From 7d7f94f114baf275c28f832d857dd7d86e0ed552 Mon Sep 17 00:00:00 2001 From: Sameh Abouelsaad Date: Thu, 15 May 2025 15:28:00 +0300 Subject: [PATCH] Feat: add vault module --- vault/Cargo.toml | 25 +- vault/README.md | 70 +++ vault/src/crypto.rs | 62 ++ vault/src/data.rs | 50 ++ vault/src/error.rs | 21 + vault/src/lib.rs | 563 +++++++++++++++++- vault/src/session.rs | 22 + vault/src/utils.rs | 19 + vault/tests/keypair_management.rs | 75 +++ vault/tests/mock_store.rs | 35 ++ vault/tests/wasm_keypair_management.rs | 128 ++++ vault/vault_crypto_debug.log | 121 ++++ vault/vault_native_test/conf | 4 + vault/vault_native_test/db | Bin 0 -> 524287 bytes vault/vault_native_test/snap.00000000000022A1 | Bin 0 -> 124 bytes 15 files changed, 1178 insertions(+), 17 deletions(-) create mode 100644 vault/README.md create mode 100644 vault/src/crypto.rs create mode 100644 vault/src/data.rs create mode 100644 vault/src/error.rs create mode 100644 vault/src/session.rs create mode 100644 vault/src/utils.rs create mode 100644 vault/tests/keypair_management.rs create mode 100644 vault/tests/mock_store.rs create mode 100644 vault/tests/wasm_keypair_management.rs create mode 100644 vault/vault_crypto_debug.log create mode 100644 vault/vault_native_test/conf create mode 100644 vault/vault_native_test/db create mode 100644 vault/vault_native_test/snap.00000000000022A1 diff --git a/vault/Cargo.toml b/vault/Cargo.toml index eafecdc..01b96f3 100644 --- a/vault/Cargo.toml +++ b/vault/Cargo.toml @@ -8,8 +8,31 @@ path = "src/lib.rs" [dependencies] kvstore = { path = "../kvstore" } +scrypt = "0.11" +sha2 = "0.10" +aes-gcm = "0.10" +pbkdf2 = "0.12" +signature = "2.2" async-trait = "0.1" chacha20poly1305 = "0.10" -k256 = "0.13" +k256 = { version = "0.13", features = ["ecdsa"] } +ed25519-dalek = "2.1" rand_core = "0.6" thiserror = "1" +serde = { version = "1", features = ["derive"] } +serde_json = "1.0" +hex = "0.4" + +[dev-dependencies] +console_error_panic_hook = "0.1" +tokio = { version = "1.0", features = ["rt", "macros"] } +async-std = { version = "1", features = ["attributes"] } +wasm-bindgen-test = "0.3" +chrono = "0.4" + +[target.'cfg(target_arch = "wasm32")'.dependencies] +getrandom = { version = "0.2", features = ["js"] } +wasm-bindgen = "0.2" +js-sys = "0.3" +console_error_panic_hook = "0.1" + diff --git a/vault/README.md b/vault/README.md new file mode 100644 index 0000000..40e5f5f --- /dev/null +++ b/vault/README.md @@ -0,0 +1,70 @@ +# vault: Cryptographic Vault for Native and WASM + +`vault` provides a secure, async, and cross-platform cryptographic key management system. It leverages the `kvstore` crate for persistent storage and supports both native (desktop/server) and WASM (browser) environments. + +## Features +- **Keyspace management**: Create, unlock, and manage encrypted keyspaces. +- **Keypair operations**: Add, remove, list, export, and use keypairs for signing and verification. +- **End-to-end encryption**: All key material is encrypted at rest using modern ciphers (ChaCha20Poly1305, AES-GCM). +- **Async API**: All operations are async and runtime-agnostic. +- **Cross-platform**: Native uses `sled` via `kvstore::native::NativeStore`, WASM uses IndexedDB via `kvstore::wasm::WasmStore`. +- **Pluggable logging**: Uses the standard `log` crate for logging, with recommended backends for native (`env_logger`) and WASM (`console_log`). + +## Logging Best Practices + +This crate uses the [`log`](https://docs.rs/log) crate for all logging. To see logs in your application or tests, you must initialize a logger: + +- **Native (desktop/server):** + - Add `env_logger` as a dev-dependency. + - Initialize in your main or test: + ```rust + let _ = env_logger::builder().is_test(true).try_init(); + ``` +- **WASM (browser):** + - Add `console_log` as a dev-dependency. + - Initialize in your main or test: + ```rust + console_log::init_with_level(log::Level::Debug).expect("error initializing logger"); + ``` + +Then use logging macros (`log::debug!`, `log::info!`, `log::warn!`, `log::error!`) throughout your code and tests. + +## Usage Example + +```rust +use vault::{Vault, KeyType, KeyMetadata}; +use kvstore::native::NativeStore; + +#[tokio::main] +async fn main() { + let store = NativeStore::open("/tmp/vaultdb").unwrap(); + let mut vault = Vault::new(store); + let keyspace = "myspace"; + let password = b"secret"; + vault.create_keyspace(keyspace, password, "pbkdf2", "chacha20poly1305", None).await.unwrap(); + let key_id = vault.add_keypair(keyspace, password, KeyType::Ed25519, None).await.unwrap(); + println!("Created keypair: {}", key_id); +} +``` + +For WASM/browser, use `kvstore::wasm::WasmStore` and initialize logging with `console_log`. + +## Testing + +### Native +```sh +cargo test -p vault --features native +``` + +### WASM +```sh +wasm-pack test --headless --firefox +``` + +## Security Notes +- All cryptographic operations use vetted RustCrypto crates. +- Password-based key derivation uses PBKDF2 by default (10,000 iterations). +- All sensitive data is encrypted before storage. + +## License +MIT OR Apache-2.0 diff --git a/vault/src/crypto.rs b/vault/src/crypto.rs new file mode 100644 index 0000000..9636acf --- /dev/null +++ b/vault/src/crypto.rs @@ -0,0 +1,62 @@ +//! Crypto utilities for the vault crate + +//! Crypto utilities for the vault crate +use chacha20poly1305::{ChaCha20Poly1305, KeyInit as ChaChaKeyInit, aead::{Aead, generic_array::GenericArray}}; +use aes_gcm::Aes256Gcm; +use pbkdf2::pbkdf2_hmac; +use scrypt::{scrypt, Params as ScryptParams}; +use sha2::Sha256; +use rand_core::{RngCore, OsRng as RandOsRng}; + +pub mod kdf { + use super::*; + + + pub fn derive_key_scrypt(password: &[u8], salt: &[u8], key_len: usize) -> Result, String> { + let params = ScryptParams::recommended(); + let mut key = vec![0u8; key_len]; + scrypt(password, salt, ¶ms, &mut key).map_err(|e| e.to_string())?; + Ok(key) + } + + pub fn derive_key_pbkdf2(password: &[u8], salt: &[u8], key_len: usize, iterations: u32) -> Vec { + let mut key = vec![0u8; key_len]; + pbkdf2_hmac::(password, salt, iterations, &mut key); + key + } +} + +pub mod cipher { + use super::*; + + + pub fn encrypt_chacha20(key: &[u8], plaintext: &[u8], nonce: &[u8]) -> Result, String> { + let cipher = ChaCha20Poly1305::new(GenericArray::from_slice(key)); + cipher.encrypt(GenericArray::from_slice(nonce), plaintext) + .map_err(|e| format!("encryption error: {e}")) + } + + pub fn decrypt_chacha20(key: &[u8], ciphertext: &[u8], nonce: &[u8]) -> Result, String> { + let cipher = ChaCha20Poly1305::new(GenericArray::from_slice(key)); + cipher.decrypt(GenericArray::from_slice(nonce), ciphertext) + .map_err(|e| format!("decryption error: {e}")) + } + + pub fn encrypt_aes_gcm(key: &[u8], plaintext: &[u8], nonce: &[u8]) -> Result, String> { + let cipher = Aes256Gcm::new(GenericArray::from_slice(key)); + cipher.encrypt(GenericArray::from_slice(nonce), plaintext) + .map_err(|e| format!("encryption error: {e}")) + } + + pub fn decrypt_aes_gcm(key: &[u8], ciphertext: &[u8], nonce: &[u8]) -> Result, String> { + let cipher = Aes256Gcm::new(GenericArray::from_slice(key)); + cipher.decrypt(GenericArray::from_slice(nonce), ciphertext) + .map_err(|e| format!