lazy-locker 0.0.7

A secure local secrets manager with TUI interface and SDK support
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

use aes_gcm::aead::{Aead, KeyInit};
use aes_gcm::{Aes256Gcm, Key, Nonce};
use anyhow::Result;
use rand::Rng;

pub fn encrypt(data: &[u8], key: &[u8]) -> Result<Vec<u8>> {
    let key = Key::<Aes256Gcm>::from_slice(key);
    let cipher = Aes256Gcm::new(key);
    let nonce: [u8; 12] = rand::rng().random();
    let ciphertext = cipher
        .encrypt(Nonce::from_slice(&nonce), data)
        .map_err(|e| anyhow::anyhow!("Encryption error: {}", e))?;
    let mut result = nonce.to_vec();
    result.extend(ciphertext);
    Ok(result)
}

pub fn decrypt(data: &[u8], key: &[u8]) -> Result<Vec<u8>> {
    let key = Key::<Aes256Gcm>::from_slice(key);
    let cipher = Aes256Gcm::new(key);
    let (nonce, ciphertext) = data.split_at(12);
    let plaintext = cipher
        .decrypt(Nonce::from_slice(nonce), ciphertext)
        .map_err(|e| anyhow::anyhow!("Decryption error: {}", e))?;
    Ok(plaintext)
}

#[cfg(test)]
mod tests {
    use super::*;

    /// Generates a valid 32-byte test key
    fn test_key() -> [u8; 32] {
        [0x42u8; 32] // Deterministic key for testing
    }

    #[test]
    fn test_encrypt_produces_different_output() {
        let key = test_key();
        let plaintext = b"my_secret_value";

        let encrypted = encrypt(plaintext, &key).expect("Encryption should succeed");

        // Encrypted data should be different from plaintext
        assert_ne!(encrypted.as_slice(), plaintext);
        // Encrypted data should include nonce (12 bytes) + ciphertext + tag (16 bytes)
        assert!(encrypted.len() > plaintext.len() + 12);
    }

    #[test]
    fn test_encrypt_decrypt_roundtrip() {
        let key = test_key();
        let plaintext = b"sensitive_api_key_12345";

        let encrypted = encrypt(plaintext, &key).expect("Encryption should succeed");
        let decrypted = decrypt(&encrypted, &key).expect("Decryption should succeed");

        assert_eq!(decrypted, plaintext);
    }

    #[test]
    fn test_encrypt_different_nonces() {
        let key = test_key();
        let plaintext = b"same_value";

        // Two encryptions of the same data should produce different ciphertexts
        // (due to random nonce)
        let encrypted1 = encrypt(plaintext, &key).expect("Encryption 1 should succeed");
        let encrypted2 = encrypt(plaintext, &key).expect("Encryption 2 should succeed");

        assert_ne!(
            encrypted1, encrypted2,
            "Same plaintext should encrypt to different ciphertext"
        );
    }

    #[test]
    fn test_decrypt_with_wrong_key_fails() {
        let key1 = test_key();
        let key2 = [0x99u8; 32]; // Different key
        let plaintext = b"secret";

        let encrypted = encrypt(plaintext, &key1).expect("Encryption should succeed");
        let result = decrypt(&encrypted, &key2);

        assert!(result.is_err(), "Decryption with wrong key should fail");
    }

    #[test]
    fn test_decrypt_corrupted_data_fails() {
        let key = test_key();
        let plaintext = b"secret";

        let mut encrypted = encrypt(plaintext, &key).expect("Encryption should succeed");
        // Corrupt the ciphertext (after the 12-byte nonce)
        if encrypted.len() > 15 {
            encrypted[15] ^= 0xFF;
        }

        let result = decrypt(&encrypted, &key);
        assert!(result.is_err(), "Decryption of corrupted data should fail");
    }

    #[test]
    fn test_encrypt_empty_data() {
        let key = test_key();
        let plaintext = b"";

        let encrypted = encrypt(plaintext, &key).expect("Encryption of empty data should succeed");
        let decrypted = decrypt(&encrypted, &key).expect("Decryption should succeed");

        assert_eq!(decrypted, plaintext);
    }

    #[test]
    fn test_encrypt_large_data() {
        let key = test_key();
        let plaintext: Vec<u8> = (0..10_000).map(|i| (i % 256) as u8).collect();

        let encrypted = encrypt(&plaintext, &key).expect("Encryption of large data should succeed");
        let decrypted = decrypt(&encrypted, &key).expect("Decryption should succeed");

        assert_eq!(decrypted, plaintext);
    }

    #[test]
    fn test_encrypt_unicode_data() {
        let key = test_key();
        let plaintext = "Clé secrète: 日本語 🔐 émojis".as_bytes();

        let encrypted = encrypt(plaintext, &key).expect("Encryption should succeed");
        let decrypted = decrypt(&encrypted, &key).expect("Decryption should succeed");

        assert_eq!(decrypted, plaintext);
        assert_eq!(
            String::from_utf8(decrypted).unwrap(),
            "Clé secrète: 日本語 🔐 émojis"
        );
    }
}