token

package
v0.1.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 24, 2026 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Index

Constants

View Source 
const TokenEntropy = 32

TokenEntropy defines token size in bytes (32 bytes = 256 bits) Matches AES-256 key length, provides ample collision resistance

Variables

This section is empty.

Functions

func DeriveCAEncryptionKey 

func DeriveCAEncryptionKey(bootstrapToken SecureToken) []byte

DeriveCAEncryptionKey derives AES-256 key for CA private key encryption. Uses same Argon2id parameters as Raft PSK transport (RFC 9106 compliant).

Parameters (from Phase 15):

  • time: 1 iteration (Argon2id maximizes attack cost with 1 pass)
  • memory: 64 MiB (resistant to GPU attacks)
  • parallelism: 4 threads (multi-core optimization)
  • keyLen: 32 bytes (AES-256)

Salt: "neuwerk-ca-encryption-v1" (domain separation from Raft transport)

This function will be used in Phase 17 for encrypting CA private keys before storing them in JetStream. The derived key is suitable for AES-256-GCM encryption via youmark/pkcs8 package.

func Generate 

func Generate() (string, error)

Generate creates a cryptographically random bootstrap token Returns base64-encoded string (44 characters for 32 bytes)

Uses crypto/rand which provides:

  • Linux: getrandom(2) or /dev/urandom
  • macOS/iOS: arc4random_buf(3)
  • Windows: ProcessPrng API

The token has 256 bits of entropy, sufficient for:

  • AES-256 key derivation via Argon2id
  • Collision resistance (negligible probability < 2^-128)

func ValidateToken 

func ValidateToken(token string) error

ValidateToken checks token format and entropy

Types

type SecureToken 

type SecureToken struct {
	// contains filtered or unexported fields
}

SecureToken wraps bootstrap token with leak prevention Implements String(), GoString(), and MarshalJSON() to prevent accidental token exposure in logs, debuggers, or structured logging

func NewSecureToken 

func NewSecureToken(value string) SecureToken

NewSecureToken creates token wrapper from string

func (SecureToken) GoString 

func (t SecureToken) GoString() string

GoString implements fmt.GoStringer - REDACTS token in debugger Prevents leakage via fmt.Printf("%#v", token) or spew.Dump()

func (SecureToken) IsEmpty 

func (t SecureToken) IsEmpty() bool

IsEmpty checks if token is uninitialized

func (SecureToken) MarshalJSON 

func (t SecureToken) MarshalJSON() ([]byte, error)

MarshalJSON prevents token from appearing in JSON logs

func (SecureToken) String 

func (t SecureToken) String() string

String implements fmt.Stringer - REDACTS token value Prevents leakage via fmt.Printf("%v", token) or log.Info(token)

func (SecureToken) Value 

func (t SecureToken) Value() string

Value returns raw token (use sparingly, only for crypto operations)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.