sneak/secret
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: replace magic file permissions and add crypto constant comments

Browse Source 
Replace hardcoded 0o600 with secret.FilePerms constant for consistency.
Add explanatory comments for cryptographic constants (32-byte keys,
bech32 encoding parameters) rather than extracting them as they are
well-known cryptographic standard values.
This commit is contained in:
Jeffrey Paul 2025-06-20 09:23:50 -07:00
parent c450e1c13d
commit dd2e95f8af
2 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
internal/cli/vault.go
View File

@ -219,7 +219,7 @@ func (cli *Instance) VaultImport(cmd *cobra.Command, vaultName string) error {
ltPublicKey := ltIdentity.Recipient().String() ltPublicKey := ltIdentity.Recipient().String()
secret.Debug("Storing long-term public key", "pubkey", ltPublicKey, "vault_dir", vaultDir) secret.Debug("Storing long-term public key", "pubkey", ltPublicKey, "vault_dir", vaultDir)
if err := afero.WriteFile(cli.fs, pubKeyPath, []byte(ltPublicKey), 0o600); err != nil { if err := afero.WriteFile(cli.fs, pubKeyPath, []byte(ltPublicKey), secret.FilePerms); err != nil {
return fmt.Errorf("failed to store long-term public key: %w", err) return fmt.Errorf("failed to store long-term public key: %w", err)
} }

10
pkg/agehd/agehd.go
View File

@ -37,16 +37,16 @@ func clamp(k []byte) {
// IdentityFromEntropy converts 32 deterministic bytes into an // IdentityFromEntropy converts 32 deterministic bytes into an
// *age.X25519Identity by round-tripping through Bech32. // *age.X25519Identity by round-tripping through Bech32.
func IdentityFromEntropy(ent []byte) (*age.X25519Identity, error) { func IdentityFromEntropy(ent []byte) (*age.X25519Identity, error) {
if len(ent) != 32 { if len(ent) != 32 { // 32 bytes = 256-bit key size for X25519
return nil, fmt.Errorf("need 32-byte scalar, got %d", len(ent)) return nil, fmt.Errorf("need 32-byte scalar, got %d", len(ent))
} }
// Make a copy to avoid modifying the original // Make a copy to avoid modifying the original
key := make([]byte, 32) key := make([]byte, 32) // 32 bytes = 256-bit key size for X25519 // 32 bytes = 256-bit key size for X25519
copy(key, ent) copy(key, ent)
clamp(key) clamp(key)
data, err := bech32.ConvertBits(key, 8, 5, true) data, err := bech32.ConvertBits(key, 8, 5, true) // Convert from 8-bit to 5-bit encoding for bech32
if err != nil { if err != nil {
return nil, fmt.Errorf("bech32 convert: %w", err) return nil, fmt.Errorf("bech32 convert: %w", err)
} }
@ -80,7 +80,7 @@ func DeriveEntropy(mnemonic string, n uint32) ([]byte, error) {
// Use BIP85 DRNG to generate deterministic 32 bytes for the age key // Use BIP85 DRNG to generate deterministic 32 bytes for the age key
drng := bip85.NewBIP85DRNG(entropy) drng := bip85.NewBIP85DRNG(entropy)
key := make([]byte, 32) key := make([]byte, 32) // 32 bytes = 256-bit key size for X25519
_, err = drng.Read(key) _, err = drng.Read(key)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to read from DRNG: %w", err) return nil, fmt.Errorf("failed to read from DRNG: %w", err)
@ -109,7 +109,7 @@ func DeriveEntropyFromXPRV(xprv string, n uint32) ([]byte, error) {
// Use BIP85 DRNG to generate deterministic 32 bytes for the age key // Use BIP85 DRNG to generate deterministic 32 bytes for the age key
drng := bip85.NewBIP85DRNG(entropy) drng := bip85.NewBIP85DRNG(entropy)
key := make([]byte, 32) key := make([]byte, 32) // 32 bytes = 256-bit key size for X25519
_, err = drng.Read(key) _, err = drng.Read(key)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to read from DRNG: %w", err) return nil, fmt.Errorf("failed to read from DRNG: %w", err)