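package vault

import (
	"crypto/rand"
	"crypto/sha256"

	"golang.org/x/crypto/pbkdf2"
)

// Pbkdf2Deriver returns a KeyDeriver that stretches a passphrase into a
// 32-byte key with PBKDF2-HMAC-SHA256 (RFC 2898).
//
// The derived key is a pure function of (passphrase, salt, iterations,
// keyLength, hash), so the constants below are effectively part of the stored
// format: changing any of them changes the key derived for an already-stored
// salt and would lock callers out of existing data. They are therefore left as
// they are, with the caveat that an 8-byte salt and 1000 iterations are the
// RFC 2898 minimums and well below current guidance (OWASP lists 600,000
// iterations for PBKDF2-HMAC-SHA256); moving to stronger parameters needs a
// versioned format so old salts can still be recognised.
//
// The returned function takes the passphrase and an optional existingSalt and
// returns (key, salt):
//   - existingSalt nil or empty: a fresh 8-byte random salt is generated.
//   - len(existingSalt) >= 8: the first 8 bytes are used; extra bytes are
//     silently dropped.
//   - 0 < len(existingSalt) < 8: the bytes given are used and the remainder is
//     filled randomly, so the derivation is NOT reproducible from that short
//     input alone — callers must persist the returned salt, never the input.
//
// A failure of crypto/rand is treated as fatal (panic) rather than silently
// deriving from a zeroed, predictable salt.
func Pbkdf2Deriver() KeyDeriver {
	const (
		saltLength = 8    // bytes; RFC 2898 §4.1 minimum
		iterations = 1000 // RFC 2898 §4.2 minimum
		keyLength  = 32   // bytes (256-bit key)
	)
	return KeyDeriverFunc(func(passphrase string, existingSalt []byte) (key []byte, salt []byte) {
		salt = make([]byte, saltLength)
		// copy moves min(len(salt), len(existingSalt)) bytes, which both
		// truncates an over-long salt and handles nil/empty input.
		n := copy(salt, existingSalt)
		if n < saltLength {
			// Fill whatever the caller did not supply with CSPRNG bytes.
			// crypto/rand.Read cannot return an error on Go 1.24+, but on
			// older toolchains a failure must not fall through to a salt
			// that is partly or wholly zero.
			if _, err := rand.Read(salt[n:]); err != nil {
				panic("vault: crypto/rand unavailable for PBKDF2 salt: " + err.Error())
			}
		}
		return pbkdf2.Key([]byte(passphrase), salt, iterations, keyLength, sha256.New), salt
	})
}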