src/pqc_agent_wallet/kdf.py
| 1 | """Key derivation - derive a 32-byte symmetric key from a passphrase.""" |
| 2 | |
| 3 | from __future__ import annotations |
| 4 | |
| 5 | from cryptography.hazmat.primitives import hashes |
| 6 | from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC |
| 7 | |
| 8 | DEFAULT_ITERATIONS = 600_000 # OWASP 2023 recommendation for PBKDF2-SHA256 |
| 9 | |
| 10 | |
| 11 | def derive_key_from_passphrase( |
| 12 | passphrase: str, |
| 13 | salt: bytes, |
| 14 | iterations: int = DEFAULT_ITERATIONS, |
| 15 | length: int = 32, |
| 16 | ) -> bytes: |
| 17 | """Derive a symmetric key from a passphrase using PBKDF2-SHA256.""" |
| 18 | kdf = PBKDF2HMAC( |
| 19 | algorithm=hashes.SHA256(), |
| 20 | length=length, |
| 21 | salt=salt, |
| 22 | iterations=iterations, |
| 23 | ) |
| 24 | return kdf.derive(passphrase.encode("utf-8")) |
| 25 | |