Add KDF config with per-file metadata

2025-09-09 07:48:57 +00:00 · 2025-08-19 09:53:46 -04:00
parent 1b6b0ab5c5
commit 06ca51993a
7 changed files with 221 additions and 76 deletions
--- a/src/tests/test_fuzz_key_derivation.py
+++ b/src/tests/test_fuzz_key_derivation.py
@@ -3,11 +3,15 @@ from pathlib import Path

 from hypothesis import given, strategies as st, settings, HealthCheck
 from mnemonic import Mnemonic
+import hashlib
+import base64
+import os

 from utils.key_derivation import (
    derive_key_from_password,
    derive_key_from_password_argon2,
    derive_index_key,
+    KdfConfig,
 )
 from utils.fingerprint import generate_fingerprint
 from seedpass.core.encryption import EncryptionManager
@@ -36,16 +40,27 @@ def test_fuzz_key_round_trip(password, seed_bytes, config, mode, tmp_path: Path)
    seed_phrase = Mnemonic("english").to_mnemonic(seed_bytes)
    fp = generate_fingerprint(seed_phrase)
    if mode == "argon2":
-        key = derive_key_from_password_argon2(
-            password, fp, time_cost=1, memory_cost=8, parallelism=1
+        cfg = KdfConfig(
+            params={"time_cost": 1, "memory_cost": 8, "parallelism": 1},
+            salt_b64=base64.b64encode(
+                hashlib.sha256(fp.encode()).digest()[:16]
+            ).decode(),
        )
+        key = derive_key_from_password_argon2(password, cfg)
    else:
        key = derive_key_from_password(password, fp, iterations=1)
+        cfg = KdfConfig(
+            name="pbkdf2",
+            params={"iterations": 1},
+            salt_b64=base64.b64encode(
+                hashlib.sha256(fp.encode()).digest()[:16]
+            ).decode(),
+        )

    enc_mgr = EncryptionManager(key, tmp_path)

    # Parent seed round trip
-    enc_mgr.encrypt_parent_seed(seed_phrase)
+    enc_mgr.encrypt_parent_seed(seed_phrase, kdf=cfg)
    assert enc_mgr.decrypt_parent_seed() == seed_phrase

    # JSON data round trip