samehabouelsaad/sal-modular
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Feat: simplify vault API and update docs

Browse Source
This commit is contained in:
Sameh Abouelsaad
2025-05-15 22:27:46 +03:00
parent cea2d7e655
commit 791752c3a5
21 changed files with 533 additions and 1106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
vault/src/crypto.rs
View File

@@ -2,9 +2,9 @@
//! Crypto utilities for the vault crate
use chacha20poly1305::{ChaCha20Poly1305, KeyInit as ChaChaKeyInit, aead::{Aead, generic_array::GenericArray}};
use aes_gcm::Aes256Gcm;
use pbkdf2::pbkdf2_hmac;
use scrypt::{scrypt, Params as ScryptParams};
use sha2::Sha256;
use rand_core::{RngCore, OsRng as RandOsRng};
@@ -12,12 +12,7 @@ pub mod kdf {
use super::*;
pub fn derive_key_scrypt(password: &[u8], salt: &[u8], key_len: usize) -> Result<Vec<u8>, String> {
let params = ScryptParams::recommended();
let mut key = vec![0u8; key_len];
scrypt(password, salt, &params, &mut key).map_err(|e| e.to_string())?;
Ok(key)
}
pub fn derive_key_pbkdf2(password: &[u8], salt: &[u8], key_len: usize, iterations: u32) -> Vec<u8> {
let mut key = vec![0u8; key_len];
@@ -42,17 +37,9 @@ pub mod cipher {
.map_err(|e| format!("decryption error: {e}"))
}
pub fn encrypt_aes_gcm(key: &[u8], plaintext: &[u8], nonce: &[u8]) -> Result<Vec<u8>, String> {
let cipher = Aes256Gcm::new(GenericArray::from_slice(key));
cipher.encrypt(GenericArray::from_slice(nonce), plaintext)
.map_err(|e| format!("encryption error: {e}"))
}
pub fn decrypt_aes_gcm(key: &[u8], ciphertext: &[u8], nonce: &[u8]) -> Result<Vec<u8>, String> {
let cipher = Aes256Gcm::new(GenericArray::from_slice(key));
cipher.decrypt(GenericArray::from_slice(nonce), ciphertext)
.map_err(|e| format!("decryption error: {e}"))
}
}
pub fn random_salt(len: usize) -> Vec<u8> {

2
vault/src/data.rs
View File

@@ -11,8 +11,6 @@ pub struct VaultMetadata {
pub struct KeyspaceMetadata {
pub name: String,
pub salt: [u8; 16], // Unique salt for this keyspace
pub kdf: String, // e.g. "scrypt" or "pbkdf2"
pub cipher: String, // e.g. "chacha20poly1305" or "aes-gcm"
pub encrypted_blob: Vec<u8>,
pub created_at: Option<u64>, // Unix timestamp
pub tags: Option<Vec<String>>,

