alterion_encrypt/lib.rs
1// SPDX-License-Identifier: GPL-3.0
2//! # alterion-encrypt
3//!
4//! The primary entry point is [`interceptor::Interceptor`]: mount it as an Actix-web middleware
5//! and every encrypted request is transparently decrypted, and every response re-encrypted,
6//! using the X25519 ECDH + AES-256-GCM + HMAC-SHA256 pipeline.
//!
//! Security note: X25519 on its own is an *unauthenticated* key agreement. If the server's
//! public key (see [`get_current_public_key`]) reaches clients over a channel they cannot
//! authenticate, an active attacker can interpose on the handshake and read every request.
//! Serve the key — and the endpoints — over TLS, or pin the key client-side; this layer
//! complements transport security rather than replacing it.
7//!
8//! ## Example
9//!
10//! ```rust,no_run
11//! use alterion_encrypt::{init_key_store, init_handshake_store, start_rotation};
12//! use alterion_encrypt::interceptor::{Interceptor, DecryptedBody};
13//! use actix_web::{web, App, HttpServer, HttpRequest, HttpMessage, HttpResponse, post, get};
14//!
15//! #[post("/api/example")]
16//! async fn example_handler(req: HttpRequest) -> HttpResponse {
17//! let body = match req.extensions().get::<DecryptedBody>().cloned() {
18//! Some(b) => b,
19//! None => return HttpResponse::BadRequest().body("missing encrypted body"),
20//! };
21//! // body.0 is the raw decrypted bytes — deserialise however you like. Decryption only
//! // shows the sender held the session key; it says nothing about the payload being
//! // well-formed, so validate after deserialising (bounded size, strict schema).
22//! HttpResponse::Ok().json(serde_json::json!({ "ok": true }))
23//! }
24//!
25//! #[actix_web::main]
26//! async fn main() -> std::io::Result<()> {
27//! // Rotate ECDH keys every hour (both 3600 arguments are seconds).
//! // NOTE(review): the 5-minute window during which the previous key stays live is not
//! // set by anything in these arguments — confirm it is the library default before relying on it.
28//! let store = init_key_store(3600);
29//! let hs = init_handshake_store();
30//! start_rotation(store.clone(), 3600, hs.clone());
31//!
32//! HttpServer::new(move || {
33//! App::new()
34//! .wrap(Interceptor { key_store: store.clone(), handshake_store: hs.clone(), replay_store: None })
35//! .service(example_handler)
36//! })
37//! .bind("0.0.0.0:8080")?
38//! .run()
39//! .await
40//! }
41//! ```
//!
//! The example passes `replay_store: None`. Presumably that disables replay detection for
//! decrypted requests — confirm against [`interceptor::Interceptor`] — in which case a captured
//! ciphertext can be resubmitted until the key it was encrypted under is rotated out.
//! Production deployments should supply a replay store rather than `None`.
42
/// Actix-web middleware layer: [`interceptor::Interceptor`] decrypts incoming requests and
/// re-encrypts responses, exposing the plaintext to handlers as [`interceptor::DecryptedBody`].
pub mod interceptor;
/// Supporting utilities; not documented in this file — see `tools.rs`.
pub mod tools;
45
46pub use alterion_ecdh::{
47 KeyStore, KeyEntry, EcdhError, HandshakeStore,
48 init_key_store, init_handshake_store,
49 start_rotation, get_current_public_key,
50 ecdh, init_handshake, ecdh_ephemeral, prune_handshakes,
51};