libsignify_rs/

file.rs

//
// signify-rs: cryptographically sign and verify files
// lib/src/file.rs: File utility functions
//
// Copyright (c) 2025, 2026 Ali Polatel <alip@chesswob.org>
// Based in part upon OpenBSD's signify which is:
//   Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
//   Copyright (c) 2016 Marc Espie <espie@openbsd.org>
//   Copyright (c) 2019 Adrian Perez de Castro <aperez@igalia.com>
//   Copyright (c) 2019 Scott Bennett and other contributors
//   SPDX-License-Identifier: ISC
//
// SPDX-License-Identifier: ISC

use crate::crypto::{CHECKSUM_LEN, KDFALG, KEYNUMLEN, PKALG, SALT_LEN};
use crate::error::{Error, Result};
use base64ct::{Base64, Encoding as _};
use core::str;
use memchr::memchr;
use static_assertions::assert_eq_size;
use std::fs::File;
use std::io::stdin;
use std::io::stdout;
use std::io::{Read, Write};
use std::path::Component;
use std::path::Path;
use zeroize::Zeroize;
use zeroize::Zeroizing;

/// Untrusted comment header.
pub const COMMENTHDR: &str = "untrusted comment: ";
/// Max comment length.
pub const MAX_COMMENT_LEN: usize = 1024;

/// Encrypted secret key structure.
///
/// Stores the encrypted secret key along with KDF parameters and checksums.
#[repr(C)]
#[derive(Debug)]
pub struct EncKey {
    /// Public key algorithm (must be "Ed").
    pub pkalg: [u8; 2],
    /// KDF algorithm (must be "BK").
    pub kdfalg: [u8; 2],
    /// Number of KDF rounds.
    pub kdfrounds: u32,
    /// Salt for KDF.
    pub salt: [u8; SALT_LEN],
    /// Checksum of the decrypted key.
    pub checksum: [u8; CHECKSUM_LEN],
    /// Key ID (`KeyNum`).
    pub keynum: [u8; KEYNUMLEN],
    /// Encrypted secret key data.
    pub seckey: Zeroizing<[u8; 64]>,
}

impl Zeroize for EncKey {
    fn zeroize(&mut self) {
        self.pkalg.zeroize();
        self.kdfalg.zeroize();
        self.kdfrounds.zeroize();
        self.salt.zeroize();
        self.checksum.zeroize();
        self.keynum.zeroize();
        self.seckey.zeroize();
    }
}

impl Drop for EncKey {
    fn drop(&mut self) {
        self.zeroize();
    }
}

/// Public key structure.
#[repr(C)]
#[derive(Debug, Clone, Copy)]
pub struct PubKey {
    /// Public key algorithm (must be "Ed").
    pub pkalg: [u8; 2],
    /// Key ID (`KeyNum`).
    pub keynum: [u8; KEYNUMLEN],
    /// Public key data.
    pub pubkey: [u8; 32],
}

/// Signature structure.
#[derive(Debug, Clone, Copy)]
pub struct Sig {
    /// Public key algorithm (must be "Ed").
    pub pkalg: [u8; 2],
    /// Key ID (`KeyNum`).
    pub keynum: [u8; KEYNUMLEN],
    /// Signature data.
    pub sig: [u8; 64],
}

impl EncKey {
    /// Parse `EncKey` from raw bytes.
    ///
    /// # Errors
    ///
    /// Returns `Error::InvalidKeyLength` if byte length is incorrect.
    /// Returns `Error::UnsupportedPkAlgo` if algorithm is not Ed.
    /// Returns `Error::UnsupportedKdfAlgo` if algorithm is not BK.
    pub fn from_bytes(bytes: &[u8]) -> Result<Self> {
        let pkalg = bytes
            .get(0..2)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let kdfalg = bytes
            .get(2..4)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let kdfrounds_bytes = bytes.get(4..8).ok_or(Error::InvalidKeyLength)?;
        let kdfrounds = u32::from_be_bytes(
            kdfrounds_bytes
                .try_into()
                .map_err(|_e| Error::InvalidKeyLength)?,
        );
        let salt = bytes
            .get(8..24)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let checksum = bytes
            .get(24..32)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let keynum = bytes
            .get(32..40)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let seckey = Zeroizing::new(
            bytes
                .get(40..104)
                .ok_or(Error::InvalidKeyLength)?
                .try_into()
                .map_err(|_e| Error::InvalidKeyLength)?,
        );

