Expand description
Credential bundle encryption and relay upload/download for shunt push / shunt login.
Security model:
- Transfer code = 9 random bytes encoded as 18 hex chars, prefixed with “SH-”
- Encryption key = SHA-256(code) — 32 bytes, never sent to the relay
- Cipher: AES-256-GCM with a random 12-byte nonce
- Wire payload = base64(nonce_12B ‖ ciphertext_with_tag)
- Relay stores only ciphertext; bundle is deleted after first download
Structs§
Functions§
- decrypt_
bundle - Decrypt a base64-encoded payload into a
SyncBundle. - decrypt_
bytes - Decrypt a base64 payload into bytes using the given code.
- encrypt_
bundle - Encrypt a
SyncBundleand return a base64-encoded payload string. - encrypt_
bytes - Encrypt arbitrary bytes with the given code; returns a base64 payload string.
Uses the same AES-256-GCM scheme as
encrypt_bundle. - generate_
code - Generate a random transfer code like
SH-a3f2b1c4d5e6f7a8b9. - generate_
remote_ code - Generate a random remote-watch code like
RM-a3f2b1c4d5e6f7a8b9. - pull_
from_ relay - Download and delete the encrypted payload for the given code from the relay. Returns the base64 payload string.
- push_
to_ relay - Upload an encrypted payload to the relay under the given code.
- validate_
code - Validate that a code looks like what we generated.
- validate_
remote_ code - Validate that a remote-watch code looks like what we generated.