It seems that the salt for the wrapping of the key split(s) is a constant: asym_encryption.go#L63
digest := sha256.New()
digest.Write([]byte("TDF"))
salt := digest.Sum(nil)
I'm not sure how much of a problem that is. The splits are already nonces, so there is already randomness. However, if two KASes for the same split share the same asymmetric key (e.g. KAS1 kid A == KAS2 kid B), then the KAOs would contain identical wrapped keys which leaks the information that "KAS1 kid A == KAS2 kid B".
It seems sensible to make the salt random.
It seems that the salt for the wrapping of the key split(s) is a constant: asym_encryption.go#L63
I'm not sure how much of a problem that is. The splits are already nonces, so there is already randomness. However, if two KASes for the same split share the same asymmetric key (e.g. KAS1 kid A == KAS2 kid B), then the KAOs would contain identical wrapped keys which leaks the information that "KAS1 kid A == KAS2 kid B".
It seems sensible to make the salt random.