        // Strict length check
        if bytes.len() != 104 {
            return Err(Error::InvalidKeyLength);
        }

        if pkalg != PKALG {
            return Err(Error::UnsupportedPkAlgo);
        }
        if kdfalg != KDFALG {
            return Err(Error::UnsupportedKdfAlgo);
        }

        Ok(Self {
            pkalg,
            kdfalg,
            kdfrounds,
            salt,
            checksum,
            keynum,
            seckey,
        })
    }

    /// Serialize `EncKey` to raw bytes.
    #[must_use]
    pub fn to_bytes(&self) -> Zeroizing<Vec<u8>> {
        let mut out = Zeroizing::new(Vec::with_capacity(104));
        out.extend_from_slice(&self.pkalg);
        out.extend_from_slice(&self.kdfalg);
        out.extend_from_slice(&self.kdfrounds.to_be_bytes());
        out.extend_from_slice(&self.salt);
        out.extend_from_slice(&self.checksum);
        out.extend_from_slice(&self.keynum);
        out.extend_from_slice(self.seckey.as_ref());
        out
    }
}

impl PubKey {
    /// Parse `PubKey` from bytes.
    ///
    /// # Errors
    ///
    /// Returns `Error::InvalidKeyLength` if byte length is incorrect.
    /// Returns `Error::UnsupportedPkAlgo` if algorithm is not Ed.
    pub fn from_bytes(bytes: &[u8]) -> Result<Self> {
        let pkalg = bytes
            .get(0..2)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let keynum = bytes
            .get(2..10)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let pubkey = bytes
            .get(10..42)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;

        if bytes.len() != 42 {
            return Err(Error::InvalidKeyLength);
        }

        if pkalg != PKALG {
            return Err(Error::UnsupportedPkAlgo);
        }

        Ok(Self {
            pkalg,
            keynum,
            pubkey,
        })
    }

    /// Serialize `PubKey` to bytes.
    #[must_use]
    pub fn to_bytes(&self) -> Vec<u8> {
        let mut out = Vec::with_capacity(42);
        out.extend_from_slice(&self.pkalg);
        out.extend_from_slice(&self.keynum);
        out.extend_from_slice(&self.pubkey);
        out
    }
}

impl Sig {
    /// Parse `Sig` from bytes.
    ///
    /// # Errors
    ///
    /// Returns `Error::InvalidKeyLength` if byte length is incorrect.
    /// Returns `Error::UnsupportedPkAlgo` if algorithm is not Ed.
    pub fn from_bytes(bytes: &[u8]) -> Result<Self> {
        let pkalg = bytes
            .get(0..2)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let keynum = bytes
            .get(2..10)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;
        let sig = bytes
            .get(10..74)
            .ok_or(Error::InvalidKeyLength)?
            .try_into()
            .map_err(|_e| Error::InvalidKeyLength)?;

        if bytes.len() != 74 {
            return Err(Error::InvalidKeyLength);
        }

        if pkalg != PKALG {
            return Err(Error::UnsupportedPkAlgo);
        }

        Ok(Self { pkalg, keynum, sig })
    }

    /// Serialize `Sig` to bytes.
    #[must_use]
    pub fn to_bytes(&self) -> Vec<u8> {
        let mut out = Vec::with_capacity(74);
        out.extend_from_slice(&self.pkalg);
        out.extend_from_slice(&self.keynum);
        out.extend_from_slice(&self.sig);
        out
    }
}

/// Parse a signify file from a stream.
///
/// Reads from `reader`, parses the OpenBSD-compatible format
/// (comment line + base64 line), and decodes the object using `parse_fn`.
///
/// # Errors
///
/// Returns `Error::Io` if file cannot be read.
/// Returns `Error::InvalidCommentHeader` if header is missing or malformed.
/// Returns `Error::InvalidSignatureUtf8` if base64 is invalid utf8.
/// Returns `Error::Base64Decode` if decoding fails.
/// Returns various errors from `parse_fn`.
pub fn parse_stream<F, R, T>(mut reader: R, parse_fn: F) -> Result<(T, Vec<u8>)>
where
    R: Read,
    F: Fn(&[u8]) -> Result<T>,
{
    // Bounded read for header (comment + base64).
    // Keys are small (104 bytes encoded ~ 140 bytes + comment).
    // Signatures are small (74 bytes encoded ~ 100 bytes + comment).
    // 4KB is generous.
    const HEADER_LIMIT: usize = 4096;
    let mut header_buf = vec![0_u8; HEADER_LIMIT];