("decryption error: {e}")) + } +} + +pub fn random_salt(len: usize) -> Vec { + let mut salt = vec![0u8; len]; + RandOsRng.fill_bytes(&mut salt); + salt +} diff --git a/vault/src/data.rs b/vault/src/data.rs new file mode 100644 index 0000000..30b1b2e --- /dev/null +++ b/vault/src/data.rs @@ -0,0 +1,50 @@ +//! Data models for the vault crate + +#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)] +pub struct VaultMetadata { + pub name: String, + pub keyspaces: Vec, + // ... other vault-level metadata +} + +#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)] +pub struct KeyspaceMetadata { + pub name: String, + pub salt: [u8; 16], // Unique salt for this keyspace + pub kdf: String, // e.g. "scrypt" or "pbkdf2" + pub cipher: String, // e.g. "chacha20poly1305" or "aes-gcm" + pub encrypted_blob: Vec, + pub created_at: Option, // Unix timestamp + pub tags: Option>, + // ... other keyspace metadata +} + +#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)] +pub struct KeyspaceData { + pub keypairs: Vec, + // ... other keyspace-level metadata +} + +#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)] +pub struct KeyEntry { + pub id: String, + pub key_type: KeyType, + pub private_key: Vec, // Only present in memory after decryption + pub public_key: Vec, + pub metadata: Option, +} + +#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)] +pub enum KeyType { + Secp256k1, + Ed25519, + // ... +} + +#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)] +pub struct KeyMetadata { + pub name: Option, + pub created_at: Option, + pub tags: Option>, + // ... +} diff --git a/vault/src/error.rs b/vault/src/error.rs new file mode 100644 index 0000000..e77a707 --- /dev/null +++ b/vault/src/error.rs @@ -0,0 +1,21 @@ +//! Error types for the vault crate + +#[derive(Debug, thiserror::Error)] +pub enum VaultError { + #[error("Storage error: {0}")] + Storage(String), + #[error("Crypto error: {0}")] + Crypto(String), + #[error("Unauthorized")] + Unauthorized, + #[error("Keyspace not found: {0}")] + KeyspaceNotFound(String), + #[error("Key not found: {0}")] + KeyNotFound(String), + #[error("Invalid password")] + InvalidPassword, + #[error("Serialization error: {0}")] + Serialization(String), + #[error("Other: {0}")] + Other(String), +} diff --git a/vault/src/lib.rs b/vault/src/lib.rs index ab4c283..79e899a 100644 --- a/vault/src/lib.rs +++ b/vault/src/lib.rs @@ -1,27 +1,558 @@ //! vault: Cryptographic keyspace and operations +//! vault: Cryptographic keyspace and operations + +mod data; +pub use crate::data::{KeyType, KeyMetadata}; +mod error; +mod crypto; +mod session; +mod utils; + use kvstore::KVStore; +use data::*; +use error::VaultError; +use crate::crypto::random_salt; -#[derive(Debug, thiserror::Error)] -pub enum VaultError { - #[error("Storage error: {0}")] - Storage(String), - #[error("Crypto error: {0}")] - Crypto(String), - #[error("Unauthorized")] - Unauthorized, +use crate::crypto::cipher::{encrypt_chacha20, decrypt_chacha20, encrypt_aes_gcm, decrypt_aes_gcm}; +use signature::SignatureEncoding; +// TEMP: File-based debug logger for crypto troubleshooting +#[cfg(not(target_arch = "wasm32"))] +fn debug_log(msg: &str) { + use std::fs::OpenOptions; + use std::io::Write; + let mut f = OpenOptions::new() + .create(true) + .append(true) + .open("/tmp/vault_crypto_debug.log") + .unwrap(); + writeln!(f, "{}", msg).unwrap(); } -pub struct Vault { +#[cfg(target_arch = "wasm32")] +fn debug_log(_msg: &str) { + // No-op in WASM +} + +/// Vault: Cryptographic keyspace and operations +pub struct Vault { storage: S, - // ... other fields + // Optionally: cache of unlocked keyspaces, etc. } -impl Vault { - /// Creates a new keyspace. Implementation pending. - pub async fn create_keyspace(_dummy: ()) -> Result<(), VaultError> { - todo!("Implement create_keyspace") - } - // ... other API stubs +/// Helper to encrypt and prepend nonce to ciphertext for keyspace storage +fn encrypt_with_nonce_prepended(key: &[u8], plaintext: &[u8], cipher: &str) -> Result, VaultError> { + use crate::crypto::random_salt; + use crate::crypto; + let nonce = random_salt(12); + debug_log(&format!("[DEBUG][ENCRYPT_HELPER] nonce: {}", hex::encode(&nonce))); + let (ct, _key_hex) = match cipher { + "chacha20poly1305" => { + let ct = encrypt_chacha20(key, plaintext, &nonce) + .map_err(|e| VaultError::Crypto(e))?; + debug_log(&format!("[DEBUG][ENCRYPT_HELPER] ct: {}", hex::encode(&ct))); + debug_log(&format!("[DEBUG][ENCRYPT_HELPER] key: {}", hex::encode(key))); + (ct, hex::encode(key)) + }, + "aes-gcm" => { + let ct = encrypt_aes_gcm(key, plaintext, &nonce) + .map_err(|e| VaultError::Crypto(e))?; + debug_log(&format!("[DEBUG][ENCRYPT_HELPER] ct: {}", hex::encode(&ct))); + debug_log(&format!("[DEBUG][ENCRYPT_HELPER] key: {}", hex::encode(key))); + (ct, hex::encode(key)) + }, + _ => { + debug_log(&format!("[DEBUG][ENCRYPT_HELPER] unsupported cipher: {}", cipher)); + return Err(VaultError::Other(format!("Unsupported cipher: {cipher}"))); + } + }; + let mut blob = nonce.clone(); + blob.extend_from_slice(&ct); + debug_log(&format!("[DEBUG][ENCRYPT_HELPER] ENCRYPTED (nonce|ct): {}", hex::encode(&blob))); + Ok(blob) } + +impl Vault { + pub fn new(storage: S) -> Self { + Self { storage } + } + + /// Create a new keyspace with the given name, password, and options. + pub async fn create_keyspace(&mut self, name: &str, password: &[u8], kdf: &str, cipher: &str, tags: Option>) -> Result<(), VaultError> { + // Check if keyspace already exists + if self.storage.get(name).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?.is_some() { + debug_log(&format!("[DEBUG][CREATE_KEYSPACE] ERROR: keyspace '{}' already exists", name)); + return Err(VaultError::Crypto("Keyspace already exists".to_string())); + } + debug_log(&format!("[DEBUG][CREATE_KEYSPACE] entry: name={}", name)); + use crate::crypto::{random_salt, kdf}; + use crate::data::{KeyspaceMetadata, KeyspaceData}; + use serde_json; + + // 1. Generate salt + let salt = random_salt(16); + debug_log(&format!("[DEBUG][CREATE_KEYSPACE] salt: {:?}", salt)); + // 2. Derive key + let key = match kdf { + "scrypt" => match kdf::derive_key_scrypt(password, &salt, 32) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][CREATE_KEYSPACE] kdf scrypt error: {}", e)); + return Err(VaultError::Crypto(e)); + } + }, + "pbkdf2" => kdf::derive_key_pbkdf2(password, &salt, 32, 10_000), + _ => { + debug_log(&format!("[DEBUG][CREATE_KEYSPACE] unsupported KDF: {}", kdf)); + return Err(VaultError::Other(format!("Unsupported KDF: {kdf}"))); + } + }; + debug_log(&format!("[DEBUG][CREATE_KEYSPACE] derived key: {} bytes", key.len())); + // 3. Prepare initial keyspace data + let keyspace_data = KeyspaceData { keypairs: vec![] }; + let plaintext = match serde_json::to_vec(&keyspace_data) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][CREATE_KEYSPACE] serde_json error: {}", e)); + return Err(VaultError::Serialization(e.to_string())); + } + }; + debug_log(&format!