vault: spec-conformance fixes from review (task: vault/review-vault-sync)

- EncryptionKey: remove Clone (move-only per spec), add custom redacting
  Debug impl, make new() private (cfg(test)), add pub(crate) key_bytes()
  accessor, make encrypt/decrypt pub(crate) module-internal helpers
- CachedKey: refactor to wrap DerivedKey (per service.md) with cached_at
  and last_accessed fields; add key_type()/private_key()/public_key()
  accessors
- Mnemonic: store validated Bip39Mnemonic to eliminate unwrap() in
  to_seed(); enable bip39 zeroize feature so inner is zeroized on drop
- Fix clippy: remove unused import in drop_tracker tests, use struct
  init syntax instead of field reassignment with Default
- Move low-level EncryptionKey round-trip/wrong-key tests from
  integration tests to unit tests (encrypt/decrypt now pub(crate))
2026-06-23 14:07:24 +00:00
parent 968e3a09ee
commit 41f0fc7843
7 changed files with 172 additions and 103 deletions


@@ -194,9 +194,9 @@ impl VaultServiceHandle {
if let Some(cached) = inner.cache.get(path) {
return Ok(DerivedKey {
key_type: cached.key_type.clone(),
private_key: cached.private_key.clone(),
public_key: cached.public_key.clone(),
key_type: cached.key_type().clone(),
private_key: cached.private_key().to_vec(),
public_key: cached.public_key().to_vec(),
});
}
@@ -204,8 +204,12 @@ impl VaultServiceHandle {
let key = derivation::derive_path_from_seed(seed.as_bytes(), path)?;
let private_key = key.private_key().to_vec();
let public_key = key.public_key().to_vec();
let cached = CachedKey::new(KeyType::Ed25519, private_key.clone(), public_key.clone());
inner.cache.insert(path, cached);
let derived = DerivedKey {
key_type: KeyType::Ed25519,
private_key: private_key.clone(),
public_key: public_key.clone(),
};
inner.cache.insert(path, CachedKey::new(derived));
Ok(DerivedKey {
key_type: KeyType::Ed25519,
private_key,
@@ -222,9 +226,9 @@ impl VaultServiceHandle {
if let Some(cached) = inner.cache.get(path) {
return Ok(DerivedKey {
key_type: cached.key_type.clone(),
private_key: cached.private_key.clone(),
public_key: cached.public_key.clone(),
key_type: cached.key_type().clone(),
private_key: cached.private_key().to_vec(),
public_key: cached.public_key().to_vec(),
});
}
@@ -232,8 +236,12 @@ impl VaultServiceHandle {
let key = derivation::derive_path_from_seed(seed.as_bytes(), path)?;
let private_key = key.private_key().to_vec();
let public_key = key.public_key().to_vec();
let cached = CachedKey::new(KeyType::Aes256Gcm, private_key.clone(), public_key.clone());
inner.cache.insert(path, cached);
let derived = DerivedKey {
key_type: KeyType::Aes256Gcm,
private_key: private_key.clone(),
public_key: public_key.clone(),
};
inner.cache.insert(path, CachedKey::new(derived));
Ok(DerivedKey {
key_type: KeyType::Aes256Gcm,
private_key,
@@ -273,9 +281,9 @@ impl VaultServiceHandle {
if let Some(cached) = inner.cache.get(path) {
return Ok(DerivedKey {
key_type: cached.key_type.clone(),
private_key: cached.private_key.clone(),
public_key: cached.public_key.clone(),
key_type: cached.key_type().clone(),
private_key: cached.private_key().to_vec(),
public_key: cached.public_key().to_vec(),
});
}
@@ -284,9 +292,12 @@ impl VaultServiceHandle {
let key = crate::ethereum::derive_secp256k1_path(seed.as_bytes(), path)?;
let private_key = key.private_key().to_vec();
let public_key = key.public_key().to_vec();
let cached =
CachedKey::new(KeyType::Secp256k1, private_key.clone(), public_key.clone());
inner.cache.insert(path, cached);
let derived = DerivedKey {
key_type: KeyType::Secp256k1,
private_key: private_key.clone(),
public_key: public_key.clone(),
};
inner.cache.insert(path, CachedKey::new(derived));
Ok(DerivedKey {
key_type: KeyType::Secp256k1,
private_key,
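Review bot: Private-key bytes are still copied into plain owned buffers on every path: `cached.private_key().to_vec()` on the cache hit (hunks at +194, +226, +281) and `private_key.clone()` into the cached `DerivedKey` on the miss (hunks at +204, +236, +292). Nothing visible here shows that `DerivedKey` or `CachedKey` wipe those buffers on drop. Since this commit makes `EncryptionKey` move-only and enables zeroize for the mnemonic, confirm that `DerivedKey`'s `private_key` gets the same treatment; otherwise evicted cache entries and dropped return values may leave key material in freed heap memory. The same three-field copy is written out six times, so a single conversion from `&CachedKey` to `DerivedKey` would give one place to audit, carrying a comment such as `// Copies secret key bytes out of the cache; the returned DerivedKey must zeroize them on drop.` The enclosing functions start and end outside these hunks, so the lock scope around `inner.cache` cannot be checked from here.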