hsh-kms 0.0.10

Pepper / KMS integration for the hsh crate: HMAC-SHA-256 pepper application with versioned keys and pluggable KMS backends.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281

#![forbid(unsafe_code)]
#![cfg_attr(
    test,
    allow(clippy::unwrap_used, clippy::expect_used, clippy::panic)
)]
// Copyright © 2023-2026 Hash (HSH) library contributors. All rights reserved.
// SPDX-License-Identifier: Apache-2.0 OR MIT

//! # `hsh-kms` — pepper / KMS integration for `hsh`
//!
//! This crate provides the [`Pepper`] trait and a small set of
//! pluggable backends that let an application "pepper" its passwords
//! with a secret key held outside the password database — typically in
//! AWS KMS, Google Cloud KMS, Azure Key Vault, or HashiCorp Vault.
//!
//! ## The pepper pattern
//!
//! A *pepper* is a server-side secret applied to every password before
//! it is hashed. Unlike a per-password salt (which lives next to the
//! hash), the pepper is **the same for every password** and lives in a
//! separate trust boundary — usually a KMS / HSM that the password
//! database cannot read.
//!
//! Concretely, [`Pepper::apply`] computes
//! `HMAC-SHA-256(key_at(version), password)` and returns the 32-byte
//! tag, which the `hsh` crate then feeds into Argon2id / bcrypt /
//! scrypt as if it were the user's password.
//!
//! ### Why
//!
//! - **Defence in depth** — an attacker who steals only the password
//!   DB cannot brute-force credentials offline because they're missing
//!   the pepper.
//! - **Rotatable** — bump [`KeyVersion`] periodically; on each
//!   successful login under the old version, `hsh::api::verify_and_upgrade`
//!   re-hashes under the new version transparently.
//! - **Compliance** — PCI DSS 4.0 §3.5.1.1 effectively requires this
//!   for PAN hashing; many SOC 2 / ISO 27001 auditors expect it for
//!   password storage too.
//!
//! ## Backends
//!
//! - [`LocalPepper`] — keys held in process memory. Safe for tests,
//!   short-lived workloads, or apps without a KMS.
//! - `aws::fetch_pepper` (feature `aws-kms`) — fetch a key from AWS
//!   KMS via the `aws-sdk-kms` crate, returning a [`LocalPepper`]
//!   snapshot.
//! - `gcp::fetch_pepper` (feature `gcp-kms`) — likewise for GCP Cloud
//!   KMS.
//! - `azure::fetch_pepper` (feature `azure-key-vault`).
//! - `vault::fetch_pepper` (feature `hashicorp-vault`).
//!
//! Provider implementations are currently **stubs** that document the
//! intended interface; the real network calls land incrementally as
//! they get integration-tested against the cloud providers.
//!
//! ## Example
//!
//! ```
//! use hsh_kms::{KeyVersion, LocalPepper, Pepper};
//!
//! let pepper = LocalPepper::builder()
//!     .add(KeyVersion::new(1), b"the-server-pepper-v1-DO-NOT-COMMIT".to_vec())
//!     .current(KeyVersion::new(1))
//!     .build()
//!     .unwrap();
//!
//! let tag = pepper.apply(KeyVersion::new(1), b"correct horse").unwrap();
//! assert_eq!(tag.len(), 32);
//! ```

pub mod error;

#[cfg(feature = "aws-kms")]
pub mod aws;
#[cfg(feature = "azure-key-vault")]
pub mod azure;
#[cfg(feature = "gcp-kms")]
pub mod gcp;
#[cfg(feature = "hashicorp-vault")]
pub mod vault;

use std::collections::BTreeMap;
use std::fmt;

use hmac::{Hmac, Mac};
use sha2::Sha256;
use zeroize::Zeroize;

pub use error::PepperError;

/// A monotonically increasing key version used to identify which pepper
/// was applied to a given password hash. Stored alongside the hash so
/// rotation is non-destructive.
#[derive(Clone, Copy, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
pub struct KeyVersion(u32);

impl KeyVersion {
    /// Constructs a `KeyVersion`.
    #[must_use]
    pub const fn new(v: u32) -> Self {
        Self(v)
    }

    /// Returns the underlying `u32`.
    #[must_use]
    pub const fn get(self) -> u32 {
        self.0
    }
}

impl Default for KeyVersion {
    fn default() -> Self {
        Self(1)
    }
}

impl fmt::Display for KeyVersion {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}", self.0)
    }
}