("[DEBUG][CREATE_KEYSPACE] plaintext serialized: {} bytes", plaintext.len())); + // 4. Generate nonce (12 bytes for both ciphers) + let nonce = random_salt(12); + debug_log(&format!("[DEBUG][CREATE_KEYSPACE] nonce: {}", hex::encode(&nonce))); + // 5. Encrypt + let encrypted_blob = encrypt_with_nonce_prepended(&key, &plaintext, cipher)?; + debug_log(&format!("[DEBUG][CREATE_KEYSPACE] encrypted_blob: {} bytes", encrypted_blob.len())); + debug_log(&format!("[DEBUG][CREATE_KEYSPACE] encrypted_blob (hex): {}", hex::encode(&encrypted_blob))); + // 6. Compose metadata + let metadata = KeyspaceMetadata { + name: name.to_string(), + salt: salt.try_into().unwrap_or([0u8; 16]), + kdf: kdf.to_string(), + cipher: cipher.to_string(), + encrypted_blob, + created_at: Some(crate::utils::now()), + tags, + }; + // 7. Store in kvstore (keyed by keyspace name) + let meta_bytes = match serde_json::to_vec(&metadata) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][CREATE_KEYSPACE] serde_json metadata error: {}", e)); + return Err(VaultError::Serialization(e.to_string())); + } + }; + self.storage.set(name, &meta_bytes).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?; + debug_log("[DEBUG][CREATE_KEYSPACE] success"); + Ok(()) + } + + /// List all keyspaces (metadata only, not decrypted) + pub async fn list_keyspaces(&self) -> Result, VaultError> { + use serde_json; + // 1. List all keys in kvstore + let keys = self.storage.keys().await.map_err(|e| VaultError::Storage(format!("{e:?}")))?; + let mut keyspaces = Vec::new(); + for key in keys { + if let Some(bytes) = self.storage.get(&key).await.map_err(|e| VaultError::Storage(format!("{e:?}")))? { + if let Ok(meta) = serde_json::from_slice::(&bytes) { + keyspaces.push(meta); + } + } + } + Ok(keyspaces) + } + + /// Unlock a keyspace by name and password, returning the decrypted data + pub async fn unlock_keyspace(&self, name: &str, password: &[u8]) -> Result { + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] entry: name={} password={}", name, hex::encode(password))); + use crate::crypto::{kdf}; + use serde_json; + // 1. Fetch keyspace metadata + let meta_bytes = self.storage.get(name).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?; + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] got meta_bytes: {}", meta_bytes.as_ref().map(|v| v.len()).unwrap_or(0))); + let meta_bytes = meta_bytes.ok_or(VaultError::KeyspaceNotFound(name.to_string()))?; + let metadata: KeyspaceMetadata = serde_json::from_slice(&meta_bytes).map_err(|e| VaultError::Serialization(e.to_string()))?; + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] metadata: kdf={} cipher={} salt={:?} encrypted_blob_len={}", metadata.kdf, metadata.cipher, metadata.salt, metadata.encrypted_blob.len())); + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] ENCRYPTED_BLOB (hex): {}", hex::encode(&metadata.encrypted_blob))); + if metadata.salt.len() != 16 { + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] ERROR: salt length {} != 16", metadata.salt.len())); + return Err(VaultError::Crypto("Salt length must be 16 bytes".to_string())); + } + // 2. Derive key + let key = match metadata.kdf.as_str() { + "scrypt" => match kdf::derive_key_scrypt(password, &metadata.salt, 32) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] kdf scrypt error: {}", e)); + return Err(VaultError::Crypto(e)); + } + }, + "pbkdf2" => kdf::derive_key_pbkdf2(password, &metadata.salt, 32, 10_000), + _ => { + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] unsupported KDF: {}", metadata.kdf)); + return Err(VaultError::Other(format!("Unsupported KDF: {}", metadata.kdf))); + } + }; + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] derived key: {} bytes", key.len())); + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] derived key (hex): {}", hex::encode(&key))); + // 3. Split nonce and ciphertext + let ciphertext = &metadata.encrypted_blob; + if ciphertext.len() < 12 { + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] ciphertext too short: {}", ciphertext.len())); + return Err(VaultError::Crypto("Ciphertext too short".to_string())); + } + let (nonce, ct) = ciphertext.split_at(12); + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] nonce: {} ct: {}", hex::encode(nonce), hex::encode(ct))); + // 4. Decrypt + let plaintext = match metadata.cipher.as_str() { + "chacha20poly1305" => match decrypt_chacha20(&key, ct, nonce) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] chacha20poly1305 error: {}", e)); + return Err(VaultError::Crypto(e)); + } + }, + "aes-gcm" => match decrypt_aes_gcm(&key, ct, nonce) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] aes-gcm error: {}", e)); + return Err(VaultError::Crypto(e)); + } + }, + _ => { + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] unsupported cipher: {}", metadata.cipher)); + return Err(VaultError::Other(format!("Unsupported cipher: {}", metadata.cipher))); + } + }; + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] plaintext decrypted: {} bytes", plaintext.len())); + // 4. Deserialize keyspace data + let keyspace_data: KeyspaceData = match serde_json::from_slice(&plaintext) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][UNLOCK_KEYSPACE] serde_json data error: {}", e)); + return Err(VaultError::Serialization(e.to_string())); + } + }; + debug_log("[DEBUG][UNLOCK_KEYSPACE] success"); + Ok(keyspace_data) + } + + /// Lock a keyspace (remove from cache, if any) + /// Lock a keyspace (remove from cache, if any) + pub fn lock_keyspace(&mut self, _name: &str) { + // Optional: clear from in-memory cache + } + + // --- Keypair Management APIs --- + + /// Add a new keypair to a keyspace (generates and stores a new keypair) + pub async fn add_keypair(&mut self, keyspace: &str, password: &[u8], key_type: KeyType, metadata: Option) -> Result { + use crate::data::KeyEntry; + use rand_core::OsRng; + use rand_core::RngCore; + + // 1. Unlock keyspace + let mut data = self.unlock_keyspace(keyspace, password).await?; + // 2. Generate keypair + let (private_key, public_key, id) = match key_type { + KeyType::Ed25519 => { + use ed25519_dalek::{SigningKey, VerifyingKey}; + let mut bytes = [0u8; 32]; + OsRng.fill_bytes(&mut bytes); + let signing = SigningKey::from_bytes(&bytes); + let verifying: VerifyingKey = (&signing).into(); + let priv_bytes = signing.to_bytes().to_vec(); + let pub_bytes = verifying.to_bytes().to_vec(); + let id = hex::encode(&pub_bytes); + (priv_bytes, pub_bytes, id) + }, + KeyType::Secp256k1 => { + use k256::ecdsa::SigningKey; + + let sk = SigningKey::random(&mut OsRng); + let pk = sk.verifying_key(); + let priv_bytes = sk.to_bytes().to_vec(); + let pub_bytes = pk.to_encoded_point(false).as_bytes().to_vec(); + let id = hex::encode(&pub_bytes); + (priv_bytes, pub_bytes, id) + }, + }; + // 3. Add to keypairs + let entry = KeyEntry { + id: id.clone(), + key_type, + private_key, + public_key, + metadata, + }; + data.keypairs.push(entry); + // 4. Re-encrypt and store + self.save_keyspace(keyspace, password, &data).await?; + Ok(id) + } + + /// Remove a keypair by