void_crypto/

kdf.rs

//! HKDF-SHA256 key derivation with purpose separation.
//!
//! All keys are derived from a single root key using HKDF-SHA256 with
//! purpose-specific info strings. This ensures cryptographic separation
//! between different key uses (commits, metadata, content, index, etc.).

use hkdf::Hkdf;
use rand::RngCore;
use sha2::Sha256;
use zeroize::{Zeroize, ZeroizeOnDrop};

use crate::{CryptoError, CryptoResult};

const SALT: &[u8] = b"void-v1";

// ============================================================================
// Macro for secret key newtypes (zeroed on drop, no serialization)
// ============================================================================

/// Defines a secret key newtype with zeroize-on-drop and redacted debug.
///
/// Generated types:
/// - Implement `Zeroize + ZeroizeOnDrop` for memory safety
/// - Have redacted `Debug` output to prevent accidental logging
/// - Do NOT implement `Copy`, `Serialize`, `Display`, or hex encoding
/// - Only expose `from_bytes()`, `as_bytes()`, and `Clone`
macro_rules! define_secret_key_newtype {
    ($(#[$meta:meta])* $name:ident, $size:literal) => {
        $(#[$meta])*
        #[derive(Clone, Zeroize, ZeroizeOnDrop)]
        pub struct $name([u8; $size]);

        impl $name {
            /// Create from raw bytes.
            pub fn from_bytes(bytes: [u8; $size]) -> Self {
                Self(bytes)
            }

            /// Access the underlying bytes.
            pub fn as_bytes(&self) -> &[u8; $size] {
                &self.0
            }
        }

        impl std::fmt::Debug for $name {
            fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
                write!(f, "{}([REDACTED])", stringify!($name))
            }
        }
    };
}

// ============================================================================
// ShareKey — derived key from share-based unseal (zeroed on drop)
// ============================================================================

define_secret_key_newtype!(
    /// A derived key from share-based unseal.
    ///
    /// In share-based unseal the derived key serves directly as the content
    /// key — there is no commit envelope involved. This type ensures share
    /// keys enter the crypto system through explicit construction, not via
    /// raw `[u8; 32]` injection.
    ShareKey, 32
);

// ============================================================================
// Identity secret keys (zeroed on drop)
// ============================================================================

define_secret_key_newtype!(
    /// Ed25519 secret key for signing (32 bytes). Zeroed on drop.
    SigningSecretKey, 32
);

define_secret_key_newtype!(
    /// X25519 secret key for ECIES decryption (32 bytes). Zeroed on drop.
    RecipientSecretKey, 32
);

define_secret_key_newtype!(
    /// BIP-39 seed bytes (64 bytes). Zeroed on drop.
    IdentitySeed, 64
);

define_secret_key_newtype!(
    /// Secp256k1 secret key for Nostr transport (32 bytes). Zeroed on drop.
    NostrSecretKey, 32
);

// ============================================================================
// SecretKey - A 32-byte key that is zeroed on drop
// ============================================================================

/// A 32-byte derived key that is zeroed on drop.
///
/// # Security
///
/// This type holds derived key material (never the root key itself).
/// It is handed out by `KeyVault` for purpose-specific operations
/// (index encryption, stash encryption, etc.).
#[derive(Clone, Zeroize, ZeroizeOnDrop)]
pub struct SecretKey([u8; 32]);

impl SecretKey {
    /// Create a new SecretKey from raw bytes.
    pub fn new(bytes: [u8; 32]) -> Self {
        Self(bytes)
    }

    /// Get the underlying bytes as a reference.
    ///
    /// # Security
    ///
    /// This is intentionally available for callers that need to pass
    /// the key to low-level AEAD operations. The bytes should never
    /// be copied into long-lived storage.
    pub fn as_bytes(&self) -> &[u8; 32] {
        &self.0
    }

    /// Generate a new random SecretKey.
    pub fn generate() -> Self {
        let mut bytes = [0u8; 32];
        rand::thread_rng().fill_bytes(&mut bytes);
        Self(bytes)
    }
}

impl AsRef<[u8]> for SecretKey {
    fn as_ref(&self) -> &[u8] {
        &self.0
    }
}

// ============================================================================
// ContentKey - Typed wrapper for per-commit derived content keys
// ============================================================================

