Documentation
Overview ¶
Package session_lock provides the shared lock/unlock operations for session private keys at rest. Two protection modes are supported: auto-unlock, where the key is encrypted under a storage key derived from the volume's persistent peer private key (DeriveStorageKey), and PIN-encrypted, where the key is protected by a key derived from a user PIN via scrypt (LockConfig). Both the local and spacewave providers use this package.
Index ¶
- Variables
- func DecryptAutoUnlock(storageKey [32]byte, encrypted []byte) ([]byte, error)
- func DeriveStorageKey(volPeerPrivKey crypto.PrivKey) ([32]byte, error)
- func EncryptAutoUnlock(storageKey [32]byte, privPEM []byte) ([]byte, error)
- func MakeKey(sessionID string, suffix []byte) []byte
- func ReadAutoUnlockKey(ctx context.Context, objStore object.ObjectStore, sessionID string) ([]byte, bool, error)
- func UnlockPIN(encPriv, encSymKey []byte, config *LockConfig, pin []byte) ([]byte, error)
- func WriteAutoUnlock(ctx context.Context, objStore object.ObjectStore, sessionID string, ...) error
- func WriteEnvelope(ctx context.Context, objStore object.ObjectStore, sessionID string, ...) error
- func WritePINLock(ctx context.Context, objStore object.ObjectStore, sessionID string, ...) error
- type LockConfig
- type SessionLockMode
Constants ¶
This section is empty.
Variables ¶
// ObjectStore key suffixes. Each suffix is appended to a session ID (see MakeKey)
// to form the per-session object key under which the corresponding lock artifact
// is stored.
var (
	SuffixPK         = []byte("/pk")          // encrypted privkey for auto-unlock mode (WriteAutoUnlock / ReadAutoUnlockKey)
	SuffixEnvelope   = []byte("/env")         // Shamir envelope bytes (WriteEnvelope)
	SuffixLocked     = []byte("/locked")      // PIN mode lock file; presumably the PIN-encrypted privkey — confirm against WritePINLock
	SuffixLockKey    = []byte("/lock-key")    // PIN mode lock file; presumably the encrypted symmetric key — confirm against WritePINLock
	SuffixLockParams = []byte("/lock-params") // serialized LockConfig (MarshalVT); its presence is what makes ReadLockMode report PIN_ENCRYPTED
	SuffixSetupDone  = []byte("/setup-done")  // not referenced by any function documented on this page; purpose not determinable from here
)
ObjectStore key suffixes. Each is appended to a session ID (via MakeKey) to form the per-session object key for one lock artifact.
Functions ¶
func DecryptAutoUnlock ¶
DecryptAutoUnlock decrypts the session privkey PEM that EncryptAutoUnlock produced, using the storage key returned by DeriveStorageKey. Because that key is derived purely from the volume's peer private key, anyone holding the peer key can perform this decryption; auto-unlock offers no protection beyond the secrecy of that key.
func DeriveStorageKey ¶
DeriveStorageKey derives the auto-unlock storage key from the volume's persistent peer private key via blake3 key derivation. The derivation is deterministic and involves no user secret, so the security of every auto-unlocked session key on the volume reduces to the confidentiality of volPeerPrivKey; compromise of the peer key compromises all of them.
func EncryptAutoUnlock ¶
EncryptAutoUnlock encrypts the session privkey PEM with the storage key from DeriveStorageKey. The returned ciphertext is what WriteAutoUnlock stores under the /pk key and what DecryptAutoUnlock reverses.
func ReadAutoUnlockKey ¶
func ReadAutoUnlockKey(ctx context.Context, objStore object.ObjectStore, sessionID string) ([]byte, bool, error)
ReadAutoUnlockKey reads the encrypted privkey stored for auto-unlock mode (the /pk object). The bool result presumably distinguishes "object not present" from a successful read, separately from the error — callers should treat a false result as "no auto-unlock key" rather than an empty key; confirm against the implementation.
func UnlockPIN ¶
func UnlockPIN(encPriv, encSymKey []byte, config *LockConfig, pin []byte) ([]byte, error)
UnlockPIN decrypts a PIN-locked session key and returns the privkey PEM. The parameter names imply a two-layer scheme: a key derived from pin with scrypt (using config.ScryptN and config.Salt) unwraps the symmetric key in encSymKey, which then decrypts encPriv — confirm the exact layering against the implementation. A wrong PIN should surface as an error, which requires the encryption to be authenticated; callers must not assume a non-error result is valid without that guarantee.
func WriteAutoUnlock ¶
func WriteAutoUnlock(ctx context.Context, objStore object.ObjectStore, sessionID string, encPriv []byte) error
WriteAutoUnlock writes the encrypted privkey (from EncryptAutoUnlock) under the /pk key for auto-unlock mode and deletes any PIN lock files, presumably including lock-params so that ReadLockMode subsequently reports AUTO_UNLOCK. This is a protection downgrade: once it completes, the session key is recoverable with the volume-derived storage key alone and no longer requires the PIN.
func WriteEnvelope ¶
func WriteEnvelope(ctx context.Context, objStore object.ObjectStore, sessionID string, envData []byte) error
WriteEnvelope writes the Shamir envelope bytes to ObjectStore, presumably under the /env suffix (SuffixEnvelope). The envelope is stored as given; this function performs no encryption of envData itself.
func WritePINLock ¶
func WritePINLock(ctx context.Context, objStore object.ObjectStore, sessionID string, encPriv, encSymKey []byte, config *LockConfig) error
WritePINLock writes the PIN-encrypted lock files (encPriv, encSymKey, and config serialized to lock-params, as produced by CreatePINLock) and deletes the auto-unlock /pk file, so that the volume-derived storage key can no longer recover the session key on its own. Because the mode is inferred from object presence (see ReadLockMode), a failure partway through can leave the session in an inconsistent state; callers should check the returned error and not assume the switch completed.
