void_core/crypto/

reader.rs

//! CommitReader: encapsulates the commit->metadata->shard key derivation chain.
//!
//! This is the void-core version that adds void-core-specific methods:
//! - `collect_ancestor_content_keys()` -- needs ObjectStore + Commit types
//!
//! Low-level crypto primitives are delegated to `void-crypto`.

use crate::cid::ToVoidCid;
use crate::store::ObjectStoreExt;
use crate::{Result, VoidError};
use void_crypto::{
    ContentKey, EncryptedCommit, EncryptedMetadata, EncryptedRepoManifest,
    EncryptedShard, KeyVault,
};

/// Decrypted shard bytes (zstd-compressed body + optional padding).
///
/// The result of decrypting an `EncryptedShard`. Use `decompress()` to get
/// a `ShardBody` for manifest-driven file access.
#[derive(Debug, Clone)]
pub struct DecryptedShard(Vec<u8>);

impl DecryptedShard {
    /// Decompress the body into a `ShardBody` for manifest-driven file access
    /// via `ShardBody::read_file(&ManifestEntry)`.
    pub fn decompress(self) -> Result<crate::shard::ShardBody> {
        crate::shard::decompress_shard_body(self.0)
    }

    /// Access the raw bytes.
    pub fn as_bytes(&self) -> &[u8] {
        &self.0
    }

    /// Consume into the inner bytes.
    pub fn into_bytes(self) -> Vec<u8> {
        self.0
    }

    /// Get the byte length.
    pub fn len(&self) -> usize {
        self.0.len()
    }

    /// Check if empty.
    pub fn is_empty(&self) -> bool {
        self.0.is_empty()
    }
}

/// Decrypted commit plaintext bytes.
///
/// This newtype wraps the raw bytes returned by `CommitReader::open_with_vault()`
/// and provides a typed `parse()` method to deserialize into a `Commit`.
/// Prevents accidentally passing arbitrary `Vec<u8>` to `parse_commit()`.
#[derive(Debug, Clone)]
pub struct CommitPlaintext(Vec<u8>);

impl CommitPlaintext {
    /// Parse the plaintext bytes into a `Commit`.
    pub fn parse(&self) -> Result<crate::metadata::Commit> {
        crate::metadata::parse_commit(&self.0)
    }

    /// Access the raw bytes.
    pub fn as_bytes(&self) -> &[u8] {
        &self.0
    }
}

/// Encapsulates the key derivation chain for reading a commit's objects.
///
/// Created by decrypting a commit blob, which extracts the envelope nonce
/// and derives the content key. The content key is then used to decrypt
/// metadata and shards.
pub struct CommitReader {
    content_key: ContentKey,
}

impl CommitReader {
    /// Create a CommitReader from a share key (for share-based unseal).
    ///
    /// In share-based unseal the derived key serves directly as the
    /// content key — there is no commit envelope involved.
    pub fn from_share_key(key: void_crypto::ShareKey) -> Self {
        let crypto_reader = void_crypto::CommitReader::from_share_key(key);
        Self {
            content_key: crypto_reader.into_parts(),
        }
    }

    /// Create a CommitReader from a content key directly (for scoped-key clone).
    ///
    /// Used when cloning from a published repo with `--content-key`. The content
    /// key is the only key available -- no root key exists in scoped mode.
    pub fn from_content_key(content_key: ContentKey) -> Self {
        Self { content_key }
    }

    /// Decrypt a commit blob using a `KeyVault`, routing key material through
    /// the vault rather than accepting raw bytes.
    ///
    /// This is the preferred constructor. The vault decrypts the commit and
    /// produces a crypto-layer `CommitReader`, whose parts are transferred
    /// into this core-layer reader. Callers never handle raw key bytes.
    pub fn open_with_vault(vault: &KeyVault, commit_blob: &EncryptedCommit) -> Result<(CommitPlaintext, Self)> {
        let (plaintext, crypto_reader) = vault.open_commit(commit_blob)?;
        let content_key = crypto_reader.into_parts();
        Ok((CommitPlaintext(plaintext), Self { content_key }))
    }

    /// Decrypt a metadata bundle blob and deserialize from CBOR.
    pub fn decrypt_metadata<T>(&self, blob: &EncryptedMetadata) -> Result<T>
    where
        T: serde::de::DeserializeOwned,
    {
        Ok(blob.decrypt_and_parse(self.content_key.as_bytes())?)
    }