/// A 32-byte content key derived from a commit's envelope nonce.
///
/// # Security
///
/// This newtype prevents accidentally passing a root key where a content key
/// is expected (or vice versa). Construction is restricted to `pub(crate)` so
/// only `void-crypto` can mint content keys.
#[derive(Clone, Copy, PartialEq, Eq, Zeroize, serde::Serialize, serde::Deserialize)]
pub struct ContentKey([u8; 32]);

impl ContentKey {
    /// Create a new `ContentKey` from raw bytes.
    ///
    /// Restricted to `pub(crate)` so that only void-crypto can mint content keys.
    pub(crate) fn new(bytes: [u8; 32]) -> Self {
        Self(bytes)
    }

    /// Create a `ContentKey` from raw bytes (crate-internal only).
    pub(crate) fn from_raw(bytes: [u8; 32]) -> Self {
        Self(bytes)
    }

    /// Parse a content key from a hex string.
    ///
    /// Used for scoped read-only access via `--content-key` CLI flag.
    /// The content key grants access to a single commit's data without
    /// requiring the root encryption key.
    pub fn from_hex(hex: &str) -> CryptoResult<Self> {
        let bytes = hex::decode(hex.trim())
            .map_err(|e| CryptoError::InvalidKey(format!("invalid content key hex: {e}")))?;
        let arr: [u8; 32] = bytes
            .try_into()
            .map_err(|_| CryptoError::InvalidKey("content key must be 32 bytes".into()))?;
        Ok(Self(arr))
    }

    /// Access the underlying bytes for low-level crypto calls.
    ///
    /// # Security
    ///
    /// Needed for passing to AEAD encrypt/decrypt. The bytes are a per-commit
    /// derived key, not the root key.
    pub fn as_bytes(&self) -> &[u8; 32] {
        &self.0
    }
}

impl std::fmt::Debug for ContentKey {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "ContentKey({}…)", hex::encode(&self.0[..4]))
    }
}

// ============================================================================
// Nonce<N> - Typed wrapper for cryptographic nonces (const-generic sized)
// ============================================================================

/// A fixed-size cryptographic nonce.
///
/// # Security
///
/// Using a typed wrapper prevents accidentally passing truncated hashes,
/// key fragments, or other byte arrays where a nonce is expected. The const
/// generic parameter enforces size at compile time — `Nonce<16>` and
/// `Nonce<12>` are distinct types that cannot be mixed.
#[derive(Clone, Copy, PartialEq, Eq)]
pub struct Nonce<const N: usize>([u8; N]);

impl<const N: usize> Nonce<N> {
    /// Size of the nonce in bytes.
    pub const SIZE: usize = N;

    /// Generate a cryptographically secure random nonce.
    pub fn generate() -> Self {
        let mut bytes = [0u8; N];
        rand::thread_rng().fill_bytes(&mut bytes);
        Self(bytes)
    }

    /// Parse a nonce from a byte slice.
    ///
    /// Returns `None` if the slice length does not match `N`.
    pub fn from_bytes(bytes: &[u8]) -> Option<Self> {
        let arr: [u8; N] = bytes.try_into().ok()?;
        Some(Self(arr))
    }

    /// Access the underlying bytes.
    pub fn as_bytes(&self) -> &[u8; N] {
        &self.0
    }
}

impl<const N: usize> AsRef<[u8]> for Nonce<N> {
    fn as_ref(&self) -> &[u8] {
        &self.0
    }
}

impl<const N: usize> std::fmt::Debug for Nonce<N> {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let preview_len = N.min(4);
        write!(f, "Nonce<{}>({}…)", N, hex::encode(&self.0[..preview_len]))
    }
}

impl<const N: usize> std::fmt::Display for Nonce<N> {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "{}", hex::encode(&self.0))
    }
}

/// 16-byte nonce for VD01 envelope key derivation.
///
/// Embedded in bytes 4..20 of the envelope header. Used to derive
/// a per-commit content key via `HKDF(root_key, "commit:<hex(nonce)>")`.
pub type KeyNonce = Nonce<16>;

/// 12-byte nonce for AES-256-GCM authenticated encryption.
pub type AeadNonce = Nonce<12>;

// ============================================================================
// RepoSecret - A 32-byte random secret for shard path hashing
// ============================================================================

/// A 32-byte random secret used for shard path hashing (NOT an encryption key).
///
/// Distinct from `SecretKey` (derived encryption key) and `RepoKey` (root
/// encryption key). Used as HMAC-PRF input: `hash(repo_secret || path) →
/// shard assignment`. Each repository generates its own `RepoSecret` at
/// init time; it is stored inside `MetadataBundle`.
#[derive(Clone, Copy, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
pub struct RepoSecret([u8; 32]);

impl RepoSecret {
    /// Create a new `RepoSecret` from raw bytes.
    pub fn new(bytes: [u8; 32]) -> Self {
        Self(bytes)
    }

