src/dls/store.rs

use openssl::symm::Mode;
use std::borrow::Cow;
use std::path::{Path, PathBuf};
use tokio::{fs, io::AsyncWriteExt};

pub type Salt = [u8; 16];
pub type Key = [u8; 32];
pub type Hash = Vec<u8>;

pub fn hash_password(salt: &[u8], passphrase: &str) -> Result<Key> {
    let hash = argon2::hash_raw(
        passphrase.as_bytes(),
        salt,
        &argon2::Config {
            variant: argon2::Variant::Argon2id,
            hash_length: 32,
            time_cost: 1,
            mem_cost: 64 << 10,
            thread_mode: argon2::ThreadMode::Parallel,
            lanes: 4,
            ..Default::default()
        },
    )
    .map_err(Error::Hash)?;

    Ok(hash.try_into().unwrap())
}

pub struct Store {
    path: PathBuf,
    key: Option<Key>,
}

impl Store {
    pub fn new(path: impl Into<PathBuf>) -> Self {
        Self {
            path: path.into(),
            key: None,
        }
    }

    pub async fn unlock(&mut self, passphrase: &str) -> Result<()> {
        let keys = self.read_keys().await?;

        let salt = keys.salt;

        let user_key = hash_password(&salt, passphrase)?;
        let user_hash = openssl::sha::sha512(&user_key);

        for nk in keys.keys {
            if nk.hash != user_hash {
                continue;
            }

            // build iv+data from salt
            let mut enc_data = Vec::with_capacity(salt.len() + nk.enc_key.len());
            enc_data.extend_from_slice(&salt);
            enc_data.extend_from_slice(&nk.enc_key);

            let key = crypt(&enc_data, &user_key, Mode::Decrypt)?;
            let key = key.try_into().map_err(|_| Error::InvalidKey)?;

            self.key = Some(key);
            return Ok(());
        }

        Err(Error::KeyNotFound)
    }

    pub async fn read(&self, path: impl AsRef<Path>) -> Result<Vec<u8>> {
        let enc_data = self.read_file(path.as_ref().with_extension("data")).await?;
        self.decrypt(&enc_data)
    }
    pub async fn read_to_string(&self, path: impl AsRef<Path>) -> Result<String> {
        let path = path.as_ref();
        String::from_utf8(self.read(path).await?).map_err(|_| Error::InvalidUtf8(path.into()))
    }

    pub async fn write(&self, path: impl AsRef<Path>, data: &[u8]) -> Result<()> {
        let enc_data = self.encrypt(data)?;
        safe_write(self.path.join(&path).with_extension("data"), &enc_data).await
    }

    async fn read_keys(&self) -> Result<Keys<'_>> {
        let keys = self.read_file(".keys").await?;
        let Some(keys) = keys.strip_prefix(b"{json}") else {
            return Err(Error::InvalidKeys);
        };

        serde_json::from_slice(keys).map_err(Error::KeysParse)
    }

    async fn read_file(&self, subpath: impl AsRef<Path>) -> Result<Vec<u8>> {
        let path = self.path.join(subpath);
        fs::read(&path).await.map_err(|e| Error::Read(path, e))
    }

    fn encrypt(&self, src: &[u8]) -> Result<Vec<u8>> {
        self.crypt(src, Mode::Encrypt)
    }
    fn decrypt(&self, src: &[u8]) -> Result<Vec<u8>> {
        self.crypt(src, Mode::Decrypt)
    }
    fn crypt(&self, src: &[u8], mode: Mode) -> Result<Vec<u8>> {
        let key = self.key.as_ref().ok_or(Error::NotUnlocked)?;
        crypt(src, key, mode)
    }
}

async fn safe_write(path: impl AsRef<Path>, contents: &[u8]) -> Result<()> {
    let path = path.as_ref();
    let tmp = path.with_added_extension("new");

    let tmp_err = |e| Error::Write(tmp.clone(), e);

    let mut file = fs::OpenOptions::new()
        .create(true)
        .truncate(true)
        .write(true)
        .open(&tmp)
        .await
        .map_err(tmp_err)?;

    file.write_all(contents).await.map_err(tmp_err)?;
    file.sync_all().await.map_err(tmp_err)?;
    file.shutdown().await.map_err(tmp_err)?;

    fs::rename(tmp, &path)
        .await
        .map_err(|e| Error::Write(path.into(), e))
}

fn crypt(mut src: &[u8], key: &Key, mode: Mode) -> Result<Vec<u8>> {
    use openssl::symm::{Cipher, Crypter};

    let mut iv = [0u8; 16];
    let mut dst: Vec<u8>;
    let crypt_dst: &mut [u8];

    match mode {
        Mode::Encrypt => {
            getrandom::fill(&mut iv).unwrap();
            dst = vec![0u8; iv.len() + src.len()];
            dst[..iv.len()].copy_from_slice(&iv);
            crypt_dst = &mut dst[iv.len()..];
        }
        Mode::Decrypt => {
            iv = src[..iv.len()]
                .try_into()
                .map_err(|_| Error::DecryptInputToSmall)?;
            src = &src[iv.len()..];
            dst = vec![0u8; src.len()];
            crypt_dst = &mut dst;
        }
    }

    let cipher = Cipher::aes_256_cfb128();
    Crypter::new(cipher, mode, key, Some(&iv))
        .expect("Failed to init AES")
        .update(src, crypt_dst)
        .expect("AES CFB encrypt/decrypt failed");

