nklave-storage 0.1.0

Persistence layer for Nklave: append-only decision logs, checkpoints, and EIP-3076 interchange
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562

//! Secure decision log with encryption and integrity chain
//!
//! This module extends the basic decision log with:
//! - Optional AES-256-CTR encryption for confidentiality
//! - HMAC-SHA256 integrity chain for tamper detection
//!
//! Each log entry is formatted as:
//! `<sequence>|<hmac>|<encrypted_or_plain_data>`
//!
//! The HMAC chain ensures that any modification to past entries is detectable.

use hmac::{Hmac, Mac};
use nklave_core::state::integrity::DecisionRecord;
use sha2::Sha256;
use std::fs::{File, OpenOptions};
use std::io::{BufRead, BufReader, BufWriter, Write};
use std::path::{Path, PathBuf};
use thiserror::Error;
use tracing::debug;

type HmacSha256 = Hmac<Sha256>;

/// Configuration for the secure log
#[derive(Debug, Clone)]
pub struct SecureLogConfig {
    /// Path to the log file
    pub path: PathBuf,

    /// Encryption key (32 bytes for AES-256). If None, no encryption.
    pub encryption_key: Option<[u8; 32]>,

    /// HMAC key for integrity chain (32 bytes)
    pub hmac_key: [u8; 32],
}

impl SecureLogConfig {
    /// Create a new config with encryption enabled
    pub fn with_encryption(path: impl AsRef<Path>, encryption_key: [u8; 32], hmac_key: [u8; 32]) -> Self {
        Self {
            path: path.as_ref().to_path_buf(),
            encryption_key: Some(encryption_key),
            hmac_key,
        }
    }

    /// Create a new config with integrity only (no encryption)
    pub fn integrity_only(path: impl AsRef<Path>, hmac_key: [u8; 32]) -> Self {
        Self {
            path: path.as_ref().to_path_buf(),
            encryption_key: None,
            hmac_key,
        }
    }
}

/// Secure append-only decision log with encryption and integrity chain
pub struct SecureDecisionLog {
    config: SecureLogConfig,
    writer: BufWriter<File>,
    last_sequence: u64,
    last_hmac: [u8; 32],
}

impl SecureDecisionLog {
    /// Open or create a secure decision log
    pub fn open(config: SecureLogConfig) -> Result<Self, SecureLogError> {
        // Determine last sequence and HMAC by reading existing log
        let (last_sequence, last_hmac) = if config.path.exists() {
            Self::read_last_entry(&config)?
        } else {
            // Initial HMAC is HMAC of the HMAC key itself (genesis)
            let mut mac = HmacSha256::new_from_slice(&config.hmac_key)
                .map_err(|e| SecureLogError::Crypto(e.to_string()))?;
            mac.update(b"nklave-secure-log-genesis");
            let genesis_hmac: [u8; 32] = mac.finalize().into_bytes().into();
            (0, genesis_hmac)
        };

        // Open for appending
        let file = OpenOptions::new()
            .create(true)
            .append(true)
            .open(&config.path)
            .map_err(|e| SecureLogError::Io(e.to_string()))?;

        let writer = BufWriter::new(file);

        Ok(Self {
            config,
            writer,
            last_sequence,
            last_hmac,
        })
    }

    /// Read the last entry from an existing log
    fn read_last_entry(config: &SecureLogConfig) -> Result<(u64, [u8; 32]), SecureLogError> {
        let file = File::open(&config.path).map_err(|e| SecureLogError::Io(e.to_string()))?;
        let reader = BufReader::new(file);

        let mut last_sequence = 0u64;
        let mut last_hmac: [u8; 32] = {
            let mut mac = HmacSha256::new_from_slice(&config.hmac_key)
                .map_err(|e| SecureLogError::Crypto(e.to_string()))?;
            mac.update(b"nklave-secure-log-genesis");
            mac.finalize().into_bytes().into()
        };

