hexvault 1.1.2

Cascading cell-partitioned encryption architecture.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250

//! Layered encryption sequencing.
//!
//! The stack defines how encryption is applied (bottom-up) and removed
//! (top-down). Each layer corresponds to a different trust boundary and
//! requires specific context to peel.

use serde::{Deserialize, Serialize};

use crate::crypto;
use crate::error::HexvaultError;
use crate::keys::{self, PartitionKey};

/// The three layers of the hexvault encryption stack.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
pub enum Layer {
    /// Layer 0: Base data protection (at-rest).
    AtRest = 0,
    /// Layer 1: Access policy enforcement.
    AccessGated = 1,
    /// Layer 2: Session lifetime enforcement.
    SessionBound = 2,
}

impl Layer {
    /// Returns the tag used for key derivation for this layer.
    fn tag(&self) -> &'static str {
        match self {
            Self::AtRest => keys::layer_tag::AT_REST,
            Self::AccessGated => keys::layer_tag::ACCESS_GATED,
            Self::SessionBound => keys::layer_tag::SESSION_BOUND,
        }
    }
}

/// Context required to peel or seal specific layers.
///
/// Fields are validated on construction: `Some("")` (empty string) is rejected
/// to prevent silent key-derivation collisions.
///
/// Callers must use a `TokenResolver` to generate instances, or construct
/// via `LayerContext::new()` / `LayerContext::empty()`.
#[derive(Debug, Clone, Default)]
pub struct LayerContext {
    access_policy_id: Option<String>,
    session_id: Option<String>,
}

impl LayerContext {
    /// Create an empty context for Layer 0 (AtRest) operations.
    pub fn empty() -> Self {
        Self::default()
    }

    /// Create a new `LayerContext`.
    ///
    /// # Errors
    ///
    /// Returns `HexvaultError::MissingOrInvalidContext` if either ID is
    /// `Some("")` (empty string). An empty string would derive the same
    /// Layer 2 key for all sessions or the same Layer 1 key for all
    /// access policies — collapsing the isolation guarantee.
    pub fn new(
        access_policy_id: Option<String>,
        session_id: Option<String>,
    ) -> Result<Self, HexvaultError> {
        if let Some(ref id) = access_policy_id {
            if id.is_empty() {
                return Err(HexvaultError::MissingOrInvalidContext);
            }
        }
        if let Some(ref id) = session_id {
            if id.is_empty() {
                return Err(HexvaultError::MissingOrInvalidContext);
            }
        }
        Ok(Self {
            access_policy_id,
            session_id,
        })
    }
}

/// Resolves opaque authentication/capability tokens into structured `LayerContext`s.
pub trait TokenResolver: Send + Sync {
    /// Exchange a token for a LayerContext representing the active security policies.
    fn resolve(&self, token: &str) -> Result<LayerContext, HexvaultError>;
}

impl LayerContext {
    /// Get the context ID string for a specific layer.
    fn get_id_for_layer(&self, layer: Layer) -> Result<String, HexvaultError> {
        match layer {
            Layer::AtRest => Ok(String::new()),
            Layer::AccessGated => self
                .access_policy_id
                .clone()
                .ok_or(HexvaultError::MissingOrInvalidContext),
            Layer::SessionBound => self
                .session_id
                .clone()
                .ok_or(HexvaultError::MissingOrInvalidContext),
        }
    }
}

/// Build the AAD (Additional Authenticated Data) for a specific cell and layer.
///
/// The AAD binds the ciphertext to its cell and layer, preventing cross-cell
/// and cross-layer replay attacks. Even if two cells share identical keys
/// (impossible under correct HKDF usage), the AAD check would still reject
/// replayed ciphertext.
fn build_aad(cell_id: &str, layer: Layer) -> Vec<u8> {
    format!("hexvault:{}:{}", cell_id, layer.tag()).into_bytes()
}