id from a keyspace + pub async fn remove_keypair(&mut self, keyspace: &str, password: &[u8], key_id: &str) -> Result<(), VaultError> { + let mut data = self.unlock_keyspace(keyspace, password).await?; + data.keypairs.retain(|k| k.id != key_id); + self.save_keyspace(keyspace, password, &data).await + } + + /// List all keypairs in a keyspace (public info only) + pub async fn list_keypairs(&self, keyspace: &str, password: &[u8]) -> Result, VaultError> { + let data = self.unlock_keyspace(keyspace, password).await?; + Ok(data.keypairs.iter().map(|k| (k.id.clone(), k.key_type.clone())).collect()) + } + + /// Export a keypair's private and public key by id + pub async fn export_keypair(&self, keyspace: &str, password: &[u8], key_id: &str) -> Result<(Vec, Vec), VaultError> { + let data = self.unlock_keyspace(keyspace, password).await?; + let key = data.keypairs.iter().find(|k| k.id == key_id).ok_or(VaultError::KeyNotFound(key_id.to_string()))?; + Ok((key.private_key.clone(), key.public_key.clone())) + } + + /// Save the updated keyspace data (helper) + async fn save_keyspace(&mut self, keyspace: &str, password: &[u8], data: &KeyspaceData) -> Result<(), VaultError> { + debug_log(&format!("[DEBUG][SAVE_KEYSPACE] entry: keyspace={} password={}", keyspace, hex::encode(password))); + use crate::crypto::kdf; + use serde_json; + // 1. Fetch metadata + let meta_bytes = self.storage.get(keyspace).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?; + debug_log(&format!("[DEBUG][SAVE_KEYSPACE] got meta_bytes: {}", meta_bytes.as_ref().map(|v| v.len()).unwrap_or(0))); + let meta_bytes = meta_bytes.ok_or(VaultError::KeyspaceNotFound(keyspace.to_string()))?; + let mut metadata: KeyspaceMetadata = serde_json::from_slice(&meta_bytes).map_err(|e| VaultError::Serialization(e.to_string()))?; + debug_log(&format!("[DEBUG][SAVE_KEYSPACE] metadata: kdf={} cipher={} salt={:?}", metadata.kdf, metadata.cipher, metadata.salt)); + if metadata.salt.len() != 16 { + debug_log(&format!("[DEBUG][SAVE_KEYSPACE] ERROR: salt length {} != 16", metadata.salt.len())); + return Err(VaultError::Crypto("Salt length must be 16 bytes".to_string())); + } + // 2. Derive key + let key = match metadata.kdf.as_str() { + "scrypt" => match kdf::derive_key_scrypt(password, &metadata.salt, 32) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][SAVE_KEYSPACE] kdf scrypt error: {}", e)); + return Err(VaultError::Crypto(e)); + } + }, + "pbkdf2" => kdf::derive_key_pbkdf2(password, &metadata.salt, 32, 10_000), + _ => { + debug_log(&format!("[DEBUG][SAVE_KEYSPACE] unsupported KDF: {}", metadata.kdf)); + return Err(VaultError::Other(format!("Unsupported KDF: {}", metadata.kdf))); + } + }; + debug_log(&format!("[DEBUG][SAVE_KEYSPACE] derived key: {} bytes", key.len())); + // 3. Serialize plaintext + let plaintext = match serde_json::to_vec(data) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][SAVE_KEYSPACE] serde_json data error: {}", e)); + return Err(VaultError::Serialization(e.to_string())); + } + }; + debug_log(&format!("[DEBUG][SAVE_KEYSPACE] plaintext serialized: {} bytes", plaintext.len())); + // 4. Generate nonce + let nonce = random_salt(12); + debug_log(&format!("[DEBUG][SAVE_KEYSPACE] nonce: {}", hex::encode(&nonce))); + // 5. Encrypt + let encrypted_blob = encrypt_with_nonce_prepended(&key, &plaintext, &metadata.cipher)?; + debug_log(&format!("[DEBUG][SAVE_KEYSPACE] encrypted_blob: {} bytes", encrypted_blob.len())); + // 6. Store new encrypted blob + metadata.encrypted_blob = encrypted_blob; + let meta_bytes = match serde_json::to_vec(&metadata) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][SAVE_KEYSPACE] serde_json metadata error: {}", e)); + return Err(VaultError::Serialization(e.to_string())); + } + }; + self.storage.set(keyspace, &meta_bytes).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?; + debug_log("[DEBUG][SAVE_KEYSPACE] success"); + Ok(()) + } + + /// Sign a message with a stored keypair in a keyspace + /// + /// # Arguments + /// * `keyspace` - Keyspace name + /// * `password` - Keyspace password + /// * `key_id` - Keypair ID + /// * `message` - Message to sign + pub async fn sign(&self, keyspace: &str, password: &[u8], key_id: &str, message: &[u8]) -> Result, VaultError> { + let data = self.unlock_keyspace(keyspace, password).await?; + let key = data.keypairs.iter().find(|k| k.id == key_id).ok_or(VaultError::KeyNotFound(key_id.to_string()))?; + match key.key_type { + KeyType::Ed25519 => { + use ed25519_dalek::{SigningKey, Signer}; + let signing = SigningKey::from_bytes(&key.private_key.clone().try_into().map_err(|_| VaultError::Crypto("Invalid Ed25519 private key length".to_string()))?); + let sig = signing.sign(message); + Ok(sig.to_bytes().to_vec()) + } + KeyType::Secp256k1 => { + use k256::ecdsa::{SigningKey, signature::Signer}; + let arr: &[u8; 32] = key.private_key.as_slice().try_into().map_err(|_| VaultError::Crypto("Invalid secp256k1 private key length".to_string()))?; + let sk = SigningKey::from_bytes(arr.into()).map_err(|e| VaultError::Crypto(e.to_string()))?; + let sig: k256::ecdsa::DerSignature = sk.sign(message); + Ok(sig.to_vec()) + } + } + } + + /// Verify a signature with a stored keypair in a keyspace + /// + /// # Arguments + /// * `keyspace` - Keyspace name + /// * `password` - Keyspace password + /// * `key_id` - Keypair ID + /// * `message` - Message that was signed + /// * `signature` - Signature to verify + pub async fn verify(&self, keyspace: &str, password: &[u8], key_id: &str, message: &[u8], signature: &[u8]) -> Result { + let data = self.unlock_keyspace(keyspace, password).await?; + let key = data.keypairs.iter().find(|k| k.id == key_id).ok_or(VaultError::KeyNotFound(key_id.to_string()))?; + match key.key_type { + KeyType::Ed25519 => { + use ed25519_dalek::{VerifyingKey, Signature, Verifier}; + let verifying = VerifyingKey::from_bytes(&key.public_key.clone().try_into().map_err(|_| VaultError::Crypto("Invalid Ed25519 public key length".to_string()))?) + .map_err(|e| VaultError::Crypto(e.to_string()))?; + let sig = Signature::from_bytes(&signature.try_into().map_err(|_| VaultError::Crypto("Invalid Ed25519 signature length".to_string()))?); + Ok(verifying.verify(message, &sig).is_ok()) + } + KeyType::Secp256k1 => { + use k256::ecdsa::{VerifyingKey, Signature, signature::Verifier}; + let pk = VerifyingKey::from_sec1_bytes(&key.public_key).map_err(|e| VaultError::Crypto(e.to_string()))?; + let sig = Signature::from_der(signature).map_err(|e| VaultError::Crypto(e.to_string()))?; + Ok(pk.verify(message, &sig).is_ok()) + } + } + } + + +/// Encrypt a message using the keyspace symmetric cipher +/// (for simplicity, uses keyspace password-derived key) +pub async fn encrypt(&self, keyspace: &str, password: &[u8], plaintext: &[u8]) -> Result, VaultError> { + debug_log("[DEBUG][ENTER] encrypt"); + debug_log(&format!("[DEBUG][encrypt] keyspace={}", keyspace)); + use crate::crypto::{kdf}; + // 1. Load keyspace metadata + let meta_bytes = self.storage.get(keyspace).