        for line in reader.lines() {
            let line = line.map_err(|e| SecureLogError::Io(e.to_string()))?;
            if line.is_empty() {
                continue;
            }

            let parts: Vec<&str> = line.splitn(3, '|').collect();
            if parts.len() != 3 {
                return Err(SecureLogError::Parse("Invalid line format".to_string()));
            }

            let seq: u64 = parts[0]
                .parse()
                .map_err(|_| SecureLogError::Parse("Invalid sequence number".to_string()))?;

            let hmac_hex = parts[1];
            let hmac_bytes = hex::decode(hmac_hex)
                .map_err(|e| SecureLogError::Parse(format!("Invalid HMAC hex: {}", e)))?;

            if hmac_bytes.len() != 32 {
                return Err(SecureLogError::Parse("Invalid HMAC length".to_string()));
            }

            last_sequence = seq;
            last_hmac.copy_from_slice(&hmac_bytes);
        }

        Ok((last_sequence, last_hmac))
    }

    /// Append a decision record to the log
    pub fn append(&mut self, record: &DecisionRecord) -> Result<(), SecureLogError> {
        // Verify sequence continuity
        if record.sequence != self.last_sequence + 1 {
            return Err(SecureLogError::SequenceGap {
                expected: self.last_sequence + 1,
                actual: record.sequence,
            });
        }

        // Serialize the record
        let json =
            serde_json::to_string(record).map_err(|e| SecureLogError::Serialize(e.to_string()))?;

        // Optionally encrypt
        let data = if let Some(ref key) = self.config.encryption_key {
            Self::encrypt_data(key, record.sequence, json.as_bytes())?
        } else {
            json
        };

        // Compute HMAC chain: HMAC(prev_hmac || sequence || data)
        let mut mac = HmacSha256::new_from_slice(&self.config.hmac_key)
            .map_err(|e| SecureLogError::Crypto(e.to_string()))?;
        mac.update(&self.last_hmac);
        mac.update(&record.sequence.to_be_bytes());
        mac.update(data.as_bytes());
        let new_hmac: [u8; 32] = mac.finalize().into_bytes().into();

        // Write: sequence|hmac|data
        let line = format!(
            "{}|{}|{}",
            record.sequence,
            hex::encode(new_hmac),
            data
        );
        writeln!(self.writer, "{}", line).map_err(|e| SecureLogError::Io(e.to_string()))?;

        // Flush to ensure durability
        self.writer
            .flush()
            .map_err(|e| SecureLogError::Io(e.to_string()))?;

        self.last_sequence = record.sequence;
        self.last_hmac = new_hmac;

        Ok(())
    }

    /// Encrypt data using AES-256-CTR
    fn encrypt_data(key: &[u8; 32], nonce_base: u64, plaintext: &[u8]) -> Result<String, SecureLogError> {
        use aes::Aes256;
        use aes::cipher::{KeyIvInit, StreamCipher};
        use ctr::Ctr64BE;

        // Create nonce from sequence number (padded to 16 bytes)
        let mut nonce = [0u8; 16];
        nonce[8..16].copy_from_slice(&nonce_base.to_be_bytes());

        let mut cipher = Ctr64BE::<Aes256>::new(key.into(), &nonce.into());

        let mut ciphertext = plaintext.to_vec();
        cipher.apply_keystream(&mut ciphertext);

        Ok(hex::encode(ciphertext))
    }

    /// Decrypt data using AES-256-CTR
    fn decrypt_data(key: &[u8; 32], nonce_base: u64, ciphertext_hex: &str) -> Result<String, SecureLogError> {
        use aes::Aes256;
        use aes::cipher::{KeyIvInit, StreamCipher};
        use ctr::Ctr64BE;

        let ciphertext = hex::decode(ciphertext_hex)
            .map_err(|e| SecureLogError::Parse(format!("Invalid ciphertext hex: {}", e)))?;