/// Seal a payload into the stack up to the target layer.
///
/// Encryption is applied bottom-up: Layer 0 -> Layer 1 -> ... -> target.
pub fn seal(
    partition_key: &PartitionKey,
    cell_id: &str,
    target: Layer,
    context: &LayerContext,
    plaintext: &[u8],
) -> Result<Vec<u8>, HexvaultError> {
    let mut current_data = plaintext.to_vec();

    // Iterate through layers from 0 up to and including the target layer.
    for i in 0..=(target as usize) {
        let layer = match i {
            0 => Layer::AtRest,
            1 => Layer::AccessGated,
            2 => Layer::SessionBound,
            _ => return Err(HexvaultError::InvalidLayer),
        };

        let context_id = context.get_id_for_layer(layer)?;
        let key = keys::derive_key(partition_key, cell_id, layer.tag(), &context_id)?;
        let aad = build_aad(cell_id, layer);

        current_data = crypto::encrypt(key.as_bytes(), &current_data, &aad)?;
    }

    Ok(current_data)
}

/// Peel a payload from its current top layer down to plaintext.
///
/// Decryption is applied top-down: current -> ... -> Layer 0.
pub fn peel(
    partition_key: &PartitionKey,
    cell_id: &str,
    current_top: Layer,
    context: &LayerContext,
    ciphertext: &[u8],
) -> Result<Vec<u8>, HexvaultError> {
    let mut current_data = ciphertext.to_vec();

    // Iterate through layers from the top layer down to 0.
    for i in (0..=(current_top as usize)).rev() {
        let layer = match i {
            0 => Layer::AtRest,
            1 => Layer::AccessGated,
            2 => Layer::SessionBound,
            _ => return Err(HexvaultError::InvalidLayer),
        };

        let context_id = context.get_id_for_layer(layer)?;
        let key = keys::derive_key(partition_key, cell_id, layer.tag(), &context_id)?;
        let aad = build_aad(cell_id, layer);

        current_data = crypto::decrypt(key.as_bytes(), &current_data, &aad)?;
    }

    Ok(current_data)
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::keys::{self, MasterKey};

    #[test]
    fn test_seal_peel_roundtrip() {
        let master = MasterKey::from_bytes([0u8; 32]);
        let partition = keys::derive_partition_key(&master, "p1").unwrap();
        let cell_id = "test-cell";
        let plaintext = b"secret message";
        let context = LayerContext::new(
            Some("policy-123".to_string()),
            Some("session-456".to_string()),
        )
        .unwrap();

        // Test roundtrip for each layer depth.
        for layer in [Layer::AtRest, Layer::AccessGated, Layer::SessionBound] {
            let sealed = seal(&partition, cell_id, layer, &context, plaintext).unwrap();
            let peeled = peel(&partition, cell_id, layer, &context, &sealed).unwrap();
            assert_eq!(plaintext, &peeled[..]);
        }
    }

    #[test]
    fn test_peel_fails_with_wrong_context() {
        let master = MasterKey::from_bytes([0u8; 32]);
        let partition = keys::derive_partition_key(&master, "p1").unwrap();
        let cell_id = "test-cell";
        let plaintext = b"secret message";
        let context = LayerContext::new(
            Some("correct-policy".to_string()),
            Some("correct-session".to_string()),
        )
        .unwrap();

        let sealed = seal(
            &partition,
            cell_id,
            Layer::SessionBound,
            &context,
            plaintext,
        )
        .unwrap();

        // Wrong session ID
        let wrong_context = LayerContext::new(
            Some("correct-policy".to_string()),
            Some("wrong-session".to_string()),
        )
        .unwrap();
        assert!(peel(
            &partition,
            cell_id,
            Layer::SessionBound,
            &wrong_context,
            &sealed
        )
        .is_err());

        // Missing access policy
        let missing_context = LayerContext::new(None, None).unwrap();
        assert!(peel(
            &partition,
            cell_id,
            Layer::SessionBound,
            &missing_context,
            &sealed
        )
        .is_err());
    }
}