417
vault/src/lib.rs
View File

@@ -14,11 +14,12 @@ use kvstore::KVStore;
use data::*;
use error::VaultError;
use crate::crypto::random_salt;
use crate::crypto::kdf;
use crate::crypto::cipher::{encrypt_chacha20, decrypt_chacha20, encrypt_aes_gcm, decrypt_aes_gcm};
use crate::crypto::cipher::{encrypt_chacha20, decrypt_chacha20};
use signature::SignatureEncoding;
// TEMP: File-based debug logger for crypto troubleshooting
use log::{debug, info, error};
use log::{debug};
/// Vault: Cryptographic keyspace and operations
pub struct Vault<S: KVStore> {
@@ -27,31 +28,16 @@ pub struct Vault<S: KVStore> {
}
/// Helper to encrypt and prepend nonce to ciphertext for keyspace storage
fn encrypt_with_nonce_prepended(key: &[u8], plaintext: &[u8], cipher: &str) -> Result<Vec<u8>, VaultError> {
use crate::crypto::random_salt;
use crate::crypto;
/// Helper to encrypt and prepend nonce to ciphertext for keyspace storage
/// Always uses ChaCha20Poly1305.
fn encrypt_with_nonce_prepended(key: &[u8], plaintext: &[u8]) -> Result<Vec<u8>, VaultError> {
let nonce = random_salt(12);
debug!("nonce: {}", hex::encode(&nonce));
let (ct, _key_hex) = match cipher {
"chacha20poly1305" => {
let ct = encrypt_chacha20(key, plaintext, &nonce)
.map_err(|e| VaultError::Crypto(e))?;
debug!("ct: {}", hex::encode(&ct));
debug!("key: {}", hex::encode(key));
(ct, hex::encode(key))
},
"aes-gcm" => {
let ct = encrypt_aes_gcm(key, plaintext, &nonce)
.map_err(|e| VaultError::Crypto(e))?;
debug!("ct: {}", hex::encode(&ct));
debug!("key: {}", hex::encode(key));
(ct, hex::encode(key))
},
_ => {
debug!("unsupported cipher: {}", cipher);
return Err(VaultError::Other(format!("Unsupported cipher: {cipher}")));
}
};
// Always use ChaCha20Poly1305 for encryption
let ct = encrypt_chacha20(key, plaintext, &nonce)
.map_err(|e| VaultError::Crypto(e))?;
debug!("ct: {}", hex::encode(&ct));
debug!("key: {}", hex::encode(key));
let mut blob = nonce.clone();
blob.extend_from_slice(&ct);
debug!("ENCRYPTED (nonce|ct): {}", hex::encode(&blob));
@@ -64,7 +50,8 @@ impl<S: KVStore> Vault<S> {
}
/// Create a new keyspace with the given name, password, and options.
pub async fn create_keyspace(&mut self, name: &str, password: &[u8], kdf: &str, cipher: &str, tags: Option<Vec<String>>) -> Result<(), VaultError> {
/// Create a new keyspace with the given name and password. Always uses PBKDF2 and ChaCha20Poly1305.
pub async fn create_keyspace(&mut self, name: &str, password: &[u8], tags: Option<Vec<String>>) -> Result<(), VaultError> {
// Check if keyspace already exists
if self.storage.get(name).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?.is_some() {
debug!("keyspace '{}' already exists", name);
@@ -79,20 +66,8 @@ impl<S: KVStore> Vault<S> {
let salt = random_salt(16);
debug!("salt: {:?}", salt);
// 2. Derive key
let key = match kdf {
"scrypt" => match kdf::derive_key_scrypt(password, &salt, 32) {
Ok(val) => val,
Err(e) => {
debug!("kdf scrypt error: {}", e);
return Err(VaultError::Crypto(e));
}
},
"pbkdf2" => kdf::derive_key_pbkdf2(password, &salt, 32, 10_000),
_ => {
debug!("unsupported KDF: {}", kdf);
return Err(VaultError::Other(format!("Unsupported KDF: {kdf}")));
}
};
// Always use PBKDF2 for key derivation
let key = kdf::derive_key_pbkdf2(password, &salt, 32, 10_000);
debug!("derived key: {} bytes", key.len());
// 3. Prepare initial keyspace data
let keyspace_data = KeyspaceData { keypairs: vec![] };
@@ -108,15 +83,14 @@ impl<S: KVStore> Vault<S> {
let nonce = random_salt(12);
debug!("nonce: {}", hex::encode(&nonce));
// 5. Encrypt
let encrypted_blob = encrypt_with_nonce_prepended(&key, &plaintext, cipher)?;
