shield_core/
rotation.rs

1//! Key rotation with version tagging.
2//!
3//! Manages multiple key versions for seamless rotation.
4
5// Crypto block counters are intentionally u32 - data >4GB would have other issues
6#![allow(clippy::cast_possible_truncation)]
7
8use ring::hmac;
9use ring::rand::{SecureRandom, SystemRandom};
10use std::collections::HashMap;
11use subtle::ConstantTimeEq;
12
13use crate::error::{Result, ShieldError};
14
15/// Key rotation manager.
16pub struct KeyRotationManager {
17    keys: HashMap<u32, [u8; 32]>,
18    current_version: u32,
19}
20
21impl KeyRotationManager {
22    /// Create new manager with initial key.
23    #[must_use]
24    pub fn new(key: [u8; 32], version: u32) -> Self {
25        let mut keys = HashMap::new();
26        keys.insert(version, key);
27
28        Self {
29            keys,
30            current_version: version,
31        }
32    }
33
34    /// Get current key version.
35    #[must_use]
36    pub fn current_version(&self) -> u32 {
37        self.current_version
38    }
39
40    /// Get all available versions.
41    #[must_use]
42    pub fn versions(&self) -> Vec<u32> {
43        let mut v: Vec<u32> = self.keys.keys().copied().collect();
44        v.sort_unstable();
45        v
46    }
47
48    /// Add a historical key.
49    pub fn add_key(&mut self, key: [u8; 32], version: u32) -> Result<()> {
50        if self.keys.contains_key(&version) {
51            return Err(ShieldError::VersionExists(version));
52        }
53        self.keys.insert(version, key);
54        Ok(())
55    }
56
57    /// Rotate to new key.
58    pub fn rotate(&mut self, new_key: [u8; 32], new_version: Option<u32>) -> Result<u32> {
59        let version = new_version.unwrap_or(self.current_version + 1);
60        if version <= self.current_version {
61            return Err(ShieldError::InvalidVersion);
62        }
63
64        self.keys.insert(version, new_key);
65        self.current_version = version;
66        Ok(version)
67    }
68
69    /// Encrypt with current key.
70    ///
71    /// Format: version(4) || nonce(16) || ciphertext || mac(16)
72    pub fn encrypt(&self, plaintext: &[u8]) -> Result<Vec<u8>> {
73        let key = self.keys.get(&self.current_version).unwrap();
74        let rng = SystemRandom::new();
75
76        let mut nonce = [0u8; 16];
77        rng.fill(&mut nonce)
78            .map_err(|_| ShieldError::RandomFailed)?;
79
80        // Generate keystream
81        let keystream = generate_keystream(key, &nonce, plaintext.len());
82        let ciphertext: Vec<u8> = plaintext
83            .iter()
84            .zip(keystream.iter())
85            .map(|(p, k)| p ^ k)
86            .collect();
87
88        // Version bytes
89        let version_bytes = self.current_version.to_le_bytes();
90
91        // HMAC over version || nonce || ciphertext
92        let hmac_key = hmac::Key::new(hmac::HMAC_SHA256, key);
93        let mut hmac_data = Vec::with_capacity(4 + 16 + ciphertext.len());
94        hmac_data.extend_from_slice(&version_bytes);
95        hmac_data.extend_from_slice(&nonce);
96        hmac_data.extend_from_slice(&ciphertext);
97        let tag = hmac::sign(&hmac_key, &hmac_data);
98
99        // Result: version || nonce || ciphertext || mac
100        let mut result = Vec::with_capacity(4 + 16 + ciphertext.len() + 16);
101        result.extend_from_slice(&version_bytes);
102        result.extend_from_slice(&nonce);
103        result.extend_from_slice(&ciphertext);
104        result.extend_from_slice(&tag.as_ref()[..16]);
105
106        Ok(result)
107    }
108
109    /// Decrypt with appropriate key version.
110    pub fn decrypt(&self, encrypted: &[u8]) -> Result<Vec<u8>> {
111        if encrypted.len() < 36 {
112            return Err(ShieldError::CiphertextTooShort {
113                expected: 36,
114                actual: encrypted.len(),
115            });
116        }
117
118        // Parse components
119        let version = u32::from_le_bytes(encrypted[..4].try_into().unwrap());
120        let nonce = &encrypted[4..20];
121        let ciphertext = &encrypted[20..encrypted.len() - 16];
122        let mac = &encrypted[encrypted.len() - 16..];
123
124        // Get key for version
125        let key = self
126            .keys
127            .get(&version)
128            .ok_or(ShieldError::UnknownVersion(version))?;
129
130        // Verify MAC
131        let hmac_key = hmac::Key::new(hmac::HMAC_SHA256, key);
132        let expected_tag = hmac::sign(&hmac_key, &encrypted[..encrypted.len() - 16]);
133
134        if mac.ct_eq(&expected_tag.as_ref()[..16]).unwrap_u8() != 1 {
135            return Err(ShieldError::AuthenticationFailed);
136        }
137
138        // Decrypt
139        let keystream = generate_keystream(key, nonce, ciphertext.len());
140        let plaintext: Vec<u8> = ciphertext
141            .iter()
142            .zip(keystream.iter())
143            .map(|(c, k)| c ^ k)
144            .collect();
145
146        Ok(plaintext)
147    }
148
149    /// Prune old keys, keeping specified number of most recent.
