kimberlite_crypto/lib.rs
//! # kmb-crypto: Cryptographic primitives for `Kimberlite`
//!
//! This crate (imported as `kimberlite_crypto`, see the Quick Start) provides
//! the cryptographic foundation for `Kimberlite`'s tamper-evident append-only
//! log.
//!
//! ## Modules
//!
//! | Module | Purpose | Status |
//! |--------|---------|--------|
//! | [`chain`] | Hash chains for tamper evidence (SHA-256) | ✅ Ready |
//! | [`hash`] | Dual-hash abstraction (SHA-256/BLAKE3) | ✅ Ready |
//! | [`signature`] | Ed25519 signatures for non-repudiation | ✅ Ready |
//! | [`encryption`] | AES-256-GCM encryption and key wrapping | ✅ Ready |
//!
//! The crate also declares the public modules `anonymize`, `crc32`, `error`
//! and `field`; the table above does not describe them.
//!
//! ## Security notes
//!
//! - `crc32` is re-exported next to the cryptographic hashes. CRC-32 only
//!   detects accidental corruption and offers no protection against deliberate
//!   modification; per the table above, tamper evidence comes from [`chain`].
//! - `WrappedKey::unwrap_key` is fallible (the Quick Start calls `.unwrap()`
//!   on its result). Outside of examples, handle the failure instead of
//!   panicking.
//! - The Quick Start compares raw key bytes with `assert_eq!`, which prints
//!   both operands when it fails. That is acceptable for a throwaway key in a
//!   doctest; avoid the pattern where real key material is involved.
//!
//! ## Quick Start
//!
//! ```
//! use kimberlite_crypto::{chain_hash, ChainHash, SigningKey, internal_hash, HashPurpose};
//! use kimberlite_crypto::{EncryptionKey, WrappedKey};
//!
//! // Build a tamper-evident chain of records (SHA-256 for compliance)
//! let hash0 = chain_hash(None, b"genesis record");
//! let hash1 = chain_hash(Some(&hash0), b"second record");
//!
//! // Fast internal hash (BLAKE3) for deduplication
//! let fingerprint = internal_hash(b"content to deduplicate");
//!
//! // Sign records for non-repudiation
//! let signing_key = SigningKey::generate();
//! let signature = signing_key.sign(hash1.as_bytes());
//!
//! // Verify the signature
//! let verifying_key = signing_key.verifying_key();
//! assert!(verifying_key.verify(hash1.as_bytes(), &signature).is_ok());
//!
//! // Wrap a key for secure storage (key hierarchy): `dek` is wrapped under `kek`
//! let kek = EncryptionKey::generate();
//! let dek = EncryptionKey::generate();
//! let wrapped = WrappedKey::new(&kek, &dek.to_bytes());
//! // Example only: real callers should handle the unwrap failure, not `.unwrap()` it
//! let unwrapped = wrapped.unwrap_key(&kek).unwrap();
//! assert_eq!(dek.to_bytes(), unwrapped);
//! ```

// Modules described in the crate-level module table.
pub mod chain;
pub mod encryption;
pub mod hash;
pub mod signature;

// Public modules that the crate-level module table does not describe.
pub mod anonymize;
pub mod crc32;
pub mod error;
pub mod field;

// Compiled only for test builds.
#[cfg(test)]
mod tests_assertions;

// Crate-root re-exports, so callers can write `kimberlite_crypto::Name`
// instead of naming the defining module.

pub use anonymize::{
    DatePrecision,
    GeoLevel,
    KAnonymityResult,
    MaskStyle,
    check_k_anonymity,
    generalize_age,
    generalize_numeric,
    generalize_zip,
    mask,
    redact,
    truncate_date,
};

pub use chain::{
    ChainHash,
    HASH_LENGTH,
    chain_hash,
};

// NOTE(review): CRC-32 is a checksum, not a cryptographic hash; it is exported
// at the same level as the cryptographic primitives, so call sites should not
// treat it as integrity protection against an adversary.
pub use crc32::{
    Crc32,
    crc32,
};

// NOTE(review): `InMemoryMasterKey` presumably keeps master key material in
// process memory; confirm whether it is intended for tests/development and
// which `MasterKeyProvider` production deployments are expected to use.
pub use encryption::{
    DataEncryptionKey,
    EncryptionKey,
    InMemoryMasterKey,
    KeyEncryptionKey,
    MasterKeyProvider,
    WrappedKey,
};

pub use error::CryptoError;

pub use field::{
    FieldKey,
    ReversibleToken,
    TOKEN_LENGTH,
    Token,
    decrypt_field,
    encrypt_field,
    matches_token,
    tokenize,
};

pub use hash::{
    HashAlgorithm,
    HashPurpose,
    InternalHash,
    hash_with_purpose,
    internal_hash,
};

pub use signature::{
    Signature,
    SigningKey,
    VerifyingKey,
};