cryptutil: move to pkg dir, add token generator (#1029)

* cryptutil: move to pkg dir, add token generator * add gitignored files * add tests
2025-06-05 04:13:11 +02:00 · 2020-06-30 15:55:33 -06:00 · 2020-06-30 15:55:33 -06:00 · fae02791f5
commit fae02791f5
parent b90885b4c1
48 changed files with 175 additions and 35 deletions
--- a/pkg/cryptutil/hash.go
+++ b/pkg/cryptutil/hash.go
@ -0,0 +1,30 @@
+package cryptutil
+
+import (
+	"crypto/hmac"
+	"crypto/sha512"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+// Hash generates a hash of data using HMAC-SHA-512/256. The tag is intended to
+// be a natural-language string describing the purpose of the hash, such as
+// "hash file for lookup key" or "master secret to client secret".  It serves
+// as an HMAC "key" and ensures that different purposes will have different
+// hash output. This function is NOT suitable for hashing passwords.
+func Hash(tag string, data []byte) []byte {
+	h := hmac.New(sha512.New512_256, []byte(tag))
+	h.Write(data)
+	return h.Sum(nil)
+}
+
+// HashPassword generates a bcrypt hash of the password using work factor 14.
+func HashPassword(password []byte) ([]byte, error) {
+	return bcrypt.GenerateFromPassword(password, 14)
+}
+
+// CheckPasswordHash securely compares a bcrypt hashed password with its possible
+// plaintext equivalent.  Returns nil on success, or an error on failure.
+func CheckPasswordHash(hash, password []byte) error {
+	return bcrypt.CompareHashAndPassword(hash, password)
+}