dhsd 0.5.0

SCION endhost SDK observability utilities
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

// Copyright 2025 Anapaya Systems
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//   http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//! DHSD state

use std::iter::IntoIterator;

use ring::hmac;

/// DhsdState
#[derive(zeroize::ZeroizeOnDrop, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct DhsdSecret([u8; 32]);

/// A label for a node in a secret tree.
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct NodeLabel([u8; 32]);

impl DhsdSecret {
    /// Create a new DhsdSecret from the root secret.
    pub fn from_root_secret(root_secret: [u8; 32]) -> Self {
        Self::from(root_secret)
    }

    /// Derive a new secret state based on a single node label.
    pub fn derive(&self, label: NodeLabel) -> Self {
        let mut key = hmac::Key::new(hmac::HMAC_SHA256, &self.0);
        let mut tag = hmac::sign(&key, &label.0);

        let mut inner = [0u8; 32];
        inner.copy_from_slice(tag.as_ref());
        unsafe {
            // ring::hmac::Tag does _not_ implement Zeroize, so we do it
            // manually here.
            zeroize::zeroize_flat_type(&mut key);
            zeroize::zeroize_flat_type(&mut tag);
        }
        Self(inner)
    }

    /// Derive new secret state based on path.
    pub fn derive_from_iter<P: IntoIterator<Item = NodeLabel>>(&self, path: P) -> Self {
        path.into_iter()
            .fold(self.clone(), |a, label| a.derive(label))
    }

    /// Returns the secret as a byte slice.
    pub fn as_array(&self) -> [u8; 32] {
        self.0
    }
}

impl From<[u8; 32]> for DhsdSecret {
    fn from(value: [u8; 32]) -> Self {
        Self(value)
    }
}

impl From<[u8; 32]> for NodeLabel {
    fn from(value: [u8; 32]) -> Self {
        Self(value)
    }
}

impl From<DhsdSecret> for [u8; 32] {
    fn from(value: DhsdSecret) -> Self {
        value.0
    }
}

impl From<&DhsdSecret> for [u8; 32] {
    fn from(value: &DhsdSecret) -> Self {
        value.0
    }
}

impl std::fmt::Debug for DhsdSecret {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_tuple("DhsdState").field(&"...").finish()
    }
}

impl From<&str> for NodeLabel {
    fn from(value: &str) -> Self {
        let d = ring::digest::digest(&ring::digest::SHA256, value.as_bytes());
        let mut inner = [0u8; 32];
        inner.copy_from_slice(d.as_ref());
        Self(inner)
    }
}

impl From<String> for NodeLabel {
    fn from(value: String) -> Self {
        Self::from(value.as_str())
    }
}

impl From<&String> for NodeLabel {
    fn from(value: &String) -> Self {
        Self::from(value.as_str())
    }
}