        // Create nonce from sequence number (padded to 16 bytes)
        let mut nonce = [0u8; 16];
        nonce[8..16].copy_from_slice(&nonce_base.to_be_bytes());

        let mut cipher = Ctr64BE::<Aes256>::new(key.into(), &nonce.into());

        let mut plaintext = ciphertext;
        cipher.apply_keystream(&mut plaintext);

        String::from_utf8(plaintext)
            .map_err(|e| SecureLogError::Parse(format!("Invalid UTF-8 after decryption: {}", e)))
    }

    /// Get the last recorded sequence number
    pub fn last_sequence(&self) -> u64 {
        self.last_sequence
    }

    /// Verify and replay all records from the log
    ///
    /// This method verifies the HMAC chain integrity while replaying.
    /// Any tampering will be detected.
    pub fn replay_and_verify(&self) -> Result<Vec<DecisionRecord>, SecureLogError> {
        let file = File::open(&self.config.path).map_err(|e| SecureLogError::Io(e.to_string()))?;
        let reader = BufReader::new(file);

        let mut records = Vec::new();
        let mut expected_hmac = {
            let mut mac = HmacSha256::new_from_slice(&self.config.hmac_key)
                .map_err(|e| SecureLogError::Crypto(e.to_string()))?;
            mac.update(b"nklave-secure-log-genesis");
            mac.finalize().into_bytes()
        };

        for (line_num, line) in reader.lines().enumerate() {
            let line = line.map_err(|e| SecureLogError::Io(e.to_string()))?;
            if line.is_empty() {
                continue;
            }

            let parts: Vec<&str> = line.splitn(3, '|').collect();
            if parts.len() != 3 {
                return Err(SecureLogError::Parse(format!(
                    "Invalid line format at line {}",
                    line_num + 1
                )));
            }

            let seq: u64 = parts[0]
                .parse()
                .map_err(|_| SecureLogError::Parse("Invalid sequence number".to_string()))?;

            let hmac_hex = parts[1];
            let stored_hmac = hex::decode(hmac_hex)
                .map_err(|e| SecureLogError::Parse(format!("Invalid HMAC hex: {}", e)))?;

            let data = parts[2];

            // Verify HMAC chain
            let mut mac = HmacSha256::new_from_slice(&self.config.hmac_key)
                .map_err(|e| SecureLogError::Crypto(e.to_string()))?;
            mac.update(&expected_hmac);
            mac.update(&seq.to_be_bytes());
            mac.update(data.as_bytes());
            let computed_hmac = mac.finalize().into_bytes();

            if computed_hmac.as_slice() != stored_hmac.as_slice() {
                return Err(SecureLogError::IntegrityViolation {
                    sequence: seq,
                    expected: hex::encode(computed_hmac),
                    actual: hex::encode(&stored_hmac),
                });
            }

            // Decrypt if needed
            let json = if self.config.encryption_key.is_some() {
                Self::decrypt_data(self.config.encryption_key.as_ref().unwrap(), seq, data)?
            } else {
                data.to_string()
            };

            // Parse record
            let record: DecisionRecord =
                serde_json::from_str(&json).map_err(|e| SecureLogError::Parse(e.to_string()))?;

            if record.sequence != seq {
                return Err(SecureLogError::Parse(format!(
                    "Sequence mismatch: header says {}, record says {}",
                    seq, record.sequence
                )));
            }

            records.push(record);
            expected_hmac = computed_hmac;
        }

        debug!(
            record_count = records.len(),
            "Verified and replayed secure log"
        );

        Ok(records)
    }

    /// Replay records starting from a specific sequence (with verification)
    pub fn replay_from(&self, start_sequence: u64) -> Result<Vec<DecisionRecord>, SecureLogError> {
        let records = self.replay_and_verify()?;
        Ok(records
            .into_iter()
            .filter(|r| r.sequence >= start_sequence)
            .collect())
    }

