Skip to main content

peat_protocol/security/
mod.rs

1//! # Security Module - Device Authentication (PKI) for Peat Protocol
2//!
3//! Implements ADR-006 Layer 1: Device Identity and Authentication.
4//!
5//! ## Overview
6//!
7//! This module provides cryptographic device authentication using Ed25519 signatures.
8//! Every device has a keypair that proves its identity through challenge-response.
9//!
10//! ## Key Types
11//!
12//! - [`DeviceId`] - Unique identifier derived from Ed25519 public key
13//! - [`DeviceKeypair`] - Ed25519 keypair for signing and identity
14//! - [`DeviceAuthenticator`] - Manages challenge-response authentication
15//!
16//! ## Usage
17//!
18//! ```ignore
19//! use peat_protocol::security::{DeviceKeypair, DeviceAuthenticator, DeviceId};
20//!
21//! // Generate a new device identity
22//! let keypair = DeviceKeypair::generate();
23//! let device_id = keypair.device_id();
24//!
25//! // Create authenticator
26//! let authenticator = DeviceAuthenticator::new(keypair);
27//!
28//! // Generate challenge for peer
29//! let challenge = authenticator.generate_challenge();
30//!
31//! // Respond to challenge (peer side)
32//! let response = peer_authenticator.respond_to_challenge(&challenge)?;
33//!
34//! // Verify peer response
35//! let peer_id = authenticator.verify_response(&response)?;
36//! ```
37
38// Re-export stub submodules (generic primitives now live in peat-mesh)
39mod callsign;
40mod device_id;
41mod encryption;
42mod error;
43mod formation_key;
44mod keypair;
45
46// Peat-specific security modules (depend on peat-schema / domain types)
47mod audit;
48mod auth_state;
49mod authenticator;
50mod authorization;
51mod membership;
52mod transport;
53mod user_auth;
54
55// --- Generic security primitives re-exported from peat-mesh ---
56
57pub use peat_mesh::security::{
58    // Callsign generation
59    CallsignError,
60    CallsignGenerator,
61    // Device identity
62    DeviceId,
63    DeviceKeypair,
64    // Encryption
65    EncryptedCellMessage,
66    EncryptedData,
67    EncryptedDocument,
68    EncryptionKeypair,
69    EncryptionManager,
70    // Formation key authentication
71    FormationAuthResult,
72    FormationChallenge,
73    FormationChallengeResponse,
74    FormationKey,
75    GroupKey,
76    SecureChannel,
77    SecurityError,
78    SymmetricKey,
79    // Module-level constants
80    CHALLENGE_NONCE_SIZE,
81    DEFAULT_CHALLENGE_TIMEOUT_SECS,
82    // Formation constants
83    FORMATION_CHALLENGE_SIZE,
84    FORMATION_RESPONSE_SIZE,
85    // Constants
86    MAX_CALLSIGN_LENGTH,
87    NATO_ALPHABET,
88    // Encryption constants
89    NONCE_SIZE,
90    PUBLIC_KEY_SIZE,
91    SIGNATURE_SIZE,
92    SYMMETRIC_KEY_SIZE,
93    TOTAL_CALLSIGNS,
94    X25519_PUBLIC_KEY_SIZE,
95};
96
97// --- Peat-specific exports ---
98
99pub use audit::{
100    AuditEventType, AuditLogEntry, AuditLogger, FileAuditLogger, MemoryAuditLogger,
101    NullAuditLogger, SecurityViolation,
102};
103pub use authenticator::{DeviceAuthenticator, VerifiedPeer};
104pub use authorization::{
105    AuthenticatedEntity, AuthorizationContext, AuthorizationController, AuthorizationPolicy,
106    CellMembershipContext, DeviceIdentityInfo, DeviceType, HierarchyLevel, Permission, Role,
107    UserIdentityInfo,
108};
109pub use transport::{AuthenticatedConnection, AuthenticationChannel, SecureMeshTransport};
110pub use user_auth::{
111    AccountStatus, AuthMethod, Credential, LocalUserStore, MilitaryRank, OrganizationUnit,
112    SecurityClearance, SessionId, UserAuthenticator, UserIdentity, UserIdentityBuilder, UserRecord,
113    UserSession, UserStore,
114};
115
116// Membership certificates (ADR-048: Tactical Trust)
117pub use membership::{
118    CertificateRegistry, MemberPermissions, MembershipCertificate, CERTIFICATE_BASE_SIZE,
119    MAX_CALLSIGN_LEN, MESH_ID_LEN,
120};
121
122// Auth state tracking (ADR-048: Graceful Degradation)
123pub use auth_state::{
124    AuthConfig, AuthStateEvent, AuthStateMonitor, AuthStateTracker, CertificateState,
125};
126
127// Re-export protobuf types for convenience
128pub use peat_schema::security::v1::{
129    Challenge, DeviceIdentity, DeviceType as ProtoDeviceType,
130    HierarchyLevel as ProtoHierarchyLevel, SecurityError as ProtoSecurityError, SignedBeacon,
131    SignedChallengeResponse,
132};
133
134// Integration with main crate error type (moved from error.rs)
135impl From<peat_mesh::security::SecurityError> for crate::Error {
136    fn from(err: peat_mesh::security::SecurityError) -> Self {
137        crate::Error::Security(err.to_string())
138    }
139}
140
141#[cfg(test)]
142mod tests {
143    use super::*;
144
145    #[test]
146    fn test_module_exports() {
147        // Verify all public types are accessible
148        let _: fn() -> DeviceKeypair = DeviceKeypair::generate;
149    }
150}