// Always use ChaCha20Poly1305 for encryption
let encrypted_blob = encrypt_with_nonce_prepended(&key, &plaintext)?;
debug!("encrypted_blob: {} bytes", encrypted_blob.len());
debug!("encrypted_blob (hex): {}", hex::encode(&encrypted_blob));
// 6. Compose metadata
let metadata = KeyspaceMetadata {
name: name.to_string(),
salt: salt.try_into().unwrap_or([0u8; 16]),
kdf: kdf.to_string(),
cipher: cipher.to_string(),
encrypted_blob,
created_at: Some(crate::utils::now()),
tags,
@@ -151,9 +125,11 @@ impl<S: KVStore> Vault<S> {
}
/// Unlock a keyspace by name and password, returning the decrypted data
/// Unlock a keyspace by name and password, returning the decrypted data
/// Always uses PBKDF2 and ChaCha20Poly1305.
pub async fn unlock_keyspace(&self, name: &str, password: &[u8]) -> Result<KeyspaceData, VaultError> {
debug!("unlock_keyspace entry: name={}", name);
use crate::crypto::{kdf};
// use crate::crypto::kdf; // removed if not needed
use serde_json;
// 1. Fetch keyspace metadata
let meta_bytes = self.storage.get(name).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?;
@@ -164,51 +140,18 @@ impl<S: KVStore> Vault<S> {
return Err(VaultError::Crypto("Salt length must be 16 bytes".to_string()));
}
// 2. Derive key
let key = match metadata.kdf.as_str() {
"scrypt" => match kdf::derive_key_scrypt(password, &metadata.salt, 32) {
Ok(val) => val,
Err(e) => {
debug!("kdf scrypt error: {}", e);
return Err(VaultError::Crypto(e));
}
},
"pbkdf2" => kdf::derive_key_pbkdf2(password, &metadata.salt, 32, 10_000),
_ => {
debug!("unsupported KDF: {}", metadata.kdf);
return Err(VaultError::Other(format!("Unsupported KDF: {}", metadata.kdf)));
}
};
let key = kdf::derive_key_pbkdf2(password, &metadata.salt, 32, 10_000);
debug!("derived key: {} bytes", key.len());
debug!("derived key (hex): {}", hex::encode(&key));
// 3. Split nonce and ciphertext
let ciphertext = &metadata.encrypted_blob;
if ciphertext.len() < 12 {
debug!("ciphertext too short: {}", ciphertext.len());
return Err(VaultError::Crypto("Ciphertext too short".to_string()));
}
let (nonce, ct) = ciphertext.split_at(12);
debug!("nonce: {}", hex::encode(nonce));
// 4. Decrypt
let plaintext = match metadata.cipher.as_str() {
"chacha20poly1305" => match decrypt_chacha20(&key, ct, nonce) {
Ok(val) => val,
Err(e) => {
debug!("chacha20poly1305 error: {}", e);
return Err(VaultError::Crypto(e));
}
},
"aes-gcm" => match decrypt_aes_gcm(&key, ct, nonce) {
Ok(val) => val,
Err(e) => {
debug!("aes-gcm error: {}", e);
return Err(VaultError::Crypto(e));
}
},
_ => {
debug!("unsupported cipher: {}", metadata.cipher);
return Err(VaultError::Other(format!("Unsupported cipher: {}", metadata.cipher)));
}
};
debug!("nonce: {}", hex::encode(nonce));
let plaintext = decrypt_chacha20(&key, ct, nonce).map_err(VaultError::Crypto)?;
debug!("plaintext decrypted: {} bytes", plaintext.len());
// 4. Deserialize keyspace data
let keyspace_data: KeyspaceData = match serde_json::from_slice(&plaintext) {
@@ -231,7 +174,9 @@ impl<S: KVStore> Vault<S> {
// --- Keypair Management APIs ---
/// Add a new keypair to a keyspace (generates and stores a new keypair)
pub async fn add_keypair(&mut self, keyspace: &str, password: &[u8], key_type: KeyType, metadata: Option<KeyMetadata>) -> Result<String, VaultError> {
/// Add a new keypair to a keyspace (generates and stores a new keypair)
/// If key_type is None, defaults to Secp256k1.
pub async fn add_keypair(&mut self, keyspace: &str, password: &[u8], key_type: Option<KeyType>, metadata: Option<KeyMetadata>) -> Result<String, VaultError> {
use crate::data::KeyEntry;
