pomerium/internal/cryptutil/hmac.go
Bobby DeSimone 7c755d833f
authenticate: encrypt & mac oauth2 callback state
- cryptutil: add hmac & tests
- cryptutil: rename cipher / encoders to be more clear
- cryptutil: simplify SecureEncoder interface
- cryptutil: renamed NewCipherFromBase64 to NewAEADCipherFromBase64
- cryptutil: move key & random generators to helpers

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-09-23 19:15:52 -07:00

50 lines
1.4 KiB
Go

package cryptutil // import "github.com/pomerium/pomerium/internal/cryptutil"
import (
"crypto/hmac"
"crypto/sha512"
"errors"
"strconv"
"time"
)
var (
errTimestampMalformed = errors.New("internal/cryptutil: timestamp malformed")
errTimestampExpired = errors.New("internal/cryptutil: timestamp expired")
errTimestampTooSoon = errors.New("internal/cryptutil: timestamp too soon")
)
// GenerateHMAC produces a symmetric signature using a shared secret key.
func GenerateHMAC(data []byte, key string) []byte {
h := hmac.New(sha512.New512_256, []byte(key))
h.Write(data)
return h.Sum(nil)
}
// CheckHMAC securely checks the supplied MAC against a message using the
// shared secret key.
func CheckHMAC(data, suppliedMAC []byte, key string) bool {
expectedMAC := GenerateHMAC(data, key)
return hmac.Equal(expectedMAC, suppliedMAC)
}
// ValidTimestamp is a helper function often used in conjunction with an HMAC
// function to verify that the timestamp (in unix seconds) is within leeway
// period.
// todo(bdd) : should leeway be configurable?
func ValidTimestamp(ts string) error {
var timeStamp int64
var err error
if timeStamp, err = strconv.ParseInt(ts, 10, 64); err != nil {
return errTimestampMalformed
}
// unix time in seconds
tm := time.Unix(timeStamp, 0)
if time.Since(tm) > DefaultLeeway {
return errTimestampExpired
}
if time.Until(tm) > DefaultLeeway {
return errTimestampTooSoon
}
return nil
}