refactor(general): make purpose a string parameter (#5015)

Make purpose parameter a string. Refactor TestDeriveKeyFromMasterKey - make variables local to the test and rename accordingly - make the purpose a `const (untyped) string`
2025-12-23 22:57:50 -05:00 · 2025-11-19 19:40:59 -08:00
parent 7b64425ab1
commit 3d4cd24117
7 changed files with 23 additions and 21 deletions
--- a/internal/crypto/aesgcm.go
+++ b/internal/crypto/aesgcm.go
@@ -11,9 +11,9 @@
 )

 //nolint:gochecknoglobals
-var (
-	purposeAESKey   = []byte("AES")
-	purposeAuthData = []byte("CHECKSUM")
+const (
+	purposeAESKey   = "AES"
+	purposeAuthData = "CHECKSUM"
 )

 func initCrypto(masterKey, salt []byte) (cipher.AEAD, []byte, error) {
--- a/internal/crypto/key_derivation.go
+++ b/internal/crypto/key_derivation.go
@@ -10,12 +10,12 @@
 var errInvalidMasterKey = errors.New("invalid primary key")

 // DeriveKeyFromMasterKey computes a key for a specific purpose and length using HKDF based on the master key.
-func DeriveKeyFromMasterKey(masterKey, salt, purpose []byte, length int) (derivedKey []byte, err error) {
+func DeriveKeyFromMasterKey(masterKey, salt []byte, purpose string, length int) (derivedKey []byte, err error) {
 	if len(masterKey) == 0 {
 		return nil, errors.Wrap(errInvalidMasterKey, "empty key")
 	}

-	if derivedKey, err = hkdf.Key(sha256.New, masterKey, salt, string(purpose), length); err != nil {
+	if derivedKey, err = hkdf.Key(sha256.New, masterKey, salt, purpose, length); err != nil {
 		return nil, errors.Wrap(err, "unable to derive key")
 	}

--- a/internal/crypto/key_derivation_test.go
+++ b/internal/crypto/key_derivation_test.go
@@ -9,15 +9,16 @@
 	"github.com/kopia/kopia/internal/crypto"
 )

-var (
-	TestMasterKey = []byte("ABCDEFGHIJKLMNOP")
-	TestSalt      = []byte("0123456789012345")
-	TestPurpose   = []byte("the-test-purpose")
-)
-
 func TestDeriveKeyFromMasterKey(t *testing.T) {
+	const testPurpose = "the-test-purpose"
+
+	var (
+		testMasterKey = []byte("ABCDEFGHIJKLMNOP")
+		testSalt      = []byte("0123456789012345")
+	)
+
 	t.Run("ReturnsKey", func(t *testing.T) {
-		key, err := crypto.DeriveKeyFromMasterKey(TestMasterKey, TestSalt, TestPurpose, 32)
+		key, err := crypto.DeriveKeyFromMasterKey(testMasterKey, testSalt, testPurpose, 32)
 		require.NoError(t, err)

 		expected := "828769ee8969bc37f11dbaa32838f8db6c19daa6e3ae5f5eed2da2d94d8faddb"
@@ -26,13 +27,13 @@ func TestDeriveKeyFromMasterKey(t *testing.T) {
 	})

 	t.Run("ErrorOnNilMasterKey", func(t *testing.T) {
-		k, err := crypto.DeriveKeyFromMasterKey(nil, TestSalt, TestPurpose, 32)
+		k, err := crypto.DeriveKeyFromMasterKey(nil, testSalt, testPurpose, 32)
 		require.Error(t, err)
 		require.Nil(t, k)
 	})

 	t.Run("ErrorOnEmptyMasterKey", func(t *testing.T) {
-		k, err := crypto.DeriveKeyFromMasterKey([]byte{}, TestSalt, TestPurpose, 32)
+		k, err := crypto.DeriveKeyFromMasterKey([]byte{}, testSalt, testPurpose, 32)
 		require.Error(t, err)
 		require.Nil(t, k)
 	})
--- a/repo/maintenance/maintenance_schedule.go
+++ b/repo/maintenance/maintenance_schedule.go
@@ -18,13 +18,13 @@
 )

 const (
-	maintenanceScheduleKeySize = 32
-	maintenanceScheduleBlobID  = "kopia.maintenance"
+	maintenanceScheduleKeySize    = 32
+	maintenanceScheduleBlobID     = "kopia.maintenance"
+	maintenanceScheduleKeyPurpose = "maintenance schedule"
 )

 //nolint:gochecknoglobals
 var (
-	maintenanceScheduleKeyPurpose    = []byte("maintenance schedule")
 	maintenanceScheduleAEADExtraData = []byte("maintenance")
 )

--- a/repo/open.go
+++ b/repo/open.go
@@ -63,7 +63,7 @@
 const localCacheIntegrityHMACSecretLength = 16

 //nolint:gochecknoglobals
-var localCacheIntegrityPurpose = []byte("local-cache-integrity")
+const localCacheIntegrityPurpose = "local-cache-integrity"

 var log = logging.Module("kopia/repo")

--- a/repo/repository.go
+++ b/repo/repository.go
@@ -84,7 +84,7 @@ type DirectRepository interface {
 	NewDirectWriter(ctx context.Context, opt WriteSessionOptions) (context.Context, DirectRepositoryWriter, error)
 	UniqueID() []byte
 	ConfigFilename() string
-	DeriveKey(purpose []byte, keyLength int) ([]byte, error)
+	DeriveKey(purpose string, keyLength int) ([]byte, error)
 	Token(password string) (string, error)
 	Throttler() throttling.SettableThrottler
 	DisableIndexRefresh()
@@ -141,7 +141,7 @@ type directRepository struct {
 }

 // DeriveKey derives encryption key of the provided length from the master key.
-func (r *directRepository) DeriveKey(purpose []byte, keyLength int) (derivedKey []byte, err error) {
+func (r *directRepository) DeriveKey(purpose string, keyLength int) (derivedKey []byte, err error) {
 	if r.cmgr.ContentFormat().SupportsPasswordChange() {
 		derivedKey, err = crypto.DeriveKeyFromMasterKey(r.cmgr.ContentFormat().GetMasterKey(), r.UniqueID(), purpose, keyLength)
 		if err != nil {
--- a/repo/repository_test.go
+++ b/repo/repository_test.go
@@ -857,7 +857,8 @@ func TestAllRegistryMetricsAreMapped(t *testing.T) {
 }

 func TestDeriveKey(t *testing.T) {
-	testPurpose := []byte{0, 0, 0, 0}
+	const testPurpose = "test purpose"
+
 	testKeyLength := 8
 	masterKey := []byte("01234567890123456789012345678901")
 	uniqueID := []byte("a5ba5d2da4b14b518b9501b64b5d87ca")