    /// Sync the log to disk
    pub fn sync(&mut self) -> Result<(), SecureLogError> {
        self.writer
            .flush()
            .map_err(|e| SecureLogError::Io(e.to_string()))?;
        self.writer
            .get_ref()
            .sync_all()
            .map_err(|e| SecureLogError::Io(e.to_string()))?;
        Ok(())
    }

    /// Check if encryption is enabled
    pub fn is_encrypted(&self) -> bool {
        self.config.encryption_key.is_some()
    }
}

/// Errors related to the secure decision log
#[derive(Debug, Error)]
pub enum SecureLogError {
    #[error("I/O error: {0}")]
    Io(String),

    #[error("Parse error: {0}")]
    Parse(String),

    #[error("Serialization error: {0}")]
    Serialize(String),

    #[error("Crypto error: {0}")]
    Crypto(String),

    #[error("Sequence gap: expected {expected}, got {actual}")]
    SequenceGap { expected: u64, actual: u64 },

    #[error("Integrity violation at sequence {sequence}: expected HMAC {expected}, got {actual}")]
    IntegrityViolation {
        sequence: u64,
        expected: String,
        actual: String,
    },
}

#[cfg(test)]
mod tests {
    use super::*;
    use nklave_core::policy::types::{PolicyDecision, SigningType};
    use tempfile::TempDir;

    fn make_record(seq: u64) -> DecisionRecord {
        DecisionRecord {
            sequence: seq,
            timestamp: 1234567890,
            validator_pubkey: [0u8; 48],
            request_type: SigningType::BlockProposal,
            decision: PolicyDecision::Allow,
            signing_root: [seq as u8; 32],
            prev_state_hash: [0u8; 32],
            signing_context: None,
        }
    }

    #[test]
    fn test_secure_log_integrity_only() {
        let dir = TempDir::new().unwrap();
        let log_path = dir.path().join("secure.log");
        let hmac_key = [1u8; 32];

        let config = SecureLogConfig::integrity_only(&log_path, hmac_key);
        let mut log = SecureDecisionLog::open(config).unwrap();

        assert_eq!(log.last_sequence(), 0);
        assert!(!log.is_encrypted());

        log.append(&make_record(1)).unwrap();
        log.append(&make_record(2)).unwrap();
        log.append(&make_record(3)).unwrap();

        assert_eq!(log.last_sequence(), 3);
    }

    #[test]
    fn test_secure_log_with_encryption() {
        let dir = TempDir::new().unwrap();
        let log_path = dir.path().join("encrypted.log");
        let encryption_key = [2u8; 32];
        let hmac_key = [3u8; 32];

        let config = SecureLogConfig::with_encryption(&log_path, encryption_key, hmac_key);
        let mut log = SecureDecisionLog::open(config).unwrap();

        assert!(log.is_encrypted());

        log.append(&make_record(1)).unwrap();
        log.append(&make_record(2)).unwrap();

        assert_eq!(log.last_sequence(), 2);
    }

    #[test]
    fn test_secure_log_replay_and_verify() {
        let dir = TempDir::new().unwrap();
        let log_path = dir.path().join("verify.log");
        let hmac_key = [4u8; 32];

        {
            let config = SecureLogConfig::integrity_only(&log_path, hmac_key);
            let mut log = SecureDecisionLog::open(config).unwrap();
            log.append(&make_record(1)).unwrap();
            log.append(&make_record(2)).unwrap();
            log.append(&make_record(3)).unwrap();
        }

        // Reopen and verify
        let config = SecureLogConfig::integrity_only(&log_path, hmac_key);
        let log = SecureDecisionLog::open(config).unwrap();

        let records = log.replay_and_verify().unwrap();
        assert_eq!(records.len(), 3);
        assert_eq!(records[0].sequence, 1);
        assert_eq!(records[1].sequence, 2);
        assert_eq!(records[2].sequence, 3);
    }

    #[test]
    fn test_encrypted_log_replay() {
        let dir = TempDir::new().unwrap();
        let log_path = dir.path().join("encrypted_replay.log");
        let encryption_key = [5u8; 32];
        let hmac_key = [6u8; 32];