    Ok(dst)
}

pub type Result<T> = std::result::Result<T, Error>;

#[derive(Debug, thiserror::Error)]
pub enum Error {
    #[error("hash error: {0}")]
    Hash(argon2::Error),
    #[error("read {0} failed: {1}")]
    Read(PathBuf, std::io::Error),
    #[error("write {0} failed: {1}")]
    Write(PathBuf, std::io::Error),
    #[error("read {0} failed: invalid UTF-8")]
    InvalidUtf8(PathBuf),
    #[error("invalid keys data")]
    InvalidKeys,
    #[error("invalid key")]
    InvalidKey,
    #[error("keys parse error: {0}")]
    KeysParse(serde_json::Error),
    #[error("key not found")]
    KeyNotFound,
    #[error("store not unlocked")]
    NotUnlocked,
    #[error("decrypt input too small")]
    DecryptInputToSmall,
}

#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
#[serde(rename_all = "PascalCase")]
struct Keys<'t> {
    salt: Salt,
    keys: Vec<NamedKey<'t>>,
}

#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
#[serde(rename_all = "PascalCase")]
struct NamedKey<'t> {
    name: Cow<'t, str>,
    hash: Hash,
    enc_key: Key,
}
dls: basic offline store ops 2026-05-11 12:00:44 +02:00			`use openssl::symm::Mode;`
			`use std::borrow::Cow;`
			`use std::path::{Path, PathBuf};`
			`use tokio::{fs, io::AsyncWriteExt};`

			`pub type Salt = [u8; 16];`
			`pub type Key = [u8; 32];`
			`pub type Hash = Vec<u8>;`

			`pub fn hash_password(salt: &[u8], passphrase: &str) -> Result<Key> {`
dls: add password hash function 2026-03-16 11:06:19 +01:00			`let hash = argon2::hash_raw(`
			`passphrase.as_bytes(),`
			`salt,`
			`&argon2::Config {`
			`variant: argon2::Variant::Argon2id,`
			`hash_length: 32,`
			`time_cost: 1,`
dls: basic offline store ops 2026-05-11 12:00:44 +02:00			`mem_cost: 64 << 10,`
dls: add password hash function 2026-03-16 11:06:19 +01:00			`thread_mode: argon2::ThreadMode::Parallel,`
			`lanes: 4,`
			`..Default::default()`
			`},`
dls: basic offline store ops 2026-05-11 12:00:44 +02:00			`)`
			`.map_err(Error::Hash)?;`

			`Ok(hash.try_into().unwrap())`
			`}`

			`pub struct Store {`
			`path: PathBuf,`
			`key: Option<Key>,`
			`}`

			`impl Store {`
			`pub fn new(path: impl Into<PathBuf>) -> Self {`
			`Self {`
			`path: path.into(),`
			`key: None,`
			`}`
			`}`

			`pub async fn unlock(&mut self, passphrase: &str) -> Result<()> {`
			`let keys = self.read_keys().await?;`

			`let salt = keys.salt;`

			`let user_key = hash_password(&salt, passphrase)?;`
			`let user_hash = openssl::sha::sha512(&user_key);`

			`for nk in keys.keys {`
			`if nk.hash != user_hash {`
			`continue;`
			`}`

			`// build iv+data from salt`
			`let mut enc_data = Vec::with_capacity(salt.len() + nk.enc_key.len());`
			`enc_data.extend_from_slice(&salt);`
			`enc_data.extend_from_slice(&nk.enc_key);`

			`let key = crypt(&enc_data, &user_key, Mode::Decrypt)?;`
			`let key = key.try_into().map_err(\|_\| Error::InvalidKey)?;`

			`self.key = Some(key);`
			`return Ok(());`
			`}`

			`Err(Error::KeyNotFound)`
			`}`

			`pub async fn read(&self, path: impl AsRef<Path>) -> Result<Vec<u8>> {`
			`let enc_data = self.read_file(path.as_ref().with_extension("data")).await?;`
			`self.decrypt(&enc_data)`
			`}`
			`pub async fn read_to_string(&self, path: impl AsRef<Path>) -> Result<String> {`
			`let path = path.as_ref();`
			`String::from_utf8(self.read(path).await?).map_err(\|_\| Error::InvalidUtf8(path.into()))`
			`}`

			`pub async fn write(&self, path: impl AsRef<Path>, data: &[u8]) -> Result<()> {`
			`let enc_data = self.encrypt(data)?;`
			`safe_write(self.path.join(&path).with_extension("data"), &enc_data).await`
			`}`

