void_crypto/

reader.rs

//! CommitReader: encapsulates the commit→metadata→shard key derivation chain.
//!
//! Makes it structurally impossible to use the wrong key for metadata/shard
//! decryption. Replaces the manual `decrypt_commit` → `derive_scoped_key` →
//! `decrypt_blob_*_key_fallback` pattern.
//!
//! # Security
//!
//! `CommitReader` holds the per-commit content key. Methods use the content key
//! for metadata/shard decryption. Wrapped shard keys are unwrapped with the
//! content key or ancestor keys.

use crate::envelope::decrypt_envelope;
use crate::kdf::{derive_scoped_key, ContentKey, KeyNonce};
use crate::{CryptoError, CryptoResult};

/// Encapsulates the key derivation chain for reading a commit's objects.
///
/// Created by decrypting a commit blob, which extracts the envelope nonce
/// and derives the content key. The content key is then used to decrypt
/// metadata and shards.
///
/// # Security
///
/// The `content_key` is a per-commit derived key, not the root key.
pub struct CommitReader {
    content_key: ContentKey,
}

impl CommitReader {
    /// Decrypt a commit blob and create a `CommitReader` for its child objects.
    ///
    /// Requires VD01 envelope format. The content key is derived from the
    /// envelope nonce.
    ///
    /// # Security
    ///
    /// This is one of only two operations that require the root key
    /// (the other being `seal_commit` on `KeyVault`).
    pub fn open(root_key: &[u8; 32], commit_blob: &[u8]) -> CryptoResult<(Vec<u8>, Self)> {
        let (plaintext, nonce) =
            decrypt_envelope(root_key, commit_blob, crate::aead::AAD_COMMIT)?;

        let scope = format!("commit:{}", hex::encode(nonce.as_bytes()));
        let content_key = ContentKey::new(derive_scoped_key(root_key, &scope)?);

        Ok((
            plaintext,
            Self { content_key },
        ))
    }

    /// Decrypt a metadata bundle blob using the content key.
    pub fn decrypt_metadata<T>(&self, blob: &[u8]) -> CryptoResult<T>
    where
        T: serde::de::DeserializeOwned,
    {
        crate::aead::decrypt_and_parse::<T>(
            self.content_key.as_bytes(),
            blob,
            crate::aead::AAD_METADATA,
        )
    }

    /// Decrypt a metadata bundle blob into raw bytes.
    pub fn decrypt_metadata_raw(&self, blob: &[u8]) -> CryptoResult<Vec<u8>> {
        crate::aead::decrypt(
            self.content_key.as_bytes(),
            blob,
            crate::aead::AAD_METADATA,
        )
    }

    /// Decrypt a shard blob. Handles wrapped keys and ancestor key fallback.
    ///
    /// Fallback chain:
    /// 1. If `wrapped_key` is `Some`, try unwrapping with content_key, then each ancestor key
    /// 2. Error if all attempts fail
    pub fn decrypt_shard(
        &self,
        blob: &[u8],
        wrapped_key: Option<&crate::WrappedKey>,
        ancestor_keys: &[ContentKey],
    ) -> CryptoResult<Vec<u8>> {
        use crate::aead::{decrypt, unwrap_shard_key, AAD_SHARD};

        // Try wrapped key path
        if let Some(wk) = wrapped_key {
            if let Ok(shard_key) = unwrap_shard_key(&self.content_key, wk) {
                if let Ok(result) = decrypt(&shard_key, blob, AAD_SHARD) {
                    return Ok(result);
                }
            }
            for ak in ancestor_keys {
                if let Ok(shard_key) = unwrap_shard_key(ak, wk) {
                    if let Ok(result) = decrypt(&shard_key, blob, AAD_SHARD) {
                        return Ok(result);
                    }
                }
            }
        }

        // Try content_key directly (for shards encrypted directly with content key)
        if let Ok(result) = decrypt(self.content_key.as_bytes(), blob, AAD_SHARD) {
            return Ok(result);
        }

        // Try ancestor keys directly
        for key in ancestor_keys {
            if let Ok(result) = decrypt(key.as_bytes(), blob, AAD_SHARD) {
                return Ok(result);
            }
        }

        Err(CryptoError::Decryption(
            "shard decryption failed with all known keys".into(),
        ))
    }

    /// Decrypt a repo manifest blob (collaboration manifest JSON).
    pub fn decrypt_repo_manifest(&self, blob: &[u8]) -> CryptoResult<Vec<u8>> {
        crate::aead::decrypt(
            self.content_key.as_bytes(),
            blob,
            crate::aead::AAD_REPO_MANIFEST,
        )
    }