    /// Access the underlying bytes.
    pub fn as_bytes(&self) -> &[u8; 32] {
        &self.0
    }

    /// Generate a new random `RepoSecret`.
    pub fn generate() -> Self {
        let mut bytes = [0u8; 32];
        rand::thread_rng().fill_bytes(&mut bytes);
        Self(bytes)
    }
}

impl std::fmt::Debug for RepoSecret {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "RepoSecret([REDACTED])")
    }
}

// ============================================================================
// KeyPurpose - Key derivation purposes
// ============================================================================

/// Key purposes for derivation.
///
/// Each purpose produces a cryptographically independent key from the same
/// root key via HKDF with a unique info string.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum KeyPurpose {
    /// Key for encrypting commits.
    Commits,
    /// Key for encrypting metadata bundles.
    Metadata,
    /// Key for encrypting content (file data).
    Content,
    /// Key for encrypting the index.
    Index,
    /// Key for encrypting stash entries.
    Stash,
    /// Key for encrypting staged blobs.
    Staged,
    /// Scoped read key for limited access (scope is a path or branch pattern).
    ScopedRead(String),
}

impl KeyPurpose {
    /// Returns the info bytes used in HKDF for this purpose.
    fn info(&self) -> Vec<u8> {
        match self {
            Self::Commits => b"void-v1-commits".to_vec(),
            Self::Metadata => b"void-v1-metadata".to_vec(),
            Self::Content => b"void-v1-content".to_vec(),
            Self::Index => b"void-v1-index".to_vec(),
            Self::Stash => b"void-v1-stash".to_vec(),
            Self::Staged => b"void-v1-staged".to_vec(),
            Self::ScopedRead(scope) => format!("void-v1-read:{}", scope).into_bytes(),
        }
    }
}

// ============================================================================
// KeyRing - Holds all derived keys, zeroed on drop
// ============================================================================

/// Key ring holding all derived keys - zeroed on drop.
///
/// # Security
///
/// All fields hold purpose-derived keys, never the root key.
/// The root key is held exclusively by `KeyVault`.
#[derive(Zeroize, ZeroizeOnDrop)]
pub struct KeyRing {
    /// Key for encrypting commits.
    pub(crate) commits: SecretKey,
    /// Key for encrypting metadata bundles.
    pub(crate) metadata: SecretKey,
    /// Key for encrypting content (file data).
    pub(crate) content: SecretKey,
    /// Key for encrypting the index.
    pub(crate) index: SecretKey,
    /// Key for encrypting stash entries.
    pub(crate) stash: SecretKey,
    /// Key for encrypting staged blobs.
    pub(crate) staged: SecretKey,
}

impl KeyRing {
    /// Create a KeyRing from a root key using V2 (separated keys).
    pub fn from_root(root_key: &[u8; 32]) -> CryptoResult<Self> {
        Ok(Self {
            commits: SecretKey::new(derive_key_for_purpose(root_key, KeyPurpose::Commits)?),
            metadata: SecretKey::new(derive_key_for_purpose(root_key, KeyPurpose::Metadata)?),
            content: SecretKey::new(derive_key_for_purpose(root_key, KeyPurpose::Content)?),
            index: SecretKey::new(derive_key_for_purpose(root_key, KeyPurpose::Index)?),
            stash: SecretKey::new(derive_key_for_purpose(root_key, KeyPurpose::Stash)?),
            staged: SecretKey::new(derive_key_for_purpose(root_key, KeyPurpose::Staged)?),
        })
    }
}

// ============================================================================
// Key derivation functions
// ============================================================================

/// Derive a purpose-specific key from the root key.
pub fn derive_key_for_purpose(root_key: &[u8; 32], purpose: KeyPurpose) -> CryptoResult<[u8; 32]> {
    let hk = Hkdf::<Sha256>::new(Some(SALT), root_key);
    let mut output = [0u8; 32];
    hk.expand(&purpose.info(), &mut output)
        .map_err(|e| CryptoError::InvalidKey(e.to_string()))?;
    Ok(output)
}

/// Derive a scoped read key from a root key.
///
/// The scope is a path or branch pattern that limits access, e.g.:
/// - `"refs/heads/main"` - access to main branch only
/// - `"path:src/"` - access to files under src/
pub fn derive_scoped_key(root_key: &[u8; 32], scope: &str) -> CryptoResult<[u8; 32]> {
    derive_key_for_purpose(root_key, KeyPurpose::ScopedRead(scope.to_string()))
}

