paserk 0.4.0

Platform-Agnostic Serialized Keys (PASERK) for PASETO
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

//! Public key encryption (PKE) operations.
//!
//! This module provides public key encryption for symmetric keys using
//! RSA-KEM (K1), X25519 (K2/K4), or P-384 ECDH (K3).
//!
//! Types:
//! - `seal` - Symmetric key encrypted with public key
//!
//! # Version Differences
//!
//! - K1: Uses RSA-4096 KEM + AES-256-CTR + HMAC-SHA384 (48-byte tags)
//! - K2/K4: Uses X25519 ECDH + `XChaCha20` + `BLAKE2b` (32-byte tags)
//! - K3: Uses P-384 ECDH + AES-256-CTR + HMAC-SHA384 (48-byte tags)
//!
//! # Security
//!
//! PKE allows a symmetric key to be encrypted using a recipient's public key,
//! so that only the holder of the corresponding secret key can decrypt it.
//!
//! # Example
//!
//! ```rust,ignore
//! use paserk::core::types::{PaserkLocal, PaserkSecret, PaserkSeal};
//! use paserk::core::version::K4;
//! use ed25519_dalek::SigningKey;
//!
//! // Create Ed25519 keypair from seed bytes
//! let seed = [0u8; 32]; // Use secure random bytes in production!
//! let signing_key = SigningKey::from_bytes(&seed);
//! let secret_key = PaserkSecret::<K4>::from(signing_key.to_keypair_bytes());
//!
//! // Create a symmetric key to seal
//! let local_key = PaserkLocal::<K4>::from([0x42u8; 32]);
//!
//! // Seal with the secret key's corresponding public key
//! let sealed = PaserkSeal::<K4>::try_seal(&local_key, &secret_key)?;
//!
//! // Serialize
//! let paserk_string = sealed.to_string();
//!
//! // Parse and unseal
//! let parsed = PaserkSeal::<K4>::try_from(paserk_string.as_str())?;
//! let unsealed = parsed.try_unseal(&secret_key)?;
//! # Ok::<(), paserk::PaserkError>(())
//! ```

#[cfg(feature = "k1-insecure")]
mod seal_k1;

#[cfg(any(feature = "k2", feature = "k4"))]
mod seal_k2k4;

#[cfg(feature = "k3")]
mod seal_k3;

// K1 seal exports (RSA-4096 KEM)
#[cfg(feature = "k1-insecure")]
pub use seal_k1::{
    K1_RSA_CIPHERTEXT_SIZE, K1_SEAL_CIPHERTEXT_SIZE, K1_SEAL_DATA_SIZE, K1_SEAL_TAG_SIZE,
};

#[cfg(feature = "k1-insecure")]
pub(crate) use seal_k1::{seal_k1, unseal_k1};

// K2/K4 seal exports (X25519 ECDH)
#[cfg(any(feature = "k2", feature = "k4"))]
pub use seal_k2k4::{EPHEMERAL_PK_SIZE, SEAL_CIPHERTEXT_SIZE, SEAL_DATA_SIZE, SEAL_TAG_SIZE};

#[cfg(any(feature = "k2", feature = "k4"))]
pub(crate) use seal_k2k4::{seal_k2k4, unseal_k2k4};

// K3 seal exports (P-384 ECDH)
#[cfg(feature = "k3")]
pub use seal_k3::{
    K3_EPHEMERAL_PK_SIZE, K3_SEAL_CIPHERTEXT_SIZE, K3_SEAL_DATA_SIZE, K3_SEAL_TAG_SIZE,
};

#[cfg(feature = "k3")]
pub(crate) use seal_k3::{seal_k3, unseal_k3};