authenticate: encrypt & mac oauth2 callback state

- cryptutil: add hmac & tests - cryptutil: rename cipher / encoders to be more clear - cryptutil: simplify SecureEncoder interface - cryptutil: renamed NewCipherFromBase64 to NewAEADCipherFromBase64 - cryptutil: move key & random generators to helpers Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-06-03 19:32:48 +02:00 · 2019-09-19 08:56:48 -07:00 · 2019-09-19 08:56:48 -07:00 · 7c755d833f
commit 7c755d833f
parent 3a806c6dfc
26 changed files with 539 additions and 464 deletions
--- a/internal/cryptutil/helpers.go
+++ b/internal/cryptutil/helpers.go
@ -0,0 +1,45 @@
+package cryptutil // import "github.com/pomerium/pomerium/internal/cryptutil"
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+)
+
+// DefaultKeySize is the default key size in bytes.
+const DefaultKeySize = 32
+
+// NewKey generates a random 32-byte (256 bit) key.
+//
+// Panics if source of randomness fails.
+func NewKey() []byte {
+	return randomBytes(DefaultKeySize)
+}
+
+// NewBase64Key generates a random base64 encoded 32-byte key.
+//
+// Panics if source of randomness fails.
+func NewBase64Key() string {
+	return NewRandomStringN(DefaultKeySize)
+}
+
+// NewRandomStringN returns base64 encoded random string of a given num of bytes.
+//
+// Panics if source of randomness fails.
+func NewRandomStringN(c int) string {
+	return base64.StdEncoding.EncodeToString(randomBytes(c))
+}
+
+// randomBytes generates C number of random bytes suitable for cryptographic
+// operations.
+//
+// Panics if source of randomness fails.
+func randomBytes(c int) []byte {
+	if c < 0 {
+		c = DefaultKeySize
+	}
+	b := make([]byte, c)
+	if _, err := rand.Read(b); err != nil {
+		panic(err)
+	}
+	return b
+}