deriveKeys static method

DerivedKeys deriveKeys({
  1. required Uint8List masterKey,
  2. Uint8List? salt,
  3. Uint8List? info,
})

One-shot HKDF: derive encKey and macKey (32B each) from a master key.

masterKey IKM; MUST be at least 32 bytes (enforced by higher-level config). salt Optional salt (recommended random, protocol-wide constant). info Optional info/context (binds keys to protocol).

RETURNS: { encKey: 32B, macKey: 32B }

HINT:

  • Keep salt and info consistent across Dart/PHP for interoperability.

Implementation

static DerivedKeys deriveKeys({
  required Uint8List masterKey,
  Uint8List? salt,
  Uint8List? info,
}) {
  final prk = extract(ikm: masterKey, salt: salt);
  final okm = expand(prk: prk, info: info, length: 64);

  // Split into two 32B keys: first for AES, second for HMAC.
  final encKey = Uint8List.sublistView(okm, 0, 32);
  final macKey = Uint8List.sublistView(okm, 32, 64);

  // Defensive copies (sublistView is backed by `okm`).
  final encKeyCopy = Uint8List.fromList(encKey);
  final macKeyCopy = Uint8List.fromList(macKey);

  // Best-effort scrubbing of intermediates.
  Bytes.secureZero(prk);
  Bytes.secureZero(okm);

  return DerivedKeys(encKeyCopy, macKeyCopy);
}