Skip to main content

Crate alterion_encrypt

Crate alterion_encrypt 

Source
Expand description

§alterion-encrypt

The primary entry point is interceptor::Interceptor: mount it as an Actix-web middleware and every encrypted request is transparently decrypted, and every response re-encrypted, using the X25519 ECDH + AES-256-GCM + HMAC-SHA256 pipeline.

§Example

use alterion_encrypt::{init_key_store, init_handshake_store, start_rotation};
use alterion_encrypt::interceptor::{Interceptor, DecryptedBody};
use actix_web::{web, App, HttpServer, HttpRequest, HttpMessage, HttpResponse, post, get};

#[post("/api/example")]
async fn example_handler(req: HttpRequest) -> HttpResponse {
    let body = match req.extensions().get::<DecryptedBody>().cloned() {
        Some(b) => b,
        None    => return HttpResponse::BadRequest().body("missing encrypted body"),
    };
    // body.0 is the raw decrypted bytes — deserialise however you like
    HttpResponse::Ok().json(serde_json::json!({ "ok": true }))
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    // Rotate ECDH keys every hour; keep the previous key live for 5 minutes.
    let store = init_key_store(3600);
    let hs    = init_handshake_store();
    start_rotation(store.clone(), 3600, hs.clone());

    HttpServer::new(move || {
        App::new()
            .wrap(Interceptor { key_store: store.clone(), handshake_store: hs.clone(), replay_store: None })
            .service(example_handler)
    })
    .bind("0.0.0.0:8080")?
    .run()
    .await
}

Modules§

interceptor
tools

Structs§

HandshakeStore
Thread-safe store of pending ephemeral handshake entries, keyed by handshake ID.
KeyEntry
KeyStore

Enums§

EcdhError

Functions§

ecdh
Performs X25519 ECDH using the server key identified by key_id and the client’s ephemeral public key bytes. Returns (shared_secret, server_public_key_bytes).
ecdh_ephemeral
Performs a use-once X25519 ECDH using a handshake entry created by init_handshake. Removes the entry on success — replaying the same handshake ID returns EcdhError::KeyExpired.
get_current_public_key
Returns (key_id, base64_public_key) for the currently active key.
init_handshake
Generates a fresh ephemeral X25519 key pair, stores the private key in hs with a 60-second TTL, and returns (handshake_id, base64_public_key).
init_handshake_store
Creates an empty HandshakeStore. Call once at startup and share the handle across all workers.
init_key_store
Generates an initial X25519 key pair and wraps it in a shared, RwLock-guarded KeyStore.
prune_handshakes
Removes all expired handshake entries from hs. Call periodically (e.g. every 30 seconds).
start_rotation
Spawns two background tasks: