samehabouelsaad/sal-modular
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cea2d7e655
sal-modular/docs/vault.md
Sameh Abouelsaad cea2d7e655 feat: Refactor kvstore and vault to use features and logging 
- Remove hardcoded dependencies in kvstore Cargo.toml; use features
  instead. This allows for more flexible compilation for different
  targets (native vs. WASM).
- Improve logging in vault crate using the `log` crate. This makes
  debugging easier and provides more informative output during
  execution.  Native tests use `env_logger`, WASM tests use
  `console_log`.
- Update README to reflect new logging best practices.
- Add cfg attributes to native and wasm modules to improve clarity.
- Update traits.rs to specify Send + Sync behavior expectations.
2025-05-15 16:42:19 +03:00

4.7 KiB
Raw Blame History

🧱 Vault Crate Architecture

  1. VaultStore Purpose: Central manager for all keyspaces.

Responsibilities:

Maintain metadata about keyspaces.

Provide interfaces to create, load, and manage keyspaces.

Ensure each keyspace is encrypted with its own password.

  1. KeySpace Purpose: Isolated environment containing multiple keypairs.

Responsibilities:

Securely store and manage keypairs.

Provide cryptographic operations like signing and encryption.

Handle encryption/decryption using a password-derived key.

  1. KeyPair Purpose: Represents an individual cryptographic keypair.

Responsibilities:

Perform cryptographic operations such as signing and verification.

Support key export and import functionalities.

  1. Symmetric Encryption Module Purpose: Provides encryption and decryption functionalities.

Responsibilities:

Encrypt and decrypt data using algorithms like ChaCha20Poly1305.

Derive encryption keys from passwords using PBKDF2.

  1. SessionManager Purpose: Manages the active context for cryptographic operations, simplifying API usage.

Responsibilities:

Maintain the currently selected keypair.

Provide simplified methods for cryptographic operations without repeatedly specifying the keypair.

🔐 Security Model Per-KeySpace Encryption: Each keyspace is encrypted independently using a key derived from its password.

VaultStore Metadata: Stores non-sensitive metadata about keyspaces, such as their names and creation dates. This metadata can be stored in plaintext or encrypted based on security requirements.

🧪 API Design VaultStore rust Copy Edit pub struct VaultStore { // Internal fields }

impl VaultStore { pub fn new() -> Self; pub fn load() -> Result<Self, VaultError>; pub fn save(&self) -> Result<(), VaultError>;

pub fn list_keyspaces(&self) -> Vec<KeyspaceMetadata>;
pub fn create_keyspace(&mut self, name: &str, password: &str) -> Result<(), VaultError>;
pub fn delete_keyspace(&mut self, name: &str) -> Result<(), VaultError>;
pub fn rename_keyspace(&mut self, old_name: &str, new_name: &str) -> Result<(), VaultError>;
pub fn load_keyspace(&self, name: &str, password: &str) -> Result<KeySpace, VaultError>;

} KeySpace rust Copy Edit pub struct KeySpace { // Internal fields }

impl KeySpace { pub fn new(name: &str, password: &str) -> Result<Self, VaultError>; pub fn save(&self) -> Result<(), VaultError>;

pub fn list_keypairs(&self) -> Vec<String>;
pub fn create_keypair(&mut self, name: &str) -> Result<(), VaultError>;
pub fn delete_keypair(&mut self, name: &str) -> Result<(), VaultError>;
pub fn rename_keypair(&mut self, old_name: &str, new_name: &str) -> Result<(), VaultError>;
pub fn get_keypair(&self, name: &str) -> Result<KeyPair, VaultError>;

pub fn sign(&self, keypair_name: &str, message: &[u8]) -> Result<Vec<u8>, VaultError>;
pub fn verify(&self, keypair_name: &str, message: &[u8], signature: &[u8]) -> Result<bool, VaultError>;

} KeyPair rust Copy Edit pub struct KeyPair { // Internal fields }

impl KeyPair { pub fn new() -> Self; pub fn from_private_key(private_key: &[u8]) -> Result<Self, VaultError>;

pub fn public_key(&self) -> Vec<u8>;
pub fn private_key(&self) -> Vec<u8>;

pub fn sign(&self, message: &[u8]) -> Result<Vec<u8>, VaultError>;
pub fn verify(&self, message: &[u8], signature: &[u8]) -> Result<bool, VaultError>;

} SessionManager (Optional) rust Copy Edit pub struct SessionManager { keyspace: KeySpace, active_keypair: String, }

impl SessionManager { pub fn new(keyspace: KeySpace, keypair_name: &str) -> Result<Self, VaultError>; pub fn sign(&self, message: &[u8]) -> Result<Vec, VaultError>; pub fn verify(&self, message: &[u8], signature: &[u8]) -> Result<bool, VaultError>; pub fn switch_keypair(&mut self, keypair_name: &str) -> Result<(), VaultError>; } 📦 Storage Structure Copy Edit vault_store/ ├── metadata.json └── keyspaces/ ├── alice.ksp ├── bob.ksp └── ... metadata.json: Contains metadata about each keyspace, such as name and creation date.

keyspaces/: Directory containing encrypted keyspace files.

🔄 Integration with kvstore Native Environment Storage Backend: Utilize the local filesystem or a persistent database (e.g., SQLite) for storing VaultStore and KeySpace data.

Usage:

Initialize VaultStore and load existing keyspaces.

Perform cryptographic operations using KeySpace and KeyPair.

Persist changes to disk or database.

Browser Environment (WASM) Storage Backend: Use browser storage APIs like localStorage or IndexedDB for persisting data.

Usage:

Compile the vault crate to WebAssembly.

Interact with the vault API through JavaScript bindings.

Store and retrieve encrypted keyspaces using browser storage.