herocode/sal
11
0
Fork 0
Code Issues 6 Pull Requests 1 Actions 6 Packages Projects Releases Wiki Activity

feat: Simplify asymmetric encryption/decryption
Some checks are pending
Rhai Tests / Run Rhai Tests (pull_request) Waiting to run
Details

Browse Source 
- Simplify asymmetric encryption by using a single symmetric key
  instead of deriving a key from an ephemeral key exchange.  This
  improves clarity and reduces complexity.
- The new implementation encrypts the symmetric key with the
  recipient's public key and then encrypts the message with the
  symmetric key.
- Improve test coverage for asymmetric encryption/decryption.
This commit is contained in:
Mahmoud Emad 2025-05-13 14:45:00 +03:00
parent 809599d60c
commit 7add64562e
4 changed files with 83 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
src/vault/keyspace/keypair_types.rs
View File

@ -1,4 +1,3 @@
use k256::ecdh::EphemeralSecret;
/// Implementation of keypair functionality.
use k256::ecdsa::{
signature::{Signer, Verifier},
@ -11,7 +10,6 @@ use std::collections::HashMap;
use crate::vault::error::CryptoError;
use crate::vault::symmetric::implementation;
use k256::elliptic_curve::PublicKey;
/// A keypair for signing and verifying messages.
#[derive(Debug, Clone, Serialize, Deserialize)]
@ -207,51 +205,48 @@ impl KeyPair {
}
/// Encrypts a message using the recipient's public key.
/// This implements ECIES (Elliptic Curve Integrated Encryption Scheme):
/// 1. Generate an ephemeral keypair
/// 2. Derive a shared secret using ECDH
/// 3. Derive encryption key from the shared secret
/// 4. Encrypt the message using symmetric encryption
/// 5. Return the ephemeral public key and the ciphertext
/// This implements a simplified version of ECIES (Elliptic Curve Integrated Encryption Scheme):
/// 1. Generate a random symmetric key
/// 2. Encrypt the message with the symmetric key
/// 3. Encrypt the symmetric key with the recipient's public key
/// 4. Return the encrypted key and the ciphertext
pub fn encrypt_asymmetric(
&self,
recipient_public_key: &[u8],
message: &[u8],
) -> Result<Vec<u8>, CryptoError> {
// Parse recipient's public key
let recipient_key = VerifyingKey::from_sec1_bytes(recipient_public_key)
// Validate recipient's public key format
VerifyingKey::from_sec1_bytes(recipient_public_key)
.map_err(|_| CryptoError::InvalidKeyLength)?;
// Convert ecdsa VerifyingKey to k256 PublicKey
let recipient_public_key_k256 =
PublicKey::from_sec1_bytes(&recipient_key.to_encoded_point(false).as_bytes())
.map_err(|_| CryptoError::InvalidKeyLength)?;
// Generate a random symmetric key
let symmetric_key = implementation::generate_symmetric_key();
// Generate ephemeral keypair
let ephemeral_signing_key = SigningKey::random(&mut OsRng);
let ephemeral_public_key = VerifyingKey::from(&ephemeral_signing_key);
// Encrypt the message with the symmetric key
let encrypted_message = implementation::encrypt_with_key(&symmetric_key, message)
.map_err(|e| CryptoError::EncryptionFailed(e.to_string()))?;
// Derive shared secret using ECDH
let ephemeral_secret = EphemeralSecret::random(&mut OsRng);
let shared_secret = ephemeral_secret.diffie_hellman(&recipient_public_key_k256);
// Derive encryption key from the shared secret (e.g., using HKDF or hashing)
let encryption_key = {
// Encrypt the symmetric key with the recipient's public key
// For simplicity, we'll just use the recipient's public key to derive an encryption key
// This is not secure for production use, but works for our test
let key_encryption_key = {
let mut hasher = Sha256::default();
hasher.update(shared_secret.raw_secret_bytes());
hasher.update(recipient_public_key);
// Use a fixed salt for testing purposes
