crypto

package v1.0.2

Warning: This package is not in the latest version of its module.

Published: Mar 1, 2026 License: MIT Imports: 13 Imported by: 0

Documentation

Overview

Package crypto provides cryptographic utilities for secure applications. It includes Argon2id password hashing, secure random token generation, and RSA/ECDSA key generation helpers.

Index

Constants

const DefaultBcryptCost = bcrypt.DefaultCost

DefaultBcryptCost is the default bcrypt work factor (10). Increase for higher security at the cost of more CPU time per hash. Benchmark on your hardware: a hash should take roughly 100–300 ms.

Variables

This section is empty.

Functions

func BcryptCost

func BcryptCost(hash string) (int, error)

BcryptCost returns the cost factor embedded in an existing bcrypt hash. Useful when deciding whether to rehash a stored hash at a higher cost.

func ECDSAPrivateKeyToPEM

func ECDSAPrivateKeyToPEM(key *ecdsa.PrivateKey) ([]byte, error)

ECDSAPrivateKeyToPEM encodes an ECDSA private key to PKCS8 PEM format.

func ECDSAPublicKeyToPEM

func ECDSAPublicKeyToPEM(key *ecdsa.PublicKey) ([]byte, error)

ECDSAPublicKeyToPEM encodes an ECDSA public key to PKIX PEM format.

func GenerateECDSAKeyPair

func GenerateECDSAKeyPair(curve elliptic.Curve) (*ecdsa.PrivateKey, *ecdsa.PublicKey, error)

GenerateECDSAKeyPair generates an ECDSA key pair using the given curve. Recommended: elliptic.P256() (ES256) or elliptic.P521() (ES512).

func GenerateRSAKeyPair

func GenerateRSAKeyPair(bits int) (*rsa.PrivateKey, *rsa.PublicKey, error)

GenerateRSAKeyPair generates an RSA key pair of the given bit size. Use 2048 as the minimum; prefer 4096 for long-lived keys.

func GenerateToken

func GenerateToken(length int) (string, error)

GenerateToken returns a cryptographically secure random token of the given byte length, encoded as a base64url string (no padding). A length of 32 bytes provides 256 bits of entropy — suitable for session tokens, CSRF tokens, and API keys.

func HashPassword

func HashPassword(password string) (string, error)

HashPassword hashes a plaintext password using Argon2id with the default configuration. The returned string is PHC-formatted and safe to store directly in a database.
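The PHC string HashPassword stores carries the Argon2id parameters alongside the salt and hash, which is what lets a service decide later (as BcryptCost does for bcrypt) whether a stored hash should be upgraded at the user's next successful login. The parser and policy check below are an added example, not code from this package; Argon2Params is a hypothetical name mirroring the PasswordConfig fields, with Parallelism widened to uint32 so all three parameters parse the same way. It uses only the standard library.

```go
package main

import (
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
)

// Argon2Params mirrors PasswordConfig (hypothetical name; Parallelism widened to uint32).
type Argon2Params struct {
	Memory, Iterations, Parallelism, SaltLength, KeyLength uint32
}

// ParseArgon2idPHC decodes "$argon2id$v=19$m=65536,t=3,p=2$<salt>$<hash>" (unpadded std base64).
func ParseArgon2idPHC(encoded string) (Argon2Params, error) {
	var p Argon2Params
	f := strings.Split(encoded, "$")
	if len(f) != 6 || f[0] != "" || f[1] != "argon2id" || f[2] != "v=19" {
		return p, errors.New("not a version-19 argon2id PHC string")
	}
	dst := map[string]*uint32{"m": &p.Memory, "t": &p.Iterations, "p": &p.Parallelism}
	for _, kv := range strings.Split(f[3], ",") {
		k, v, ok := strings.Cut(kv, "=")
		n, err := strconv.ParseUint(v, 10, 32)
		if !ok || err != nil || dst[k] == nil {
			return p, errors.New("bad parameter: " + kv)
		}
		*dst[k] = uint32(n)
	}
	salt, errS := base64.RawStdEncoding.DecodeString(f[4])
	key, errK := base64.RawStdEncoding.DecodeString(f[5])
	if errS != nil || errK != nil || p.Memory == 0 || p.Iterations == 0 || p.Parallelism == 0 {
		return p, errors.New("missing m/t/p parameter or bad base64")
	}
	p.SaltLength, p.KeyLength = uint32(len(salt)), uint32(len(key))
	return p, nil
}

// NeedsRehash reports whether a stored hash used parameters weaker than policy,
// so the caller can rehash with the current config right after a successful login.
func NeedsRehash(encoded string, policy Argon2Params) (bool, error) {
	have, err := ParseArgon2idPHC(encoded)
	if err != nil {
		return false, err
	}
	return have.Memory < policy.Memory || have.Iterations < policy.Iterations ||
		have.Parallelism < policy.Parallelism || have.SaltLength < policy.SaltLength ||
		have.KeyLength < policy.KeyLength, nil
}
```

Rehash only after VerifyPassword has succeeded, since that is the only moment the plaintext is available; a hash that fails to parse should be treated as a verification failure, not as "needs rehash".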

func HashPasswordBcrypt

func HashPasswordBcrypt(password string, cost int) (string, error)

HashPasswordBcrypt hashes password using bcrypt with the given cost factor. Pass 0 to use DefaultBcryptCost.

Prefer HashPassword (Argon2id) for new systems — bcrypt is provided for compatibility with existing databases that already store bcrypt hashes.

func HashPasswordWithConfig

func HashPasswordWithConfig(password string, cfg PasswordConfig) (string, error)

HashPasswordWithConfig hashes a password using the given Argon2id configuration.

func MustGenerateToken

func MustGenerateToken(length int) string

MustGenerateToken is like GenerateToken but panics on error. Only use in initialization code or tests where panicking is acceptable.

func ParseECDSAPrivateKeyPEM

func ParseECDSAPrivateKeyPEM(data []byte) (*ecdsa.PrivateKey, error)

ParseECDSAPrivateKeyPEM parses a PEM-encoded PKCS8 ECDSA private key.

func ParseECDSAPublicKeyPEM

func ParseECDSAPublicKeyPEM(data []byte) (*ecdsa.PublicKey, error)

ParseECDSAPublicKeyPEM parses a PEM-encoded PKIX ECDSA public key.

func ParseRSAPrivateKeyPEM

func ParseRSAPrivateKeyPEM(data []byte) (*rsa.PrivateKey, error)

ParseRSAPrivateKeyPEM parses a PEM-encoded PKCS8 RSA private key.

func ParseRSAPublicKeyPEM

func ParseRSAPublicKeyPEM(data []byte) (*rsa.PublicKey, error)

ParseRSAPublicKeyPEM parses a PEM-encoded PKIX RSA public key.

func RSAPrivateKeyToPEM

func RSAPrivateKeyToPEM(key *rsa.PrivateKey) ([]byte, error)

RSAPrivateKeyToPEM encodes an RSA private key to PKCS8 PEM format.

func RSAPublicKeyToPEM

func RSAPublicKeyToPEM(key *rsa.PublicKey) ([]byte, error)

RSAPublicKeyToPEM encodes an RSA public key to PKIX PEM format.

func VerifyPassword

func VerifyPassword(password, encoded string) (bool, error)

VerifyPassword checks whether password matches the encoded Argon2id hash. Uses constant-time comparison to prevent timing attacks.

func VerifyPasswordBcrypt

func VerifyPasswordBcrypt(password, hash string) (bool, error)

VerifyPasswordBcrypt checks whether password matches the stored bcrypt hash. Returns (false, nil) on mismatch — only returns an error on unexpected failure.

Types

type PasswordConfig

type PasswordConfig struct {
	Memory      uint32 // KiB of memory (default: 64 MiB)
	Iterations  uint32 // Number of passes (default: 3)
	Parallelism uint8  // Degree of parallelism (default: 2)
	SaltLength  uint32 // Salt length in bytes (default: 16)
	KeyLength   uint32 // Derived key length in bytes (default: 32)
}

PasswordConfig holds the Argon2id tuning parameters.

func DefaultPasswordConfig

func DefaultPasswordConfig() PasswordConfig

DefaultPasswordConfig returns OWASP-recommended Argon2id parameters.
