
V3 feat needed: Load keys manually if the passphrases are not allowed be saved locally #436

Open
chencc1988 opened this issue May 30, 2023 · 1 comment

chencc1988 commented May 30, 2023

In my SNMPv3 use case, the passphrases cannot be saved locally for cyber security reasons, so it is impossible to initialize the passphrases at the beginning. Another service can provide the keys when the function setSecurityParameters is called.

Could the following code in function setSecurityParameters be replaced by a callback function that allows users to load their existing keys? The logic stays the same if the cb is nil or returns an error.

```go
sp.SecretKey = nil
sp.PrivacyKey = nil
```

```go
func (sp *UsmSecurityParameters) setSecurityParameters(in SnmpV3SecurityParameters) error {
	var insp *UsmSecurityParameters
	var err error

	sp.mu.Lock()
	defer sp.mu.Unlock()

	if insp, err = castUsmSecParams(in); err != nil {
		return err
	}

	if sp.AuthoritativeEngineID != insp.AuthoritativeEngineID {
		sp.AuthoritativeEngineID = insp.AuthoritativeEngineID
		sp.SecretKey = nil
		sp.PrivacyKey = nil

		err = sp.initSecurityKeysNoLock()
		if err != nil {
			return err
		}
	}
	sp.AuthoritativeEngineBoots = insp.AuthoritativeEngineBoots
	sp.AuthoritativeEngineTime = insp.AuthoritativeEngineTime

	return nil
}
```

The keys are generated in the unmarshal function in v3_usm.go as well. Here the keys also need to be loaded from the other service.

```go
func (sp *UsmSecurityParameters) unmarshal(flags SnmpV3MsgFlags, packet []byte, cursor int) (int, error)
...
sp.SecretKey = nil
sp.PrivacyKey = nil
...
```
@chencc1988 chencc1988 changed the title V3 feat required: Load keys manually if the passphrases are not allowed be saved locally V3 feat needed: Load keys manually if the passphrases are not allowed be saved locally May 30, 2023
Contributor

upsampled commented Oct 9, 2023

@chencc1988 there is another issue: there is also a caching mechanism for the password, which is stored in a global map.

```go
// from v3_usm.go
var (
	passwordKeyHashCache = make(map[string][]byte) //nolint:gochecknoglobals
	passwordKeyHashMutex sync.RWMutex              //nolint:gochecknoglobals
)
```

I think you may want to change this ticket to:

Feature Request: allow a callback for private key generation and flag to disable password caching
