From dfd80c2ff2439181a28e4bf4e150552e0679478b Mon Sep 17 00:00:00 2001 From: Mega Date: Tue, 29 Jul 2025 11:03:37 +0800 Subject: [PATCH 1/2] Fix missing test libra in Action Signed-off-by: Mega --- .github/workflows/base.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/base.yml b/.github/workflows/base.yml index f09bf0340..4662f1514 100644 --- a/.github/workflows/base.yml +++ b/.github/workflows/base.yml @@ -10,13 +10,11 @@ on: workflow_dispatch: pull_request: paths-ignore: - - 'alfs/**' - 'aries/**' - 'config/**' - 'docker/**' - 'docs/**' - 'moon/**' - - 'rust/**' - 'scripts/**' - 'third-party/**' - 'toolchains/**' @@ -105,6 +103,7 @@ jobs: cargo test --manifest-path ceres/Cargo.toml --all-features --no-fail-fast -- --nocapture cargo test --manifest-path vault/Cargo.toml --all-features --no-fail-fast -- --nocapture cargo test --manifest-path saturn/Cargo.toml --all-features --no-fail-fast -- --nocapture + cargo test --manifest-path libra/Cargo.toml --all-features --no-fail-fast -- --nocapture monobean: name: Test Monobean for ${{ matrix.os }} From dcb91f41dc6d5132bc01b1312b604dd9561d646e Mon Sep 17 00:00:00 2001 From: Eli Ma Date: Fri, 1 Aug 2025 09:39:15 +0800 Subject: [PATCH 2/2] Update README of Vault Signed-off-by: Eli Ma --- ceres/BUCK | 31 ---------- common/BUCK | 30 --------- jupiter/BUCK | 25 -------- mega/BUCK | 5 -- mono/BUCK | 65 -------------------- saturn/BUCK | 17 ------ vault/BUCK | 23 ------- vault/README.md | 154 ++++++++++++++++++++++++++++++++++++++++++++++- vault/src/pki.rs | 25 -------- 9 files changed, 153 insertions(+), 222 deletions(-) delete mode 100644 ceres/BUCK delete mode 100644 common/BUCK delete mode 100644 jupiter/BUCK delete mode 100644 mega/BUCK delete mode 100644 mono/BUCK delete mode 100644 saturn/BUCK delete mode 100644 vault/BUCK diff --git a/ceres/BUCK b/ceres/BUCK deleted file mode 100644 index a6fac72d7..000000000 --- a/ceres/BUCK +++ /dev/null @@ -1,31 +0,0 @@ -rust_library ( - name = "ceres", - srcs = glob(["src/**/*.rs"]), - crate_root = "src/lib.rs", - deps = [ - "//jupiter/callisto:callisto", - "//common:common", - "//mercury:mercury", - "//jupiter:jupiter", - "//third-party:anyhow", - "//third-party:tokio", - "//third-party:tokio-stream", - "//third-party:axum", - "//third-party:tracing", - "//third-party:serde", - "//third-party:serde_json", - "//third-party:clap", - "//third-party:chrono", - "//third-party:futures", - "//third-party:bytes", - "//third-party:async-trait", - "//third-party:rand", - "//third-party:sea-orm", - "//third-party:ring", - "//third-party:hex", - "//third-party:sysinfo", - ], - visibility = [ - 'PUBLIC', - ], -) diff --git a/common/BUCK b/common/BUCK deleted file mode 100644 index d05573319..000000000 --- a/common/BUCK +++ /dev/null @@ -1,30 +0,0 @@ -rust_library ( - name = "common", - srcs = [ - "src/lib.rs", - "src/config.rs", - "src/enums.rs", - "src/errors.rs", - "src/model.rs", - "src/utils.rs", - "config.toml", - ], - crate_root = "src/lib.rs", - deps = [ - "//third-party:axum", - "//third-party:anyhow", - "//third-party:sea-orm", - "//third-party:thiserror", - "//third-party:clap", - "//third-party:idgenerator", - "//third-party:serde", - "//third-party:config", - "//third-party:envsubst", - "//third-party:rand", - "//third-party:serde_json", - "//third-party:regex", - ], - visibility = [ - 'PUBLIC', - ], -) diff --git a/jupiter/BUCK b/jupiter/BUCK deleted file mode 100644 index 9748fa045..000000000 --- a/jupiter/BUCK +++ /dev/null @@ -1,25 +0,0 @@ -rust_library ( - name = "jupiter", - srcs = glob(["src/**/*.rs", "sqlite_20241204_init.sql"]), # soft link must be file, not directory, for buck2 reason - crate_root = "src/lib.rs", - deps = [ - "//jupiter/callisto:callisto", - "//common:common", - "//mercury:mercury", - "//saturn:saturn", - "//third-party:sea-orm", - "//third-party:tracing", - "//third-party:bytes", - "//third-party:chrono", - "//third-party:async-trait", - "//third-party:futures", - "//third-party:serde_json", - "//third-party:idgenerator", - "//third-party:serde", - "//third-party:tokio", - "//third-party:uuid", - ], - visibility = [ - 'PUBLIC', - ], -) diff --git a/mega/BUCK b/mega/BUCK deleted file mode 100644 index bb8563dfe..000000000 --- a/mega/BUCK +++ /dev/null @@ -1,5 +0,0 @@ -rust_binary( - name = "mega", - srcs = glob(["src/**/*.rs"]), - crate_root = "src/main.rs", -) diff --git a/mono/BUCK b/mono/BUCK