fix sals for vault #8

New Issue

Open

opened 2025-05-13 04:41:21 +00:00 by despiegk · 2 comments

despiegk commented 2025-05-13 04:41:21 +00:00

Owner

Copy Link

src/vault/keyspace

• is a secure container to store private keys
• they are organized per keyspace, a keyspace is loaded with 1 secret
• a keyspace has a private key
• easy methods to encrypt/decrypt
• more info see src/vault/keyspace/spec.md

this module should work in webassembly and native, there seems to be issues with how we do it
we also need to add symmetric encryption/decryption

src/vault/symmetric is wrong, should be linked to the secret of the keyspace, so its trivial for a user to do the encryption/decryption, prob implemented in the keyspace

the original intent can be seen in https://git.ourworld.tf/herocode/webassembly
see branch 'origin/rework', see start.sh and webbrowser example (there is still bug)

this needs all to be ported to keyspace

src/vault/kvs

• should use something like serde or better when using on normal os (windows, linux, ...)
• should use indexdb when used in webassembly

compilation should change depending which platform we compile for

src/vault/ethereum

• how can we get this to work in webassembly and native?

# src/vault/keyspace - is a secure container to store private keys - they are organized per keyspace, a keyspace is loaded with 1 secret - a keyspace has a private key - easy methods to encrypt/decrypt - more info see src/vault/keyspace/spec.md this module should work in webassembly and native, there seems to be issues with how we do it we also need to add symmetric encryption/decryption src/vault/symmetric is wrong, should be linked to the secret of the keyspace, so its trivial for a user to do the encryption/decryption, prob implemented in the keyspace the original intent can be seen in https://git.ourworld.tf/herocode/webassembly see branch 'origin/rework', see start.sh and webbrowser example (there is still bug) this needs all to be ported to keyspace # src/vault/kvs - should use something like serde or better when using on normal os (windows, linux, ...) - should use indexdb when used in webassembly compilation should change depending which platform we compile for # src/vault/ethereum - how can we get this to work in webassembly and native?

lee commented 2025-05-13 15:47:00 +00:00

Member

Copy Link

Compiling for wasm is hard in the current codebase as there are a lot of dependencies, some of which just don't work on wasm. To fix this, I'm moving the vault code to a separate module (created a workspace), to limit the dependency tree involved in the vault and to be able to provide a clean minimal isolated API.

Additionally, add rewrite the implementations for (a)symmetric encryption and signing manually, since the existing ones are broken/feature blaring security holes.

Compiling for wasm is hard in the current codebase as there are a lot of dependencies, some of which just don't work on wasm. To fix this, I'm moving the vault code to a separate module (created a workspace), to limit the dependency tree involved in the vault and to be able to provide a clean minimal isolated API. Additionally, add rewrite the implementations for (a)symmetric encryption and signing manually, since the existing ones are broken/feature blaring security holes.

❤️ 1

lee commented 2025-05-16 14:04:43 +00:00

Member

Copy Link

Code is on branch development_lee. There is 1 Vault type, which is the entry point. A vault can open a keyspace with a password. The password is used to derive a symmetric encryption key using pbkdf2 with a custom salt at 100000 rounds (now is the time to reduce this is this is deemed too much). In the keyspace generic Key's are saved, which can be upcast into the correct types (symmetric, asymmetric, and signing keys). The existing algorithms have been used for this (ChaCha20Poly1305 AEAD encryption for symmetric, secp256k1 ecdh for asymmetric key exchange which derives a symmetric key using the afforementioned ChaCha20Poly1305, and secp256k1 ECDSA for signing).

Code works on both native (using tokio, requires feature native) and wasm (requires feature wasm). The type is the same for all platforms, and it's a struct, so no trait and generics are needed. The database layers are done by sameh in https://git.ourworld.tf/samehabouelsaad/sal-modular. As I understand from our talk he will also work on the ethereum part.

Code is on [branch development_lee](https://git.ourworld.tf/herocode/sal/src/branch/development_lee). There is 1 Vault type, which is the entry point. A vault can open a keyspace with a password. The password is used to derive a symmetric encryption key using pbkdf2 with a custom salt at 100000 rounds (now is the time to reduce this is this is deemed too much). In the keyspace generic `Key`'s are saved, which can be upcast into the correct types (symmetric, asymmetric, and signing keys). The existing algorithms have been used for this (ChaCha20Poly1305 AEAD encryption for symmetric, secp256k1 ecdh for asymmetric key exchange which derives a symmetric key using the afforementioned ChaCha20Poly1305, and secp256k1 ECDSA for signing). Code works on both native (using tokio, requires feature `native`) and wasm (requires feature `wasm`). The type is the same for all platforms, and it's a struct, so no trait and generics are needed. The database layers are done by sameh in https://git.ourworld.tf/samehabouelsaad/sal-modular. As I understand from our talk he will also work on the ethereum part.

❤️ 1

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

development_lee

development_keypair_tests

development_maxime

No results found.

Labels

Clear labels

No items

No Label

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: herocode/sal#8

No description provided.