add ability to crypto_box using signing keys (#128)

Cargo.toml

@@ -16,7 +16,7 @@ futures = "0.3.28"
 # determinism of the strict client/server version checks
 hc_seed_bundle = { version = "=0.2.2", path = "./crates/hc_seed_bundle" }
 # lair_keystore_api must be pinned to enable strict version checks
-lair_keystore_api = { version = "=0.4.3", path = "./crates/lair_keystore_api" }
+lair_keystore_api = { version = "=0.4.4", path = "./crates/lair_keystore_api" }
 lru = "0.10.0"
 nanoid = "0.4.0"
 one_err = "0.0.8"
@@ -32,7 +32,7 @@ serde = { version = "1", features = [ "derive", "rc" ] }
 serde_bytes = "0.11.9"
 serde_json = "1"
 serde_yaml = "0.9.21"
-sodoken = "=0.0.10"
+sodoken = "=0.0.11"
 sqlformat = "0.2.1"
 structopt = "0.3.26"
 sysinfo = "0.28.4"

README.md

@@ -43,7 +43,7 @@ License: MIT OR Apache-2.0
 
 ### `lair-keystore --help`
 ```text
-lair_keystore 0.4.3
+lair_keystore 0.4.4
 secret lair private keystore
 
 USAGE:
@@ -74,7 +74,7 @@ SUBCOMMANDS:
 ```
 ### `lair-keystore init --help`
 ```text
-lair-keystore-init 0.4.3
+lair-keystore-init 0.4.4
 Set up a new lair private keystore.
 
 USAGE:
@@ -92,7 +92,7 @@ FLAGS:
 ```
 ### `lair-keystore url --help`
 ```text
-lair-keystore-url 0.4.3
+lair-keystore-url 0.4.4
 Print the connection_url for a configured lair-keystore
 server to stdout and exit.
 
@@ -106,7 +106,7 @@ FLAGS:
 ```
 ### `lair-keystore import-seed --help`
 ```text
-lair-keystore-import-seed 0.4.3
+lair-keystore-import-seed 0.4.4
 Load a seed bundle into this lair-keystore instance.
 Note, this operation requires capturing the pid_file,
 make sure you do not have a lair-server running.
@@ -143,7 +143,7 @@ ARGS:
 ```
 ### `lair-keystore server --help`
 ```text
-lair-keystore-server 0.4.3
+lair-keystore-server 0.4.4
 Run a lair keystore server instance. Note you must
 have initialized a config file first with
 'lair-keystore init'.

crates/lair_keystore/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "lair_keystore"
-version = "0.4.3"
+version = "0.4.4"
 description = "secret lair private keystore"
 license = "MIT OR Apache-2.0"
 repository = "https://github.com/holochain/lair"

crates/lair_keystore/README.md

@@ -43,7 +43,7 @@ License: MIT OR Apache-2.0
 
 ### `lair-keystore --help`
 ```text
-lair_keystore 0.4.3
+lair_keystore 0.4.4
 secret lair private keystore
 
 USAGE:
@@ -74,7 +74,7 @@ SUBCOMMANDS:
 ```
 ### `lair-keystore init --help`
 ```text
-lair-keystore-init 0.4.3
+lair-keystore-init 0.4.4
 Set up a new lair private keystore.
 
 USAGE:
@@ -92,7 +92,7 @@ FLAGS:
 ```
 ### `lair-keystore url --help`
 ```text
-lair-keystore-url 0.4.3
+lair-keystore-url 0.4.4
 Print the connection_url for a configured lair-keystore
 server to stdout and exit.
 
@@ -106,7 +106,7 @@ FLAGS:
 ```
 ### `lair-keystore import-seed --help`
 ```text
-lair-keystore-import-seed 0.4.3
+lair-keystore-import-seed 0.4.4
 Load a seed bundle into this lair-keystore instance.
 Note, this operation requires capturing the pid_file,
 make sure you do not have a lair-server running.
@@ -143,7 +143,7 @@ ARGS:
 ```
 ### `lair-keystore server --help`
 ```text
-lair-keystore-server 0.4.3
+lair-keystore-server 0.4.4
 Run a lair keystore server instance. Note you must
 have initialized a config file first with
 'lair-keystore init'.

crates/lair_keystore/src/docs/help.md

@@ -1,6 +1,6 @@
 ### `lair-keystore --help`
 ```text
-lair_keystore 0.4.3
+lair_keystore 0.4.4
 secret lair private keystore
 
 USAGE:

crates/lair_keystore/src/docs/import-seed-help.md

@@ -1,6 +1,6 @@
 ### `lair-keystore import-seed --help`
 ```text
-lair-keystore-import-seed 0.4.3
+lair-keystore-import-seed 0.4.4
 Load a seed bundle into this lair-keystore instance.
 Note, this operation requires capturing the pid_file,
 make sure you do not have a lair-server running.