    /// Decrypt a shard blob. Handles wrapped keys, content key, and
    /// optional ancestor key fallback.
    ///
    /// Fallback chain:
    /// 1. If `wrapped_key` is `Some`, try unwrapping with content_key, then each ancestor key
    /// 2. Try content_key directly
    /// 3. Try each ancestor key directly
    pub fn decrypt_shard(
        &self,
        blob: &EncryptedShard,
        wrapped_key: Option<&void_crypto::WrappedKey>,
        ancestor_keys: &[ContentKey],
    ) -> Result<DecryptedShard> {
        use void_crypto::{decrypt, unwrap_shard_key, AAD_SHARD};

        let data = blob.as_bytes();

        if let Some(wk) = wrapped_key {
            if let Ok(shard_key) = unwrap_shard_key(&self.content_key, wk) {
                if let Ok(result) = decrypt(&shard_key, data, AAD_SHARD) {
                    return Ok(DecryptedShard(result));
                }
            }
            for ak in ancestor_keys {
                if let Ok(shard_key) = unwrap_shard_key(ak, wk) {
                    if let Ok(result) = decrypt(&shard_key, data, AAD_SHARD) {
                        return Ok(DecryptedShard(result));
                    }
                }
            }
        }

        if let Ok(result) = decrypt(self.content_key.as_bytes(), data, AAD_SHARD) {
            return Ok(DecryptedShard(result));
        }

        for key in ancestor_keys {
            if let Ok(result) = decrypt(key.as_bytes(), data, AAD_SHARD) {
                return Ok(DecryptedShard(result));
            }
        }

        Err(VoidError::Decryption(
            "shard decryption failed with all known keys".into(),
        ))
    }

    /// Decrypt a repo manifest blob into a typed `Manifest`.
    pub fn decrypt_repo_manifest(&self, blob: &EncryptedRepoManifest) -> Result<crate::collab::Manifest> {
        let bytes = blob.decrypt(self.content_key.as_bytes())?;
        serde_json::from_slice(&bytes)
            .map_err(|e| VoidError::Serialization(format!("repo manifest JSON: {e}")))
    }

    /// Decrypt a VD01 envelope body of a commit blob using the content key.
    ///
    /// Returns the commit plaintext and the envelope nonce.
    /// Used by share-based unseal where the share key IS the content key.
    pub fn decrypt_envelope_body(&self, blob: &EncryptedCommit) -> Result<(CommitPlaintext, void_crypto::KeyNonce)> {
        let crypto_reader = void_crypto::CommitReader::from_content_key(*self.content_key());
        let (plaintext, nonce) = crypto_reader.decrypt_envelope_body(blob.as_bytes(), void_crypto::AAD_COMMIT)?;
        Ok((CommitPlaintext(plaintext), nonce))
    }

    /// Get the content key (derived key for envelope commits).
    pub fn content_key(&self) -> &ContentKey {
        &self.content_key
    }
}

// ---------------------------------------------------------------------------
// decrypt_shard_data: unified shard decryption with wrapped key support
// ---------------------------------------------------------------------------

/// Decrypt a shard blob with wrapped key support.
///
/// Fallback chain:
/// 1. If `wrapped_key` is `Some`, try unwrapping with content_key, then each ancestor key
/// 2. Try content_key directly
/// 3. Try each ancestor key directly
pub fn decrypt_shard_data(
    content_key: &ContentKey,
    ancestor_keys: &[ContentKey],
    blob: &EncryptedShard,
    wrapped_key: Option<&void_crypto::WrappedKey>,
) -> Result<DecryptedShard> {
    use void_crypto::{decrypt, unwrap_shard_key, AAD_SHARD};

    let data = blob.as_bytes();

    if let Some(wk) = wrapped_key {
        if let Ok(shard_key) = unwrap_shard_key(content_key, wk) {
            if let Ok(result) = decrypt(&shard_key, data, AAD_SHARD) {
                return Ok(DecryptedShard(result));
            }
        }
        for ak in ancestor_keys {
            if let Ok(shard_key) = unwrap_shard_key(ak, wk) {
                if let Ok(result) = decrypt(&shard_key, data, AAD_SHARD) {
                    return Ok(DecryptedShard(result));
                }
            }
        }
    }
    if let Ok(result) = decrypt(content_key.as_bytes(), data, AAD_SHARD) {
        return Ok(DecryptedShard(result));
    }
    for ak in ancestor_keys {
        if let Ok(result) = decrypt(ak.as_bytes(), data, AAD_SHARD) {
            return Ok(DecryptedShard(result));
        }
    }
    Err(VoidError::Decryption(
        "shard decryption failed with all known keys".into(),
    ))
}