        {
            let config = SecureLogConfig::with_encryption(&log_path, encryption_key, hmac_key);
            let mut log = SecureDecisionLog::open(config).unwrap();
            log.append(&make_record(1)).unwrap();
            log.append(&make_record(2)).unwrap();
        }

        // Reopen and verify
        let config = SecureLogConfig::with_encryption(&log_path, encryption_key, hmac_key);
        let log = SecureDecisionLog::open(config).unwrap();

        let records = log.replay_and_verify().unwrap();
        assert_eq!(records.len(), 2);
        assert_eq!(records[0].signing_root, [1u8; 32]);
        assert_eq!(records[1].signing_root, [2u8; 32]);
    }

    #[test]
    fn test_tamper_detection() {
        let dir = TempDir::new().unwrap();
        let log_path = dir.path().join("tamper.log");
        let hmac_key = [7u8; 32];

        {
            let config = SecureLogConfig::integrity_only(&log_path, hmac_key);
            let mut log = SecureDecisionLog::open(config).unwrap();
            log.append(&make_record(1)).unwrap();
            log.append(&make_record(2)).unwrap();
        }

        // Tamper with the file - modify the JSON data portion
        let contents = std::fs::read_to_string(&log_path).unwrap();
        // Replace "sequence":1 with "sequence":9 to tamper with the data
        let tampered = contents.replace("\"sequence\":1", "\"sequence\":9");
        std::fs::write(&log_path, tampered).unwrap();

        // Verification should fail
        let config = SecureLogConfig::integrity_only(&log_path, hmac_key);
        let log = SecureDecisionLog::open(config).unwrap();
        let result = log.replay_and_verify();

        assert!(matches!(result, Err(SecureLogError::IntegrityViolation { .. })));
    }

    #[test]
    fn test_wrong_hmac_key() {
        let dir = TempDir::new().unwrap();
        let log_path = dir.path().join("wrong_key.log");
        let hmac_key1 = [8u8; 32];
        let hmac_key2 = [9u8; 32]; // Different key

        {
            let config = SecureLogConfig::integrity_only(&log_path, hmac_key1);
            let mut log = SecureDecisionLog::open(config).unwrap();
            log.append(&make_record(1)).unwrap();
        }

        // Try to verify with wrong key
        let config = SecureLogConfig::integrity_only(&log_path, hmac_key2);
        let log = SecureDecisionLog::open(config).unwrap();
        let result = log.replay_and_verify();

        assert!(matches!(result, Err(SecureLogError::IntegrityViolation { .. })));
    }

    #[test]
    fn test_sequence_gap_rejected() {
        let dir = TempDir::new().unwrap();
        let log_path = dir.path().join("gap.log");
        let hmac_key = [10u8; 32];

        let config = SecureLogConfig::integrity_only(&log_path, hmac_key);
        let mut log = SecureDecisionLog::open(config).unwrap();

        log.append(&make_record(1)).unwrap();
        let result = log.append(&make_record(5)); // Skip sequences

        assert!(matches!(result, Err(SecureLogError::SequenceGap { .. })));
    }

    #[test]
    fn test_replay_from_sequence() {
        let dir = TempDir::new().unwrap();
        let log_path = dir.path().join("replay_from.log");
        let hmac_key = [11u8; 32];

        {
            let config = SecureLogConfig::integrity_only(&log_path, hmac_key);
            let mut log = SecureDecisionLog::open(config).unwrap();
            for i in 1..=5 {
                log.append(&make_record(i)).unwrap();
            }
        }

        let config = SecureLogConfig::integrity_only(&log_path, hmac_key);
        let log = SecureDecisionLog::open(config).unwrap();

        let records = log.replay_from(3).unwrap();
        assert_eq!(records.len(), 3);
        assert_eq!(records[0].sequence, 3);
        assert_eq!(records[2].sequence, 5);
    }
}