rustolio_utils/crypto/

encryption.rs

//
// SPDX-License-Identifier: MPL-2.0
//
// Copyright (c) 2026 Tobias Binnewies. All rights reserved.
//
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
//

use aes_gcm::{
    aead::{Aead as _, Payload},
    Aes256Gcm, KeyInit as _,
};

use crate::bytes::Bytes;
use crate::prelude::*;

use super::rand;

pub type Result<T> = std::result::Result<T, Error>;

#[derive(Debug, Clone, PartialEq)]
pub enum Error {
    Rand(rand::Error),
    InvalidKey,
    Encryption,
    Decryption,
}

impl From<rand::Error> for Error {
    fn from(value: rand::Error) -> Self {
        Self::Rand(value)
    }
}

impl std::fmt::Display for Error {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "{self:?}")
    }
}

impl std::error::Error for Error {
    fn source(&self) -> Option<&(dyn std::error::Error + 'static)> {
        match self {
            Self::Rand(e) => Some(e),
            _ => None,
        }
    }
}

#[derive(Debug, Clone, Encode, Decode)]
#[repr(transparent)]
pub struct Key([u8; 32]);

impl Key {
    pub fn generate() -> Result<Self> {
        Ok(Self(rand::array()?))
    }

    pub fn to_bytes(&self) -> [u8; 32] {
        self.0
    }

    pub fn from_bytes(bytes: &[u8]) -> Result<&Self> {
        if bytes.len() != 32 {
            return Err(Error::InvalidKey);
        }
        Ok(unsafe {
            // SAFETY: #[repr(transparent)] & length checked
            &*bytes.as_ptr().cast()
        })
    }

    pub fn from_array(bytes: [u8; 32]) -> Self {
        Self(bytes)
    }
}

#[derive(Clone)]
pub struct Cipher(Aes256Gcm);

impl Cipher {
    pub fn new(key: &Key) -> Self {
        Self(Aes256Gcm::new(&key.0.into()))
    }

    pub fn encrypt(&self, msg: impl AsRef<[u8]>) -> Result<Encypted> {
        self.encrypt_with_aad(b"", msg)
    }

    pub fn encrypt_with_aad(
        &self,
        aad: impl AsRef<[u8]>,
        msg: impl AsRef<[u8]>,
    ) -> Result<Encypted> {
        let nonce = rand::array()?;

        let payload = Payload {
            msg: msg.as_ref(),
            aad: aad.as_ref(),
        };
        let Ok(msg) = self.0.encrypt(&nonce.into(), payload) else {
            return Err(Error::Encryption);
        };

        Ok(Encypted {
            msg: Bytes::from(msg),
            nonce,
        })
    }

    pub fn decrypt(&self, encrypted: &Encypted) -> Result<Bytes> {
        self.decrypt_with_aad(b"", encrypted)
    }

    pub fn decrypt_with_aad(&self, aad: impl AsRef<[u8]>, encrypted: &Encypted) -> Result<Bytes> {
        let Encypted { msg, nonce } = encrypted;
        let payload = Payload {
            msg,
            aad: aad.as_ref(),
        };
        let Ok(msg) = self.0.decrypt(nonce.into(), payload) else {
            return Err(Error::Decryption);
        };
        Ok(Bytes::from_owner(msg))
    }
}

#[derive(Debug, Clone, PartialEq, Eq, Hash, Encode, Decode)]
pub struct Encypted {
    nonce: [u8; 12],
    msg: Bytes,
}

impl Encypted {
    pub fn size(&self) -> usize {
        12 + self.msg.len()
    }
}

#[cfg(test)]
mod tests {

    use super::*;

    #[test]
    fn test_encryption() {
        let msg = b"Some message";

        let key = Key::generate().unwrap();
        let cipher = Cipher::new(&key);

        let encrypted = cipher.encrypt(&msg).unwrap();
        let decryped = cipher.decrypt(&encrypted).unwrap();

        assert_eq!(*decryped, *msg);
    }

    #[test]
    fn test_encryption_encoding_decoding() {
        let msg = b"Some message";

        let key = Key::generate().unwrap();

        let encoded = key.to_bytes();
        let key = Key::from_bytes(&encoded).unwrap();

        let cipher = Cipher::new(&key);

        let encrypted = cipher.encrypt(&msg).unwrap();
        let decryped = cipher.decrypt(&encrypted).unwrap();

        assert_eq!(*decryped, *msg);
    }
}