dls: basic offline store ops

Cargo.lock

@@ -161,9 +161,9 @@ checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
 
 [[package]]
 name = "cc"
-version = "1.2.61"
+version = "1.2.62"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d16d90359e986641506914ba71350897565610e87ce0ad9e6f28569db3dd5c6d"
+checksum = "a1dce859f0832a7d088c4f1119888ab94ef4b5d6795d1ce05afb7fe159d79f98"
 dependencies = [
  "find-msvc-tools",
  "jobserver",
@@ -218,9 +218,9 @@ dependencies = [
 
 [[package]]
 name = "clap_complete"
-version = "4.6.3"
+version = "4.6.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "660c0520455b1013b9bcb0393d5f643d7e4454fb69c915b8d6d2aa0e9a45acc3"
+checksum = "e3e962dae2b1e5007fe9e3db363ddc43a8bf25546d279f7a8a4401204690e80c"
 dependencies = [
  "clap",
  "clap_lex",
@@ -310,7 +310,7 @@ dependencies = [
 
 [[package]]
 name = "dkl"
-version = "1.2.2"
+version = "1.2.1"
 dependencies = [
  "async-compression",
  "base32",
@@ -324,6 +324,7 @@ dependencies = [
  "fastrand",
  "futures",
  "futures-util",
+ "getrandom 0.4.2",
  "glob",
  "hex",
  "human-units",
@@ -572,9 +573,9 @@ dependencies = [
 
 [[package]]
 name = "hashbrown"
-version = "0.17.0"
+version = "0.17.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51"
+checksum = "ed5909b6e89a2db4456e54cd5f673791d7eca6732202bbf2a9cc504fe2f9b84a"
 
 [[package]]
 name = "heck"
@@ -841,7 +842,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9"
 dependencies = [
  "equivalent",
- "hashbrown 0.17.0",
+ "hashbrown 0.17.1",
  "serde",
  "serde_core",
 ]
@@ -852,16 +853,6 @@ version = "2.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
 
-[[package]]
-name = "iri-string"
-version = "0.7.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "25e659a4bb38e810ebc252e53b5814ff908a8c58c2a9ce2fae1bbec24cbf4e20"
-dependencies = [
- "memchr",
- "serde",
-]
-
 [[package]]
 name = "is_executable"
 version = "1.0.5"
@@ -919,9 +910,9 @@ dependencies = [
 
 [[package]]
 name = "js-sys"
-version = "0.3.97"
+version = "0.3.98"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1840c94c045fbcf8ba2812c95db44499f7c64910a912551aaaa541decebcacf"
+checksum = "67df7112613f8bfd9150013a0314e196f4800d3201ae742489d999db2f979f08"
 dependencies = [
  "cfg-if",
  "futures-util",
@@ -1014,9 +1005,9 @@ dependencies = [
 
 [[package]]
 name = "nix"
-version = "0.31.2"
+version = "0.31.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5d6d0705320c1e6ba1d912b5e37cf18071b6c2e9b7fa8215a1e8a7651966f5d3"
+checksum = "cf20d2fde8ff38632c426f1165ed7436270b44f199fc55284c38276f9db47c3d"
 dependencies = [
  "bitflags",
  "cfg-if",
@@ -1047,15 +1038,14 @@ checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
 
 [[package]]
 name = "openssl"
-version = "0.10.78"
+version = "0.10.79"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f38c4372413cdaaf3cc79dd92d29d7d9f5ab09b51b10dded508fb90bb70b9222"
+checksum = "bf0b434746ee2832f4f0baf10137e1cabb18cbe6912c69e2e33263c45250f542"
 dependencies = [
  "bitflags",
  "cfg-if",
  "foreign-types",
  "libc",
- "once_cell",
  "openssl-macros",
  "openssl-sys",
 ]
@@ -1079,9 +1069,9 @@ checksum = "7c87def4c32ab89d880effc9e097653c8da5d6ef28e6b539d313baaacfbafcbe"
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.114"
+version = "0.9.115"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13ce1245cd07fcc4cfdb438f7507b0c7e4f3849a69fd84d52374c66d83741bb6"
+checksum = "158fe5b292746440aa6e7a7e690e55aeb72d41505e2804c23c6973ad0e9c9781"
 dependencies = [
  "cc",
  "libc",
@@ -1289,9 +1279,9 @@ dependencies = [
 
