vault: spec-conformance fixes from review (task: vault/review-vault-sync)

- EncryptionKey: remove Clone (move-only per spec), add custom redacting
  Debug impl, make new() private (cfg(test)), add pub(crate) key_bytes()
  accessor, make encrypt/decrypt pub(crate) module-internal helpers
- CachedKey: refactor to wrap DerivedKey (per service.md) with cached_at
  and last_accessed fields; add key_type()/private_key()/public_key()
  accessors
- Mnemonic: store validated Bip39Mnemonic to eliminate unwrap() in
  to_seed(); enable bip39 zeroize feature so inner is zeroized on drop
- Fix clippy: remove unused import in drop_tracker tests, use struct
  init syntax instead of field reassignment with Default
- Move low-level EncryptionKey round-trip/wrong-key tests from
  integration tests to unit tests (encrypt/decrypt now pub(crate))
This commit is contained in:
2026-06-23 14:07:24 +00:00
parent 968e3a09ee
commit 41f0fc7843
7 changed files with 172 additions and 103 deletions

View File

@@ -18,7 +18,6 @@
//! representation handles clamping differently.
use alknet_vault::derivation::{derive_path_from_seed, PATHS};
use alknet_vault::encryption::{decrypt, encrypt, EncryptionKey, CURRENT_KEY_VERSION};
use alknet_vault::mnemonic::{Language, Mnemonic};
use alknet_vault::protocol::KeyType;
@@ -305,36 +304,6 @@ fn test_aes256gcm_known_key_encrypt_decrypt() {
);
}
/// AES-256-GCM: encrypt/decrypt round-trip through our EncryptionKey API.
#[test]
fn test_aes256gcm_encryption_key_round_trip() {
let key_bytes: [u8; 32] = [0x42u8; 32];
let key = EncryptionKey::new(key_bytes, CURRENT_KEY_VERSION);
let plaintext = "known-plaintext-for-aes-256-gcm-test";
let encrypted = encrypt(plaintext, &key).unwrap();
let decrypted = decrypt(&encrypted, &key).unwrap();
assert_eq!(
decrypted, plaintext,
"Round-trip through our API must preserve plaintext"
);
}
/// AES-256-GCM: wrong key produces decryption failure.
#[test]
fn test_aes256gcm_wrong_key_fails() {
let key1 = EncryptionKey::new([0x01u8; 32], CURRENT_KEY_VERSION);
let key2 = EncryptionKey::new([0x02u8; 32], CURRENT_KEY_VERSION);
let plaintext = "test-data-for-wrong-key";
let encrypted = encrypt(plaintext, &key1).unwrap();
let result = decrypt(&encrypted, &key2);
assert!(result.is_err(), "Decryption with wrong key must fail");
}
// ---------------------------------------------------------------------------
// Alknet-specific regression tests
// ---------------------------------------------------------------------------