void_crypto/

seed.rs

//! BIP-39 mnemonic and deterministic key derivation for void identities.
//!
//! This module provides:
//! - 24-word BIP-39 mnemonic generation
//! - Mnemonic → seed conversion
//! - HKDF-SHA256 derivation of signing and recipient keys from a seed
//!
//! The derivation uses domain-separated HKDF so that the same seed produces
//! distinct, deterministic Ed25519 signing and X25519 recipient keys.

use hkdf::Hkdf;
use sha2::Sha256;

use crate::kdf::{IdentitySeed, NostrSecretKey, RecipientSecretKey, SigningSecretKey};

/// Salt for identity key derivation — distinct from the repo key salt in `kdf`.
const IDENTITY_SALT: &[u8] = b"void-identity-v1";

/// HKDF info for Ed25519 signing key derivation.
const SIGNING_INFO: &[u8] = b"void-identity-signing";

/// HKDF info for X25519 recipient key derivation.
const RECIPIENT_INFO: &[u8] = b"void-identity-recipient";

/// HKDF info for secp256k1 Nostr key derivation.
const NOSTR_INFO: &[u8] = b"void-identity-nostr";

/// Salt for per-repo owner key derivation — distinct from identity keys.
const REPO_OWNER_SALT: &[u8] = b"void-repo-owner-v1";

/// Errors during seed/mnemonic operations.
#[derive(Debug, thiserror::Error)]
pub enum SeedError {
    #[error("invalid mnemonic phrase: {0}")]
    InvalidMnemonic(String),

    #[error("key derivation failed")]
    DerivationFailed,
}

/// Generate a new 24-word BIP-39 mnemonic.
///
/// Uses 256 bits of entropy for maximum security, producing a 24-word phrase.
pub fn generate_mnemonic() -> String {
    bip39::Mnemonic::generate(24)
        .expect("24 is a valid word count")
        .to_string()
}

/// Convert a BIP-39 mnemonic phrase to a 64-byte seed.
///
/// The mnemonic is validated for correct word count and checksum.
/// Uses an empty passphrase (standard BIP-39 behavior).
pub fn mnemonic_to_seed(mnemonic: &str) -> Result<IdentitySeed, SeedError> {
    let parsed = bip39::Mnemonic::parse(mnemonic)
        .map_err(|e| SeedError::InvalidMnemonic(e.to_string()))?;

    let seed_bytes: [u8; 64] = parsed.to_seed("");
    Ok(IdentitySeed::from_bytes(seed_bytes))
}

/// Derive an Ed25519 signing secret key from an identity seed.
///
/// Uses HKDF-SHA256 with domain separation to produce a deterministic
/// 32-byte key from the 64-byte seed.
pub fn derive_signing_key(seed: &IdentitySeed) -> Result<SigningSecretKey, SeedError> {
    let hk = Hkdf::<Sha256>::new(Some(IDENTITY_SALT), seed.as_bytes());
    let mut output = [0u8; 32];
    hk.expand(SIGNING_INFO, &mut output)
        .map_err(|_| SeedError::DerivationFailed)?;
    Ok(SigningSecretKey::from_bytes(output))
}

/// Derive an X25519 recipient secret key from an identity seed.
///
/// Uses HKDF-SHA256 with domain separation to produce a deterministic
/// 32-byte key from the 64-byte seed. The info string differs from
/// `derive_signing_key` to ensure distinct keys.
pub fn derive_recipient_key(seed: &IdentitySeed) -> Result<RecipientSecretKey, SeedError> {
    let hk = Hkdf::<Sha256>::new(Some(IDENTITY_SALT), seed.as_bytes());
    let mut output = [0u8; 32];
    hk.expand(RECIPIENT_INFO, &mut output)
        .map_err(|_| SeedError::DerivationFailed)?;
    Ok(RecipientSecretKey::from_bytes(output))
}

/// Derive a secp256k1 Nostr secret key from an identity seed.
///
/// Uses HKDF-SHA256 with domain separation to produce a deterministic
/// 32-byte key from the 64-byte seed. The info string differs from
/// signing and recipient keys to ensure distinct keys.
pub fn derive_nostr_key(seed: &IdentitySeed) -> Result<NostrSecretKey, SeedError> {
    let hk = Hkdf::<Sha256>::new(Some(IDENTITY_SALT), seed.as_bytes());
    let mut output = [0u8; 32];
    hk.expand(NOSTR_INFO, &mut output)
        .map_err(|_| SeedError::DerivationFailed)?;
    Ok(NostrSecretKey::from_bytes(output))
}

