallenge binds the challenge the SSH agent signs so its
	// signature is specific to this tool.
	SSHAgentChallenge = "cryptkey-sshagent-challenge"
)

Domain-specific info strings used inside a provider's own derivation chain, independent of the provider-isolation HKDF above.

Variables

This section is empty.

Functions

This section is empty.

Types

This section is empty.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.