crates/lair_keystore/src/docs/init-help.md

@@ -1,6 +1,6 @@
 ### `lair-keystore init --help`
 ```text
-lair-keystore-init 0.4.3
+lair-keystore-init 0.4.4
 Set up a new lair private keystore.
 
 USAGE:

crates/lair_keystore/src/docs/server-help.md

@@ -1,6 +1,6 @@
 ### `lair-keystore server --help`
 ```text
-lair-keystore-server 0.4.3
+lair-keystore-server 0.4.4
 Run a lair keystore server instance. Note you must
 have initialized a config file first with
 'lair-keystore init'.

crates/lair_keystore/src/docs/url-help.md

@@ -1,6 +1,6 @@
 ### `lair-keystore url --help`
 ```text
-lair-keystore-url 0.4.3
+lair-keystore-url 0.4.4
 Print the connection_url for a configured lair-keystore
 server to stdout and exit.
 

crates/lair_keystore_api/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "lair_keystore_api"
-version = "0.4.3"
+version = "0.4.4"
 description = "secret lair private keystore API library"
 license = "MIT OR Apache-2.0"
 repository = "https://github.com/holochain/lair"

crates/lair_keystore_api/src/in_proc_keystore.rs

@@ -205,6 +205,29 @@ mod tests {
 
         assert_eq!(b"hello", &*msg);
 
+        let (nonce, cipher) = client
+            .crypto_box_xsalsa_by_sign_pub_key(
+                seed_info_ref.ed25519_pub_key.clone(),
+                seed_info_ref2.ed25519_pub_key.clone(),
+                None,
+                b"world"[..].into(),
+            )
+            .await
+            .unwrap();
+
+        let msg = client
+            .crypto_box_xsalsa_open_by_sign_pub_key(
+                seed_info_ref.ed25519_pub_key,
+                seed_info_ref2.ed25519_pub_key,
+                None,
+                nonce,
+                cipher,
+            )
+            .await
+            .unwrap();
+
+        assert_eq!(b"world", &*msg);
+
         let data = Arc::new([1, 2, 3_u8]);
         let signature = client
             .sign_by_pub_key(

crates/lair_keystore_api/src/lair_api.rs

@@ -109,6 +109,12 @@ pub use crypto_box_xsalsa_by_pub_key::*;
 mod crypto_box_xsalsa_open_by_pub_key;
 pub use crypto_box_xsalsa_open_by_pub_key::*;
 
+mod crypto_box_xsalsa_by_sign_pub_key;
+pub use crypto_box_xsalsa_by_sign_pub_key::*;
+
+mod crypto_box_xsalsa_open_by_sign_pub_key;
+pub use crypto_box_xsalsa_open_by_sign_pub_key::*;
+
 mod new_wka_tls_cert;
 pub use new_wka_tls_cert::*;
 
@@ -199,6 +205,22 @@ pub enum LairApiEnum {
     /// A "crypto_box_open" decryption response.
     ResCryptoBoxXSalsaOpenByPubKey(LairApiResCryptoBoxXSalsaOpenByPubKey),
 
+    /// Request "crypto_box" encryption.
+    ReqCryptoBoxXSalsaBySignPubKey(LairApiReqCryptoBoxXSalsaBySignPubKey),
+
+    /// A "crypto_box" encryption response.
+    ResCryptoBoxXSalsaBySignPubKey(LairApiResCryptoBoxXSalsaBySignPubKey),
+
+    /// Request "crypto_box_open" decryption.
+    ReqCryptoBoxXSalsaOpenBySignPubKey(
+        LairApiReqCryptoBoxXSalsaOpenBySignPubKey,
+    ),
+
+    /// A "crypto_box_open" decryption response.
+    ResCryptoBoxXSalsaOpenBySignPubKey(
+        LairApiResCryptoBoxXSalsaOpenBySignPubKey,
+    ),
+
     /// Instruct lair to generate a new wka tls certificate
     /// from cryptographically secure random data with given tag.
     ReqNewWkaTlsCert(LairApiReqNewWkaTlsCert),
@@ -291,6 +313,18 @@ impl LairApiEnum {
             Self::ResCryptoBoxXSalsaOpenByPubKey(
                 LairApiResCryptoBoxXSalsaOpenByPubKey { msg_id, .. },
             ) => msg_id.clone(),
+            Self::ReqCryptoBoxXSalsaBySignPubKey(
+                LairApiReqCryptoBoxXSalsaBySignPubKey { msg_id, .. },
+            ) => msg_id.clone(),
+            Self::ResCryptoBoxXSalsaBySignPubKey(