			`async fn read_keys(&self) -> Result<Keys<'_>> {`
			`let keys = self.read_file(".keys").await?;`
			`let Some(keys) = keys.strip_prefix(b"{json}") else {`
			`return Err(Error::InvalidKeys);`
			`};`

			`serde_json::from_slice(keys).map_err(Error::KeysParse)`
			`}`

			`async fn read_file(&self, subpath: impl AsRef<Path>) -> Result<Vec<u8>> {`
			`let path = self.path.join(subpath);`
			`fs::read(&path).await.map_err(\|e\| Error::Read(path, e))`
			`}`

			`fn encrypt(&self, src: &[u8]) -> Result<Vec<u8>> {`
			`self.crypt(src, Mode::Encrypt)`
			`}`
			`fn decrypt(&self, src: &[u8]) -> Result<Vec<u8>> {`
			`self.crypt(src, Mode::Decrypt)`
			`}`
			`fn crypt(&self, src: &[u8], mode: Mode) -> Result<Vec<u8>> {`
			`let key = self.key.as_ref().ok_or(Error::NotUnlocked)?;`
			`crypt(src, key, mode)`
			`}`
			`}`

			`async fn safe_write(path: impl AsRef<Path>, contents: &[u8]) -> Result<()> {`
			`let path = path.as_ref();`
			`let tmp = path.with_added_extension("new");`

			`let tmp_err = \|e\| Error::Write(tmp.clone(), e);`

			`let mut file = fs::OpenOptions::new()`
			`.create(true)`
			`.truncate(true)`
			`.write(true)`
			`.open(&tmp)`
			`.await`
			`.map_err(tmp_err)?;`

			`file.write_all(contents).await.map_err(tmp_err)?;`
			`file.sync_all().await.map_err(tmp_err)?;`
			`file.shutdown().await.map_err(tmp_err)?;`

			`fs::rename(tmp, &path)`
			`.await`
			`.map_err(\|e\| Error::Write(path.into(), e))`
			`}`

			`fn crypt(mut src: &[u8], key: &Key, mode: Mode) -> Result<Vec<u8>> {`
			`use openssl::symm::{Cipher, Crypter};`

			`let mut iv = [0u8; 16];`
			`let mut dst: Vec<u8>;`
			`let crypt_dst: &mut [u8];`

			`match mode {`
			`Mode::Encrypt => {`
			`getrandom::fill(&mut iv).unwrap();`
			`dst = vec![0u8; iv.len() + src.len()];`
			`dst[..iv.len()].copy_from_slice(&iv);`
			`crypt_dst = &mut dst[iv.len()..];`
			`}`
			`Mode::Decrypt => {`
			`iv = src[..iv.len()]`
			`.try_into()`
			`.map_err(\|_\| Error::DecryptInputToSmall)?;`
			`src = &src[iv.len()..];`
			`dst = vec![0u8; src.len()];`
			`crypt_dst = &mut dst;`
			`}`
			`}`

			`let cipher = Cipher::aes_256_cfb128();`
			`Crypter::new(cipher, mode, key, Some(&iv))`
			`.expect("Failed to init AES")`
			`.update(src, crypt_dst)`
			`.expect("AES CFB encrypt/decrypt failed");`

			`Ok(dst)`
			`}`

			`pub type Result<T> = std::result::Result<T, Error>;`

			`#[derive(Debug, thiserror::Error)]`
			`pub enum Error {`
			`#[error("hash error: {0}")]`
			`Hash(argon2::Error),`
			`#[error("read {0} failed: {1}")]`
			`Read(PathBuf, std::io::Error),`
			`#[error("write {0} failed: {1}")]`
			`Write(PathBuf, std::io::Error),`
			`#[error("read {0} failed: invalid UTF-8")]`
			`InvalidUtf8(PathBuf),`
			`#[error("invalid keys data")]`
			`InvalidKeys,`
			`#[error("invalid key")]`
			`InvalidKey,`
			`#[error("keys parse error: {0}")]`
			`KeysParse(serde_json::Error),`
			`#[error("key not found")]`
			`KeyNotFound,`
			`#[error("store not unlocked")]`
			`NotUnlocked,`
			`#[error("decrypt input too small")]`
			`DecryptInputToSmall,`
			`}`

			`#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]`
			`#[serde(rename_all = "PascalCase")]`
			`struct Keys<'t> {`
			`salt: Salt,`
			`keys: Vec<NamedKey<'t>>,`
			`}`
dls: add password hash function 2026-03-16 11:06:19 +01:00
dls: basic offline store ops 2026-05-11 12:00:44 +02:00			`#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]`
			`#[serde(rename_all = "PascalCase")]`
			`struct NamedKey<'t> {`
			`name: Cow<'t, str>,`
			`hash: Hash,`
			`enc_key: Key,`
dls: add password hash function 2026-03-16 11:06:19 +01:00			`}`