use rand_core::OsRng;
use rand_core::RngCore;
@@ -239,7 +184,8 @@ impl<S: KVStore> Vault<S> {
// 1. Unlock keyspace
let mut data = self.unlock_keyspace(keyspace, password).await?;
// 2. Generate keypair
let (private_key, public_key, id) = match key_type {
let key_type = key_type.unwrap_or(KeyType::Secp256k1);
let (private_key, public_key, id) = match key_type {
KeyType::Ed25519 => {
use ed25519_dalek::{SigningKey, VerifyingKey};
let mut bytes = [0u8; 32];
@@ -301,123 +247,108 @@ impl<S: KVStore> Vault<S> {
debug!("save_keyspace entry: keyspace={}", keyspace);
use crate::crypto::kdf;
use serde_json;
// 1. Fetch metadata
let meta_bytes = self.storage.get(keyspace).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?;
debug!("got meta_bytes: {}", meta_bytes.as_ref().map(|v| v.len()).unwrap_or(0));
let meta_bytes = meta_bytes.ok_or(VaultError::KeyspaceNotFound(keyspace.to_string()))?;
let mut metadata: KeyspaceMetadata = serde_json::from_slice(&meta_bytes).map_err(|e| VaultError::Serialization(e.to_string()))?;
debug!("metadata: kdf={} cipher={} salt={:?}", metadata.kdf, metadata.cipher, metadata.salt);
if metadata.salt.len() != 16 {
debug!("salt length {} != 16", metadata.salt.len());
return Err(VaultError::Crypto("Salt length must be 16 bytes".to_string()));
}
// 2. Derive key
let key = match metadata.kdf.as_str() {
"scrypt" => match kdf::derive_key_scrypt(password, &metadata.salt, 32) {
Ok(val) => val,
Err(e) => {
debug!("kdf scrypt error: {}", e);
return Err(VaultError::Crypto(e));
}
},
"pbkdf2" => kdf::derive_key_pbkdf2(password, &metadata.salt, 32, 10_000),
_ => {
debug!("unsupported KDF: {}", metadata.kdf);
return Err(VaultError::Other(format!("Unsupported KDF: {}", metadata.kdf)));
}
};
debug!("derived key: {} bytes", key.len());
// 3. Serialize plaintext
let plaintext = match serde_json::to_vec(data) {
Ok(val) => val,
Err(e) => {
debug!("serde_json data error: {}", e);
return Err(VaultError::Serialization(e.to_string()));
}
};
debug!("plaintext serialized: {} bytes", plaintext.len());
// 4. Generate nonce
let nonce = random_salt(12);
debug!("nonce: {}", hex::encode(&nonce));
// 5. Encrypt
let encrypted_blob = encrypt_with_nonce_prepended(&key, &plaintext, &metadata.cipher)?;
debug!("encrypted_blob: {} bytes", encrypted_blob.len());
// 6. Store new encrypted blob
metadata.encrypted_blob = encrypted_blob;
let meta_bytes = match serde_json::to_vec(&metadata) {
Ok(val) => val,
Err(e) => {
debug!("serde_json metadata error: {}", e);
return Err(VaultError::Serialization(e.to_string()));
}
};
self.storage.set(keyspace, &meta_bytes).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?;
debug!("success");
Ok(())
}
/// Sign a message with a stored keypair in a keyspace
///
/// # Arguments
/// * `keyspace` - Keyspace name
/// * `password` - Keyspace password
/// * `key_id` - Keypair ID
/// * `message` - Message to sign
pub async fn sign(&self, keyspace: &str, password: &[u8], key_id: &str, message: &[u8]) -> Result<Vec<u8>, VaultError> {
let data = self.unlock_keyspace(keyspace, password).await?;
let key = data.keypairs.iter().find(|k| k.id == key_id).ok_or(VaultError::KeyNotFound(key_id.to_string()))?;
match key.key_type {
KeyType::Ed25519 => {
use ed25519_dalek::{SigningKey, Signer};
let signing = SigningKey::from_bytes(&key.private_key.clone().try_into().map_err(|_| VaultError::Crypto("Invalid Ed25519 private key length".to_string()))?);
let sig = signing.sign(message);
Ok(sig.to_bytes().to_vec())
}
KeyType::Secp256k1 => {
use k256::ecdsa::{SigningKey, signature::Signer};