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?; + let meta_bytes = match meta_bytes { + Some(val) => val, + None => { + debug_log("[DEBUG][ERR] encrypt: keyspace not found"); + return Err(VaultError::Other("Keyspace not found".to_string())); + } + }; + let meta: KeyspaceMetadata = match serde_json::from_slice(&meta_bytes) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][ERR] encrypt: serialization error: {}", e)); + return Err(VaultError::Serialization(e.to_string())); + } + }; + debug_log(&format!("[DEBUG][encrypt] salt={:?} cipher={} (hex salt: {})", meta.salt, meta.cipher, hex::encode(&meta.salt))); + // 2. Derive key + let key = match meta.kdf.as_str() { + "scrypt" => match kdf::derive_key_scrypt(password, &meta.salt, 32) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][ERR] encrypt: kdf scrypt error: {}", e)); + return Err(VaultError::Crypto(e)); + } + }, + "pbkdf2" => kdf::derive_key_pbkdf2(password, &meta.salt, 32, 10_000), + _ => { + debug_log(&format!("[DEBUG][ERR] encrypt: unsupported KDF: {}", meta.kdf)); + return Err(VaultError::Other(format!("Unsupported KDF: {}", meta.kdf))); + } + }; + // 3. Generate nonce + let nonce = random_salt(12); + debug_log(&format!("[DEBUG][encrypt] nonce={:?} (hex nonce: {})", nonce, hex::encode(&nonce))); + // 4. Encrypt + let ciphertext = match meta.cipher.as_str() { + "chacha20poly1305" => match encrypt_chacha20(&key, plaintext, &nonce) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][ERR] encrypt: chacha20poly1305 error: {}", e)); + return Err(VaultError::Crypto(e)); + } + }, + "aes-gcm" => match encrypt_aes_gcm(&key, plaintext, &nonce) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][ERR] encrypt: aes-gcm error: {}", e)); + return Err(VaultError::Crypto(e)); + } + }, + _ => { + debug_log(&format!("[DEBUG][ERR] encrypt: unsupported cipher: {}", meta.cipher)); + return Err(VaultError::Other(format!("Unsupported cipher: {}", meta.cipher))); + } + }; + // 5. Prepend nonce to ciphertext + let mut out = nonce; + out.extend_from_slice(&ciphertext); + Ok(out) +} + +/// Decrypt a message using the keyspace symmetric cipher +/// (for simplicity, uses keyspace password-derived key) +pub async fn decrypt(&self, keyspace: &str, password: &[u8], ciphertext: &[u8]) -> Result, VaultError> { + debug_log("[DEBUG][ENTER] decrypt"); + debug_log(&format!("[DEBUG][decrypt] keyspace={}", keyspace)); + use crate::crypto::{kdf}; + // 1. Fetch metadata + let meta_bytes = self.storage.get(keyspace).await.map_err(|e| VaultError::Storage(format!("{e:?}")))?; + let meta_bytes = meta_bytes.ok_or(VaultError::KeyspaceNotFound(keyspace.to_string()))?; + let metadata: KeyspaceMetadata = serde_json::from_slice(&meta_bytes).map_err(|e| VaultError::Serialization(e.to_string()))?; + debug_log(&format!("[DEBUG][decrypt] salt={:?} cipher={} (hex salt: {})", metadata.salt, metadata.cipher, hex::encode(&metadata.salt))); + // 2. Derive key + let key = match metadata.kdf.as_str() { + "scrypt" => match kdf::derive_key_scrypt(password, &metadata.salt, 32) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][ERR] decrypt: storage error: {:?}", e)); + return Err(VaultError::Crypto(e)); + } + }, + "pbkdf2" => kdf::derive_key_pbkdf2(password, &metadata.salt, 32, 10_000), + _ => { + debug_log(&format!("[DEBUG][ERR] decrypt: unsupported KDF: {}", metadata.kdf)); + return Err(VaultError::Other(format!("Unsupported KDF: {}", metadata.kdf))); + } + }; + // 3. Split nonce and ciphertext + if ciphertext.len() < 12 { + debug_log(&format!("[DEBUG][ERR] decrypt: ciphertext too short: {}", ciphertext.len())); + return Err(VaultError::Crypto("Ciphertext too short".to_string())); + } + let (nonce, ct) = ciphertext.split_at(12); + debug_log(&format!("[DEBUG][decrypt] nonce={:?} (hex nonce: {})", nonce, hex::encode(nonce))); + // 4. Decrypt + let plaintext = match metadata.cipher.as_str() { + "chacha20poly1305" => match decrypt_chacha20(&key, ct, nonce) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][ERR] decrypt: chacha20poly1305 error: {}", e)); + return Err(VaultError::Crypto(e)); + } + }, + "aes-gcm" => match decrypt_aes_gcm(&key, ct, nonce) { + Ok(val) => val, + Err(e) => { + debug_log(&format!("[DEBUG][ERR] decrypt: aes-gcm error: {}", e)); + return Err(VaultError::Crypto(e)); + } + }, + _ => { + debug_log(&format!("[DEBUG][ERR] decrypt: unsupported cipher: {}", metadata.cipher)); + return Err(VaultError::Other(format!("Unsupported cipher: {}", metadata.cipher))); + } + }; + Ok(plaintext) +} + +} // <-- Close the impl block diff --git a/vault/src/session.rs b/vault/src/session.rs new file mode 100644 index 0000000..a824cc7 --- /dev/null +++ b/vault/src/session.rs @@ -0,0 +1,22 @@ +//! Session manager for the vault crate (optional) + +use crate::data::KeyspaceData; +use std::collections::HashMap; + +pub struct SessionManager { + unlocked_keyspaces: HashMap, + current_keyspace: Option, + current_keypair: Option, + // ... +} + +impl SessionManager { + pub fn new() -> Self { + Self { + unlocked_keyspaces: HashMap::new(), + current_keyspace: None, + current_keypair: None, + } + } + // ... methods for unlock, lock, select, timeout, etc. +} diff --git a/vault/src/utils.rs b/vault/src/utils.rs new file mode 100644 index 0000000..e23f742 --- /dev/null +++ b/vault/src/utils.rs @@ -0,0 +1,19 @@ +//! Utility functions for the vault crate + +// Add serialization helpers, random salt generation, etc. + +/// Returns the current unix timestamp as u64 (seconds since epoch) +pub fn now() -> u64 { + #[cfg(target_arch = "wasm32")] + { + // Use JS Date.now() in milliseconds, convert to seconds + use wasm_bindgen::prelude::*; + let date = js_sys::Date::new_0(); + (date.get_time() / 1000.0) as u64 + } + #[cfg(not(target_arch = "wasm32"))] + { + use std::time::{SystemTime, UNIX_EPOCH}; + SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() + } +} diff --git a/vault/tests/keypair_management.rs b/vault/tests/keypair_management.rs new file mode 100644 index 0000000..5b6a2ae --- /dev/null +++ b/vault/tests/keypair_management.rs @@ -0,0 +1,75 @@ +#![cfg(not(target_arch = "wasm32"))] +//! Tests for vault keypair management and crypto operations +use vault::{Vault, KeyType, KeyMetadata}; +use kvstore::native::NativeStore; + +fn debug_log(msg: &str) { + use std::fs::OpenOptions; + use std::io::Write; + let mut f = OpenOptions::new() + .create(true) + .append(true) + .open("vault_crypto_debug.log") + .unwrap(); + writeln!(f, "{}", msg).unwrap(); +} + +#[tokio::test] +async fn test_keypair_management_and_crypto() { + debug_log("[DEBUG][TEST] test_keypair_management_and_crypto started"); + // Use NativeStore for native tests + #[cfg(not(target_arch = "wasm32"))] + let store = NativeStore::open("vault_native_test").expect("Failed to open native store"); + #[cfg(not(target_arch = "wasm32"))] + let mut vault = Vault::new(store); + #[cfg(target_arch = "wasm32")] + compile_error!("This test is not intended for wasm32 targets"); + let keyspace = &format!("testspace_{}", chrono::Utc::now().timestamp_nanos()); + let password = b"supersecret"; + + debug_log(&format!