1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
use crate::software_vault::SoftwareVault;
use crate::VaultError;
use arrayref::array_ref;
use ockam_vault_core::{
Hasher, Secret, SecretAttributes, SecretType, SecretVault, AES128_SECRET_LENGTH,
AES256_SECRET_LENGTH,
};
use sha2::{Digest, Sha256};
impl Hasher for SoftwareVault {
fn sha256(&self, data: &[u8]) -> ockam_core::Result<[u8; 32]> {
let digest = Sha256::digest(data);
Ok(*array_ref![digest, 0, 32])
}
fn hkdf_sha256(
&mut self,
salt: &Secret,
info: &[u8],
ikm: Option<&Secret>,
output_attributes: Vec<SecretAttributes>,
) -> ockam_core::Result<Vec<Secret>> {
let ikm: ockam_core::Result<&[u8]> = match ikm {
Some(ikm) => {
let ikm = self.get_entry(ikm)?;
if ikm.key_attributes().stype() == SecretType::Buffer {
Ok(ikm.key().as_ref())
} else {
Err(VaultError::InvalidKeyType.into())
}
}
None => Ok(&[0u8; 0]),
};
let ikm = ikm?;
let salt = self.get_entry(salt)?;
if salt.key_attributes().stype() != SecretType::Buffer {
return Err(VaultError::InvalidKeyType.into());
}
let okm_len = output_attributes.len() * 32;
let okm = {
let mut okm = vec![0u8; okm_len];
let prk = hkdf::Hkdf::<Sha256>::new(Some(salt.key().as_ref()), ikm);
prk.expand(info, okm.as_mut_slice())
.map_err(|_| Into::<ockam_core::Error>::into(VaultError::HkdfExpandError))?;
okm
};
let mut secrets = Vec::<Secret>::new();
let mut index = 0;
for attributes in output_attributes {
let length = attributes.length();
if attributes.stype() == SecretType::Aes {
if length != AES256_SECRET_LENGTH && length != AES128_SECRET_LENGTH {
return Err(VaultError::InvalidAesKeyLength.into());
}
} else if attributes.stype() != SecretType::Buffer {
return Err(VaultError::InvalidHkdfOutputType.into());
}
let secret = &okm[index..index + length];
let secret = self.secret_import(&secret, attributes)?;
secrets.push(secret);
index += 32;
}
Ok(secrets)
}
}
#[cfg(test)]
mod tests {
use crate::SoftwareVault;
use ockam_core::hex::encode;
use ockam_vault_core::{Hasher, SecretAttributes, SecretPersistence, SecretType, SecretVault};
#[test]
fn sha256() {
let vault = SoftwareVault::default();
let res = vault.sha256(b"a");
assert!(res.is_ok());
let digest = res.unwrap();
assert_eq!(
encode(digest),
"ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb"
);
}
#[test]
fn hkdf() {
let mut vault = SoftwareVault::default();
let salt_value = b"hkdf_test";
let attributes = SecretAttributes::new(
SecretType::Buffer,
SecretPersistence::Ephemeral,
salt_value.len(),
);
let salt = vault.secret_import(&salt_value[..], attributes).unwrap();
let ikm_value = b"a";
let attributes = SecretAttributes::new(
SecretType::Buffer,
SecretPersistence::Ephemeral,
ikm_value.len(),
);
let ikm = vault.secret_import(&ikm_value[..], attributes).unwrap();
let attributes =
SecretAttributes::new(SecretType::Buffer, SecretPersistence::Ephemeral, 24);
let res = vault.hkdf_sha256(&salt, b"", Some(&ikm), vec![attributes]);
assert!(res.is_ok());
let digest = res.unwrap();
assert_eq!(digest.len(), 1);
let digest = vault.secret_export(&digest[0]).unwrap();
assert_eq!(
encode(digest.as_ref()),
"921ab9f260544b71941dbac2ca2d42c417aa07b53e055a8f"
);
}
}