Use neutral arguments in `Vault.create_hash` signature (eb649f6) - derivepassphrase.git

@@ -145,17 +145,24 @@ class Vault:
 
     @classmethod
     def create_hash(
-        cls, key: bytes | bytearray, message: bytes | bytearray, *,
+        cls, phrase: bytes | bytearray, service: bytes | bytearray, *,
         length: int = 32,
     ) -> bytes:
-        """Create a pseudorandom byte stream from key and message.
+        r"""Create a pseudorandom byte stream from phrase and service.
+
+        Create a pseudorandom byte stream from `phrase` and `service` by
+        feeding them into the key-derivation function PBKDF2
+        (8 iterations, using SHA-1).
 
         Args:
-            key:
-                A cryptographic key.  Typically a master passphrase, or
-                an SSH signature.
-            message:
-                A message.  Typically a vault service name.
+            phrase:
+                A master passphrase, or sometimes an SSH signature.
+                Used as the key for PBKDF2, the underlying cryptographic
+                primitive.
+            service:
+                A vault service name.  Will be suffixed with
+                `Vault._UUID`, and then used as the salt value for
+                PBKDF2.
             length:
                 The length of the byte stream to generate.
 
@@ -170,9 +177,27 @@ class Vault:
             call this method with the same input with ever-increasing
             target lengths.
 
+        Examples:
+            >>> # See also Vault.phrase_from_signature examples.
+            >>> phrase = bytes.fromhex('''
+            ... 00 00 00 0b 73 73 68 2d 65 64 32 35 35 31 39
+            ... 00 00 00 40
+            ... f0 98 19 80 6c 1a 97 d5 26 03 6e cc e3 65 8f 86
+            ... 66 07 13 19 13 09 21 33 33 f9 e4 36 53 1d af fd
+            ... 0d 08 1f ec f8 73 9b 8c 5f 55 39 16 7c 53 54 2c
+            ... 1e 52 bb 30 ed 7f 89 e2 2f 69 51 55 d8 9e a6 02
+            ... ''')
+            >>> Vault.create_hash(phrase, b'some_service', length=4)
+            b'M\xb1<S'
+            >>> Vault.create_hash(phrase, b'some_service', length=16)
+            b'M\xb1<S\x827E\xd1M\xaf\xf8~\xc8n\x10\xcc'
+            >>> Vault.create_hash(phrase, b'NOSUCHSERVICE', length=16)
+            b'\x1c\xc3\x9c\xd9\xb6\x1a\x99CS\x07\xc41\xf4\x85#s'
+
         """
-        return hashlib.pbkdf2_hmac(hash_name='sha1', password=key,
-                                   salt=message, iterations=8, dklen=length)
+        salt = bytes(service) + cls._UUID
+        return hashlib.pbkdf2_hmac(hash_name='sha1', password=phrase,
+                                   salt=salt, iterations=8, dklen=length)
 
     def generate(
         self, service_name: str | bytes | bytearray, /, *,
@@ -220,8 +245,7 @@ class Vault:
             try:
                 required = self._required[:]
                 seq = sequin.Sequin(self.create_hash(
-                    key=phrase, message=(service_name + self._UUID),
-                    length=hash_length))
+                    phrase=phrase, service=service_name, length=hash_length))
                 result = bytearray()
                 while len(result) < self._length:
                     pos = seq.generate(len(required))


...	...	@@ -145,17 +145,24 @@ class Vault:
145	145
146	146	@classmethod
147	147	def create_hash(
148		- cls, key: bytes \| bytearray, message: bytes \| bytearray, *,
	148	+ cls, phrase: bytes \| bytearray, service: bytes \| bytearray, *,
149	149	length: int = 32,
150	150	) -> bytes:
151		- """Create a pseudorandom byte stream from key and message.
	151	+ r"""Create a pseudorandom byte stream from phrase and service.
	152	+
	153	+ Create a pseudorandom byte stream from `phrase` and `service` by
	154	+ feeding them into the key-derivation function PBKDF2
	155	+ (8 iterations, using SHA-1).
152	156
153	157	Args:
154		- key:
155		- A cryptographic key. Typically a master passphrase, or
156		- an SSH signature.
157		- message:
158		- A message. Typically a vault service name.
	158	+ phrase:
	159	+ A master passphrase, or sometimes an SSH signature.
	160	+ Used as the key for PBKDF2, the underlying cryptographic
	161	+ primitive.
	162	+ service:
	163	+ A vault service name. Will be suffixed with
	164	+ `Vault._UUID`, and then used as the salt value for
	165	+ PBKDF2.
159	166	length:
160	167	The length of the byte stream to generate.
161	168
...	...	@@ -170,9 +177,27 @@ class Vault:
170	177	call this method with the same input with ever-increasing
171	178	target lengths.
172	179
	180	+ Examples:
	181	+ >>> # See also Vault.phrase_from_signature examples.
	182	+ >>> phrase = bytes.fromhex('''
	183	+ ... 00 00 00 0b 73 73 68 2d 65 64 32 35 35 31 39
	184	+ ... 00 00 00 40
	185	+ ... f0 98 19 80 6c 1a 97 d5 26 03 6e cc e3 65 8f 86
	186	+ ... 66 07 13 19 13 09 21 33 33 f9 e4 36 53 1d af fd
	187	+ ... 0d 08 1f ec f8 73 9b 8c 5f 55 39 16 7c 53 54 2c
	188	+ ... 1e 52 bb 30 ed 7f 89 e2 2f 69 51 55 d8 9e a6 02
	189	+ ... ''')
	190	+ >>> Vault.create_hash(phrase, b'some_service', length=4)
	191	+ b'M\xb1<S'
	192	+ >>> Vault.create_hash(phrase, b'some_service', length=16)
	193	+ b'M\xb1<S\x827E\xd1M\xaf\xf8~\xc8n\x10\xcc'
	194	+ >>> Vault.create_hash(phrase, b'NOSUCHSERVICE', length=16)
	195	+ b'\x1c\xc3\x9c\xd9\xb6\x1a\x99CS\x07\xc41\xf4\x85#s'
	196	+
173	197	"""
174		- return hashlib.pbkdf2_hmac(hash_name='sha1', password=key,
175		- salt=message, iterations=8, dklen=length)
	198	+ salt = bytes(service) + cls._UUID
	199	+ return hashlib.pbkdf2_hmac(hash_name='sha1', password=phrase,
	200	+ salt=salt, iterations=8, dklen=length)
176	201
177	202	def generate(
178	203	self, service_name: str \| bytes \| bytearray, /, *,
...	...	@@ -220,8 +245,7 @@ class Vault:
220	245	try:
221	246	required = self._required[:]
222	247	seq = sequin.Sequin(self.create_hash(
223		- key=phrase, message=(service_name + self._UUID),
224		- length=hash_length))
	248	+ phrase=phrase, service=service_name, length=hash_length))
225	249	result = bytearray()
226	250	while len(result) < self._length:
227	251	pos = seq.generate(len(required))
228	252