/// Generates a cryptographically secure random 32-byte key.
pub fn generate_key() -> [u8; 32] {
    let mut key = [0u8; 32];
    rand::thread_rng().fill_bytes(&mut key);
    key
}

/// Derives a 32-byte key from the root key using HKDF-SHA256.
///
/// # Arguments
/// * `root_key` - The root key material
/// * `info` - Context string (e.g., "encryption", "signing")
pub fn derive_key(root_key: &[u8; 32], info: &str) -> CryptoResult<[u8; 32]> {
    let hk = Hkdf::<Sha256>::new(Some(SALT), root_key);

    let mut output = [0u8; 32];
    hk.expand(info.as_bytes(), &mut output)
        .map_err(|e| CryptoError::InvalidKey(e.to_string()))?;

    Ok(output)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn derive_key_deterministic() {
        let root = [0x42u8; 32];
        let key1 = derive_key(&root, "encryption").unwrap();
        let key2 = derive_key(&root, "encryption").unwrap();
        assert_eq!(key1, key2);
    }

    #[test]
    fn derive_key_different_info() {
        let root = [0x42u8; 32];
        let key1 = derive_key(&root, "encryption").unwrap();
        let key2 = derive_key(&root, "signing").unwrap();
        assert_ne!(key1, key2);
    }

    #[test]
    fn derive_key_different_root() {
        let root1 = [0x42u8; 32];
        let root2 = [0x43u8; 32];
        let key1 = derive_key(&root1, "encryption").unwrap();
        let key2 = derive_key(&root2, "encryption").unwrap();
        assert_ne!(key1, key2);
    }

    #[test]
    fn generate_key_unique() {
        let key1 = generate_key();
        let key2 = generate_key();
        assert_ne!(key1, key2);
    }

    #[test]
    fn key_separation_produces_different_keys() {
        let root = generate_key();
        let ring = KeyRing::from_root(&root).unwrap();

        assert_ne!(ring.commits.as_bytes(), ring.metadata.as_bytes());
        assert_ne!(ring.metadata.as_bytes(), ring.content.as_bytes());
        assert_ne!(ring.content.as_bytes(), ring.index.as_bytes());
        assert_ne!(ring.index.as_bytes(), ring.stash.as_bytes());
        assert_ne!(ring.stash.as_bytes(), ring.staged.as_bytes());
    }

    #[test]
    fn stash_and_staged_keys_are_distinct() {
        let root = generate_key();
        let ring = KeyRing::from_root(&root).unwrap();

        assert_ne!(ring.stash.as_bytes(), ring.index.as_bytes());
        assert_ne!(ring.staged.as_bytes(), ring.index.as_bytes());
        assert_ne!(ring.stash.as_bytes(), ring.staged.as_bytes());
    }

    #[test]
    fn derive_key_for_purpose_deterministic() {
        let root = [0x42u8; 32];
        let key1 = derive_key_for_purpose(&root, KeyPurpose::Commits).unwrap();
        let key2 = derive_key_for_purpose(&root, KeyPurpose::Commits).unwrap();
        assert_eq!(key1, key2);
    }

    #[test]
    fn derive_key_for_purpose_different_purposes() {
        let root = [0x42u8; 32];

        let commits = derive_key_for_purpose(&root, KeyPurpose::Commits).unwrap();
        let metadata = derive_key_for_purpose(&root, KeyPurpose::Metadata).unwrap();
        let content = derive_key_for_purpose(&root, KeyPurpose::Content).unwrap();
        let index = derive_key_for_purpose(&root, KeyPurpose::Index).unwrap();
        let stash = derive_key_for_purpose(&root, KeyPurpose::Stash).unwrap();
        let staged = derive_key_for_purpose(&root, KeyPurpose::Staged).unwrap();

        let keys = [commits, metadata, content, index, stash, staged];
        for i in 0..keys.len() {
            for j in (i + 1)..keys.len() {
                assert_ne!(keys[i], keys[j], "Keys at {} and {} should differ", i, j);
            }
        }
    }

    #[test]
    fn secret_key_generate_unique() {
        let key1 = SecretKey::generate();
        let key2 = SecretKey::generate();
        assert_ne!(key1.as_bytes(), key2.as_bytes());
    }

    #[test]
    fn secret_key_as_ref() {
        let bytes = [0x42u8; 32];
        let key = SecretKey::new(bytes);
        let slice: &[u8] = key.as_ref();
        assert_eq!(slice, &bytes);
    }
}