deleted file mode 100644 index d1dd6e448..000000000 --- a/mono/BUCK +++ /dev/null @@ -1,65 +0,0 @@ -load("@prelude//rust:cargo_package.bzl", "cargo") - -cargo.rust_binary( - name = "mono", - srcs = glob(["src/**/*.rs"]), - crate_root = "src/main.rs", - deps = [ - "//jupiter/callisto:callisto", - "//common:common", - "//jupiter:jupiter", - "//ceres:ceres", - "//taurus:taurus", - "//saturn:saturn", - "//vault:vault", - "//third-party:anyhow", - "//third-party:axum", - "//third-party:axum-server", - "//third-party:tower", - "//third-party:tracing", - "//third-party:tracing-subscriber", - "//third-party:tracing-appender", - "//third-party:russh", - "//third-party:serde", - "//third-party:serde_json", - "//third-party:chrono", - "//third-party:futures", - "//third-party:bytes", - "//third-party:clap", - "//third-party:tower-http", - "//third-party:axum-extra", - "//third-party:tokio", - "//third-party:tokio-stream", - "//third-party:async-stream", - "//third-party:reqwest", - "//third-party:uuid", - "//third-party:regex", - "//third-party:ed25519-dalek", - "//third-party:lazy_static", - "//third-party:ctrlc", - "//third-party:oauth2", - "//third-party:base64", - "//third-party:async-session", - "//third-party:http", - "//third-party:cedar-policy", - "//third-party:jemallocator" - ], - platform = { - "linux": dict(deps = ["//third-party:jemallocator"]), - "macos": dict(deps = ["//third-party:jemallocator"]), - "windows": dict(deps = ["//third-party:mimalloc"]), - }, - env = { - "CARGO_MANIFEST_DIR": ".", - "CARGO_PKG_AUTHORS": "Quanyi Ma ", - "CARGO_PKG_DESCRIPTION": "Mega-mono", - "CARGO_PKG_NAME": "mono", - "CARGO_PKG_VERSION": "0.1.0", - "CARGO_PKG_VERSION_MAJOR": "0", - "CARGO_PKG_VERSION_MINOR": "1", - "CARGO_PKG_VERSION_PATCH": "0", - }, - visibility = [ - "PUBLIC", - ], -) \ No newline at end of file diff --git a/saturn/BUCK b/saturn/BUCK deleted file mode 100644 index d05e2fe5c..000000000 --- a/saturn/BUCK +++ /dev/null @@ -1,17 +0,0 @@ -rust_library ( - name = "saturn", - srcs = glob(["src/**/*.rs", "mega_policies.cedar", "mega.cedarschema"]), - crate_root = "src/lib.rs", - deps = [ - "//third-party:serde", - "//third-party:serde_json", - "//third-party:tracing", - "//third-party:tracing-subscriber", - "//third-party:thiserror", - "//third-party:cedar-policy", - "//third-party:itertools", - ], - visibility = [ - 'PUBLIC', - ], -) diff --git a/vault/BUCK b/vault/BUCK deleted file mode 100644 index 08e192602..000000000 --- a/vault/BUCK +++ /dev/null @@ -1,23 +0,0 @@ -load("@prelude//rust:cargo_package.bzl", "cargo") - -cargo.rust_library ( - name = "vault", - srcs = glob(["src/**/*.rs"]), - crate_root = "src/lib.rs", - deps = [ - "//third-party/rust/crates/hex/0.4.3:hex", - "//third-party/rust/crates/lazy_static/1.5.0:lazy_static", - "//third-party/rust/crates/serde/1.0.217:serde", - "//third-party/rust/crates/go-defer/0.1.0:go-defer", - "//third-party/rust/crates/smallvec/1.13.2:smallvec", - "//third-party/rust/crates/bs58/0.5.1:bs58", - "//third-party/rust/crates/openssl/0.10.68:openssl", - "//third-party:rusty_vault", - "//third-party:serde_json", - "//third-party:secp256k1", - "//third-party:tokio", - "//third-party:async-std", - "//third-party:pgp", - ], - visibility = ["PUBLIC"], -) diff --git a/vault/README.md b/vault/README.md index e3027e91d..05fc59d28 100644 --- a/vault/README.md +++ b/vault/README.md @@ -1 +1,153 @@ -## Vault Module \ No newline at end of file +## Vault Module + +A secure cryptographic vault module for the Mega project, providing unified interfaces for secret management, cryptographic operations, and certificate handling. + +## Overview +The Vault module is a comprehensive security library that integrates multiple cryptographic functionalities including: + +- Secret Management : Secure storage and retrieval of sensitive data +- PGP Operations : Key generation, signing, and encryption using OpenPGP +- PKI (Public Key Infrastructure) : Certificate authority operations and X.509 certificate management +- Nostr Identity : Decentralized identity management using Nostr protocol +- Vault Core Integration : Seamless integration with HashiCorp Vault-compatible backends + + +## Features + +### 🔐 Secret Management +- Generic vault interface for storing and retrieving secrets +- Prefix-based key organization +- Type-safe secret operations + +### 🔑 PGP Support +- RSA and ECDSA key generation +- Key pair management (public/private) +- Armored key format support +- Configurable key parameters and encryption + +### 📜 PKI Operations +- Certificate Authority (CA) initialization +- X.509 certificate issuance +- Certificate verification (time and signature) +- Role-based certificate management + +### 🌐 Nostr Identity +- Secp256k1 key pair generation +- Base58-encoded identity management +- Automatic key persistence + +### 🏗️ Architecture +- VaultCore : Main vault implementation using RustyVault +- JupiterBackend : Custom storage backend integration +- Trait-based Design : Extensible interfaces for different vault implementations + +## Quick Start + +### Basic Vault Usage + +```Rust +use vault::{Vault, integration::vault_core::VaultCore}; +use jupiter::storage::Storage; + +// Initialize vault core +let storage = Storage::new(/* your storage config */); +let vault_core = VaultCore::new(storage); + +// Define your vault implementation +struct MyVault { + core: VaultCore, +} + +impl Vault for MyVault { + type Core = VaultCore; + const VAULT_PREFIX: &'static str = "my_app"; + + fn core(&self) -> &Self::Core { + &self.core + } +} + +// Use the vault +let my_vault = MyVault { core: vault_core }; +my_vault.save_to_vault("api_key", "secret_value"); +let secret = my_vault.get_from_vault("api_key".to_string()); +``` + +### PGP Operations + +```Rust +use vault::pgp::KeyType; +use vault::integration::vault_core::VaultCore; + +// Generate PGP key pair +let vault_core = VaultCore::new(storage); +let params = VaultCore::params( + KeyType::Rsa(2048), + Some("passphrase".to_string()), + "user@example.com" +); +let (public_key, secret_key) = vault_core.gen_pgp_keypair(params, Some("passphrase".to_string())); + +// Save keys to vault +vault_core.save_keys(public_key, secret_key); + +// Load keys from vault +let public_key = vault_core.load_pub_key(); +let secret_key = vault_core.load_sec_key().await; +``` + +### PKI Certificate Management + +```Rust +use serde_json::json; + +// Configure certificate role +vault_core.config_role(json!({ + "ttl": "60d", + "max_ttl": "365d", + "key_type": "rsa", + "key_bits": 4096, + "country": "US", + "organization": "My Organization" +})); + +// Issue a certificate +let (cert_pem, private_key) = vault_core.issue_cert(json!({ + "common_name": "example.com", + "alt_names": ["www.example.com", "api.example.com"] +})); + +// Verify certificate +let is_valid = vault_core.verify_cert(cert_pem.as_bytes()); +``` + +### Nostr Identity + +```Rust +// Load or generate Nostr identity +let (nostr_id, secret_key) = vault_core.load_nostr_pair(); +let peer_id = vault_core.load_nostr_peerid(); +let keypair = vault_core.load_nostr_secp_pair(); + +println!("Nostr ID: {}", nostr_id); +``` + +## Configuration +The vault module uses the following configuration: + +- Storage Backend : Integrates with Jupiter storage system +- Vault Directory : ~/.mega/vault/ (configurable) +- Core Key File : core_key.json for vault unsealing +- Seal Configuration : 10 secret shares, 5 threshold +## Dependencies +- rusty_vault : HashiCorp Vault-compatible core +- openssl : PKI and certificate operations +- pgp : OpenPGP implementation +- secp256k1 : Elliptic curve cryptography for Nostr +- serde_json : JSON serialization +- tokio : Async runtime support +## Security Considerations +- All secret keys are encrypted at rest +- Vault core uses AES-GCM encryption +- Configurable key sharing and threshold schemes +- Secure random number generation for all cryptographic operations \ No newline at end of file diff --git a/vault/src/pki.rs b/vault/src/pki.rs index 37cba8966..bd4d4bd33 100644 --- a/vault/src/pki.rs +++ b/vault/src/pki.rs @@ -166,31 +166,6 @@ impl VaultCore { } } -// TODO use mock core to test -// #[cfg(test)] -// mod tests { -// use super::*; -// use std::fs; -// use std::io::Write; - -// #[tokio::test] -// async fn test_pki_issue() { -// let (cert_pem, private_key) = issue_cert(json!({ -// "ttl": "10d", -// "common_name": "oqpXWgEhXa1WDqMWBnpUW4jvrxGqJKVuJATy4MSPdKNS", //nostr id -// })) -// .await; - -// println!("cert_pem: {}", cert_pem); -// println!("private_key: {}", private_key); - -// assert!(verify_cert(cert_pem.as_ref()).await); - -// let mut file = fs::File::create("/tmp/cert.crt").unwrap(); -// file.write_all(cert_pem.as_ref()).unwrap(); -// } -// } - #[allow(clippy::await_holding_lock)] #[cfg(test)] mod tests_raw {