sare-lib 0.1.0

Hybrid post-quantum encryption library providing SARE standard primitives and APIs.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257

# SARE Lib

![Crates.io Version](https://img.shields.io/crates/v/sare-lib)
![Deps.rs Crate Dependencies (latest)](https://img.shields.io/deps-rs/sare-lib/latest)
![Crates.io License](https://img.shields.io/crates/l/sare-lib)
![Crates.io Size](https://img.shields.io/crates/size/sare-lib)
![Crates.io Total Downloads](https://img.shields.io/crates/d/sare-lib)


**SARE LIB IS IN BETA. IT IS QUICKLY EVOLVING AND NOT YET AUDITED FOR SECURITY. USE WITH CAUTION.**

SARE Lib is the high-level library for building applications using the SARE cryptographic standard. It provides safe, modular, and user-friendly interfaces for encryption, decryption, signing, key management, and certificate handling, while relying on **sare-core** under the hood for low-level cryptography.

---

## Core Principles

- **Hybrid Security**: SARE Lib is secure against both classical and quantum attacks.
    
- **Modular Design**: Easily integrate new algorithms for encryption, signing, or key derivation.
    
- **Human Rights Focused**: Privacy and security are foundational rights. SARE empowers users to protect these rights online. Even when quantum-computers emerge.
    

> This is **not a roll-your-own-crypto project**. Only audited, standard, and proven algorithms are used for all encryption, signing, and key encapsulation operations.

---

## Installation

### Using SARE Lib in a Rust Project

Add it to your dependencies in `Cargo.toml`:

```toml
[dependencies]
sare-lib = "0.1"
```

### Using Cargo

Install via Cargo:

```bash
cargo add sare-lib
```

---

## Example Usage

### Encrypting and Decrypting Files

#### Symmetric Encryption

```rust
use sare_lib::{encryption::Encryptor, keys::{EncryptionAlgorithm, RECOMMENDED_PKDF_PARAMS}};
use secrecy::SecretVec;
use std::fs::File;

let input_file = File::open("message.txt")?;
let mut output_file = File::create("message.enc")?;
let passphrase = SecretVec::new(b"supersecret".to_vec());

// Generate key derivation function (KDF) using recommended parameters
let pkdf = Encryptor::get_pkdf(&passphrase, RECOMMENDED_PKDF_PARAMS, 1);

// Encrypt the file symmetrically using XChaCha20-Poly1305 AEAD
Encryptor::encrypt_with_passphrase(&mut input_file, &mut output_file, pkdf, EncryptionAlgorithm::XCHACHA20POLY1305)?;
```

#### Symmetric Decryption

```rust
use sare_lib::encryption::Decryptor;
use secrecy::SecretVec;
use std::fs::File;

let mut input_file = File::open("message.enc")?;
let mut output_file = File::create("message_decrypted.txt")?;
let passphrase = SecretVec::new(b"supersecret".to_vec());

Decryptor::decrypt_with_passphrase(passphrase, &mut input_file, &mut output_file)?;
```

---

#### Asymmetric Encryption

```rust
use sare_lib::{encryption::Encryptor, keys::{MasterKey, SharedPublicKey, EncryptionAlgorithm}};
use std::fs::File;

let input_file = File::open("document.txt")?;
let mut output_file = File::create("document.enc")?;

// Load master key and recipient public key
let master_key = MasterKey::load("MASTER_KEY.pem")?;
let recipient_key = SharedPublicKey::from_pem(std::fs::read_to_string("recipient.pem")?)?;

let encryptor = Encryptor::new(master_key);
encryptor.encrypt_with_recipient(&mut input_file, &mut output_file, &recipient_key, EncryptionAlgorithm::XCHACHA20POLY1305)?;
```

#### Asymmetric Decryption

```rust
use sare_lib::encryption::Decryptor;
use std::fs::File;

// Load your master key
let master_key = MasterKey::load("MASTER_KEY.pem")?;
let decryptor = Decryptor::new(master_key);

let mut input_file = File::open("document.enc")?;
let mut output_file = File::create("document_decrypted.txt")?;

// Decrypt the file
let signature = decryptor.decrypt_with_recipient(&mut input_file, &mut output_file)?;

if let Some(sig) = signature {
    println!("Signature attached: {:?}", sig.fullchain_fingerprint);
}
```