let arr: &[u8; 32] = key.private_key.as_slice().try_into().map_err(|_| VaultError::Crypto("Invalid secp256k1 private key length".to_string()))?;
let sk = SigningKey::from_bytes(arr.into()).map_err(|e| VaultError::Crypto(e.to_string()))?;
let sig: k256::ecdsa::DerSignature = sk.sign(message);
Ok(sig.to_vec())
}
let meta_bytes = self.storage.get(keyspace).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?;
debug!("got meta_bytes: {}", meta_bytes.as_ref().map(|v| v.len()).unwrap_or(0));
let meta_bytes = meta_bytes.ok_or(VaultError::KeyspaceNotFound(keyspace.to_string()))?;
let mut metadata: KeyspaceMetadata = serde_json::from_slice(&meta_bytes).map_err(|e| VaultError::Serialization(e.to_string()))?;
debug!("metadata: salt={:?}", metadata.salt);
if metadata.salt.len() != 16 {
debug!("salt length {} != 16", metadata.salt.len());
return Err(VaultError::Crypto("Salt length must be 16 bytes".to_string()));
}
// 2. Derive key
let key = kdf::derive_key_pbkdf2(password, &metadata.salt, 32, 10_000);
debug!("derived key: {} bytes", key.len());
// 3. Serialize plaintext
let plaintext = match serde_json::to_vec(data) {
Ok(val) => val,
Err(e) => {
debug!("serde_json data error: {}", e);
return Err(VaultError::Serialization(e.to_string()));
}
};
debug!("plaintext serialized: {} bytes", plaintext.len());
// 4. Generate nonce
let nonce = random_salt(12);
debug!("nonce: {}", hex::encode(&nonce));
// 5. Encrypt
let encrypted_blob = encrypt_with_nonce_prepended(&key, &plaintext)?;
debug!("encrypted_blob: {} bytes", encrypted_blob.len());
// 6. Store new encrypted blob
metadata.encrypted_blob = encrypted_blob;
let meta_bytes = match serde_json::to_vec(&metadata) {
Ok(val) => val,
Err(e) => {
debug!("serde_json metadata error: {}", e);
return Err(VaultError::Serialization(e.to_string()));
}
};
self.storage.set(keyspace, &meta_bytes).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?;
debug!("success");
Ok(())
}
/// Sign a message with a stored keypair in a keyspace
///
/// # Arguments
/// * `keyspace` - Keyspace name
/// * `password` - Keyspace password
/// * `key_id` - Keypair ID
/// * `message` - Message to sign
pub async fn sign(&self, keyspace: &str, password: &[u8], key_id: &str, message: &[u8]) -> Result<Vec<u8>, VaultError> {
let data = self.unlock_keyspace(keyspace, password).await?;
let key = data.keypairs.iter().find(|k| k.id == key_id).ok_or(VaultError::KeyNotFound(key_id.to_string()))?;
match key.key_type {
KeyType::Ed25519 => {
use ed25519_dalek::{SigningKey, Signer};
let signing = SigningKey::from_bytes(&key.private_key.clone().try_into().map_err(|_| VaultError::Crypto("Invalid Ed25519 private key length".to_string()))?);
let sig = signing.sign(message);
Ok(sig.to_bytes().to_vec())
}
KeyType::Secp256k1 => {
use k256::ecdsa::{SigningKey, signature::Signer};
let arr: &[u8; 32] = key.private_key.as_slice().try_into().map_err(|_| VaultError::Crypto("Invalid secp256k1 private key length".to_string()))?;
let sk = SigningKey::from_bytes(arr.into()).map_err(|e| VaultError::Crypto(e.to_string()))?;
let sig: k256::ecdsa::DerSignature = sk.sign(message);
Ok(sig.to_vec())
}
}
}
/// Verify a signature with a stored keypair in a keyspace
///
/// # Arguments
/// * `keyspace` - Keyspace name
/// * `password` - Keyspace password
/// * `key_id` - Keypair ID
/// * `message` - Message that was signed
/// * `signature` - Signature to verify
pub async fn verify(&self, keyspace: &str, password: &[u8], key_id: &str, message: &[u8], signature: &[u8]) -> Result<bool, VaultError> {
let data = self.unlock_keyspace(keyspace, password).await?;
let key = data.keypairs.iter().find(|k| k.id == key_id).ok_or(VaultError::KeyNotFound(key_id.to_string()))?;
