Expand description
§ASH Core
ASH (Anti-tamper Security Hash) is a request integrity and anti-replay protection library.
This crate provides the core functionality for:
- Deterministic JSON and URL-encoded payload canonicalization
- Cryptographic proof generation and verification
- Constant-time comparison for timing-attack resistance
- Binding normalization for endpoint protection
§Features
- Tamper Detection: Cryptographic proof ensures payload integrity
- Replay Prevention: One-time contexts prevent request replay
- Deterministic: Byte-identical output across all platforms
- WASM Compatible: Works in browsers and server environments
§Example
use ash_core::{canonicalize_json, build_proof, AshMode};
// Canonicalize a JSON payload
let canonical = canonicalize_json(r#"{"z":1,"a":2}"#).unwrap();
assert_eq!(canonical, r#"{"a":2,"z":1}"#);
// Build a proof
let proof = build_proof(
AshMode::Balanced,
"POST /api/update",
"context-id-123",
None,
&canonical,
).unwrap();§Security Notes
ASH verifies what is being submitted, not who is submitting it. It should be used alongside authentication systems (JWT, OAuth, etc.).
Modules§
- config
- ASH Configuration Module.
Structs§
- AshError
- Main error type for ASH operations.
- Build
Proof Input - Input for building a proof.
- Unified
Proof Result - Result from unified proof generation.
- Verify
Input - Input for verifying a proof.
Enums§
- AshError
Code - Error codes for ASH protocol.
- AshMode
- Security mode for ASH verification.
Constants§
- ASH_
SDK_ VERSION - ASH SDK version (library version).
- ASH_
VERSION_ PREFIX - ASH v1 protocol version prefix.
- ASH_
VERSION_ PREFIX_ V21 - ASH v2.1 protocol version prefix.
Functions§
- build_
proof - Build a cryptographic proof for request integrity.
- build_
proof_ v21 - Build v2.1 cryptographic proof (client-side).
- build_
proof_ v21_ scoped - Build v2.2 cryptographic proof with scoped fields.
- build_
proof_ v21_ unified - Build unified v2.3 cryptographic proof (client-side).
- canonicalize_
json - Canonicalize a JSON string to deterministic form.
- canonicalize_
query - Canonicalize a URL query string according to ASH v2.3.1 specification.
- canonicalize_
urlencoded - Canonicalize URL-encoded form data.
- derive_
client_ secret - Derive client secret from server nonce (v2.1).
- extract_
scoped_ fields - Extract scoped fields from a JSON value.
- generate_
context_ id - Generate a unique context ID with “ash_” prefix.
- generate_
nonce - Generate a cryptographically secure random nonce.
- hash_
body - Compute SHA-256 hash of canonical body.
- hash_
proof - Hash a proof for chaining purposes.
- hash_
scoped_ body - Hash scoped payload for client-side use.
- normalize_
binding - Normalize a binding string to canonical form (v2.3.2+ format).
- normalize_
binding_ from_ url - Normalize a binding from a full URL path (including query string).
- timing_
safe_ equal - Perform a constant-time comparison of two byte slices.
- verify_
proof - Verify a proof using constant-time comparison.
- verify_
proof_ v21 - Verify v2.1 proof (server-side).
- verify_
proof_ v21_ scoped - Verify v2.2 proof with scoped fields.
- verify_
proof_ v21_ unified - Verify unified v2.3 proof (server-side).