sealwd 0.2.0

Secure password and token management library for Rust, featuring hashing, encryption, and random generation.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88

# sealwd

`sealwd` provides small, focused primitives for handling secrets safely in Rust. 

Designed specifically for server-side authentication systems, it enforces a strict separation between low-entropy user passwords and high-entropy machine-generated tokens. It handles memory zeroization, secure generation, policy validation, forward-compatible hashing, and optional encryption at rest.

## Core Philosophy & Security Model

Passwords and tokens serve different purposes and require different cryptographic treatments:
* **Passwords** are low-entropy secrets provided by users. They are hashed using **Argon2id** (slow, memory-hard) to resist brute-force attacks.
* **Tokens** are high-entropy, fixed-length secrets generated by the system (e.g., session IDs, API keys). They are hashed using **BLAKE3** (fast) with a server-side pepper. Using token hashing for passwords is mathematically insecure and intentionally unsupported by this crate.

## Features

* **Explicit Secret Types:** Strongly typed `Password` and `Token<LEN>` primitives.
* **Memory Safety:** Secrets are wrapped in containers that automatically zeroize memory on drop.
* **Password Policies:** Configurable rules for generation and validation (length, character classes).
* **Self-Describing Hashes:** Binary serializable hashes (`PasswordHash`, `TokenHash`) with embedded algorithm versions for forward compatibility.
* **Encryption at Rest (Optional):** AEAD encryption (XChaCha20-Poly1305 or AES-256-GCM-SIV) via the `encryption` feature.
* **Framework Integrations (Optional):** Direct `BYTEA` mappings for PostgreSQL via `sqlx`, and transparent `serde` serialization.

## Usage

### Managing Passwords

```rust
use sealwd::{Password, PasswordPolicy};

// 1. Define a policy
let policy = PasswordPolicy::with_sane_defaults();

// 2. Generate a secure random password satisfying the policy
let password = Password::random(&policy).unwrap();

// 3. Hash the password for storage (uses Argon2id automatically)
let hash = password.to_default_hash().unwrap();

// 4. Verify a login attempt
assert!(hash.verify(&password).is_ok());

```

### Managing High-Entropy Tokens

```rust
use sealwd::Token;

// 1. Generate a 32-byte cryptographic token
let token = Token::<32>::random().unwrap();

// 2. Export to URL-safe Base64 to send to the client
let encoded = token.to_base64();

// 3. Hash with a server-side pepper for database storage (uses BLAKE3)
let pepper = b"my-secret-server-pepper-value";
let token_hash = token.to_default_hash(pepper);

// 4. Store `token_hash.to_bytes()` in your database

```

### Encryption at Rest (Requires `encryption` feature)

When storing secrets that must be reversible (e.g., external API keys), you can encrypt them before storage.

```rust
use sealwd::{Token, crypto::CipherSuite};

let token = Token::<16>::random().unwrap();
let encryption_key = b"thisisa32bytekeyforrustcryptolib";

// Encrypt the token using XChaCha20-Poly1305
let encrypted_token = token.encrypt(encryption_key, CipherSuite::XChaCha20Poly1305).unwrap();

// Decrypt back to a strongly-typed Token<16>
let decrypted_token = encrypted_token.decrypt(encryption_key).unwrap();

```

## Feature Flags

* `encryption`: Enables the `crypto` module, providing `EncryptedPassword` and `EncryptedToken` wrappers backed by AEAD ciphers.
* `serde`: Enables transparent serialization/deserialization for domain types.
* `sqlx`: Implements `sqlx::Type`, `Encode`, and `Decode` allowing hashes and encrypted types to be used directly with database queries (maps to `BYTEA` in Postgres).

## License

Apache-2.0