Crate ash_core

Crate ash_core 

Source
Expand description

§ASH Core

ASH (Anti-tamper Security Hash) is a request integrity and anti-replay protection library.

This crate provides the core functionality for:

  • Deterministic JSON and URL-encoded payload canonicalization
  • Cryptographic proof generation and verification
  • Constant-time comparison for timing-attack resistance
  • Binding normalization for endpoint protection

§Features

  • Tamper Detection: Cryptographic proof ensures payload integrity
  • Replay Prevention: One-time contexts prevent request replay
  • Deterministic: Byte-identical output across all platforms
  • WASM Compatible: Works in browsers and server environments

§Example

use ash_core::{canonicalize_json, build_proof, AshMode};

// Canonicalize a JSON payload
let canonical = canonicalize_json(r#"{"z":1,"a":2}"#).unwrap();
assert_eq!(canonical, r#"{"a":2,"z":1}"#);

// Build a proof
let proof = build_proof(
    AshMode::Balanced,
    "POST /api/update",
    "context-id-123",
    None,
    &canonical,
).unwrap();

§Security Notes

ASH verifies what is being submitted, not who is submitting it. It should be used alongside authentication systems (JWT, OAuth, etc.).

Structs§

AshError
Main error type for ASH operations.
BuildProofInput
Input for building a proof.
UnifiedProofResult
Result from unified proof generation.
VerifyInput
Input for verifying a proof.

Enums§

AshErrorCode
Error codes for ASH protocol.
AshMode
Security mode for ASH verification.

Functions§

build_proof
Build a cryptographic proof for request integrity.
build_proof_v21
Build v2.1 cryptographic proof (client-side).
build_proof_v21_scoped
Build v2.2 cryptographic proof with scoped fields.
build_proof_v21_unified
Build unified v2.3 cryptographic proof (client-side).
canonicalize_json
Canonicalize a JSON string to deterministic form.
canonicalize_urlencoded
Canonicalize URL-encoded form data.
derive_client_secret
Derive client secret from server nonce (v2.1).
extract_scoped_fields
Extract scoped fields from a JSON value.
generate_context_id
Generate a unique context ID with “ash_” prefix.
generate_nonce
Generate a cryptographically secure random nonce.
hash_body
Compute SHA-256 hash of canonical body.
hash_proof
Hash a proof for chaining purposes.
hash_scoped_body
Hash scoped payload for client-side use.
normalize_binding
Normalize a binding string to canonical form.
timing_safe_equal
Perform a constant-time comparison of two byte slices.
verify_proof
Verify a proof using constant-time comparison.
verify_proof_v21
Verify v2.1 proof (server-side).
verify_proof_v21_scoped
Verify v2.2 proof with scoped fields.
verify_proof_v21_unified
Verify unified v2.3 proof (server-side).