/// A pepper provider — produces an HMAC-SHA-256 tag over the password
/// keyed by the secret material for a given [`KeyVersion`].
///
/// Implementations must be `Send + Sync` so a `Policy` carrying a
/// pepper can be shared across worker threads.
pub trait Pepper: fmt::Debug + Send + Sync {
    /// Computes `HMAC-SHA-256(key_at(version), password)` and returns
    /// the 32-byte tag. Errors if the requested `version` is not
    /// available in this provider.
    ///
    /// # Errors
    ///
    /// Returns [`PepperError::UnknownVersion`] if the version isn't
    /// stored, or [`PepperError::Backend`] if the backend (KMS) fails.
    fn apply(
        &self,
        version: KeyVersion,
        password: &[u8],
    ) -> Result<[u8; 32], PepperError>;

    /// Returns the key version to use for *new* hashes. Older versions
    /// remain usable via [`Pepper::apply`] for verifying existing
    /// hashes; rotation is handled by `hsh::api::verify_and_upgrade`.
    fn current(&self) -> KeyVersion;
}

/// In-memory pepper provider. **Keys live in process memory** — use a
/// real KMS for production secrets.
pub struct LocalPepper {
    keys: BTreeMap<KeyVersion, Vec<u8>>,
    current: KeyVersion,
}

impl LocalPepper {
    /// Starts building a `LocalPepper`.
    #[must_use]
    pub fn builder() -> LocalPepperBuilder {
        LocalPepperBuilder::default()
    }

    /// Returns the set of key versions held in memory, sorted ascending.
    #[must_use]
    pub fn versions(&self) -> Vec<KeyVersion> {
        self.keys.keys().copied().collect()
    }
}

impl Pepper for LocalPepper {
    fn apply(
        &self,
        version: KeyVersion,
        password: &[u8],
    ) -> Result<[u8; 32], PepperError> {
        let key = self
            .keys
            .get(&version)
            .ok_or(PepperError::UnknownVersion(version))?;

        let mut mac = <Hmac<Sha256> as Mac>::new_from_slice(key)
            .map_err(|e| PepperError::Backend(e.to_string()))?;
        mac.update(password);
        let tag = mac.finalize().into_bytes();
        let mut out = [0u8; 32];
        out.copy_from_slice(&tag);
        Ok(out)
    }

    fn current(&self) -> KeyVersion {
        self.current
    }
}

impl fmt::Debug for LocalPepper {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Never expose the raw key bytes — only metadata.
        f.debug_struct("LocalPepper")
            .field("versions", &self.keys.keys().collect::<Vec<_>>())
            .field("current", &self.current)
            .finish()
    }
}

impl Drop for LocalPepper {
    fn drop(&mut self) {
        for k in self.keys.values_mut() {
            k.zeroize();
        }
    }
}

/// Builder for [`LocalPepper`].
#[derive(Debug, Default)]
pub struct LocalPepperBuilder {
    keys: BTreeMap<KeyVersion, Vec<u8>>,
    current: Option<KeyVersion>,
}

impl LocalPepperBuilder {
    /// Registers a key at `version`. Keys should be at least 32 bytes
    /// of cryptographic-quality entropy (typically the OS CSPRNG).
    #[must_use]
    pub fn add(mut self, version: KeyVersion, key: Vec<u8>) -> Self {
        let _ = self.keys.insert(version, key);
        self
    }

    /// Sets the current key version used for new hashes. Must match
    /// one of the versions registered via [`add`](Self::add).
    #[must_use]
    pub fn current(mut self, version: KeyVersion) -> Self {
        self.current = Some(version);
        self
    }

    /// Finalises the builder.
    ///
    /// # Errors
    ///
    /// - [`PepperError::EmptyKeyset`] if no keys were added.
    /// - [`PepperError::UnknownVersion`] if the `current` version
    ///   isn't in the keyset.
    /// - [`PepperError::KeyTooShort`] if any registered key is shorter
    ///   than 16 bytes (a sanity floor — production keys should be 32+).
    pub fn build(self) -> Result<LocalPepper, PepperError> {
        if self.keys.is_empty() {
            return Err(PepperError::EmptyKeyset);
        }
        for (v, k) in &self.keys {
            if k.len() < 16 {
                return Err(PepperError::KeyTooShort {
                    version: *v,
                    actual: k.len(),
                    minimum: 16,
                });
            }
        }
        let current = self
            .current
            .or_else(|| self.keys.keys().last().copied())
            .ok_or(PepperError::EmptyKeyset)?;
        if !self.keys.contains_key(&current) {
            return Err(PepperError::UnknownVersion(current));
        }
        Ok(LocalPepper {
            keys: self.keys,
            current,
        })
    }
}

// Note: the historical `#[cfg(test)] mod tests { ... }` block lived
// here and exercised LocalPepper / KeyVersion / PepperError through
// the public surface. CodeQL's `rust/hard-coded-cryptographic-value`
// heuristic flagged the test fixtures (deterministic byte literals
// passed to `Pepper::apply`) because inline tests in `src/` aren't
// caught by the path-exclusion config that covers `tests/`. The
// tests moved to `crates/hsh-kms/tests/coverage.rs` for that reason;
// no test was deleted, only relocated.