secure_gate/encoding/mod.rs
1//! Encoding utilities for secure handling of encoded secret data.
2//!
3//! This module provides validated string wrappers for various encoding formats
4//! commonly used with cryptographic secrets. Each wrapper ensures the contained
5//! string is valid for its encoding format and provides secure decoding methods.
6//!
7//! The wrappers are designed to prevent accidental leakage of sensitive data:
8//! - Input validation with secure zeroization of invalid inputs
9//! - Controlled access to decoded bytes through explicit methods
10//! - Constant-time equality comparison (when `ct-eq` feature is enabled)
11//! - Debug redaction to prevent accidental logging of secrets
12//!
13//! # Available Encodings
14//!
15//! - **Hex**: Lowercase hexadecimal strings via `hex` module
16//! - **Base64**: URL-safe base64 (no padding) via `base64` module
17//! - **Bech32/Bech32m**: Human-readable encoded strings via `bech32` module
18//!
19//! # Security Features
20//!
21//! All encoding wrappers implement secure practices:
22//! - **Security**: Invalid inputs are only zeroized when the `zeroize` feature is enabled.
23//! Without `zeroize`, rejected secrets may remain in memory until normal drop.
24//! - Constant-time equality prevents timing attacks (with `ct-eq`)
25//! - Memory is securely zeroized when wrappers are dropped
26//! - Debug output shows `[REDACTED]` to prevent accidental exposure
27
28// Allow unsafe_code when zeroize is enabled (not needed here, but consistent)
29// but forbid it when none of the encoding features are enabled
30#![cfg_attr(
31 not(any(feature = "encoding-hex", feature = "encoding-base64")),
32 forbid(unsafe_code)
33)]
34
35#[cfg(feature = "encoding-hex")]
36pub mod hex;
37
38#[cfg(feature = "encoding-base64")]
39pub mod base64;
40
41#[cfg(feature = "encoding-bech32")]
42pub mod bech32;
43
44pub mod extensions;