    // Read up to HEADER_LIMIT.
    let mut total_read = 0;
    while total_read < HEADER_LIMIT {
        let n = reader
            .read(&mut header_buf[total_read..])
            .map_err(Error::Io)?;
        if n == 0 {
            break;
        }
        total_read = total_read.checked_add(n).ok_or(Error::Overflow)?;
    }
    header_buf.truncate(total_read);

    // Find first newline.
    let n1 = memchr(b'\n', &header_buf).ok_or(Error::InvalidCommentHeader)?;
    let header_bytes = &header_buf[..n1];

    // Strict verify prefix.
    let prefix = COMMENTHDR.as_bytes();
    if !header_bytes.starts_with(prefix) {
        return Err(Error::InvalidCommentHeader);
    }
    let comment = header_bytes[prefix.len()..].to_vec();

    let n2_start = n1.checked_add(1).ok_or(Error::Overflow)?;
    let n2 = memchr(b'\n', &header_buf[n2_start..])
        .unwrap_or_else(|| header_buf.len().saturating_sub(n2_start));

    let b64_start = n2_start;
    let b64_end = b64_start.checked_add(n2).ok_or(Error::Overflow)?;

    if b64_end > header_buf.len() {
        return Err(Error::InvalidCommentHeader);
    }

    let b64_bytes = &header_buf[b64_start..b64_end];

    // Base64 decode.
    let b64_str = str::from_utf8(b64_bytes).map_err(|_e| Error::InvalidSignatureUtf8)?;
    let decoded = Base64::decode_vec(b64_str.trim()).map_err(Error::Base64Decode)?;

    let obj = parse_fn(&decoded)?;
    Ok((obj, comment))
}

/// Parse a signify file.
///
/// Reads file at `path` (or stdin if "-"), parses the OpenBSD-compatible format
/// (comment line + base64 line), and decodes the object using `parse_fn`.
///
/// # Errors
///
/// Returns `Error::Io` if file cannot be read.
/// Returns `Error::InvalidCommentHeader` if header is missing or malformed.
/// Returns `Error::InvalidSignatureUtf8` if base64 is invalid utf8.
/// Returns `Error::Base64Decode` if decoding fails.
/// Returns various errors from `parse_fn`.
pub fn parse<T, F>(path: &Path, parse_fn: F) -> Result<(T, Vec<u8>)>
where
    F: Fn(&[u8]) -> Result<T>,
{
    let reader: Box<dyn Read> = if path.to_str() == Some("-") {
        Box::new(stdin())
    } else {
        Box::new(open(path, false)?)
    };

    parse_stream(reader, parse_fn)
}

/// Write a signify file to a stream.
///
/// Writes `comment` and base64-encoded `data` to `writer`.
///
/// # Errors
///
/// Returns `Error::Io` on write failure.
pub fn write_stream(mut writer: impl Write, comment: &[u8], data: &[u8]) -> Result<()> {
    let encoded = Base64::encode_string(data);

    let mut content = Vec::new();
    content.extend_from_slice(COMMENTHDR.as_bytes());
    content.extend_from_slice(comment);
    content.push(b'\n');
    content.extend_from_slice(encoded.as_bytes());
    content.push(b'\n');

    writer.write_all(&content).map_err(Error::Io)?;
    Ok(())
}

/// Write a signify file.
///
/// Writes `comment` and base64-encoded `data` to `path` (or stdout if "-").
///
/// # Errors
///
/// Returns `Error::Io` on file creation or write failure.
pub fn write(path: &Path, comment: &[u8], data: &[u8]) -> Result<()> {
    let writer: Box<dyn Write> = if path.to_str() == Some("-") {
        Box::new(stdout())
    } else {
        Box::new(open(path, true)?)
    };

    write_stream(writer, comment, data)
}

/// Open a file for read or write.
///
/// If `write` the file is created new with mode 600.
pub fn open(path: &Path, write: bool) -> Result<File> {
    if path.components().any(|p| p == Component::ParentDir) {
        return Err(Error::InvalidPath);
    }
    #[cfg(unix)]
    {
        safe_name(path)?;
    }
    #[cfg(target_os = "linux")]
    {
        safe_open(path, write)
    }
    #[cfg(not(target_os = "linux"))]
    {
        use std::fs::OpenOptions;

        let mut opts = OpenOptions::new();
        if write {
            opts.write(true).create_new(true);
            #[cfg(unix)]
            {
                use std::os::unix::fs::OpenOptionsExt;
                opts.mode(0o600);
            }
        } else {
            opts.read(true);
            #[cfg(unix)]
            {
                use nix::fcntl::OFlag;
                use std::os::unix::fs::OpenOptionsExt;
                opts.custom_flags(OFlag::O_NOFOLLOW.bits());
            }
        }

