Skip to main content

hexz_cli/cmd/sys/
keygen.rs

1//! Ed25519 key pair generation for archive signing.
2//!
3//! This command generates cryptographic signing keys used to sign and verify
4//! Hexz archives, ensuring authenticity and integrity.
5//!
6//! # Key Generation
7//!
8//! The `keygen` command creates an Ed25519 key pair:
9//! - **Private key** (`private.key`): Used to sign archives
10//! - **Public key** (`public.key`): Used to verify signatures
11//!
12//! # Security Considerations
13//!
14//! - **Private Key Protection**: Store private keys securely with restricted permissions (chmod 600)
15//! - **Key Distribution**: Share public keys safely; they can be freely distributed
16//! - **Backup**: Maintain secure backups of private keys to prevent loss
17//!
18//! # Usage
19//!
20//! ```bash
21//! # Generate keys in current directory
22//! hexz sys keygen
23//!
24//! # Generate keys in specific directory
25//! hexz sys keygen --output-dir ~/.hexz/keys
26//!
27//! # Secure the private key
28//! chmod 600 ~/.hexz/keys/private.key
29//! ```
30//!
31//! # Integration with Archive Signing
32//!
33//! After generating keys, use them to sign archives:
34//!
35//! ```bash
36//! # Sign an archive
37//! hexz sys sign --key private.key snapshot.st
38//!
39//! # Verify the signature
40//! hexz sys verify --key public.key snapshot.st
41//! ```
42//!
43//! # Implementation
44//!
45//! Uses Ed25519 signatures via the `ed25519-dalek` crate for:
46//! - Fast signature generation and verification
47//! - 64-byte signatures
48//! - Strong cryptographic security (128-bit security level)
49
50use anyhow::Result;
51use hexz_common::sign;
52use std::path::PathBuf;
53
54/// Generate an Ed25519 signing key pair.
55///
56/// This function creates a new Ed25519 private/public key pair and saves them
57/// to the specified output directory (or current directory if not specified).
58///
59/// # Arguments
60///
61/// * `output_dir` - Optional directory to store keys. Defaults to current directory.
62///
63/// # Generated Files
64///
65/// - `private.key`: Ed25519 private key (32 bytes, keep secure!)
66/// - `public.key`: Ed25519 public key (32 bytes, can be shared)
67///
68/// # Returns
69///
70/// Returns `Ok(())` on success, or an error if key generation or file writing fails.
71///
72/// # Security Warning
73///
74/// The private key file MUST be protected with appropriate filesystem permissions:
75///
76/// ```bash
77/// chmod 600 private.key
78/// ```
79///
80/// # Example
81///
82/// ```no_run
83/// # use std::path::PathBuf;
84/// # use hexz_cli::cmd::sys::keygen;
85/// // Generate keys in ~/.hexz/keys
86/// keygen::run(Some(PathBuf::from("/home/user/.hexz/keys")))?;
87/// # Ok::<(), anyhow::Error>(())
88/// ```
89pub fn run(output_dir: Option<PathBuf>) -> Result<()> {
90    let dir = match output_dir {
91        Some(d) => d,
92        None => std::env::current_dir()?,
93    };
94    let priv_path = dir.join("private.key");
95    let pub_path = dir.join("public.key");
96
97    println!("Generating Ed25519 keypair...");
98    sign::generate_keypair(&priv_path, &pub_path)?;
99
100    println!("Keys generated:");
101    println!("  Private: {:?}", priv_path);
102    println!("  Public:  {:?}", pub_path);
103    println!("Keep the private key safe!");
104
105    Ok(())
106}