// ---------------------------------------------------------------------------
// collect_ancestor_content_keys
// ---------------------------------------------------------------------------

/// Collect content keys from ancestor commits for shard decryption fallback.
///
/// Accepts a `KeyVault` to open ancestor commits. The root key is routed
/// through the vault -- callers never handle raw key bytes.
pub fn collect_ancestor_content_keys_vault(
    vault: &KeyVault,
    store: &impl ObjectStoreExt,
    commit: &crate::metadata::Commit,
) -> Vec<ContentKey> {
    let mut keys = Vec::new();
    let mut current_parent = commit.parent().cloned();
    for _ in 0..100 {
        let parent_cid_bytes = match current_parent {
            Some(ref p) => p.clone(),
            None => break,
        };
        let parent_cid = match parent_cid_bytes.to_void_cid() {
            Ok(c) => c,
            Err(_) => break,
        };
        let parent_encrypted: EncryptedCommit = match store.get_blob(&parent_cid) {
            Ok(d) => d,
            Err(_) => break,
        };
        let (parent_bytes, parent_reader) =
            match CommitReader::open_with_vault(vault, &parent_encrypted) {
                Ok(r) => r,
                Err(_) => break,
            };
        keys.push(*parent_reader.content_key());
        let parent_commit = match parent_bytes.parse() {
            Ok(c) => c,
            Err(_) => break,
        };
        current_parent = parent_commit.parent().cloned();
    }
    keys
}


#[cfg(test)]
mod tests {
    use super::*;
    use crate::crypto::{generate_key, wrap_shard_key};

    #[test]
    fn commit_reader_open_envelope() {
        let root_key = [0x42u8; 32];
        let vault = KeyVault::new(root_key).unwrap();
        let plaintext = b"commit data";

        let commit_blob = vault.seal_commit(plaintext).unwrap();
        let (decrypted, reader) = CommitReader::open_with_vault(&vault, &commit_blob).unwrap();
        assert_eq!(decrypted.as_bytes(), plaintext);
        assert_ne!(reader.content_key().as_bytes(), &root_key);
    }

    #[test]
    fn commit_reader_decrypt_shard() {
        let root_key = [0x42u8; 32];
        let vault = KeyVault::new(root_key).unwrap();
        let shard_data = b"shard content";

        let commit_blob = vault.seal_commit(b"commit").unwrap();
        let (_commit, reader) = CommitReader::open_with_vault(&vault, &commit_blob).unwrap();

        let shard_blob = EncryptedShard::encrypt(reader.content_key().as_bytes(), shard_data).unwrap();
        let decrypted = reader.decrypt_shard(&shard_blob, None, &[]).unwrap();
        assert_eq!(decrypted.as_bytes(), shard_data);
    }

    #[test]
    fn decrypt_shard_data_falls_back_on_bad_wrapped_key() {
        let content_key = ContentKey::from_hex(&hex::encode([0x42u8; 32])).unwrap();
        let ancestor_key = ContentKey::from_hex(&hex::encode([0x99u8; 32])).unwrap();
        let shard_data = b"standalone shard data";

        let shard_blob = EncryptedShard::encrypt(ancestor_key.as_bytes(), shard_data).unwrap();

        let other_key = ContentKey::from_hex(&hex::encode([0xABu8; 32])).unwrap();
        let shard_key = generate_key();
        let bad_wrapped = wrap_shard_key(&other_key, &shard_key).unwrap();

        let decrypted = decrypt_shard_data(
            &content_key,
            &[ancestor_key],
            &shard_blob,
            Some(&bad_wrapped),
        )
        .unwrap();
        assert_eq!(decrypted.as_bytes(), shard_data);
    }

}