        opts.open(path).map_err(Error::Io)
    }
}

#[cfg(target_os = "linux")]
fn safe_open(path: &Path, write: bool) -> Result<File> {
    use nix::fcntl::{openat2, OFlag, OpenHow, ResolveFlag, AT_FDCWD};
    use nix::sys::stat::Mode;
    use std::os::fd::AsRawFd;

    let mut how = OpenHow::new()
        .resolve(ResolveFlag::RESOLVE_NO_SYMLINKS | ResolveFlag::RESOLVE_NO_MAGICLINKS);

    if write {
        // Exclusively create new file for write.
        how = how.flags(OFlag::O_WRONLY | OFlag::O_CREAT | OFlag::O_EXCL);
        how = how.mode(Mode::from_bits_truncate(0o600));
        return Ok(openat2(AT_FDCWD, path, how).map(File::from)?);
    }

    // Check for regular file.
    how = how.flags(OFlag::O_PATH | OFlag::O_NOFOLLOW);
    let file = openat2(AT_FDCWD, path, how).map(File::from)?;
    if !file.metadata()?.is_file() {
        return Err(Error::InvalidPath);
    }

    // Reopen using proc indirection.
    how = how.flags(OFlag::O_RDONLY).resolve(ResolveFlag::empty());
    let path = format!("/proc/thread-self/fd/{}", file.as_raw_fd());
    let file = openat2(AT_FDCWD, path.as_str(), how).map(File::from)?;

    Ok(file)
}

// Validates a filename based on David A. Wheeler's Safename Linux
// Security Module (LSM) rules.
#[cfg(unix)]
fn safe_name(path: &Path) -> Result<()> {
    use nix::errno::Errno;
    use std::os::unix::ffi::OsStrExt;

    let name = match path.file_name() {
        Some(name) => name.as_bytes(),
        None => return Err(Errno::EILSEQ.into()),
    };

    // Check the first byte.
    if !name
        .get(0)
        .map(|&b| is_permitted_initial(b))
        .unwrap_or(false)
    {
        return Err(Errno::EILSEQ.into());
    }

    // Check the last byte.
    let last = name.len().saturating_sub(1);
    if !name
        .get(last)
        .map(|&b| is_permitted_final(b))
        .unwrap_or(false)
    {
        return Err(Errno::EILSEQ.into());
    }

    // Check the middle bytes (if any).
    if last > 1 && !name[1..last].iter().all(|&b| is_permitted_middle(b)) {
        return Err(Errno::EILSEQ.into());
    }

    // Check if name is valid UTF-8.
    let name = std::str::from_utf8(name).or(Err(Errno::EILSEQ))?;

    // Check if first and last character is not whitespace.
    // This includes UTF-8 whitespace.
    if name
        .chars()
        .nth(0)
        .map(|c| c.is_whitespace())
        .unwrap_or(false)
    {
        return Err(Errno::EILSEQ.into());
    }
    if name
        .chars()
        .last()
        .map(|c| c.is_whitespace())
        .unwrap_or(false)
    {
        return Err(Errno::EILSEQ.into());
    }

    Ok(())
}

#[cfg(unix)]
fn is_permitted_initial(b: u8) -> bool {
    is_permitted_byte(b) && !matches!(b, b'-' | b' ' | b'~')
}

#[cfg(unix)]
fn is_permitted_middle(b: u8) -> bool {
    is_permitted_byte(b)
}

#[cfg(unix)]
fn is_permitted_final(b: u8) -> bool {
    is_permitted_byte(b) && b != b' '
}

#[cfg(unix)]
fn is_permitted_byte(b: u8) -> bool {
    match b {
        b'*' | b'?' | b'[' | b']' | b'"' | b'<' | b'>' | b'|' | b'(' | b')' | b'&' | b'\''
        | b'!' | b'\\' | b':' | b'{' | b'}' | b';' | b'$' | b'`' => false,
        0x20..=0x7E => true,
        0x80..=0xFE => true,
        _ => false,
    }
}

assert_eq_size!(EncKey, [u8; 104]);
assert_eq_size!(PubKey, [u8; 42]);
assert_eq_size!(Sig, [u8; 74]);

#[cfg(test)]
mod tests {
    use super::*;
    #[cfg(unix)]
    use std::ffi::OsStr;
    use std::fs::OpenOptions;
    #[cfg(unix)]
    use std::os::unix::ffi::OsStrExt;