match key.key_type {
KeyType::Ed25519 => {
use ed25519_dalek::{VerifyingKey, Signature, Verifier};
let verifying = VerifyingKey::from_bytes(&key.public_key.clone().try_into().map_err(|_| VaultError::Crypto("Invalid Ed25519 public key length".to_string()))?)
.map_err(|e| VaultError::Crypto(e.to_string()))?;
let sig = Signature::from_bytes(&signature.try_into().map_err(|_| VaultError::Crypto("Invalid Ed25519 signature length".to_string()))?);
Ok(verifying.verify(message, &sig).is_ok())
}
KeyType::Secp256k1 => {
use k256::ecdsa::{VerifyingKey, Signature, signature::Verifier};
let pk = VerifyingKey::from_sec1_bytes(&key.public_key).map_err(|e| VaultError::Crypto(e.to_string()))?;
let sig = Signature::from_der(signature).map_err(|e| VaultError::Crypto(e.to_string()))?;
Ok(pk.verify(message, &sig).is_ok())
}
/// Verify a signature with a stored keypair in a keyspace
///
/// # Arguments
/// * `keyspace` - Keyspace name
/// * `password` - Keyspace password
/// * `key_id` - Keypair ID
/// * `message` - Message that was signed
/// * `signature` - Signature to verify
pub async fn verify(&self, keyspace: &str, password: &[u8], key_id: &str, message: &[u8], signature: &[u8]) -> Result<bool, VaultError> {
let data = self.unlock_keyspace(keyspace, password).await?;
let key = data.keypairs.iter().find(|k| k.id == key_id).ok_or(VaultError::KeyNotFound(key_id.to_string()))?;
match key.key_type {
KeyType::Ed25519 => {
use ed25519_dalek::{VerifyingKey, Signature, Verifier};
let verifying = VerifyingKey::from_bytes(&key.public_key.clone().try_into().map_err(|_| VaultError::Crypto("Invalid Ed25519 public key length".to_string()))?)
.map_err(|e| VaultError::Crypto(e.to_string()))?;
let sig = Signature::from_bytes(&signature.try_into().map_err(|_| VaultError::Crypto("Invalid Ed25519 signature length".to_string()))?);
Ok(verifying.verify(message, &sig).is_ok())
}
KeyType::Secp256k1 => {
use k256::ecdsa::{VerifyingKey, Signature, signature::Verifier};
let pk = VerifyingKey::from_sec1_bytes(&key.public_key).map_err(|e| VaultError::Crypto(e.to_string()))?;
let sig = Signature::from_der(signature).map_err(|e| VaultError::Crypto(e.to_string()))?;
Ok(pk.verify(message, &sig).is_ok())
}
}
}
/// Encrypt a message using the keyspace symmetric cipher
/// (for simplicity, uses keyspace password-derived key)
pub async fn encrypt(&self, keyspace: &str, password: &[u8], plaintext: &[u8]) -> Result<Vec<u8>, VaultError> {
debug!("encrypt");
debug!("keyspace={}", keyspace);
use crate::crypto::{kdf};
// 1. Load keyspace metadata
let meta_bytes = self.storage.get(keyspace).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?;
let meta_bytes = match meta_bytes {
@@ -434,47 +365,14 @@ pub async fn encrypt(&self, keyspace: &str, password: &[u8], plaintext: &[u8]) -
return Err(VaultError::Serialization(e.to_string()));
}
};
debug!("salt={:?} cipher={} (hex salt: {})", meta.salt, meta.cipher, hex::encode(&meta.salt));
debug!("salt={:?} (hex salt: {})", meta.salt, hex::encode(&meta.salt));
// 2. Derive key
let key = match meta.kdf.as_str() {
"scrypt" => match kdf::derive_key_scrypt(password, &meta.salt, 32) {
Ok(val) => val,
Err(e) => {
debug!("kdf scrypt error: {}", e);
return Err(VaultError::Crypto(e));
}
},
"pbkdf2" => kdf::derive_key_pbkdf2(password, &meta.salt, 32, 10_000),
_ => {
debug!("unsupported KDF: {}", meta.kdf);
return Err(VaultError::Other(format!("Unsupported KDF: {}", meta.kdf)));
}
};
let key = kdf::derive_key_pbkdf2(password, &meta.salt, 32, 10_000);
// 3. Generate nonce
let nonce = random_salt(12);
