secret-utils 0.2.0

Shared utilities for secret handling (wrappers, zeroization, secrecy) used across the PAKEs-Conflux workspace
Repository: thatnewyorker/PAKEs-Conflux
Owner: thatnewyorker

Secret handling utilities for the PAKEs-Conflux workspace.

This crate is intended to centralize secret-handling patterns across the aucpace, spake2, and srp crates. It will provide:

  • Typed wrappers for secret material (passwords, verifiers, scalars, derived keys).
  • Reliable in-memory erasure via zeroization semantics.
  • Clear API boundaries that prevent accidental exposure or cloning of secrets.
  • Testing guidance and utilities to validate zeroization behavior where feasible.

Design goals

  • Minimize accidental copies of secret data.
  • Ensure secrets are zeroized on drop and after critical transitions.
  • Provide clear documentation and policies for secret lifecycles.
  • Remain no_std-friendly with an alloc-based default.

Scope (initial scaffolding)

  • This initial version is documentation-only with module placeholders. There are no public APIs yet. Follow-up phases will introduce concrete wrappers, traits, and utilities, along with unit and integration tests.

Feature flags

  • alloc (default): Enables heap-backed containers to support secret buffers.
  • std: Convenience alias that implies alloc. Intended for environments where the standard library is available.

Usage policy (to be enforced in subsequent phases)

  • All password bytes, ephemeral private scalars, long-lived verifiers, and derived session keys must be wrapped by secret types provided here.
  • Public APIs must not expose raw secret bytes. Controlled exposure methods will be provided and documented.
  • Conversions to/from public representations (e.g., serialized forms) will be centralized in audited helpers.

Tests and CI (to be added in later phases)

  • Unit tests to verify zeroization semantics and API boundaries.
  • Integration tests to exercise protocol flows without leaking secrets.
  • CI gates to help prevent regressions in secret-handling policies.
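
The design goals and usage policy above, sketched as an added example (not code from secret-utils, which has no public API yet): a hypothetical `SecretBytes` wrapper with no `Clone`, erasure on drop, closure-scoped exposure, and a helper a unit test can use to check the wipe. All names are assumptions, and the sketch uses `std` paths and a fixed-size array rather than the alloc-backed buffers the crate plans.

```rust
use std::{fmt, mem::ManuallyDrop, ptr};
use std::sync::atomic::{compiler_fence, Ordering};

/// Hypothetical wrapper, not the secret-utils API. No Clone, Copy or derived Debug.
pub struct SecretBytes<const N: usize> {
    bytes: [u8; N],
}

/// Volatile stores plus a compiler fence so the wipe is not optimized away.
fn wipe(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

impl<const N: usize> SecretBytes<N> {
    /// Copies the secret in, then wipes the caller's buffer.
    pub fn take_from(src: &mut [u8; N]) -> Self {
        let secret = SecretBytes { bytes: *src };
        wipe(src);
        secret
    }
    /// Controlled exposure: bytes are borrowed only for the closure's duration.
    pub fn expose<R>(&self, f: impl FnOnce(&[u8; N]) -> R) -> R { f(&self.bytes) }
    /// Explicit erasure for critical transitions that happen before drop.
    pub fn zeroize(&mut self) { wipe(&mut self.bytes); }
}

impl<const N: usize> Drop for SecretBytes<N> {
    fn drop(&mut self) { self.zeroize(); }
}

impl<const N: usize> fmt::Debug for SecretBytes<N> {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        write!(f, "SecretBytes<{}>([REDACTED])", N)
    }
}

/// Test utility: run Drop in place, then read the storage the secret occupied.
pub fn bytes_after_drop<const N: usize>(secret: SecretBytes<N>) -> [u8; N] {
    let mut slot = ManuallyDrop::new(secret);
    unsafe {
        ManuallyDrop::drop(&mut slot);
        ptr::read_volatile(&slot.bytes)
    }
}

fn main() { let mut pw = *b"hunter2!"; println!("{:?}", SecretBytes::take_from(&mut pw)); }
```

Moving a `SecretBytes` value can still leave stale copies on the stack, so a check like `bytes_after_drop` validates the drop path only, not every location the bytes may have passed through.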