("[DEBUG][TEST] keyspace: {} password: {}", keyspace, hex::encode(password))); + debug_log("[DEBUG][TEST] before create_keyspace"); + vault.create_keyspace(keyspace, password, "pbkdf2", "chacha20poly1305", None).await.unwrap(); + + debug_log(&format!("[DEBUG][TEST] after create_keyspace: keyspace={} password={}", keyspace, hex::encode(password))); + debug_log("[DEBUG][TEST] before add Ed25519 keypair"); + let key_id = vault.add_keypair(keyspace, password, KeyType::Ed25519, Some(KeyMetadata { name: Some("edkey".into()), created_at: None, tags: None })).await; + match &key_id { + Ok(_) => debug_log("[DEBUG][TEST] after add Ed25519 keypair (Ok)"), + Err(e) => debug_log(&format!("[DEBUG][TEST] after add Ed25519 keypair (Err): {:?}", e)), + } + let key_id = key_id.unwrap(); + debug_log("[DEBUG][TEST] before add secp256k1 keypair"); + let secp_id = vault.add_keypair(keyspace, password, KeyType::Secp256k1, Some(KeyMetadata { name: Some("secpkey".into()), created_at: None, tags: None })).await.unwrap(); + + debug_log("[DEBUG][TEST] before list_keypairs"); + let keys = vault.list_keypairs(keyspace, password).await.unwrap(); + assert_eq!(keys.len(), 2); + + debug_log("[DEBUG][TEST] before export Ed25519 keypair"); + let (priv_bytes, pub_bytes) = vault.export_keypair(keyspace, password, &key_id).await.unwrap(); + assert!(!priv_bytes.is_empty() && !pub_bytes.is_empty()); + + debug_log("[DEBUG][TEST] before sign Ed25519"); + let msg = b"hello world"; + let sig = vault.sign(keyspace, password, &key_id, msg).await.unwrap(); + debug_log("[DEBUG][TEST] before verify Ed25519"); + let ok = vault.verify(keyspace, password, &key_id, msg, &sig).await.unwrap(); + assert!(ok); + + debug_log("[DEBUG][TEST] before sign secp256k1"); + let sig2 = vault.sign(keyspace, password, &secp_id, msg).await.unwrap(); + debug_log("[DEBUG][TEST] before verify secp256k1"); + let ok2 = vault.verify(keyspace, password, &secp_id, msg, &sig2).await.unwrap(); + assert!(ok2); + + // Encrypt and decrypt + let ciphertext = vault.encrypt(keyspace, password, msg).await.unwrap(); + let plaintext = vault.decrypt(keyspace, password, &ciphertext).await.unwrap(); + assert_eq!(plaintext, msg); + + // Remove a keypair + vault.remove_keypair(keyspace, password, &key_id).await.unwrap(); + let keys = vault.list_keypairs(keyspace, password).await.unwrap(); + assert_eq!(keys.len(), 1); +} diff --git a/vault/tests/mock_store.rs b/vault/tests/mock_store.rs new file mode 100644 index 0000000..d59c9c2 --- /dev/null +++ b/vault/tests/mock_store.rs @@ -0,0 +1,35 @@ +//! In-memory mock key-value store for testing vault logic (native only) +use kvstore::KVStore; +use std::collections::HashMap; +use std::sync::{Arc, Mutex}; + +#[derive(Clone, Default)] +pub struct MockStore { + inner: Arc>>>, +} + +#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))] +#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)] +impl KVStore for MockStore { + async fn get(&self, key: &str) -> Result>, kvstore::KVError> { + Ok(self.inner.lock().unwrap().get(key).cloned()) + } + async fn set(&self, key: &str, value: &[u8]) -> Result<(), kvstore::KVError> { + self.inner.lock().unwrap().insert(key.to_string(), value.to_vec()); + Ok(()) + } + async fn remove(&self, key: &str) -> Result<(), kvstore::KVError> { + self.inner.lock().unwrap().remove(key); + Ok(()) + } + async fn contains_key(&self, key: &str) -> Result { + Ok(self.inner.lock().unwrap().contains_key(key)) + } + async fn keys(&self) -> Result, kvstore::KVError> { + Ok(self.inner.lock().unwrap().keys().cloned().collect()) + } + async fn clear(&self) -> Result<(), kvstore::KVError> { + self.inner.lock().unwrap().clear(); + Ok(()) + } +} diff --git a/vault/tests/wasm_keypair_management.rs b/vault/tests/wasm_keypair_management.rs new file mode 100644 index 0000000..c6e8e6d --- /dev/null +++ b/vault/tests/wasm_keypair_management.rs @@ -0,0 +1,128 @@ +#![cfg(target_arch = "wasm32")] +//! WASM/browser tests for vault keypair management and crypto operations +use wasm_bindgen_test::*; +use vault::{Vault, KeyType, KeyMetadata}; +use kvstore::wasm::WasmStore; +use console_error_panic_hook; + +wasm_bindgen_test_configure!(run_in_browser); + +#[wasm_bindgen_test(async)] +async fn wasm_test_keypair_management_and_crypto() { + console_error_panic_hook::set_once(); + let store = WasmStore::open("vault_idb_test").await.expect("Failed to open IndexedDB store"); + let mut vault = Vault::new(store); + let keyspace = "wasmspace"; + let password = b"supersecret"; + println!("[DEBUG] Initialized vault and IndexedDB store"); + + // Step 1: Create keyspace + match vault.create_keyspace(keyspace, password, "pbkdf2", "chacha20poly1305", None).await { + Ok(_) => println!("[DEBUG] Created keyspace"), + Err(e) => { println!("[ERROR] Failed to create keyspace: {:?}", e); return; } + } + + // Step 2: Add Ed25519 keypair + let key_id = match vault.add_keypair(keyspace, password, KeyType::Ed25519, Some(KeyMetadata { name: Some("edkey".into()), created_at: None, tags: None })).await { + Ok(id) => { println!("[DEBUG] Added Ed25519 keypair: {}", id); id }, + Err(e) => { println!("[ERROR] Failed to add Ed25519 keypair: {:?}", e); return; } + }; + + // Step 3: Add Secp256k1 keypair + let secp_id = match vault.add_keypair(keyspace, password, KeyType::Secp256k1, Some(KeyMetadata { name: Some("secpkey".into()), created_at: None, tags: None })).await { + Ok(id) => { println!("[DEBUG] Added Secp256k1 keypair: {}", id); id }, + Err(e) => { println!("[ERROR] Failed to add Secp256k1 keypair: {:?}", e); return; } + }; + + // Step 4: List keypairs + let keys = match vault.list_keypairs(keyspace, password).await { + Ok(keys) => { println!("[DEBUG] Listed keypairs: {:?}", keys); keys }, + Err(e) => { println!("[ERROR] Failed to list keypairs: {:?}", e); return; } + }; + if keys.len() != 2 { + println!("[ERROR] Expected 2 keypairs, got {}", keys.len()); + return; + } + + // Step 5: Export Ed25519 keypair + let (priv_bytes, pub_bytes) = match vault.export_keypair(keyspace, password, &key_id).await { + Ok((priv_bytes, pub_bytes)) => { + println!("[DEBUG] Exported Ed25519 keypair, priv: {} bytes, pub: {} bytes", priv_bytes.len(), pub_bytes.len()); + (priv_bytes, pub_bytes) + }, + Err(e) => { println!("[ERROR] Failed to export Ed25519 keypair: {:?}", e); return; } + }; + if priv_bytes.is_empty() || pub_bytes.is_empty() { + println!("[ERROR] Exported Ed25519 keypair bytes are empty"); + return; + } + + // Step 6: Sign and verify with Ed25519 + let msg = b"hello wasm"; + let sig = match vault.sign(keyspace, password, &key_id, msg).await { + Ok(sig) => { println!("[DEBUG] Signed message with Ed25519"); sig }, + Err(e) => { println!("[ERROR] Failed to sign with Ed25519: {:?}", e); return; } + }; + let ok = match vault.verify(keyspace, password, &key_id, msg, &sig).await { + Ok(ok) => { println!("[DEBUG] Verified Ed25519 signature: {}", ok); ok }, + Err(e) => { println!("[ERROR] Failed to verify Ed25519 signature: {:?}", e); return; } + }; + if !ok { + println!("[ERROR] Ed25519 signature verification failed"); + return; + } + + // Step 7: Sign and verify with Secp256k1 + let sig2 = match vault.sign(keyspace, password, &secp_id, msg).await { + Ok(sig) => { println!