1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
use clear_on_drop::clear::Clear;
use failure::Error;
#[cfg(feature = "hmac")]
use hmac::Hmac;
#[cfg(feature = "pbkdf2")]
use pbkdf2::pbkdf2;
#[cfg(feature = "sha2")]
use sha2::Sha256;
use std::fmt::{self, Debug};
use object::ObjectId;
pub const AUTH_KEY_SIZE: usize = 32;
pub const AUTH_KEY_PBKDF2_SALT: &[u8] = b"Yubico";
pub const AUTH_KEY_PBKDF2_ITERATIONS: usize = 10_000;
pub const AUTH_KEY_DEFAULT_ID: ObjectId = 1;
pub const AUTH_KEY_DEFAULT_PASSWORD: &[u8] = b"password";
#[derive(Clone)]
pub struct AuthKey(pub(crate) [u8; AUTH_KEY_SIZE]);
impl AuthKey {
#[cfg(feature = "passwords")]
pub fn derive_from_password(password: &[u8]) -> Self {
let mut kdf_output = [0u8; AUTH_KEY_SIZE];
pbkdf2::<Hmac<Sha256>>(
password,
AUTH_KEY_PBKDF2_SALT,
AUTH_KEY_PBKDF2_ITERATIONS,
&mut kdf_output,
);
Self::new(kdf_output)
}
pub fn from_slice(key_slice: &[u8]) -> Result<Self, Error> {
ensure!(
key_slice.len() == AUTH_KEY_SIZE,
"expected {}-byte key, got {}",
AUTH_KEY_SIZE,
key_slice.len()
);
let mut key_bytes = [0u8; AUTH_KEY_SIZE];
key_bytes.copy_from_slice(key_slice);
Ok(AuthKey(key_bytes))
}
pub fn new(key_bytes: [u8; AUTH_KEY_SIZE]) -> Self {
AuthKey(key_bytes)
}
pub(crate) fn enc_key(&self) -> &[u8] {
&self.0[..16]
}
pub(crate) fn mac_key(&self) -> &[u8] {
&self.0[16..]
}
}
impl Debug for AuthKey {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
write!(f, "yubihsm::AuthKey(...)")
}
}
#[cfg(feature = "passwords")]
impl Default for AuthKey {
fn default() -> Self {
AuthKey::derive_from_password(AUTH_KEY_DEFAULT_PASSWORD)
}
}
impl Drop for AuthKey {
fn drop(&mut self) {
self.0.clear();
}
}
impl From<[u8; AUTH_KEY_SIZE]> for AuthKey {
fn from(key_bytes: [u8; AUTH_KEY_SIZE]) -> AuthKey {
AuthKey::new(key_bytes)
}
}
impl_array_serializers!(AuthKey, AUTH_KEY_SIZE);