Skip to main content

Module bech32m

secure_gate::traits::encoding

Module bech32m 

Source
Expand description

Bech32m encoding trait.

Import path: use secure_gate::ToBech32m;

This trait provides secure, explicit encoding of byte data to Bech32m strings (BIP-350 checksum) with a specified HRP. Designed for intentional export.

Requires the encoding-bech32m feature.

§Security Notes

  • BIP-350 variant: Enhanced checksum vs. BIP-173 Bech32 — use Bech32m for Taproot, SegWit v1+, and modern address formats.
  • Full secret exposure: The resulting string contains the entire secret. Always treat output as sensitive.
  • Zeroizing variants: Prefer try_to_bech32m_zeroizing, which returns [EncodedSecret] (wrapping Zeroizing<String> with redacted Debug) when the encoded form remains sensitive.
  • Audit visibility: Direct wrapper calls (key.try_to_bech32m(...)) do not appear in grep expose_secret / grep with_secret audit sweeps. For audit-first teams or multi-step operations, prefer with_secret(|b| b.try_to_bech32m(...)) — the borrow checker enforces the reference cannot escape the closure.
  • HRP: pass the intended human-readable part to try_to_bech32m; test empty and invalid HRP inputs in security-critical code.
  • Standard BIP-350 payload limit (~90 bytes): intentionally kept at spec compliance for interoperability with Bitcoin Taproot/SegWit v1+ tooling. For non-address use cases with large payloads (age-style encryption recipients, ciphertexts), use ToBech32 / FromBech32Str which use the extended Bech32Large variant (~5 KB (5,115 bytes maximum payload)).
  • Treat all input as untrusted: validate data upstream before wrapping.

§Example

use secure_gate::{Fixed, ToBech32m, RevealSecret};

let secret = Fixed::new([0x00u8, 0x01]);

// Use try_to_bech32m — the sole encoding API:
let encoded = secret.with_secret(|s| s.try_to_bech32m("key")).unwrap();
assert!(encoded.starts_with("key1"));

// Zeroizing variant for sensitive encoded output:
let encoded_z = secret.try_to_bech32m_zeroizing("key")?;
assert!(encoded_z.starts_with("key1"));
// encoded_z is EncodedSecret — zeroized on drop, redacted Debug

Traits§

ToBech32m
Extension trait for encoding byte data as Bech32m (BIP-350) strings.