("[DEBUG] Signed message with Secp256k1"); sig }, + Err(e) => { println!("[ERROR] Failed to sign with Secp256k1: {:?}", e); return; } + }; + let ok2 = match vault.verify(keyspace, password, &secp_id, msg, &sig2).await { + Ok(ok) => { println!("[DEBUG] Verified Secp256k1 signature: {}", ok); ok }, + Err(e) => { println!("[ERROR] Failed to verify Secp256k1 signature: {:?}", e); return; } + }; + if !ok2 { + println!("[ERROR] Secp256k1 signature verification failed"); + return; + } + + // Step 8: Encrypt and decrypt + let ciphertext = match vault.encrypt(keyspace, password, msg).await { + Ok(ct) => { println!("[DEBUG] Encrypted message"); ct }, + Err(e) => { println!("[ERROR] Failed to encrypt message: {:?}", e); return; } + }; + let plaintext = match vault.decrypt(keyspace, password, &ciphertext).await { + Ok(pt) => { println!("[DEBUG] Decrypted message"); pt }, + Err(e) => { println!("[ERROR] Failed to decrypt message: {:?}", e); return; } + }; + if plaintext != msg { + println!("[ERROR] Decrypted message does not match original"); + return; + } + + // Step 9: Remove Ed25519 keypair + match vault.remove_keypair(keyspace, password, &key_id).await { + Ok(_) => println!("[DEBUG] Removed Ed25519 keypair"), + Err(e) => { println!("[ERROR] Failed to remove Ed25519 keypair: {:?}", e); return; } + } + let keys = match vault.list_keypairs(keyspace, password).await { + Ok(keys) => { println!("[DEBUG] Listed keypairs after removal: {:?}", keys); keys }, + Err(e) => { println!("[ERROR] Failed to list keypairs after removal: {:?}", e); return; } + }; + if keys.len() != 1 { + println!("[ERROR] Expected 1 keypair after removal, got {}", keys.len()); + return; + } +} + + + +wasm_bindgen_test_configure!(run_in_browser); + +#[wasm_bindgen_test] +fn sanity_check() { + assert_eq!(2 + 2, 4); +} + + + diff --git a/vault/vault_crypto_debug.log b/vault/vault_crypto_debug.log new file mode 100644 index 0000000..332a075 --- /dev/null +++ b/vault/vault_crypto_debug.log @@ -0,0 +1,121 @@ +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] after add Ed25519 keypair (Err): Crypto("decryption error: aead::Error") +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] after add Ed25519 keypair (Err): Crypto("decryption error: aead::Error") +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] after add Ed25519 keypair (Err): Crypto("decryption error: aead::Error") +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] after add Ed25519 keypair (Err): Crypto("decryption error: aead::Error") +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] keyspace: testspace password: 7375706572736563726574 +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] after create_keyspace: keyspace=testspace password=7375706572736563726574 +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] keyspace: testspace password: 7375706572736563726574 +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] after add Ed25519 keypair (Err): Crypto("decryption error: aead::Error") +[DEBUG][TEST] after create_keyspace: keyspace=testspace password=7375706572736563726574 +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] after add Ed25519 keypair (Err): Crypto("decryption error: aead::Error") +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] keyspace: testspace_1747303028801159410 password: 7375706572736563726574 +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] after create_keyspace: keyspace=testspace_1747303028801159410 password=7375706572736563726574 +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] after add Ed25519 keypair (Ok) +[DEBUG][TEST] before add secp256k1 keypair +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] keyspace: testspace_1747303185421006752 password: 7375706572736563726574 +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] after create_keyspace: keyspace=testspace_1747303185421006752 password=7375706572736563726574 +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] after add Ed25519 keypair (Ok) +[DEBUG][TEST] before add secp256k1 keypair +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] keyspace: testspace_1747303743371199079 password: 7375706572736563726574 +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] after create_keyspace: keyspace=testspace_1747303743371199079 password=7375706572736563726574 +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] after add Ed25519 keypair (Ok) +[DEBUG][TEST] before add secp256k1 keypair +[DEBUG][TEST] before list_keypairs +[DEBUG][TEST] before export Ed25519 keypair +[DEBUG][TEST] before sign Ed25519 +[DEBUG][TEST] before verify Ed25519 +[DEBUG][TEST] before sign secp256k1 +[DEBUG][TEST] before verify secp256k1 +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] keyspace: testspace_1747304555613901420 password: 7375706572736563726574 +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] after create_keyspace: keyspace=testspace_1747304555613901420 password=7375706572736563726574 +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] after add Ed25519 keypair (Ok) +[DEBUG][TEST] before add secp256k1 keypair +[DEBUG][TEST] before list_keypairs +[DEBUG][TEST] before export Ed25519 keypair +[DEBUG][TEST] before sign Ed25519 +[DEBUG][TEST] before verify Ed25519 +[DEBUG][TEST] before sign secp256k1 +[DEBUG][TEST] before verify secp256k1 +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] keyspace: testspace_1747310570021504019 password: 7375706572736563726574 +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] after create_keyspace: keyspace=testspace_1747310570021504019 password=7375706572736563726574 +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] after add Ed25519 keypair (Ok) +[DEBUG][TEST] before add secp256k1 keypair +[DEBUG][TEST] before list_keypairs +[DEBUG][TEST] before export Ed25519 keypair +[DEBUG][TEST] before sign Ed25519 +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] keyspace: testspace_1747310702751219893 password: 7375706572736563726574 +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] after create_keyspace: keyspace=testspace_1747310702751219893 password=7375706572736563726574 +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] after add Ed25519 keypair (Ok) +[DEBUG][TEST] before add secp256k1 keypair +[DEBUG][TEST] before list_keypairs +[DEBUG][TEST] before export Ed25519 keypair +[DEBUG][TEST] before sign Ed25519 +[DEBUG][TEST] before verify Ed25519 +[DEBUG][TEST] before sign secp256k1 +[DEBUG][TEST] before verify secp256k1 +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] keyspace: testspace_1747311247795239358 password: 7375706572736563726574 +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] after create_keyspace: keyspace=testspace_1747311247795239358 password=7375706572736563726574 +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] after add Ed25519 keypair (Ok) +[DEBUG][TEST] before add secp256k1 keypair +[DEBUG][TEST] before list_keypairs +[DEBUG][TEST] before export Ed25519 keypair +[DEBUG][TEST] before sign Ed25519 +[DEBUG][TEST] before