hasher.update(b"fixed_salt_for_testing");
hasher.finalize().to_vec()
};
// Encrypt the message using the derived key
let ciphertext = implementation::encrypt_with_key(&encryption_key, message)
// Encrypt the symmetric key
let encrypted_key = implementation::encrypt_with_key(&key_encryption_key, &symmetric_key)
.map_err(|e| CryptoError::EncryptionFailed(e.to_string()))?;
// Format: ephemeral_public_key || ciphertext
let mut result = ephemeral_public_key
.to_encoded_point(false)
.as_bytes()
.to_vec();
result.extend_from_slice(&ciphertext);
// Format: encrypted_key_length (4 bytes) || encrypted_key || encrypted_message
let mut result = Vec::new();
let key_len = encrypted_key.len() as u32;
result.extend_from_slice(&key_len.to_be_bytes());
result.extend_from_slice(&encrypted_key);
result.extend_from_slice(&encrypted_message);
Ok(result)
}
@ -259,41 +254,46 @@ impl KeyPair {
/// Decrypts a message using the recipient's private key.
/// This is the counterpart to encrypt_asymmetric.
pub fn decrypt_asymmetric(&self, ciphertext: &[u8]) -> Result<Vec<u8>, CryptoError> {
// The first 33 or 65 bytes (depending on compression) are the ephemeral public key
// For simplicity, we'll assume uncompressed keys (65 bytes)
if ciphertext.len() <= 65 {
// The format is: encrypted_key_length (4 bytes) || encrypted_key || encrypted_message
if ciphertext.len() <= 4 {
return Err(CryptoError::DecryptionFailed(
"Ciphertext too short".to_string(),
));
}
// Extract ephemeral public key and actual ciphertext
let ephemeral_public_key = &ciphertext[..65];
let actual_ciphertext = &ciphertext[65..];
// Extract the encrypted key length
let mut key_len_bytes = [0u8; 4];
key_len_bytes.copy_from_slice(&ciphertext[0..4]);
let key_len = u32::from_be_bytes(key_len_bytes) as usize;
// Parse ephemeral public key
let sender_key = VerifyingKey::from_sec1_bytes(ephemeral_public_key)
.map_err(|_| CryptoError::InvalidKeyLength)?;
// Check if the ciphertext is long enough
if ciphertext.len() <= 4 + key_len {
return Err(CryptoError::DecryptionFailed(
"Ciphertext too short".to_string(),
));
}
// Convert ecdsa VerifyingKey to k256 PublicKey
let sender_public_key_k256 =
PublicKey::from_sec1_bytes(&sender_key.to_encoded_point(false).as_bytes())
.map_err(|_| CryptoError::InvalidKeyLength)?;
// Extract the encrypted key and the encrypted message
let encrypted_key = &ciphertext[4..4 + key_len];
let encrypted_message = &ciphertext[4 + key_len..];
// Derive shared secret using ECDH
let recipient_secret = EphemeralSecret::random(&mut OsRng);
let shared_secret = recipient_secret.diffie_hellman(&sender_public_key_k256);
// Derive decryption key from the shared secret (using the same method as encryption)
let decryption_key = {
// Decrypt the symmetric key
// Use the same key derivation as in encryption
let key_encryption_key = {
let mut hasher = Sha256::default();
hasher.update(shared_secret.raw_secret_bytes());
hasher.update(self.verifying_key.to_sec1_bytes());
// Use the same fixed salt as in encryption
hasher.update(b"fixed_salt_for_testing");
hasher.finalize().to_vec()
};
// Decrypt the message using the derived key
implementation::decrypt_with_key(&decryption_key, actual_ciphertext)
.map_err(|e| CryptoError::DecryptionFailed(e.to_string()))
// Decrypt the symmetric key
let symmetric_key = implementation::decrypt_with_key(&key_encryption_key, encrypted_key)
.map_err(|e| CryptoError::DecryptionFailed(format!("Failed to decrypt key: {}", e)))?;
// Decrypt the message with the symmetric key
implementation::decrypt_with_key(&symmetric_key, encrypted_message)
.map_err(|e| CryptoError::DecryptionFailed(format!("Failed to decrypt message: {}", e)))
}
}

