func TestKDF(t *testing.T) {
kdf1 := kdf.KDF([]byte("aardvark"), kdf.DefaultSalt, kdf.DefaultReps)
kdf2 := kdf.KDF([]byte("aardvark"), kdf.DefaultSalt, kdf.DefaultReps)
if !hmac.Equal(kdf1, kdf2) {
t.Error("Expected kdf's to be equal")
}
if hmac.Equal(kdf1, kdf.KDF([]byte("sailboat"), kdf.DefaultSalt, kdf.DefaultReps)) {
t.Error("Expected kdf's not to be equal")
}
if len(kdf1) != 32 {
t.Error("Expected key to be 32 bytes")
}
}
// ChangePassword changes the password of this user.
func (u *User) ChangePassword(oldPass, newPass string) error {
var key []byte
var err error
if key, err = u.verifyPassword(oldPass); err != nil {
return err
}
u.Key, err = aes.EncryptB(key, kdf.KDF([]byte(newPass), kdf.DefaultSalt, kdf.DefaultReps))
return err
}
// InitWithKey initializes this user instance with a user name and password
// so that the user uses key as its key.
func (u *User) InitWithKey(name, password string, key *Key) (err error) {
u.Owner = key.Id
u.Name = name
if u.Key, err = aes.EncryptB(
key.Value,
kdf.KDF(
[]byte(password),
kdf.DefaultSalt,
kdf.DefaultReps)); err != nil {
return
}
u.Checksum = base64.StdEncoding.EncodeToString(
kdf.NewHMAC(key.Value, kdf.DefaultReps))
return
}
func (u *User) verifyPassword(password string) ([]byte, error) {
var key []byte
var err error
key, err = aes.DecryptB(u.Key, kdf.KDF([]byte(password), kdf.DefaultSalt, kdf.DefaultReps))
if err != nil {
return nil, err
}
var checksum []byte
checksum, err = base64.StdEncoding.DecodeString(u.Checksum)
if err != nil {
return nil, err
}
if !kdf.VerifyHMAC(key, checksum, kdf.DefaultReps) {
return nil, ErrWrongPassword
}
return key, nil
}