debug!("nonce={:?} (hex nonce: {})", nonce, hex::encode(&nonce));
// 4. Encrypt
let ciphertext = match meta.cipher.as_str() {
"chacha20poly1305" => match encrypt_chacha20(&key, plaintext, &nonce) {
Ok(val) => val,
Err(e) => {
debug!("chacha20poly1305 error: {}", e);
return Err(VaultError::Crypto(e));
}
},
"aes-gcm" => match encrypt_aes_gcm(&key, plaintext, &nonce) {
Ok(val) => val,
Err(e) => {
debug!("aes-gcm error: {}", e);
return Err(VaultError::Crypto(e));
}
},
_ => {
debug!("unsupported cipher: {}", meta.cipher);
return Err(VaultError::Other(format!("Unsupported cipher: {}", meta.cipher)));
}
};
// 5. Prepend nonce to ciphertext
let ciphertext = encrypt_chacha20(&key, plaintext, &nonce).map_err(VaultError::Crypto)?;
let mut out = nonce;
out.extend_from_slice(&ciphertext);
Ok(out)
@@ -484,56 +382,31 @@ pub async fn encrypt(&self, keyspace: &str, password: &[u8], plaintext: &[u8]) -
/// (for simplicity, uses keyspace password-derived key)
pub async fn decrypt(&self, keyspace: &str, password: &[u8], ciphertext: &[u8]) -> Result<Vec<u8>, VaultError> {
debug!("decrypt");
debug!("keyspace={}", keyspace);
use crate::crypto::{kdf};
// 1. Fetch metadata
// 1. Load keyspace metadata
let meta_bytes = self.storage.get(keyspace).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?;
let meta_bytes = meta_bytes.ok_or(VaultError::KeyspaceNotFound(keyspace.to_string()))?;
let metadata: KeyspaceMetadata = serde_json::from_slice(&meta_bytes).map_err(|e| VaultError::Serialization(e.to_string()))?;
debug!("salt={:?} cipher={} (hex salt: {})", metadata.salt, metadata.cipher, hex::encode(&metadata.salt));
// 2. Derive key
let key = match metadata.kdf.as_str() {
"scrypt" => match kdf::derive_key_scrypt(password, &metadata.salt, 32) {
Ok(val) => val,
Err(e) => {
debug!("storage error: {:?}", e);
return Err(VaultError::Crypto(e));
}
},
"pbkdf2" => kdf::derive_key_pbkdf2(password, &metadata.salt, 32, 10_000),
_ => {
debug!("unsupported KDF: {}", metadata.kdf);
return Err(VaultError::Other(format!("Unsupported KDF: {}", metadata.kdf)));
let meta_bytes = match meta_bytes {
Some(val) => val,
None => {
debug!("keyspace not found");
return Err(VaultError::Other("Keyspace not found".to_string()));
}
};
// 3. Split nonce and ciphertext
if ciphertext.len() < 12 {
debug!("ciphertext too short: {}", ciphertext.len());
return Err(VaultError::Crypto("Ciphertext too short".to_string()));
}
let (nonce, ct) = ciphertext.split_at(12);
let meta: KeyspaceMetadata = match serde_json::from_slice(&meta_bytes) {
Ok(val) => val,
Err(e) => {
debug!("serialization error: {}", e);
return Err(VaultError::Serialization(e.to_string()));
}
};
debug!("salt={:?} (hex salt: {})", meta.salt, hex::encode(&meta.salt));
// 2. Derive key
let key = kdf::derive_key_pbkdf2(password, &meta.salt, 32, 10_000);
// 3. Extract nonce
let nonce = &ciphertext[..12];
debug!("nonce={:?} (hex nonce: {})", nonce, hex::encode(nonce));
// 4. Decrypt
let plaintext = match metadata.cipher.as_str() {
"chacha20poly1305" => match decrypt_chacha20(&key, ct, nonce) {
Ok(val) => val,
Err(e) => {
debug!("chacha20poly1305 error: {}", e);
return Err(VaultError::Crypto(e));
}
},
"aes-gcm" => match decrypt_aes_gcm(&key, ct, nonce) {
Ok(val) => val,
Err(e) => {
debug!("aes-gcm error: {}", e);
return Err(VaultError::Crypto(e));
}
},
_ => {
debug!("unsupported cipher: {}", metadata.cipher);
return Err(VaultError::Other(format!("Unsupported cipher: {}", metadata.cipher)));
}
};
let plaintext = decrypt_chacha20(&key, &ciphertext[12..], nonce).map_err(VaultError::Crypto)?;
Ok(plaintext)
}
} // <-- Close the impl block
}