 [[package]]
 name = "rpassword"
-version = "7.5.1"
+version = "7.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2501c67132bd19c3005b0111fba298907ef002c8c1cf68e25634707e38bf66fe"
+checksum = "5ac5b223d9738ef56e0b98305410be40fa0941bf6036c56f1506751e43552d64"
 dependencies = [
  "libc",
  "rtoolbox",
@@ -1617,9 +1607,9 @@ dependencies = [
 
 [[package]]
 name = "tokio"
-version = "1.52.1"
+version = "1.52.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b67dee974fe86fd92cc45b7a95fdd2f99a36a6d7b0d431a231178d3d670bbcc6"
+checksum = "8fc7f01b389ac15039e4dc9531aa973a135d7a4135281b12d7c1bc79fd57fffe"
 dependencies = [
  "bytes",
  "libc",
@@ -1682,20 +1672,20 @@ dependencies = [
 
 [[package]]
 name = "tower-http"
-version = "0.6.8"
+version = "0.6.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
+checksum = "68d6fdd9f81c2819c9a8b0e0cd91660e7746a8e6ea2ba7c6b2b057985f6bcb51"
 dependencies = [
  "bitflags",
  "bytes",
  "futures-util",
  "http",
  "http-body",
- "iri-string",
  "pin-project-lite",
  "tower",
  "tower-layer",
  "tower-service",
+ "url",
 ]
 
 [[package]]
@@ -1824,9 +1814,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.120"
+version = "0.2.121"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df52b6d9b87e0c74c9edfa1eb2d9bf85e5d63515474513aa50fa181b3c4f5db1"
+checksum = "49ace1d07c165b0864824eee619580c4689389afa9dc9ed3a4c75040d82e6790"
 dependencies = [
  "cfg-if",
  "once_cell",
@@ -1837,9 +1827,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.70"
+version = "0.4.71"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "af934872acec734c2d80e6617bbb5ff4f12b052dd8e6332b0817bce889516084"
+checksum = "96492d0d3ffba25305a7dc88720d250b1401d7edca02cc3bcd50633b424673b8"
 dependencies = [
  "js-sys",
  "wasm-bindgen",
@@ -1847,9 +1837,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.120"
+version = "0.2.121"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "78b1041f495fb322e64aca85f5756b2172e35cd459376e67f2a6c9dffcedb103"
+checksum = "8e68e6f4afd367a562002c05637acb8578ff2dea1943df76afb9e83d177c8578"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -1857,9 +1847,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.120"
+version = "0.2.121"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9dcd0ff20416988a18ac686d4d4d0f6aae9ebf08a389ff5d29012b05af2a1b41"
+checksum = "d95a9ec35c64b2a7cb35d3fead40c4238d0940c86d107136999567a4703259f2"
 dependencies = [
  "bumpalo",
  "proc-macro2",
@@ -1870,9 +1860,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.120"
+version = "0.2.121"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49757b3c82ebf16c57d69365a142940b384176c24df52a087fb748e2085359ea"
+checksum = "c4e0100b01e9f0d03189a92b96772a1fb998639d981193d7dbab487302513441"
 dependencies = [
  "unicode-ident",
 ]
@@ -1926,9 +1916,9 @@ dependencies = [
 
 [[package]]
 name = "web-sys"
-version = "0.3.97"
+version = "0.3.98"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2eadbac71025cd7b0834f20d1fe8472e8495821b4e9801eb0a60bd1f19827602"
+checksum = "4b572dff8bcf38bad0fa19729c89bb5748b2b9b1d8be70cf90df697e3a8f32aa"
 dependencies = [
  "js-sys",
  "wasm-bindgen",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "dkl"
-version = "1.2.2"
+version = "1.2.1"
 edition = "2024"
 
 [profile.release]
@@ -23,6 +23,7 @@ eyre = "0.6.12"
 fastrand = "2.3.0"
 futures = "0.3.31"
 futures-util = "0.3.31"
+getrandom = "0.4.2"
 glob = "0.3.2"
 hex = "0.4.3"
 human-units = "0.5.3"

src/bin/dls.rs

@@ -3,6 +3,7 @@ use clap::{CommandFactory, Parser, Subcommand};
 use eyre::format_err;
 use futures_util::Stream;
 use futures_util::StreamExt;
+use std::path::PathBuf;
 use std::time::{Duration, SystemTime};
 use tokio::fs;
 use tokio::io::{AsyncWrite, AsyncWriteExt};
@@ -40,6 +41,11 @@ enum Command {
     Hash {
         salt: String,
     },
+    Store {
+        store_path: PathBuf,
+        #[command(subcommand)]
+        op: StoreOp,
+    },
 }
 
