package lib
import (
	"errors"
	"fmt"
	"path/filepath"
)
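// ValidateL0L1 validates that L0 and L1 are valid vault credentials.
//
// L0 is the 4-byte vault identifier (first 4 bytes of PRF); it selects
// which "clavitor-<prefix>" DB file under dataDir is opened.
// L1 is the 8-byte vault encryption key (bytes 4-11 of PRF); it is passed
// through NormalizeKey before being used for the validation read.
//
// Returns the open vault DB handle if the credentials are accepted; the
// caller owns the handle and must Close it. On any error nil is returned
// and any handle opened here is closed first.
//
// NOTE(review): 8 bytes is only 64 bits of key material, which is short
// for a symmetric key. Confirm that NormalizeKey (or the cipher behind
// EntryGet) derives a full-size key rather than using L1 directly.
func ValidateL0L1(dataDir string, l0, l1 []byte) (*DB, error) {
	// Reject malformed credentials before touching the filesystem.
	if len(l0) != 4 {
		return nil, fmt.Errorf("L0 must be 4 bytes, got %d", len(l0))
	}
	if len(l1) != 8 {
		return nil, fmt.Errorf("L1 must be 8 bytes, got %d", len(l1))
	}

	// The vault file name is derived from L0. The URL-safe base64 alphabet
	// cannot contain a path separator, but L0 is caller-supplied, so as
	// defence in depth the encoded prefix is required to be a single,
	// non-special path element that cannot escape dataDir.
	vaultPrefix := Base64URLEncode(l0)
	if vaultPrefix == "" || vaultPrefix == "." || vaultPrefix == ".." ||
		filepath.Base(vaultPrefix) != vaultPrefix {
		return nil, fmt.Errorf("invalid vault prefix %q", vaultPrefix)
	}
	// filepath.Join builds an OS-correct path; unlike plain concatenation
	// it does not turn an empty dataDir into an absolute "/clavitor-..."
	// path at the filesystem root.
	dbPath := filepath.Join(dataDir, "clavitor-"+vaultPrefix)

	db, err := OpenDB(dbPath)
	if err != nil {
		return nil, fmt.Errorf("cannot open vault: %w", err)
	}

	// Validate L1 by reading entry 0, which is not expected to exist:
	// a "not found" result counts as success, anything else as a bad key.
	// errors.Is is used so that a wrapped ErrNotFound still matches.
	//
	// NOTE(review): this only exercises L1 if EntryGet performs a
	// key-dependent step (e.g. decryption) before reporting "not found".
	// If it returns ErrNotFound without touching the key, a wrong L1 is
	// accepted here and only fails later — confirm against EntryGet.
	l1Key := NormalizeKey(l1)
	_, err = EntryGet(db, l1Key, 0)
	if err != nil && !errors.Is(err, ErrNotFound) {
		// Best-effort close on the failure path; the open error is what
		// the caller needs to see.
		db.Close()
		return nil, fmt.Errorf("L1 validation failed: %w", err)
	}

	return db, nil
}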