18
vault/src/session.rs
View File

@@ -1,22 +1,4 @@
//! Session manager for the vault crate (optional)
use crate::data::KeyspaceData;
use std::collections::HashMap;
pub struct SessionManager {
unlocked_keyspaces: HashMap<String, KeyspaceData>,
current_keyspace: Option<String>,
current_keypair: Option<String>,
// ...
}
impl SessionManager {
pub fn new() -> Self {
Self {
unlocked_keyspaces: HashMap::new(),
current_keyspace: None,
current_keypair: None,
}
}
// ... methods for unlock, lock, select, timeout, etc.
}

2
vault/src/utils.rs
View File

@@ -7,7 +7,7 @@ pub fn now() -> u64 {
#[cfg(target_arch = "wasm32")]
{
// Use JS Date.now() in milliseconds, convert to seconds
use wasm_bindgen::prelude::*;
let date = js_sys::Date::new_0();
(date.get_time() / 1000.0) as u64
}

10
vault/tests/keypair_management.rs
View File

@@ -3,7 +3,7 @@
use vault::{Vault, KeyType, KeyMetadata};
use kvstore::native::NativeStore;
use log::{debug, info, error};
use log::debug;
#[tokio::test]
async fn test_keypair_management_and_crypto() {
@@ -16,23 +16,23 @@ async fn test_keypair_management_and_crypto() {
let mut vault = Vault::new(store);
#[cfg(target_arch = "wasm32")]
compile_error!("This test is not intended for wasm32 targets");
let keyspace = &format!("testspace_{}", chrono::Utc::now().timestamp_nanos());
let keyspace = &format!("testspace_{}", chrono::Utc::now().timestamp_nanos_opt().unwrap());
let password = b"supersecret";
debug!("keyspace: {} password: {}", keyspace, hex::encode(password));
debug!("before create_keyspace");
vault.create_keyspace(keyspace, password, "pbkdf2", "chacha20poly1305", None).await.unwrap();
vault.create_keyspace(keyspace, password, None).await.unwrap();
debug!("after create_keyspace: keyspace={} password={}", keyspace, hex::encode(password));
debug!("before add Ed25519 keypair");
let key_id = vault.add_keypair(keyspace, password, KeyType::Ed25519, Some(KeyMetadata { name: Some("edkey".into()), created_at: None, tags: None })).await;
let key_id = vault.add_keypair(keyspace, password, Some(KeyType::Ed25519), Some(KeyMetadata { name: Some("edkey".into()), created_at: None, tags: None })).await;
match &key_id {
Ok(_) => debug!("after add Ed25519 keypair (Ok)"),
Err(e) => debug!("after add Ed25519 keypair (Err): {:?}", e),
}
let key_id = key_id.unwrap();
debug!("before add secp256k1 keypair");
let secp_id = vault.add_keypair(keyspace, password, KeyType::Secp256k1, Some(KeyMetadata { name: Some("secpkey".into()), created_at: None, tags: None })).await.unwrap();
let secp_id = vault.add_keypair(keyspace, password, None, Some(KeyMetadata { name: Some("secpkey".into()), created_at: None, tags: None })).await.unwrap();
debug!("before list_keypairs");
let keys = vault.list_keypairs(keyspace, password).await.unwrap();

6
vault/tests/wasm_keypair_management.rs
View File

@@ -18,19 +18,19 @@ async fn wasm_test_keypair_management_and_crypto() {
log::debug!("Initialized vault and IndexedDB store");
// Step 1: Create keyspace
match vault.create_keyspace(keyspace, password, "pbkdf2", "chacha20poly1305", None).await {
match vault.create_keyspace(keyspace, password, None).await {
Ok(_) => log::debug!("Created keyspace"),
Err(e) => { log::debug!("Failed to create keyspace: {:?}", e); return; }
}
// Step 2: Add Ed25519 keypair
let key_id = match vault.add_keypair(keyspace, password, KeyType::Ed25519, Some(KeyMetadata { name: Some("edkey".into()), created_at: None, tags: None })).await {
let key_id = match vault.add_keypair(keyspace, password, Some(KeyType::Ed25519), Some(KeyMetadata { name: Some("edkey".into()), created_at: None, tags: None })).await {
Ok(id) => { log::debug!("Added Ed25519 keypair: {}", id); id },
Err(e) => { log::debug!("Failed to add Ed25519 keypair: {:?}", e); return; }
};
// Step 3: Add Secp256k1 keypair
let secp_id = match vault.add_keypair(keyspace, password, KeyType::Secp256k1, Some(KeyMetadata { name: Some("secpkey".into()), created_at: None, tags: None })).await {
let secp_id = match vault.add_keypair(keyspace, password, None, Some(KeyMetadata { name: Some("secpkey".into()), created_at: None, tags: None })).await {
Ok(id) => { log::debug!("Added Secp256k1 keypair: {}", id); id },
Err(e) => { log::debug!("Failed to add Secp256k1 keypair: {:?}", e); return; }
};

4
vault/vault_native_test/conf
View File

@@ -1,4 +0,0 @@
segment_size: 524288
use_compression: false
version: 0.34
vQ<>

BIN
vault/vault_native_test/db
View File

Binary file not shown.

BIN
vault/vault_native_test/snap.000000000000E741
View File

Binary file not shown.