 #[derive(Subcommand)]
@@ -96,6 +102,12 @@ enum ClusterCommand {
     },
 }
 
+#[derive(Subcommand)]
+enum StoreOp {
+    Get { data_path: PathBuf },
+    Set { data_path: PathBuf, value: String },
+}
+
 #[tokio::main(flavor = "current_thread")]
 async fn main() -> eyre::Result<()> {
     clap_complete::CompleteEnv::with_factory(Cli::command).complete();
@@ -231,6 +243,18 @@ async fn main() -> eyre::Result<()> {
             println!("hash (hex):    {}", hex::encode(&hash));
             println!("hash (base64): {}", dkl::base64_encode(&hash));
         }
+        C::Store { store_path, op } => {
+            let mut s = dls::store::Store::new(store_path);
+            s.unlock(&std::env::var("DLS_STORE_PW").unwrap()).await?;
+
+            match op {
+                StoreOp::Get { data_path } => {
+                    let mut data = std::io::Cursor::new(s.read(data_path).await?);
+                    tokio::io::copy(&mut data, &mut tokio::io::stdout()).await?;
+                }
+                StoreOp::Set { data_path, value } => s.write(data_path, value.as_bytes()).await?,
+            }
+        }
     };
 
     Ok(())

src/dls/store.rs

@@ -1,4 +1,13 @@
-pub fn hash_password(salt: &[u8], passphrase: &str) -> argon2::Result<[u8; 32]> {
+use openssl::symm::Mode;
+use std::borrow::Cow;
+use std::path::{Path, PathBuf};
+use tokio::{fs, io::AsyncWriteExt};
+
+pub type Salt = [u8; 16];
+pub type Key = [u8; 32];
+pub type Hash = Vec<u8>;
+
+pub fn hash_password(salt: &[u8], passphrase: &str) -> Result<Key> {
     let hash = argon2::hash_raw(
         passphrase.as_bytes(),
         salt,
@@ -6,12 +15,191 @@ pub fn hash_password(salt: &[u8], passphrase: &str) -> argon2::Result<[u8; 32]>
             variant: argon2::Variant::Argon2id,
             hash_length: 32,
             time_cost: 1,
-            mem_cost: 65536,
+            mem_cost: 64 << 10,
             thread_mode: argon2::ThreadMode::Parallel,
             lanes: 4,
             ..Default::default()
         },
-    )?;
+    )
+    .map_err(Error::Hash)?;
 