    #[test]
    fn test_enckey_serialization() -> crate::error::Result<()> {
        let enc = EncKey {
            pkalg: PKALG,
            kdfalg: KDFALG,
            kdfrounds: 42,
            salt: [1u8; SALT_LEN],
            checksum: [2u8; CHECKSUM_LEN],
            keynum: [3u8; KEYNUMLEN],
            seckey: Zeroizing::new([4u8; 64]),
        };
        let bytes = enc.to_bytes();
        let enc2 = EncKey::from_bytes(&bytes)?;
        assert_eq!(enc.kdfrounds, enc2.kdfrounds);
        assert_eq!(enc.salt, enc2.salt);

        // Test invalid lengths.
        assert!(matches!(
            EncKey::from_bytes(&bytes[..103]),
            Err(Error::InvalidKeyLength)
        ));

        let mut long = bytes.clone();
        long.push(0);
        assert!(matches!(
            EncKey::from_bytes(&long),
            Err(Error::InvalidKeyLength)
        ));

        // Test bad PKALG.
        let mut bad_alg = bytes.clone();
        bad_alg[0] = b'X';
        assert!(matches!(
            EncKey::from_bytes(&bad_alg),
            Err(Error::UnsupportedPkAlgo)
        ));

        // Test bad KDFALG.
        let mut bad_kdf = bytes.clone();
        bad_kdf[2] = b'X';
        assert!(matches!(
            EncKey::from_bytes(&bad_kdf),
            Err(Error::UnsupportedKdfAlgo)
        ));

        Ok(())
    }

    #[test]
    fn test_pubkey_serialization() -> crate::error::Result<()> {
        let pubk = PubKey {
            pkalg: PKALG,
            keynum: [1u8; KEYNUMLEN],
            pubkey: [2u8; 32],
        };
        let bytes = pubk.to_bytes();
        let pubk2 = PubKey::from_bytes(&bytes)?;
        assert_eq!(pubk.keynum, pubk2.keynum);

        // Test invalid lengths.
        assert!(matches!(
            PubKey::from_bytes(&bytes[..41]),
            Err(Error::InvalidKeyLength)
        ));
        let mut long = bytes.clone();
        long.push(0);
        assert!(matches!(
            PubKey::from_bytes(&long),
            Err(Error::InvalidKeyLength)
        ));

        // Test bad PKALG.
        let mut bad_alg = bytes.clone();
        bad_alg[0] = b'X';
        assert!(matches!(
            PubKey::from_bytes(&bad_alg),
            Err(Error::UnsupportedPkAlgo)
        ));

        Ok(())
    }

    #[test]
    fn test_sig_serialization() -> crate::error::Result<()> {
        let sig = Sig {
            pkalg: PKALG,
            keynum: [1u8; KEYNUMLEN],
            sig: [0u8; 64],
        };
        let bytes = sig.to_bytes();
        let sig2 = Sig::from_bytes(&bytes)?;
        assert_eq!(sig.keynum, sig2.keynum);

        // Test invalid lengths.
        assert!(matches!(
            Sig::from_bytes(&bytes[..73]),
            Err(Error::InvalidKeyLength)
        ));

        let mut long = bytes.clone();
        long.push(0);
        assert!(matches!(
            Sig::from_bytes(&long),
            Err(Error::InvalidKeyLength)
        ));

        // Test bad PKALG.
        let mut bad_alg = bytes.clone();
        bad_alg[0] = b'X';
        assert!(matches!(
            Sig::from_bytes(&bad_alg),
            Err(Error::UnsupportedPkAlgo)
        ));

        Ok(())
    }

    #[test]
    #[cfg_attr(any(target_arch = "wasm32", target_arch = "wasm64"), ignore)]
    fn test_file_io() -> std::result::Result<(), Box<dyn std::error::Error>> {
        let dir = tempfile::tempdir()?;
        let path = dir.path().join("secret.key");
        let data = b"secret data";

        write(&path, b"mycomment", data)?;

        let (read_data, comment) = parse::<Vec<u8>, _>(&path, |b| Ok(b.to_vec()))?;
        assert_eq!(read_data, data);
        assert_eq!(comment, b"mycomment");

        // Test missing file.
        let missing = dir.path().join("missing");
        let result = parse::<Vec<u8>, _>(&missing, |_| Ok(vec![]));
        #[cfg(not(target_os = "linux"))]
        assert!(matches!(result, Err(Error::Io(_))));
        #[cfg(target_os = "linux")]
        assert!(matches!(result, Err(Error::Nix(_))));

