alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(alknet-secret): make DerivedKey zeroize-on-drop, non-Clone, with redacted serialization

Browse Source 
Per ADR-038, DerivedKey.private_key now derives Zeroize with #[zeroize(drop)]
ensuring sensitive key material is zeroized before deallocation. DerivedKey
is now move-only (no Clone), and JSON/debug output redacts private_key as
"[REDACTED]". Deserialization still works for postcard/irpc wire format.

Also fixes clippy needless_borrows_for_generic_args in encryption.rs and
applies cargo fmt to existing code.
This commit is contained in:
glm-5.1
2026-06-10 06:16:38 +00:00
parent 8eb687afc0
commit eae47c366b
11 changed files with 220 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
crates/alknet-secret/tests/derivation_tests.rs
View File

@@ -22,13 +22,8 @@ fn test_encryption_key_derivation() {
let service = SecretServiceHandle::new();
service.unlock_new(24).unwrap();
let key = service
.derive_encryption_key(PATHS::ENCRYPTION)
.unwrap();
assert_eq!(
key.key_type,
alknet_secret::protocol::KeyType::Aes256Gcm
);
let key = service.derive_encryption_key(PATHS::ENCRYPTION).unwrap();
assert_eq!(key.key_type, alknet_secret::protocol::KeyType::Aes256Gcm);
}
#[test]
@@ -59,4 +54,4 @@ fn test_different_paths_different_keys() {
assert_ne!(identity_key.private_key, ssh_key.private_key);
assert_ne!(identity_key.public_key, ssh_key.public_key);
}
}

2
crates/alknet-secret/tests/encryption_tests.rs
View File

@@ -55,4 +55,4 @@ fn test_encrypted_data_serialization() {
let deserialized: alknet_secret::encryption::EncryptedData =
serde_json::from_str(&json).unwrap();
assert_eq!(deserialized, encrypted);
}
}

8
crates/alknet-secret/tests/service_tests.rs
View File

@@ -3,8 +3,8 @@
//! These tests verify the unlock/lock lifecycle, error conditions,
//! and that the service correctly manages state transitions.
use alknet_secret::service::{SecretServiceError, SecretServiceHandle};
use alknet_secret::derivation::PATHS;
use alknet_secret::service::{SecretServiceError, SecretServiceHandle};
#[test]
fn test_full_lifecycle() {
@@ -94,7 +94,5 @@ fn test_multiple_derive_paths_succeed() {
// All standard paths should work
let _identity = service.derive_ed25519(PATHS::IDENTITY).unwrap();
let _ssh = service.derive_ed25519(PATHS::SSH_HOST).unwrap();
let _enc = service
.derive_encryption_key(PATHS::ENCRYPTION)
.unwrap();
}
let _enc = service.derive_encryption_key(PATHS::ENCRYPTION).unwrap();
}