-    unsafe { Ok(hash.try_into().unwrap_unchecked()) }
+    Ok(hash.try_into().unwrap())
+}
+
+pub struct Store {
+    path: PathBuf,
+    key: Option<Key>,
+}
+
+impl Store {
+    pub fn new(path: impl Into<PathBuf>) -> Self {
+        Self {
+            path: path.into(),
+            key: None,
+        }
+    }
+
+    pub async fn unlock(&mut self, passphrase: &str) -> Result<()> {
+        let keys = self.read_keys().await?;
+
+        let salt = keys.salt;
+
+        let user_key = hash_password(&salt, passphrase)?;
+        let user_hash = openssl::sha::sha512(&user_key);
+
+        for nk in keys.keys {
+            if nk.hash != user_hash {
+                continue;
+            }
+
+            // build iv+data from salt
+            let mut enc_data = Vec::with_capacity(salt.len() + nk.enc_key.len());
+            enc_data.extend_from_slice(&salt);
+            enc_data.extend_from_slice(&nk.enc_key);
+
+            let key = crypt(&enc_data, &user_key, Mode::Decrypt)?;
+            let key = key.try_into().map_err(|_| Error::InvalidKey)?;
+
+            self.key = Some(key);
+            return Ok(());
+        }
+
+        Err(Error::KeyNotFound)
+    }
+
+    pub async fn read(&self, path: impl AsRef<Path>) -> Result<Vec<u8>> {
+        let enc_data = self.read_file(path.as_ref().with_extension("data")).await?;
+        self.decrypt(&enc_data)
+    }
+    pub async fn read_to_string(&self, path: impl AsRef<Path>) -> Result<String> {
+        let path = path.as_ref();
+        String::from_utf8(self.read(path).await?).map_err(|_| Error::InvalidUtf8(path.into()))
+    }
+
+    pub async fn write(&self, path: impl AsRef<Path>, data: &[u8]) -> Result<()> {
+        let enc_data = self.encrypt(data)?;
+        safe_write(self.path.join(&path).with_extension("data"), &enc_data).await
+    }
+
+    async fn read_keys(&self) -> Result<Keys<'_>> {
+        let keys = self.read_file(".keys").await?;
+        let Some(keys) = keys.strip_prefix(b"{json}") else {
+            return Err(Error::InvalidKeys);
+        };
+
+        serde_json::from_slice(keys).map_err(Error::KeysParse)
+    }
+
+    async fn read_file(&self, subpath: impl AsRef<Path>) -> Result<Vec<u8>> {
+        let path = self.path.join(subpath);
+        fs::read(&path).await.map_err(|e| Error::Read(path, e))
+    }
+
+    fn encrypt(&self, src: &[u8]) -> Result<Vec<u8>> {
+        self.crypt(src, Mode::Encrypt)
+    }
+    fn decrypt(&self, src: &[u8]) -> Result<Vec<u8>> {
+        self.crypt(src, Mode::Decrypt)
+    }
+    fn crypt(&self, src: &[u8], mode: Mode) -> Result<Vec<u8>> {
+        let key = self.key.as_ref().ok_or(Error::NotUnlocked)?;
+        crypt(src, key, mode)
+    }
+}
+
+async fn safe_write(path: impl AsRef<Path>, contents: &[u8]) -> Result<()> {
+    let path = path.as_ref();
+    let tmp = path.with_added_extension("new");
+
+    let tmp_err = |e| Error::Write(tmp.clone(), e);
+
+    let mut file = fs::OpenOptions::new()
+        .create(true)
+        .truncate(true)
+        .write(true)
+        .open(&tmp)
+        .await
+        .map_err(tmp_err)?;
+
+    file.write_all(contents).await.map_err(tmp_err)?;
+    file.sync_all().await.map_err(tmp_err)?;
+    file.shutdown().await.map_err(tmp_err)?;
+
+    fs::rename(tmp, &path)
+        .await
+        .map_err(|e| Error::Write(path.into(), e))
+}
+
+fn crypt(mut src: &[u8], key: &Key, mode: Mode) -> Result<Vec<u8>> {
+    use openssl::symm::{Cipher, Crypter};
+
+    let mut iv = [0u8; 16];
+    let mut dst: Vec<u8>;
+    let crypt_dst: &mut [u8];
+
+    match mode {
+        Mode::Encrypt => {
+            getrandom::fill(&mut iv).unwrap();
+            dst = vec![0u8; iv.len() + src.len()];
+            dst[..iv.len()].copy_from_slice(&iv);
+            crypt_dst = &mut dst[iv.len()..];
+        }
+        Mode::Decrypt => {
+            iv = src[..iv.len()]
+                .try_into()
+                .map_err(|_| Error::DecryptInputToSmall)?;
+            src = &src[iv.len()..];
+            dst = vec![0u8; src.len()];
+            crypt_dst = &mut dst;
+        }
+    }
+
+    let cipher = Cipher::aes_256_cfb128();
+    Crypter::new(cipher, mode, key, Some(&iv))
+        .expect("Failed to init AES")
+        .update(src, crypt_dst)
+        .expect("AES CFB encrypt/decrypt failed");
+
+    Ok(dst)
+}
+
+pub type Result<T> = std::result::Result<T, Error>;
+
+#[derive(Debug, thiserror::Error)]
+pub enum Error {
+    #[error("hash error: {0}")]
+    Hash(argon2::Error),
+    #[error("read {0} failed: {1}")]
+    Read(PathBuf, std::io::Error),
+    #[error("write {0} failed: {1}")]
+    Write(PathBuf, std::io::Error),
+    #[error("read {0} failed: invalid UTF-8")]
+    InvalidUtf8(PathBuf),
+    #[error("invalid keys data")]
+    InvalidKeys,
+    #[error("invalid key")]
+    InvalidKey,
+    #[error("keys parse error: {0}")]
+    KeysParse(serde_json::Error),
+    #[error("key not found")]
+    KeyNotFound,
+    #[error("store not unlocked")]
+    NotUnlocked,
+    #[error("decrypt input too small")]
+    DecryptInputToSmall,
+}
+
+#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
+#[serde(rename_all = "PascalCase")]
+struct Keys<'t> {
+    salt: Salt,
+    keys: Vec<NamedKey<'t>>,
+}
+
+#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
+#[serde(rename_all = "PascalCase")]
+struct NamedKey<'t> {
+    name: Cow<'t, str>,
+    hash: Hash,
+    enc_key: Key,
 }