---

### Signing and Verifying

#### Detached Signature

```rust
use sare_lib::signing::Signing;
use std::fs;

let master_key = MasterKey::load("MASTER_KEY.pem")?;
let signer = Signing::new(master_key);

let message = fs::read("report.txt")?;
let signature = signer.sign_detached(&message);
fs::write("report.sig", signature.encode_with_magic_byte())?;
```

#### Verifying a Detached Signature

```rust
use sare_lib::signing::Signing;
use sare_lib::format::signature::SignatureHeaderFormat;
use std::fs;

let signed_file = fs::read("report.sig")?;
let original_file = fs::read("report.txt")?;

let signature_header = SignatureHeaderFormat::decode_with_magic_byte(&signed_file)?;
let is_valid = Signing::verify_detached(&signature_header, &original_file)?;

println!("Signature valid: {}", is_valid);
```

---

### Master Key Management

#### Generate a Master Key

```rust
use sare_lib::keys::{MasterKey, HybridKEMAlgorithm, HybridSignAlgorithm};

let master_key = MasterKey::generate(
    HybridKEMAlgorithm::default(),
    HybridSignAlgorithm::default()
);

// Export the master key (optionally encrypted with a passphrase)
master_key.export(Some("supersecret".as_bytes().to_vec().into()), &mut std::fs::File::create("MASTER_KEY.pem")?)?;

// Export public key
master_key.export_public(&mut std::fs::File::create("PUB_KEY.pem")?)?;
```

#### Inspect a Master Key

```rust
let master_key = MasterKey::load("MASTER_KEY.pem")?;
println!("Master Key Fingerprint: {:?}", master_key.get_fullchain_public_fingerprint());
println!("Mnemonic Seed: {}", master_key.to_mnemonic().expose_secret());
```

#### Revoke a Master Key

```rust
use sare_lib::{certificate::Certificate, format::certificate::Issuer, format::certificate::RevocationReason};

let master_key = MasterKey::load("MASTER_KEY.pem")?;
let issuer = Issuer::new("Your Name", "your@email.com");

let revocation_cert = Certificate::new_revocation(master_key, 1682611200, issuer, RevocationReason::NoReasonSpecified);
revocation_cert.export(std::fs::File::create("REVOC_KEY.asc")?)?;
```

---

### Recipient Management

```rust
use sare_lib::keys::SharedPublicKey;

// Add a recipient
let recipient_key = SharedPublicKey::from_pem(std::fs::read_to_string("recipient.pem")?)?;
recipient_key.export(std::fs::File::create("RECIPIENT.pem")?)?;

// Load and list recipients
let recipient_key = SharedPublicKey::from_pem(std::fs::read_to_string("RECIPIENT.pem")?)?;
println!("Recipient fingerprint: {:?}", recipient_key.fullchain_public_key.calculate_fingerprint());
```


> For more detailed documentation on the underlying processes and formatting happening behind the scenes, please read our documentation book at [https://sareproject.github.io/docs](https://sareproject.github.io/docs)

---
## Core Components

- **Keys**: Generate master keys, export/import keys, derive subkeys for encryption/signing
    
- **Encryption & Decryption**: Symmetric (password-based) and asymmetric (recipient-based) encryption engines
    
- **Signing**: Hybrid post-quantum + classical signatures with attached or detached message support
    
- **Certificates**: Validation and revocation certificates
    
- **Modular Cryptography**: Easily extendable to new algorithms
    

SARE Lib is designed to make application development straightforward while letting **sare-core** handle the complexity of cryptography in the background.

---

## Security Notice

SARE is built to use **audited and standard cryptographic algorithms** at the low-level encryption, signing, and encapsulation layers.

However, SARE itself still needs to be audited to be considered secure. Please use it at your own risk and do not use it for critical use cases.

If you've found security vulnerabilities, please follow our security policy for reporting. Do not report them in the GitHub issues or announce them publicly until we have released a fix for the issue: [https://github.com/SareProject/sare/security/policy](https://github.com/SareProject/sare/security/policy)

---

## Support

If you want to help SARE grow, the best way is financially. Please check out our donation page: [https://sareproject.github.com/docs/support](https://sareproject.github.com/docs/support)

But a share on social media, a star on our GitHub repo, or even a simple supporting message is enough motivation for us to keep going.

---
## License

SARE Lib is released under a combination of the [MIT License](/LICENSE-MIT) and the [Apache License](/LICENSE-APACHE).