verify Ed25519 +[DEBUG][TEST] before sign secp256k1 +[DEBUG][TEST] before verify secp256k1 +[DEBUG][TEST] test_keypair_management_and_crypto started +[DEBUG][TEST] keyspace: testspace_1747311770351800477 password: 7375706572736563726574 +[DEBUG][TEST] before create_keyspace +[DEBUG][TEST] after create_keyspace: keyspace=testspace_1747311770351800477 password=7375706572736563726574 +[DEBUG][TEST] before add Ed25519 keypair +[DEBUG][TEST] after add Ed25519 keypair (Ok) +[DEBUG][TEST] before add secp256k1 keypair +[DEBUG][TEST] before list_keypairs +[DEBUG][TEST] before export Ed25519 keypair +[DEBUG][TEST] before sign Ed25519 +[DEBUG][TEST] before verify Ed25519 +[DEBUG][TEST] before sign secp256k1 +[DEBUG][TEST] before verify secp256k1 diff --git a/vault/vault_native_test/conf b/vault/vault_native_test/conf new file mode 100644 index 0000000..4154d7c --- /dev/null +++ b/vault/vault_native_test/conf @@ -0,0 +1,4 @@ +segment_size: 524288 +use_compression: false +version: 0.34 +vQÁ \ No newline at end of file diff --git a/vault/vault_native_test/db b/vault/vault_native_test/db new file mode 100644 index 0000000000000000000000000000000000000000..fa04fefea71f6e0a220296186d87f7c220f8edca GIT binary patch literal 524287 zcmeI)&x@t$S%>kSgbZOsf`5QQdLamBQRh@uS5*+jm2LzTHzG3hOgcs!Gh=3g29Zc~ zD+q1`SNaF&J}!l1k&O$t;>Lv_E@m|hF5-24-)f?gI0J$(aK)~vs&n4=`SH2$=YF2| zbmRBF^_|as@A%(0o*e)Cqo4i8Km5n5{QSFr{q5iX%qve`dGc?c|Kq><>}Q{R>hXdn z?>~L_?a#jUob;`Q_0&E56+e7U*1d$_$^KV0A5zyJ0hJpIb^-+A%$ z3s3*o>zH6k$zJ54e&R3`FTQC2O)6?Jn;+N>@oj3S?p~*LY>zyyZ_$sfw`Q_*Qxm>;T_FG>+ zUtitw-ixoi`PHw#^B$9WP!Ab#*!2J4`S1z6-C>!uggL zXzy}$ee%a=r+Z$!KHXn2oj1Sw;<+Py4$Sv)Pfy=_{+sVU{lZti_SRc}_|rf6d%yVF z2d{r*AU^n+PfQ?CJ`+*md-qJICG9OYZm%*A4G-kuTpsN)U;G{;EHC z&lPVzoE~`dmUqwR)9tO)=R3medxng*uE{%6>q5Wx_ow@_aWWeocyC`P0(>UcHep(F z)%nJ2&L_IEMWgQhgHWg&Q6T>&P?HAyWDNY`_?lXu`$}m)^@L$674w_ zItTs2oOglkEJDPNcXhyq!AfvpP7mCA;ny2h9N&~)5^$eTCrX6g=V#~L#cHyDXs~lM zw~W~fy@sDRL%zA>j$uG?xwdPj=`_{_zg@VIo(>c4pvl`4G3I5)Vt;(w^cexy6Jmqo zJkKn1reJL_pP`{IO>UN7XJg1x_bz*6zHX!z{K? z@is4#RZh!-$Yi|E*)DyEphLNKW2=;#kC$mgRxCy5vGFl*?zA(8x-nWQjm`=pZ__RI z7f0zNoddn|5}1y~h`995gxqcSF>z=@6$ZQ|<6T@s+2a;T%sOXbEB@?A&2GkiWHi!8 z3Nq>ipNqWEMP$oXM6$(YMWYOi+ekEf@ynG?eB2JG_D)b2=ejixC(*WlSBH`2Hiklu z(k-+7c>C%<{`^n;%WEIL`X?W`v3~gK8=sh+_3UbaXEjCTD~cUy1fJPND9KUixx{28 zQ4G5I!bQWRc$t&#y(Xb)zfG1BV$pKNn2tw?SipvaLQH74Rjd?plgUg{5F!H0R=b?x zrPG!p=Pp+#D~$9c2N;Tlz}<{wI=eMfI>|8-!*ydlXVg?FYn;uS<;T*vSZrSI7Va=B zy3U<57K5fi%ZdZEG+Aj_y5^0kIV*}5*EQYJLGc%GpZyMZ9y^>a^)BXL#8T``Mm7--HB-7G2He^LeqqZ^zWo-hFGp-!*BW# zDeZS|GOJlnJMA%l8n*%Naq+pYdj8y9qz+8SYNQbrfiOorYk*C907Gt@<`&gs#-y4F0^!j04nz3YPN#X;Hvo1jG?xmavRIbWdV#U0&N4rPc&n{&VzbwAXZu& zoD0HdA$LIo&9FVPTOUlcmt8q1GR~@CxXf7V0atj2B!N)b-iEfTnR$?69u>5=S8kMw z`)q@o%zjs-m5w}RNonfx@f72tqq1#NWfg7D!&+`)Z}@4HPECd&0LNq%0XO3zkca zj!aeKxdh->swLN3KHdKa8r^QwVWrXVW48Eo!d+XgBmre?r%xt@@ev9`>PF~-wdOf4 z#8#l3AIa>19K}(+d4>703>_ag^TpZ}z>?yixZPnMPbDrWjG4JTFewgdTRYxh`cl7k z_NT0PHxhJYd9!93YU1hm7}qAVHOR~K!2Kq|Rug@*#AtxwuGSd3Z8uw!f=Fmm9lHaa zjgMP^v1BT_8qBSP#yni%cV+s-;3`wr255`W5~nkxw_N*Wo<25kJU7!eYmI7PPOYe` zVV-g$y|X4vnbipzb}u8W;?udClOingJuz=lz{2fb=v27alH#UH3fKu2Eb!IctxeUs+t#xLGoZQa^t4usMy6Pbw_ZYD(j zS|9MW46>s6L+{R(C{eR$)SZroS?t8rBH&g@NL&V%1-Hv>jC{AanoPcISZII+PK$)u zfzY{`NCR%Ej@a;`Mu)7`RVq@{y18w`Ss%;ac`_@4?SaKSG=2HSDbpUmF?d=gnRc|{ zid7`~<`qJ1u|H}YL)ak}P{(GD@nCa8NyDY287`fO>>=JOl60K$Ka&j{g-ZQfhp}C zWW6(q-05AF^k5F`ctD5b2aQ+;2=|_c4fxCOF%oaEh?^DO=my~9hC^b+J5V|&GH6>X zGdBMjh^b(su51>lyRaqM={luje`1o>6pySvi!fNO+dfA6>_ea9HXqZiy8Dcli|Kx6 zJ=PN|k_6n2;QKW1%5%y)^4d7%_3T3qmu;vF&cXpFmpNfqG{5e^zzzJy;&&_9XdNRf zg@Q^E<(i|DIUM7m1$QHsgnwm3(5UW&9TbMQIPCbh)n#uK6k+{b!xHUrn?9V9;UQ{_ zSY+0x=a5wZ;5TC?;o;jwY3XEu-rxjyl?Exe7A?0?>dxw{JAu2kI~SMxwr_d6HQ&9+ zJ<(dhXm&(#>c_N=v?)jItcG^vw!~Z|*%n2er_g~)gHFp`+(({m30!Y}5CFdMUv72} za93A}@enR62tzSP7TIHp1ed`Wdc$QXc+<_(VDGaQb_WYP`~S`!TF??Xu(HNgD{Af` z-r;8}@F3`niKR1f$*>ys*)fA+%w)ew;io4qGWQ*3Z9HgzlgC@$V2(oaHm&Q(4l@lia?6#`@gpnH-Q6RoKQd7owhnRTKeE8? zt^QUjjvFg0F8s$qyO}s{+cCf8qbKvi=|Qzcwt<_W^u4U~F_83cUZZICbGNnR zQQm>D;<=g0k!9wEV`p33Ott{`+-cs}3PU0|%$l3bk4GsL>6UQqLCO3!fvrXi+QLE~ zmKw&xjWV*So8G+Qv3JYB8FHPAp8qmT!_R{D7>5Qg9BmpZvw|f=w2r882bZt}EC?Kp z=-D&I&e1y-SjQ;%JJH)K4KNIJ?b43?c*0WvzdCu(K)l5=5`~5B{OHBnK?d@QMFPH6 z6wl>u3+T8(?PSIk>Y9#LWUj!4#d zbfbH=Ehg`t;t)+a>&uoX=|=lpxX;{Zk_O1*mnwG7d@PD2{SL{DeV@Z@S9dKgmfKz- zGCJ-IOk-zaE+*T_YFcuo_&YHqeyk><>Sqqi7@J!ba)obGlDA~HI$Vo1zWU`#FlD`) z(Q)})9v_Uk$XJsOP!K#E+P;0$m6!FKAuc+mNpRum5_)Qxf%`eDbV7X1PlONwGE8EQw0F zVY&&B2>fX3xhGlFi94^XnjGv5kCE@$oVWb|g7)1<3=t6|q1|^}nXFNIBDUOP4%4Ae z4c9*;7P$Sle?#)k5C7>iuYK_DN5iLIa}m6>*F>yf=I=%P2%D%#C1E%(!2-v6%k{| zTefJh2`1n6U`u7Qf~{NA#k&|BS1*GZg~>{18!|sr?>%feC=!V=Q5tRD@l(%8cP=I~ z_MwT@&g?T!kNuC^oQ1c$HQO=^*ym0C92{LbY~SP}>ny9sjC69I>zL8;p#kN=t)n_M; zj~JOR_Q!V@Ytn-@EuTh@ciF*+t3zQX7Ir%4X@@4A z%7VkSu4ejWWJ?tSE zphNX%(!|L)Gw-$Qc6x1Js^em><1(CgTjbLc5LE0jzQ`D?RAR1?H~mR>LiZ z*{i6xIDT98I?vY*#x`9rhLP2{62VyaX%`iM z<*>6hb8xL#^|*^6@)Lh3U{=KA-#jrK2D{!3uMG6IqtPQ3OU+fezk=GDV_pn|;2JyD zkzrnZcOTiX^1`s#qdXw*@Ii2C&nP)H*U;+3&LFh9Q?MzkH@BLY%wHd#J$cs%iU^x5SHpL_o2Ui-`6`MDqE-<5ppBRAU*U;T?u$Zl)G z8yWlvj+>*$Qi`_uK%n+fqv_1gCY6iVJ<1dzBD>u4S28kwdWhlyoZ)MX;hoc7ndRz6G+IX*(#leW7w{Q9$+9WIv` zdZ%Qub3R8?px3_8M=(vyWy^Q}7PUhq>h{C#(W^rUJJibr@ zX^}rZN4iCFmDL&j!84aVTDM}Z-#TxD_`$8JXNMCjiXB|Kyj+EZ6E&0xJ76hk=87E zt~2h(-phnsf(zC`y3e}3h2?0F-HCkL(r>_-;DO5k8M0MsS&5queQqy^dRVsnxEAP& zU+J7*dCQlG&yn{=_!z0@0fr`w)q?K!Q41k7Nj#_U-KJSLo1sHA><*uoOc4X8Xi(; z(s6Sk<95Nj(pD@{V^$7@cirGENsi8WGb1LpqnB1HGfys(j}{CSU+yag)TvtiY>iGF zKg)|TnOd$*W9xG8Zx1{J`bnx^%k5*-G{GD_TN5?&&2jD2zQ%lIPd3cRYB0PV8@Pi+ z+am{abdi}wW~e{2P@E@;;s(XQ9+wiM;4SoyjN}p)^*%$TBc!dfwqaoT*Y?o@9lKwsX2NI1)?SBw{AK(eL!73waHluV%`Mg>!uv}tB?%F@rug<|U*Q6Nv(h_X zPY>Ixc*`>65sLfikumI(kevs1g4$L`rqGSk=2v2f9?O)%#v|WxYNJ(RW%L-XvC!K3t=PnL;Mm zo-MGdj4zkc6gEuN#fg@=C3yIaglkNT8|8b*ZkE=vd_c!Gm*A9Z_{3cs0v#TJDTlbj9BjQ=&6#+ z>6Okc0*u|dZSq)rkARt*9#!yPw3yft+a2zx^vvH)k1S#2+-gfUV=eS%CP$L+Un?`g z-Qt{u2_}sh&CjL{LWnPX%-vg$kgPzWPY_%hv~7JLAzU0zks-1m=mPS+KzQUfb}T|B z;6R|XmYOIpPf`w(jB5FnNUj@CudZ3^7WmMZ>Y1D2ptxtV=o{MgJ8tu#ql}K z(UIZfLdLV=XAxZGSoO2e>?}JP)7h+Haj z1G(f;&UrJ}W5F0fl41pifGsflFpOEcJFwVPbP__6Cr7H#<8r_q{)pV_5DO^rSZi=E;P8nIzq#+Mcpj#|R+bHztlzG-Y$NV;(R%Ki1idxWZ$PA!clQ z2odtgfnvK=hSH5&)SdXdfk&%6fS9F}3Gh>5fmHBwU zCc+HpY!4_a@Rn=yol&h1`f)v3Pc2If#7Qz0i^e`Xwh0ElV}W~~hfu>k)1$gLVav2` zc0k)MO*UccC0edD7oYQl%ow9z+ zye5r-WRdJamN?Q77uqG$aQ9)Dbh)}|T$u#}A;r8;d;YjEJTu!ohZ}YZatqFFi~frz z7l{WZU~O6she`;z#Z>lygBK0$QOP}KIm3S!HCOIJJYw{Fj;_YyH{QZqP5F<9-^|IKp0G%e&avaVDc9MDrag&Z|?Gqv& zgt?yFG_%}V&3EgZFR zz;xmcV`;JR>EELd$GbjOeJ(d!`OTr5Itw%9kn!vS8{rJcuNEO_`HlGR?80z7-|a(FQf~(XV*({v z%SbjjQ|kyOJ(=GgL_82X9A?3YOjfBubK`)GxJzTXV12G|t~_$F>)g{5bK7Tg9va8T zJZ!`&?$AAf`lw@q@kKE^PVpEDW=(O$?aSY}lu3|x3m>mIRN8{hknp}*3|uhjeGuX$ zs{xUA8YG)@<0fx*>tq2R!&r@VMeXcG-^P~A^jf$$(`}@8=SmuBWuGodA`=y@j^}O($}Jac literal 0 HcmV?d00001 diff --git a/vault/vault_native_test/snap.00000000000022A1 b/vault/vault_native_test/snap.00000000000022A1 new file mode 100644 index 0000000000000000000000000000000000000000..4a79f6f6597d3adc114e2929d6e1325bd1bff246 GIT binary patch literal 124 zcmZ3a!~h12jP4Ky1B1IHqYR8K!^x@&W2*`zz?caiXTD^Faz6h2p5e#|<@{s_{K?k0 aUjoMEKmU{A6Qe0ipQ%s*lzD2llsW*N9unCA literal 0 HcmV?d00001