150    pub fn prune_old_keys(&mut self, keep_versions: usize) -> Vec<u32> {
151        let mut versions = self.versions();
152        versions.reverse(); // Most recent first
153
154        let mut to_keep: std::collections::HashSet<u32> =
155            versions.iter().take(keep_versions).copied().collect();
156        to_keep.insert(self.current_version);
157
158        let mut pruned = Vec::new();
159        for v in self.keys.keys().copied().collect::<Vec<_>>() {
160            if !to_keep.contains(&v) {
161                self.keys.remove(&v);
162                pruned.push(v);
163            }
164        }
165
166        pruned
167    }
168
169    /// Re-encrypt data with current key.
170    pub fn re_encrypt(&self, encrypted: &[u8]) -> Result<Vec<u8>> {
171        let plaintext = self.decrypt(encrypted)?;
172        self.encrypt(&plaintext)
173    }
174}
175
176/// Generate keystream using SHA256.
177fn generate_keystream(key: &[u8], nonce: &[u8], length: usize) -> Vec<u8> {
178    let mut keystream = Vec::with_capacity(length.div_ceil(32) * 32);
179    let num_blocks = length.div_ceil(32);
180
181    for i in 0..num_blocks {
182        let counter = (i as u32).to_le_bytes();
183        let mut data = Vec::with_capacity(key.len() + nonce.len() + 4);
184        data.extend_from_slice(key);
185        data.extend_from_slice(nonce);
186        data.extend_from_slice(&counter);
187
188        let hash = ring::digest::digest(&ring::digest::SHA256, &data);
189        keystream.extend_from_slice(hash.as_ref());
190    }
191
192    keystream.truncate(length);
193    keystream
194}
195
196#[cfg(test)]
197mod tests {
198    use super::*;
199
200    #[test]
201    fn test_encrypt_decrypt() {
202        let key = [42u8; 32];
203        let manager = KeyRotationManager::new(key, 1);
204        let plaintext = b"Hello, Rotation!";
205
206        let encrypted = manager.encrypt(plaintext).unwrap();
207        let decrypted = manager.decrypt(&encrypted).unwrap();
208
209        assert_eq!(plaintext.as_slice(), decrypted.as_slice());
210    }
211
212    #[test]
213    fn test_version_embedded() {
214        let key = [42u8; 32];
215        let manager = KeyRotationManager::new(key, 5);
216        let encrypted = manager.encrypt(b"test").unwrap();
217
218        let version = u32::from_le_bytes(encrypted[..4].try_into().unwrap());
219        assert_eq!(version, 5);
220    }
221
222    #[test]
223    fn test_rotate() {
224        let key1 = [1u8; 32];
225        let mut manager = KeyRotationManager::new(key1, 1);
226        let encrypted1 = manager.encrypt(b"message 1").unwrap();
227
228        let key2 = [2u8; 32];
229        manager.rotate(key2, None).unwrap();
230        assert_eq!(manager.current_version(), 2);
231
232        let encrypted2 = manager.encrypt(b"message 2").unwrap();
233
234        // Both decrypt
235        assert_eq!(manager.decrypt(&encrypted1).unwrap(), b"message 1");
236        assert_eq!(manager.decrypt(&encrypted2).unwrap(), b"message 2");
237    }
238
239    #[test]
240    fn test_prune_old_keys() {
241        let mut manager = KeyRotationManager::new([1u8; 32], 1);
242        manager.rotate([2u8; 32], None).unwrap();
243        manager.rotate([3u8; 32], None).unwrap();
244        manager.rotate([4u8; 32], None).unwrap();
245
246        let encrypted = manager.encrypt(b"test").unwrap();
247        let pruned = manager.prune_old_keys(2);
248
249        assert!(!pruned.is_empty());
250        assert_eq!(manager.decrypt(&encrypted).unwrap(), b"test");
251    }
252
253    #[test]
254    fn test_re_encrypt() {
255        let mut manager = KeyRotationManager::new([1u8; 32], 1);
256        let encrypted = manager.encrypt(b"original").unwrap();
257
258        manager.rotate([2u8; 32], None).unwrap();
259        let re_encrypted = manager.re_encrypt(&encrypted).unwrap();
260
261        let version = u32::from_le_bytes(re_encrypted[..4].try_into().unwrap());
262        assert_eq!(version, 2);
263        assert_eq!(manager.decrypt(&re_encrypted).unwrap(), b"original");
264    }
265
266    #[test]
267    fn test_unknown_version() {
268        let manager = KeyRotationManager::new([1u8; 32], 1);
269        let mut encrypted = manager.encrypt(b"test").unwrap();
270
271        // Corrupt version
272        encrypted[0] = 99;
273        assert!(manager.decrypt(&encrypted).is_err());
274    }
275}
shield_core/rotation.rs

shield_core/
rotation.rs