+                LairApiResCryptoBoxXSalsaBySignPubKey { msg_id, .. },
+            ) => msg_id.clone(),
+            Self::ReqCryptoBoxXSalsaOpenBySignPubKey(
+                LairApiReqCryptoBoxXSalsaOpenBySignPubKey { msg_id, .. },
+            ) => msg_id.clone(),
+            Self::ResCryptoBoxXSalsaOpenBySignPubKey(
+                LairApiResCryptoBoxXSalsaOpenBySignPubKey { msg_id, .. },
+            ) => msg_id.clone(),
             Self::ReqNewWkaTlsCert(LairApiReqNewWkaTlsCert {
                 msg_id, ..
             }) => msg_id.clone(),

crates/lair_keystore_api/src/lair_api/crypto_box_xsalsa_by_sign_pub_key.rs

@@ -0,0 +1,103 @@
+use super::*;
+
+/// Request "crypto_box" encryption.
+#[derive(Debug, serde::Serialize, serde::Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct LairApiReqCryptoBoxXSalsaBySignPubKey {
+    /// Msg id to relate request / response.
+    pub msg_id: Arc<str>,
+
+    /// The pub key representing the sender.
+    pub sender_pub_key: Ed25519PubKey,
+
+    /// The pub key of the recipient.
+    pub recipient_pub_key: Ed25519PubKey,
+
+    /// If this new seed is to be deep_locked, the passphrase for that.
+    #[serde(skip_serializing_if = "Option::is_none", default)]
+    pub deep_lock_passphrase: Option<SecretDataSized<64, 81>>,
+
+    /// The data to encrypt
+    pub data: Arc<[u8]>,
+}
+
+impl LairApiReqCryptoBoxXSalsaBySignPubKey {
+    /// Make a crypto_box request.
+    pub fn new(
+        sender_pub_key: Ed25519PubKey,
+        recipient_pub_key: Ed25519PubKey,
+        deep_lock_passphrase: Option<SecretDataSized<64, 81>>,
+        data: Arc<[u8]>,
+    ) -> Self {
+        Self {
+            msg_id: new_msg_id(),
+            sender_pub_key,
+            recipient_pub_key,
+            deep_lock_passphrase,
+            data,
+        }
+    }
+}
+
+impl std::convert::TryFrom<LairApiEnum>
+    for LairApiReqCryptoBoxXSalsaBySignPubKey
+{
+    type Error = one_err::OneErr;
+
+    fn try_from(e: LairApiEnum) -> Result<Self, Self::Error> {
+        if let LairApiEnum::ReqCryptoBoxXSalsaBySignPubKey(s) = e {
+            Ok(s)
+        } else {
+            Err(format!("Invalid response type: {e:?}").into())
+        }
+    }
+}
+
+impl AsLairCodec for LairApiReqCryptoBoxXSalsaBySignPubKey {
+    fn into_api_enum(self) -> LairApiEnum {
+        LairApiEnum::ReqCryptoBoxXSalsaBySignPubKey(self)
+    }
+}
+
+/// A "crypto_box" encryption response.
+#[derive(Debug, serde::Serialize, serde::Deserialize)]
+#[serde(rename_all = "camelCase")]
+#[non_exhaustive]
+pub struct LairApiResCryptoBoxXSalsaBySignPubKey {
+    /// Msg id to relate request / response.
+    pub msg_id: Arc<str>,
+
+    /// The generated nonce.
+    pub nonce: [u8; 24],
+
+    /// The encrypted bytes.
+    pub cipher: Arc<[u8]>,
+}
+
+impl std::convert::TryFrom<LairApiEnum>
+    for LairApiResCryptoBoxXSalsaBySignPubKey
+{
+    type Error = one_err::OneErr;
+
+    fn try_from(e: LairApiEnum) -> Result<Self, Self::Error> {
+        if let LairApiEnum::ResCryptoBoxXSalsaBySignPubKey(s) = e {
+            Ok(s)
+        } else {
+            Err(format!("Invalid response type: {e:?}").into())
+        }
+    }
+}
+
+impl AsLairCodec for LairApiResCryptoBoxXSalsaBySignPubKey {
+    fn into_api_enum(self) -> LairApiEnum {
+        LairApiEnum::ResCryptoBoxXSalsaBySignPubKey(self)
+    }
+}
+
+impl AsLairRequest for LairApiReqCryptoBoxXSalsaBySignPubKey {
+    type Response = LairApiResCryptoBoxXSalsaBySignPubKey;
+}
+
+impl AsLairResponse for LairApiResCryptoBoxXSalsaBySignPubKey {
+    type Request = LairApiReqCryptoBoxXSalsaBySignPubKey;
+}