    /// Get the content key (derived from envelope nonce).
    pub fn content_key(&self) -> &ContentKey {
        &self.content_key
    }

    /// Create a CommitReader from a content key directly (for scoped-key clone).
    ///
    /// Used when cloning from a published repo with `--content-key`. The content
    /// key is the only key available — no root key exists in scoped mode.
    pub fn from_content_key(content_key: ContentKey) -> Self {
        Self { content_key }
    }

    /// Create a reader from a share key (for share-based unseal).
    ///
    /// In share-based unseal the derived key serves directly as the
    /// content key — there is no commit envelope involved.
    pub fn from_share_key(key: crate::kdf::ShareKey) -> Self {
        Self {
            content_key: ContentKey::from_raw(*key.as_bytes()),
        }
    }

    /// Decrypt a VD01 envelope body using the content key.
    ///
    /// Validates the VD01 header, extracts the nonce, and decrypts the
    /// payload using the content key directly (no key derivation — the
    /// content key is already the correct decryption key).
    ///
    /// Returns the decrypted plaintext and the envelope nonce.
    ///
    /// Used by share-based unseal where the share key IS the content key.
    pub fn decrypt_envelope_body(
        &self,
        blob: &[u8],
        aad: &[u8],
    ) -> CryptoResult<(Vec<u8>, KeyNonce)> {
        const HEADER_SIZE: usize = 4 + KeyNonce::SIZE;
        if blob.len() <= HEADER_SIZE || !blob.starts_with(crate::envelope::MAGIC_V1) {
            return Err(CryptoError::Decryption(
                "invalid envelope: missing or invalid VD01 header".into(),
            ));
        }
        let nonce = KeyNonce::from_bytes(&blob[4..HEADER_SIZE])
            .ok_or_else(|| CryptoError::Decryption("invalid envelope nonce length".into()))?;
        let plaintext = crate::aead::decrypt(self.content_key.as_bytes(), &blob[HEADER_SIZE..], aad)?;
        Ok((plaintext, nonce))
    }

    /// Consume the reader, returning the content key.
    ///
    /// Used by `void-core`'s `CommitReader::open_with_vault()` to construct
    /// the core-layer reader from a vault-opened crypto-layer reader.
    pub fn into_parts(self) -> ContentKey {
        self.content_key
    }
}

// ---------------------------------------------------------------------------
// decrypt_shard_data: unified shard decryption with wrapped key support
// ---------------------------------------------------------------------------

/// Decrypt a shard blob with wrapped key support.
///
/// Fallback chain:
/// 1. If `wrapped_key` is `Some`, try unwrapping with content_key, then each ancestor key
/// 2. Try content_key directly
/// 3. Try each ancestor key directly
pub fn decrypt_shard_data(
    content_key: &ContentKey,
    ancestor_keys: &[ContentKey],
    blob: &[u8],
    wrapped_key: Option<&crate::WrappedKey>,
) -> CryptoResult<Vec<u8>> {
    use crate::aead::{decrypt, unwrap_shard_key, AAD_SHARD};

    if let Some(wk) = wrapped_key {
        if let Ok(shard_key) = unwrap_shard_key(content_key, wk) {
            if let Ok(result) = decrypt(&shard_key, blob, AAD_SHARD) {
                return Ok(result);
            }
        }
        for ak in ancestor_keys {
            if let Ok(shard_key) = unwrap_shard_key(ak, wk) {
                if let Ok(result) = decrypt(&shard_key, blob, AAD_SHARD) {
                    return Ok(result);
                }
            }
        }
    }
    if let Ok(result) = decrypt(content_key.as_bytes(), blob, AAD_SHARD) {
        return Ok(result);
    }
    for ak in ancestor_keys {
        if let Ok(result) = decrypt(ak.as_bytes(), blob, AAD_SHARD) {
            return Ok(result);
        }
    }
    Err(CryptoError::Decryption(
        "shard decryption failed with all known keys".into(),
    ))
}

// ---------------------------------------------------------------------------
// decrypt_object: universal decrypt with envelope auto-detection
// ---------------------------------------------------------------------------

/// Decrypt a blob with VD01 envelope format.
pub fn decrypt_object(key: &[u8; 32], blob: &[u8], aad: &[u8]) -> CryptoResult<Vec<u8>> {
    decrypt_envelope(key, blob, aad).map(|(plaintext, _nonce)| plaintext)
}