/// Derive a per-repo Ed25519 owner signing key from an identity seed and repo ID.
///
/// Uses HKDF-SHA256 with a repo-owner-specific salt and the repo_id as info,
/// producing a deterministic key unique to each (seed, repo) pair. This key is
/// used for governance operations (policy updates, contributor management),
/// while the identity key continues to sign commits (authorship).
///
/// Because derivation is deterministic from the seed, the repo owner key is
/// automatically recoverable from the user's mnemonic phrase.
pub fn derive_repo_owner_key(seed: &IdentitySeed, repo_id: &str) -> Result<SigningSecretKey, SeedError> {
    let hk = Hkdf::<Sha256>::new(Some(REPO_OWNER_SALT), seed.as_bytes());
    let mut output = [0u8; 32];
    hk.expand(repo_id.as_bytes(), &mut output)
        .map_err(|_| SeedError::DerivationFailed)?;
    Ok(SigningSecretKey::from_bytes(output))
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn generate_mnemonic_is_24_words() {
        let mnemonic = generate_mnemonic();
        let words: Vec<&str> = mnemonic.split_whitespace().collect();
        assert_eq!(words.len(), 24);
    }

    #[test]
    fn mnemonic_to_seed_deterministic() {
        let mnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon art";
        let seed1 = mnemonic_to_seed(mnemonic).unwrap();
        let seed2 = mnemonic_to_seed(mnemonic).unwrap();
        assert_eq!(seed1.as_bytes(), seed2.as_bytes());
    }

    #[test]
    fn derive_signing_key_deterministic() {
        let mnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon art";
        let seed = mnemonic_to_seed(mnemonic).unwrap();
        let key1 = derive_signing_key(&seed).unwrap();
        let key2 = derive_signing_key(&seed).unwrap();
        assert_eq!(key1.as_bytes(), key2.as_bytes());
    }

    #[test]
    fn derive_recipient_key_deterministic() {
        let mnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon art";
        let seed = mnemonic_to_seed(mnemonic).unwrap();
        let key1 = derive_recipient_key(&seed).unwrap();
        let key2 = derive_recipient_key(&seed).unwrap();
        assert_eq!(key1.as_bytes(), key2.as_bytes());
    }

    #[test]
    fn signing_and_recipient_keys_differ() {
        let mnemonic = generate_mnemonic();
        let seed = mnemonic_to_seed(&mnemonic).unwrap();
        let signing = derive_signing_key(&seed).unwrap();
        let recipient = derive_recipient_key(&seed).unwrap();
        assert_ne!(signing.as_bytes(), recipient.as_bytes());
    }

    #[test]
    fn invalid_mnemonic_rejected() {
        assert!(mnemonic_to_seed("not a valid mnemonic").is_err());
        assert!(mnemonic_to_seed("").is_err());
        assert!(mnemonic_to_seed("abandon").is_err());
    }

    #[test]
    fn derive_repo_owner_key_deterministic() {
        let mnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon art";
        let seed = mnemonic_to_seed(mnemonic).unwrap();
        let key1 = derive_repo_owner_key(&seed, "repo-123").unwrap();
        let key2 = derive_repo_owner_key(&seed, "repo-123").unwrap();
        assert_eq!(key1.as_bytes(), key2.as_bytes());
    }

    #[test]
    fn derive_repo_owner_key_different_repos() {
        let mnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon art";
        let seed = mnemonic_to_seed(mnemonic).unwrap();
        let key_a = derive_repo_owner_key(&seed, "repo-a").unwrap();
        let key_b = derive_repo_owner_key(&seed, "repo-b").unwrap();
        assert_ne!(key_a.as_bytes(), key_b.as_bytes());
    }

    #[test]
    fn repo_owner_key_differs_from_identity_keys() {
        let mnemonic = generate_mnemonic();
        let seed = mnemonic_to_seed(&mnemonic).unwrap();
        let signing = derive_signing_key(&seed).unwrap();
        let recipient = derive_recipient_key(&seed).unwrap();
        let repo_owner = derive_repo_owner_key(&seed, "test-repo").unwrap();
        assert_ne!(repo_owner.as_bytes(), signing.as_bytes());
        assert_ne!(repo_owner.as_bytes(), recipient.as_bytes());
    }

    #[test]
    fn derive_nostr_key_deterministic() {
        let mnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon art";
        let seed = mnemonic_to_seed(mnemonic).unwrap();
        let key1 = derive_nostr_key(&seed).unwrap();
        let key2 = derive_nostr_key(&seed).unwrap();
        assert_eq!(key1.as_bytes(), key2.as_bytes());
    }

    #[test]
    fn nostr_key_differs_from_other_keys() {
        let mnemonic = generate_mnemonic();
        let seed = mnemonic_to_seed(&mnemonic).unwrap();
        let signing = derive_signing_key(&seed).unwrap();
        let recipient = derive_recipient_key(&seed).unwrap();
        let nostr = derive_nostr_key(&seed).unwrap();
        assert_ne!(nostr.as_bytes(), signing.as_bytes());
        assert_ne!(nostr.as_bytes(), recipient.as_bytes());
    }

    #[test]
    fn different_mnemonics_different_keys() {
        let mnemonic1 = generate_mnemonic();
        let mnemonic2 = generate_mnemonic();

        let seed1 = mnemonic_to_seed(&mnemonic1).unwrap();
        let seed2 = mnemonic_to_seed(&mnemonic2).unwrap();

        let signing1 = derive_signing_key(&seed1).unwrap();
        let signing2 = derive_signing_key(&seed2).unwrap();

        assert_ne!(signing1.as_bytes(), signing2.as_bytes());
    }
}