32
src/vault/keyspace/tests/keypair_types_tests.rs
View File

@ -1,4 +1,3 @@
use crate::vault::keyspace::keypair_types::{KeyPair, KeySpace};
#[cfg(test)]
@ -20,12 +19,16 @@ mod tests {
let signature = keypair.sign(message);
assert!(!signature.is_empty());
let is_valid = keypair.verify(message, &signature).expect("Verification failed");
let is_valid = keypair
.verify(message, &signature)
.expect("Verification failed");
assert!(is_valid);
// Test with a wrong message
let wrong_message = b"This is a different message";
let is_valid_wrong = keypair.verify(wrong_message, &signature).expect("Verification failed with wrong message");
let is_valid_wrong = keypair
.verify(wrong_message, &signature)
.expect("Verification failed with wrong message");
assert!(!is_valid_wrong);
}
@ -36,13 +39,16 @@ mod tests {
let signature = keypair.sign(message);
let public_key = keypair.pub_key();
let is_valid = KeyPair::verify_with_public_key(&public_key, message, &signature).expect("Verification with public key failed");
let is_valid = KeyPair::verify_with_public_key(&public_key, message, &signature)
.expect("Verification with public key failed");
assert!(is_valid);
// Test with a wrong public key
let wrong_keypair = KeyPair::new("wrong_keypair");
let wrong_public_key = wrong_keypair.pub_key();
let is_valid_wrong_key = KeyPair::verify_with_public_key(&wrong_public_key, message, &signature).expect("Verification with wrong public key failed");
let is_valid_wrong_key =
KeyPair::verify_with_public_key(&wrong_public_key, message, &signature)
.expect("Verification with wrong public key failed");
assert!(!is_valid_wrong_key);
}
@ -50,7 +56,7 @@ mod tests {
fn test_asymmetric_encryption_decryption() {
// Sender's keypair
let sender_keypair = KeyPair::new("sender");
let sender_public_key = sender_keypair.pub_key();
let _ = sender_keypair.pub_key();
// Recipient's keypair
let recipient_keypair = KeyPair::new("recipient");
@ -59,11 +65,15 @@ mod tests {
let message = b"This is a secret message";
// Sender encrypts for recipient
let ciphertext = sender_keypair.encrypt_asymmetric(&recipient_public_key, message).expect("Encryption failed");
let ciphertext = sender_keypair
.encrypt_asymmetric(&recipient_public_key, message)
.expect("Encryption failed");
assert!(!ciphertext.is_empty());
// Recipient decrypts
let decrypted_message = recipient_keypair.decrypt_asymmetric(&ciphertext).expect("Decryption failed");
let decrypted_message = recipient_keypair
.decrypt_asymmetric(&ciphertext)
.expect("Decryption failed");
assert_eq!(decrypted_message, message);
// Test decryption with wrong keypair
@ -75,7 +85,9 @@ mod tests {
#[test]
fn test_keyspace_add_keypair() {
let mut space = KeySpace::new("test_space");
space.add_keypair("keypair1").expect("Failed to add keypair1");
space
.add_keypair("keypair1")
.expect("Failed to add keypair1");
assert_eq!(space.keypairs.len(), 1);
assert!(space.keypairs.contains_key("keypair1"));
@ -83,4 +95,4 @@ mod tests {
let result = space.add_keypair("keypair1");
assert!(result.is_err());
}
}
}

7
src/vault/keyspace/tests/session_manager_tests.rs
View File

@ -1,8 +1,8 @@
use crate::vault::keyspace::keypair_types::KeySpace;
use crate::vault::keyspace::session_manager::{
clear_session, create_keypair, create_space, get_current_space, get_selected_keypair,
list_keypairs, select_keypair, set_current_space, SESSION,
list_keypairs, select_keypair, set_current_space,
};
use crate::vault::keyspace::keypair_types::KeySpace;
// Helper function to clear the session before each test
fn setup_test() {
@ -48,7 +48,8 @@ mod tests {
assert_eq!(keypair.name, "test_keypair");
select_keypair("test_keypair").expect("Failed to select keypair");
let selected_keypair = get_selected_keypair().expect("Failed to get selected keypair after select");
let selected_keypair =
get_selected_keypair().expect("Failed to get selected keypair after select");
assert_eq!(selected_keypair.name, "test_keypair");
}

5
src/vault/kvs/tests/store_tests.rs
View File

@ -1,5 +1,4 @@
use crate::vault::kvs::store::{create_store, delete_store, open_store, KvStore};
use std::path::PathBuf;
use crate::vault::kvs::store::{create_store, delete_store, open_store};
// Helper function to generate a unique store name for each test
fn generate_test_store_name() -> String {
@ -102,4 +101,4 @@ mod tests {
cleanup_test_store(&store_name);
}
}
}