/// Decrypt a blob to raw bytes with VD01 envelope format.
pub fn decrypt_object_raw(
    key: &[u8; 32],
    blob: &[u8],
    aad: &[u8],
) -> CryptoResult<Vec<u8>> {
    const HEADER_SIZE: usize = 4 + KeyNonce::SIZE;
    if blob.len() > HEADER_SIZE && blob.starts_with(b"VD01") {
        let nonce = KeyNonce::from_bytes(&blob[4..HEADER_SIZE])
            .ok_or_else(|| CryptoError::Decryption("invalid envelope nonce length".into()))?;
        let scope = format!("commit:{}", hex::encode(nonce.as_bytes()));
        let derived_key = derive_scoped_key(key, &scope)?;
        return crate::aead::decrypt(&derived_key, &blob[HEADER_SIZE..], aad);
    }
    Err(CryptoError::Decryption(
        "missing VD01 envelope header".into(),
    ))
}

/// Decrypt a blob and parse a CBOR-encoded type with VD01 envelope format.
pub fn decrypt_object_parse<T>(key: &[u8; 32], blob: &[u8], aad: &[u8]) -> CryptoResult<T>
where
    T: serde::de::DeserializeOwned,
{
    let plaintext = decrypt_object_raw(key, blob, aad)?;
    ciborium::from_reader(&plaintext[..])
        .map_err(|e| CryptoError::Serialization(format!("CBOR deserialization failed: {e}")))
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::{encrypt, encrypt_with_envelope, generate_key_nonce, wrap_shard_key, AAD_COMMIT, AAD_SHARD};

    #[test]
    fn commit_reader_open_envelope() {
        let root_key = [0x42u8; 32];
        let nonce = generate_key_nonce();
        let plaintext = b"commit data";

        let commit_blob =
            encrypt_with_envelope(&root_key, &nonce, plaintext, AAD_COMMIT).unwrap();

        let (decrypted, reader) = CommitReader::open(&root_key, &commit_blob).unwrap();
        assert_eq!(decrypted, plaintext);
        assert_ne!(reader.content_key().as_bytes(), &root_key);
    }

    #[test]
    fn commit_reader_decrypt_shard() {
        let root_key = [0x42u8; 32];
        let nonce = generate_key_nonce();
        let commit_data = b"commit";
        let shard_data = b"shard content";

        let commit_blob =
            encrypt_with_envelope(&root_key, &nonce, commit_data, AAD_COMMIT).unwrap();
        let (_commit, reader) = CommitReader::open(&root_key, &commit_blob).unwrap();

        let shard_blob =
            encrypt(reader.content_key().as_bytes(), shard_data, AAD_SHARD).unwrap();
        let decrypted = reader.decrypt_shard(&shard_blob, None, &[]).unwrap();
        assert_eq!(decrypted, shard_data);
    }

    #[test]
    fn commit_reader_shard_with_wrapped_key() {
        let root_key = [0x42u8; 32];
        let nonce = generate_key_nonce();
        let commit_data = b"commit";
        let shard_data = b"shard with wrapped key";

        let commit_blob =
            encrypt_with_envelope(&root_key, &nonce, commit_data, AAD_COMMIT).unwrap();
        let (_commit, reader) = CommitReader::open(&root_key, &commit_blob).unwrap();

        // Generate a random shard key, wrap it under content_key, encrypt shard with it
        let shard_key = crate::generate_key();
        let wrapped = wrap_shard_key(reader.content_key(), &shard_key).unwrap();
        let shard_blob = encrypt(&shard_key, shard_data, AAD_SHARD).unwrap();

        let decrypted = reader.decrypt_shard(&shard_blob, Some(&wrapped), &[]).unwrap();
        assert_eq!(decrypted, shard_data);
    }

    #[test]
    fn decrypt_object_envelope() {
        let root_key = [0x42u8; 32];
        let nonce = generate_key_nonce();
        let plaintext = b"envelope data";

        let blob = encrypt_with_envelope(&root_key, &nonce, plaintext, AAD_COMMIT).unwrap();
        let decrypted = decrypt_object(&root_key, &blob, AAD_COMMIT).unwrap();
        assert_eq!(decrypted, plaintext);
    }

    #[test]
    fn decrypt_object_raw_roundtrip() {
        let root_key = [0x42u8; 32];
        let nonce = generate_key_nonce();
        let plaintext = b"raw data";

        let blob = encrypt_with_envelope(&root_key, &nonce, plaintext, AAD_SHARD).unwrap();
        let raw = decrypt_object_raw(&root_key, &blob, AAD_SHARD).unwrap();
        assert_eq!(&raw, plaintext);
    }
}