        // Test invalid prefix.
        let bad_prefix = dir.path().join("bad_prefix");
        let mut f = OpenOptions::new()
            .write(true)
            .create_new(true)
            .open(&bad_prefix)?;
        f.write_all(b"invalid header\n")?;
        assert!(matches!(
            parse::<Vec<u8>, _>(&bad_prefix, |_| Ok(vec![])),
            Err(Error::InvalidCommentHeader)
        ));

        // Test missing newline.
        let no_newline = dir.path().join("no_newline");
        let mut f = OpenOptions::new()
            .write(true)
            .create_new(true)
            .open(&no_newline)?;
        f.write_all(b"untrusted comment: foo")?;
        assert!(matches!(
            parse::<Vec<u8>, _>(&no_newline, |_| Ok(vec![])),
            Err(Error::InvalidCommentHeader)
        ));

        // Test invalid base64 (not utf8).
        // Create valid structure first.
        // Overwrite base64 part with garbage.
        let bad_utf8 = dir.path().join("bad_utf8");
        write(&bad_utf8, b"comment", b"")?;
        let mut f = OpenOptions::new().write(true).open(&bad_utf8)?;
        f.write_all(b"untrusted comment: comment\n\xFF\xFF\n")?;
        assert!(matches!(
            parse::<Vec<u8>, _>(&bad_utf8, |_| Ok(vec![])),
            Err(Error::InvalidSignatureUtf8)
        ));

        Ok(())
    }

    #[test]
    #[cfg(unix)]
    fn test_open_symlink_fail() -> std::result::Result<(), Box<dyn std::error::Error>> {
        use std::os::unix::fs::symlink;
        let dir = tempfile::tempdir()?;
        let target = dir.path().join("target");
        let link = dir.path().join("link");

        std::fs::write(&target, b"target")?;
        symlink(&target, &link)?;

        // Opening a symlink should fail due to O_NOFOLLOW / RESOLVE_NO_SYMLINKS.
        assert!(open(&link, false).is_err());

        Ok(())
    }

    #[test]
    #[cfg(unix)]
    fn test_open_write_mode() -> std::result::Result<(), Box<dyn std::error::Error>> {
        use std::os::unix::fs::PermissionsExt;

        let dir = tempfile::tempdir()?;
        let path = dir.path().join("secret.key");

        let _f = open(&path, true)?;

        let metadata = std::fs::metadata(&path)?;
        let mode = metadata.permissions().mode();

        // Mode should be 0600.
        assert_eq!(mode & 0o777, 0o600);

        Ok(())
    }

    #[test]
    fn test_open_parent_dir_fail() {
        let path = Path::new("foo/../bar");
        assert!(matches!(open(path, false), Err(Error::InvalidPath)));
        assert!(matches!(open(path, true), Err(Error::InvalidPath)));
    }

    #[test]
    #[cfg(target_os = "linux")]
    fn test_safe_open_not_file_fail() -> std::result::Result<(), Box<dyn std::error::Error>> {
        let dir = tempfile::tempdir()?;
        let path = dir.path();

        // Opening a directory should fail.
        assert!(matches!(open(path, false), Err(Error::InvalidPath)));

        Ok(())
    }

    #[test]
    #[cfg(target_os = "linux")]
    fn test_open_magiclink_fail() {
        let path = Path::new("/proc/self/root");
        assert!(matches!(
            open(path, false),
            Err(Error::Nix(nix::errno::Errno::ELOOP))
        ));
    }

    #[test]
    #[cfg(target_os = "linux")]
    fn test_open_char_device_fail() {
        let path = Path::new("/dev/null");
        assert!(matches!(open(path, false), Err(Error::InvalidPath)));
    }

    #[test]
    #[cfg(target_os = "linux")]
    fn test_open_fifo_fail() -> std::result::Result<(), Box<dyn std::error::Error>> {
        use nix::sys::stat::Mode;
        use nix::unistd::mkfifo;

        let dir = tempfile::tempdir()?;
        let path = dir.path().join("test.fifo");

        mkfifo(&path, Mode::S_IRUSR | Mode::S_IWUSR)?;

        // FIFO is not a file.
        assert!(matches!(open(&path, false), Err(Error::InvalidPath)));

        Ok(())
    }

    #[test]
    #[cfg(target_os = "linux")]
    fn test_open_socket_fail() -> std::result::Result<(), Box<dyn std::error::Error>> {
        use std::os::unix::net::UnixListener;

        let dir = tempfile::tempdir()?;
        let path = dir.path().join("test.sock");

        let _listener = UnixListener::bind(&path)?;

