agent-vault 0.1.0

Zero-trust credential manager for AI agents
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

use std::io::{Read, Write};

use secrecy::{ExposeSecret, SecretString};

use crate::error::VaultError;

/// Generate a new age X25519 keypair. Returns (secret_key_string, public_key_string).
pub fn generate_keypair() -> (SecretString, String) {
    let identity = age::x25519::Identity::generate();
    let secret = identity.to_string();
    let public = identity.to_public().to_string();
    (SecretString::from(secret.expose_secret().to_string()), public)
}

/// Parse an age identity (private key) from its string representation.
pub fn parse_identity(key_str: &str) -> Result<age::x25519::Identity, VaultError> {
    key_str
        .parse::<age::x25519::Identity>()
        .map_err(|e| VaultError::AgeKey(e.to_string()))
}

/// Parse an age recipient (public key) from its string representation.
pub fn parse_recipient(key_str: &str) -> Result<age::x25519::Recipient, VaultError> {
    key_str
        .parse::<age::x25519::Recipient>()
        .map_err(|e| VaultError::AgeKey(e.to_string()))
}

/// Encrypt plaintext for multiple recipients. Returns the encrypted bytes.
pub fn encrypt(plaintext: &[u8], recipients: &[age::x25519::Recipient]) -> Result<Vec<u8>, VaultError> {
    let encryptor = age::Encryptor::with_recipients(
        recipients.iter().map(|r| r as &dyn age::Recipient),
    )
    .map_err(|e| VaultError::AgeEncrypt(e.to_string()))?;

    let mut encrypted = vec![];
    let mut writer = encryptor
        .wrap_output(&mut encrypted)
        .map_err(|e| VaultError::AgeEncrypt(e.to_string()))?;
    writer
        .write_all(plaintext)
        .map_err(|e| VaultError::AgeEncrypt(e.to_string()))?;
    writer
        .finish()
        .map_err(|e| VaultError::AgeEncrypt(e.to_string()))?;

    Ok(encrypted)
}

/// Decrypt ciphertext using an identity. Returns the plaintext as a SecretString.
pub fn decrypt(ciphertext: &[u8], identity: &age::x25519::Identity) -> Result<SecretString, VaultError> {
    let decryptor = age::Decryptor::new(ciphertext)
        .map_err(|e| VaultError::AgeDecrypt(e.to_string()))?;

    let mut reader = decryptor
        .decrypt(std::iter::once(identity as &dyn age::Identity))
        .map_err(|e| VaultError::AgeDecrypt(e.to_string()))?;

    let mut plaintext = String::new();
    reader
        .read_to_string(&mut plaintext)
        .map_err(|e| VaultError::AgeDecrypt(e.to_string()))?;

    Ok(SecretString::from(plaintext))
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_roundtrip() {
        let (secret, public) = generate_keypair();
        let recipient = parse_recipient(&public).unwrap();
        let identity = parse_identity(secret.expose_secret()).unwrap();

        let plaintext = b"hello world";
        let ciphertext = encrypt(plaintext, &[recipient]).unwrap();
        let decrypted = decrypt(&ciphertext, &identity).unwrap();
        assert_eq!(decrypted.expose_secret(), "hello world");
    }

    #[test]
    fn test_multi_recipient() {
        let (secret1, public1) = generate_keypair();
        let (secret2, public2) = generate_keypair();
        let r1 = parse_recipient(&public1).unwrap();
        let r2 = parse_recipient(&public2).unwrap();
        let id1 = parse_identity(secret1.expose_secret()).unwrap();
        let id2 = parse_identity(secret2.expose_secret()).unwrap();

        let ciphertext = encrypt(b"multi", &[r1, r2]).unwrap();
        assert_eq!(decrypt(&ciphertext, &id1).unwrap().expose_secret(), "multi");
        assert_eq!(decrypt(&ciphertext, &id2).unwrap().expose_secret(), "multi");
    }
}