Types ¶
type LockConfig ¶
// LockConfig holds the PIN key-derivation parameters for a PIN-locked session.
// It is persisted at {sessionID}/lock-params in ObjectStore using the
// MarshalVT wire format (4-byte big-endian ScryptN followed by the raw salt)
// and read back by ReadPINLockFiles. Its presence is what makes ReadLockMode
// report PIN_ENCRYPTED.
type LockConfig struct {
	// ScryptN is the scrypt N parameter (cost factor as power of 2).
	// NOTE(review): unclear from this doc whether the field holds N itself
	// (which scrypt requires to be a power of two) or the log2 exponent —
	// confirm before bound-checking. The serialized format carries no
	// integrity tag, so consumers should reject out-of-range values on
	// unmarshal rather than feed them straight into scrypt.
	ScryptN uint32
	// Salt is the random salt for PIN key derivation (16 bytes).
	// Generated fresh by CreatePINLock; must be stored alongside the
	// ciphertexts or the PIN-derived key cannot be reproduced.
	Salt []byte
}
LockConfig is stored at {sessionID}/lock-params in ObjectStore, in the MarshalVT format. It holds only key-derivation parameters, not secrets, but its integrity matters: ReadLockMode uses its presence to select PIN_ENCRYPTED, and its ScryptN governs the cost of brute-forcing the PIN.
func CreatePINLock ¶
func CreatePINLock(privPEM, pin []byte) (encPriv, encSymKey []byte, config *LockConfig, err error)
CreatePINLock creates PIN-encrypted lock files for a session private key. Returns the encrypted privkey, the encrypted symmetric key, and the lock config carrying the ScryptN and the freshly generated random Salt used for derivation. All three must be persisted together (WritePINLock does this); the ciphertexts cannot be decrypted without the config.
func ReadPINLockFiles ¶
func ReadPINLockFiles(ctx context.Context, objStore object.ObjectStore, sessionID string) (encPriv, encSymKey []byte, config *LockConfig, err error)
ReadPINLockFiles reads the encrypted privkey, encrypted symkey, and lock config for sessionID from ObjectStore, i.e. the three artifacts written by WritePINLock, in the form UnlockPIN expects.
func (*LockConfig) MarshalVT ¶
func (c *LockConfig) MarshalVT() ([]byte, error)
MarshalVT serializes LockConfig to bytes. Format: 4 bytes scryptN (big-endian) followed by the raw salt bytes. There is no salt length prefix and no integrity tag; the salt length is implied by the remaining data.
func (*LockConfig) UnmarshalVT ¶
func (c *LockConfig) UnmarshalVT(data []byte) error
UnmarshalVT deserializes LockConfig from bytes, the inverse of MarshalVT. Input shorter than 4 bytes cannot hold a valid scryptN and should be rejected with an error. Since the encoding carries no integrity tag, consumers should also bound-check the decoded ScryptN (and the salt length) before using them for key derivation; otherwise anyone able to rewrite lock-params could weaken or break the PIN derivation.
type SessionLockMode ¶
// SessionLockMode identifies how a session private key is protected at rest.
// The mode is not stored as an explicit flag; ReadLockMode infers it from
// which objects exist under the session's keys (lock-params => PIN_ENCRYPTED).
type SessionLockMode int32
SessionLockMode identifies how a session private key is protected at rest.
const (
	// SessionLockMode_AUTO_UNLOCK is encrypted with volume-derived key.
	// The key comes from DeriveStorageKey (blake3 over the volume's persistent
	// peer private key), so possession of that peer key alone suffices to
	// decrypt the session key; no user secret is involved.
	SessionLockMode_AUTO_UNLOCK SessionLockMode = 0
	// SessionLockMode_PIN_ENCRYPTED is encrypted with PIN-derived key.
	// Derivation uses scrypt with the ScryptN and Salt persisted in LockConfig
	// at {sessionID}/lock-params.
	SessionLockMode_PIN_ENCRYPTED SessionLockMode = 1
)
func ReadLockMode ¶
func ReadLockMode(ctx context.Context, objStore object.ObjectStore, sessionID string) (SessionLockMode, error)
ReadLockMode checks ObjectStore to determine the lock mode for sessionID. It returns PIN_ENCRYPTED if the {sessionID}/lock-params object exists and AUTO_UNLOCK otherwise. Because the mode is inferred from object presence rather than stored explicitly, a partially written or partially deleted set of lock files can be reported as a mode whose other artifacts are missing; callers should treat a missing /pk or lock file for the reported mode as an error, not as a reason to fall back to the other mode.