        // Socket is not a file.
        assert!(matches!(open(&path, false), Err(Error::InvalidPath)));

        Ok(())
    }

    #[test]
    #[cfg(unix)]
    fn test_check_name_valid() {
        let valid_filenames = [
            "valid_filename.txt",
            "hello_world",
            "File123",
            "Makefile",
            "こんにちは", // Japanese characters
            "文件",       // Chinese characters
            "emoji😀",    // Starts with permitted character
            "valid~name", // '~' allowed in middle
            "name~",      // '~' allowed at end
            "a",
            "normal",
            "test-file",
            "test_file",
            "file name",
            "file☃name",    // Snowman character
            "name\u{0080}", // Contains 0x80 (allowed)
            "name\u{00FE}", // Contains 0xFE (allowed)
            "😀name",       // Multi-byte character at start
            "name😀",       // Multi-byte character at end
            "😀",           // Single multi-byte character
            "name😀name",   // Multi-byte character in middle
            "na~me",        // '~' allowed in middle
            "name-",        // Hyphen at end (allowed)
            "name_",        // Underscore at end (allowed)
            "name.",        // Period at end (allowed)
            "a\u{0020}b",   // SPACE in the middle (allowed)
            "a\u{00A0}b",   // NO-BREAK SPACE in the middle (allowed)
            "a\u{1680}b",   // OGHAM SPACE MARK in the middle (allowed)
            "a\u{2007}b",   // FIGURE SPACE in the middle (allowed)
            "a\u{202F}b",   // NARROW NO-BREAK SPACE in the middle (allowed)
            "a\u{3000}b",   // IDEOGRAPHIC SPACE in the middle (allowed)
        ];

        for (idx, name) in valid_filenames.iter().enumerate() {
            assert!(
                safe_name(Path::new(name)).is_ok(),
                "Filename {idx} '{name}' should be valid"
            );
        }
    }

    #[test]
    #[cfg(unix)]
    fn test_check_name_invalid() {
        let invalid_filenames: &[&[u8]] = &[
            b"",                             // Empty filename
            b"-",                            // Starts with '-'
            b"*",                            // Starts with '*'
            b"?",                            // Starts with '?'
            b"!",                            // Starts with '!'
            b"$",                            // Starts with '$'
            b"`",                            // Starts with '`'
            b" -",                           // Starts with space
            b"~home",                        // Starts with '~'
            b"*home",                        // Starts with '*'
            b"?home",                        // Starts with '?'
            b"!home",                        // Starts with '!'
            b"$home",                        // Starts with '$'
            b"`home",                        // Starts with '`'
            b"file ",                        // Ends with space
            b"file*",                        // Ends with '*'
            b"file?",                        // Ends with '?'
            b"file!",                        // Ends with '!'
            b"file$",                        // Ends with '$'
            b"file`",                        // Ends with '`'
            b"bad*name",                     // Contains '*'
            b"bad?name",                     // Contains '?'
            b"bad!name",                     // Contains '!'
            b"bad$name",                     // Contains '$'
            b"bad`name",                     // Contains '`'
            b"bad\nname",                    // Contains newline
            b"\0",                           // Null byte
            b"bad\0name",                    // Contains null byte
            b"bad\x7Fname",                  // Contains delete character
            b"bad\xFFname",                  // Contains 0xFF
            b"\x1Fcontrol",                  // Starts with control character
            b"name\x1F",                     // Ends with control character
            b"name\x7F",                     // Ends with delete character
            b"name\xFF",                     // Ends with 0xFF
            b"name ",                        // Ends with space
            b"-name",                        // Starts with '-'
            b" name",                        // Starts with space
            b"~name",                        // Starts with '~'
            b"*name",                        // Starts with '*'
            b"?name",                        // Starts with '?'
            b"!name",                        // Starts with '!'
            b"$name",                        // Starts with '$'
            b"`name",                        // Starts with '`'
            b"name\x19",                     // Contains control character
            b"name\n",                       // Ends with newline
            b"\nname",                       // Starts with newline
            b"na\nme",                       // Contains newline
            b"name\t",                       // Contains tab
            b"name\r",                       // Contains carriage return
            b"name\x1B",                     // Contains escape character
            b"name\x00",                     // Contains null byte
            b"name\x7F",                     // Contains delete character
            b"name\xFF",                     // Contains 0xFF (disallowed)
            b"\xFF",                         // Single byte 0xFF
            b"name\x80\xFF",                 // Contains valid and invalid extended ASCII
            b"name\xC0\xAF",                 // Invalid UTF-8 sequence
            b"\xF0\x28\x8C\xBC",             // Invalid UTF-8 sequence
            b"\xF0\x90\x28\xBC",             // Invalid UTF-8 sequence
            b"\xF0\x28\x8C\x28",             // Invalid UTF-8 sequence
            b"name\xFFname",                 // Contains 0xFF
            b"name\xC3\x28",                 // Invalid UTF-8 sequence
            b"name\xA0\xA1",                 // Invalid UTF-8 sequence
            b"\xE2\x28\xA1",                 // Invalid UTF-8 sequence
            b"\xE2\x82\x28",                 // Invalid UTF-8 sequence
            b"\xF0\x28\x8C\xBC",             // Invalid UTF-8 sequence
            b"\xF0\x90\x28\xBC",             // Invalid UTF-8 sequence
            b"\xF0\x28\x8C\x28",             // Invalid UTF-8 sequence
            b"\xC2\xA0",                     // Non-breaking space
            b"\x20file",                     // leading SPACE U+0020
            b"file\x20",                     // trailing SPACE U+0020
            b"\xC2\xA0file",                 // leading NO-BREAK SPACE U+00A0
            b"file\xE3\x80\x80",             // trailing IDEOGRAPHIC SPACE U+3000
            b"\xE2\x80\xAFfile",             // leading NARROW NO-BREAK SPACE U+202F
            b"\xE2\x81\x9Ffile\xE2\x81\x9F", // both sides MEDIUM MATHEMATICAL SPACE U+205F
        ];

        for (idx, name) in invalid_filenames.iter().enumerate() {
            assert!(
                safe_name(Path::new(OsStr::from_bytes(name))).is_err(),
                "Filename {idx} '{name:?}' should not be valid"
            );
        }
    }

    #[test]
    #[cfg(unix)]
    fn test_check_name_control_characters() {
        for b in 0x00..=0x1F {
            if let Some(c) = char::from_u32(b as u32) {
                let name = format!("name{c}char");
                assert!(
                    safe_name(Path::new(&name)).is_err(),
                    "Filename with control character '\\x{b:02X}' should be invalid",
                );
            }
        }
    }

    #[test]
    #[cfg(unix)]
    fn test_check_name_extended_ascii_characters() {
        for b in 0x80..=0xFE {
            if b == 0xFF {
                continue; // 0xFF is disallowed.
            }
            let mut bytes = b"name".to_vec();
            bytes.push(b);
            bytes.extend_from_slice(b"char");
            let name = OsStr::from_bytes(&bytes);
            let name = Path::new(name);
            let result = safe_name(name);
            if std::str::from_utf8(&bytes).is_ok() {
                assert!(result.is_ok(), "Filename with byte 0x{b:X} should be valid",);
            } else {
                assert!(
                    result.is_err(),
                    "Filename with invalid UTF-8 byte 0x{b:X} should be invalid",
                );
            }
        }
    }

    #[test]
    #[cfg(unix)]
    fn test_check_name_edge_cases() {
        // Filenames with length 1
        let valid_single_chars = [
            "a", "b", "Z", "9", "_", "😀", // Valid multi-byte character
        ];

        for (idx, name) in valid_single_chars.iter().enumerate() {
            assert!(
                safe_name(Path::new(name)).is_ok(),
                "Single-character filename {idx} '{name}' should be valid",
            );
        }

        let invalid_single_chars: &[&[u8]] = &[
            b".",            // '.'
            b"-",            // '-'
            b" ",            // Space character
            b"~",            // Tilde character
            b"*",            // Starts with '*'
            b"?",            // Starts with '?'
            b"\n",           // Newline character
            b"\r",           // Newline character
            b"\x7F",         // Delete character
            b"\x1F",         // Control character
            b"\xFF",         // 0xFF disallowed
            b"\0",           // Null byte
            b"\xC2\xA0",     // Non-breaking space
            b"\x20",         // SPACE U+0020
            b"\xC2\xA0",     // NO-BREAK SPACE U+00A0
            b"\xE1\x9A\x80", // OGHAM SPACE MARK U+1680
            b"\xE2\x80\x87", // FIGURE SPACE U+2007
            b"\xE2\x80\xAF", // NARROW NO-BREAK SPACE U+202F
            b"\xE3\x80\x80", // IDEOGRAPHIC SPACE U+3000
        ];

        for (idx, name) in invalid_single_chars.iter().enumerate() {
            assert!(
                safe_name(Path::new(OsStr::from_bytes(name))).is_err(),
                "Single-character filename {idx} '{name:?}' should be invalid",
            );
        }
    }
}