feat(core+cli): SecondFactor hint on ParamsFile (default image, back-compat)
Add SecondFactor enum (Image | Keyfile, serde lowercase) to relicario-core::crypto, re-export from lib.rs alongside KdfParams. Add #[serde(default)] second_factor field to ParamsFile in relicario-cli::session so existing params.json files (no field) still parse as Image. for_new_vault() initialises the field to Image. No unlock logic changed; that is deferred to Task 4. TDD: tests written RED first, then GREEN. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01McMF5pUJbCMricmFEnf2sG
This commit is contained in:
@@ -55,6 +55,29 @@ use zeroize::Zeroizing;
|
||||
|
||||
use crate::error::{RelicarioError, Result};
|
||||
|
||||
/// Which second-factor container a vault uses to supply its 256-bit secret.
|
||||
///
|
||||
/// This is a non-secret hint stored in params.json so that the CLI (and future
|
||||
/// clients) know which unlock branch to follow. It does **not** influence the
|
||||
/// KDF itself; only the container that delivers `image_secret` changes.
|
||||
///
|
||||
/// Serialized as lowercase via `serde(rename_all = "lowercase")`:
|
||||
/// - `"image"` — default; secret embedded in a reference JPEG via DCT stego
|
||||
/// - `"keyfile"` — secret stored in a plain key file (Task 4+)
|
||||
#[derive(Debug, Clone, Copy, PartialEq, Eq, Default, Serialize, Deserialize)]
|
||||
#[serde(rename_all = "lowercase")]
|
||||
pub enum SecondFactor {
|
||||
/// The secret is embedded in a reference JPEG via DCT steganography.
|
||||
/// This is the original and default mode for every vault created before
|
||||
/// keyfile support was introduced.
|
||||
#[default]
|
||||
Image,
|
||||
/// The secret is stored in a plain key file on disk.
|
||||
/// Vaults with this hint require a key-file path at unlock time instead of
|
||||
/// a reference image.
|
||||
Keyfile,
|
||||
}
|
||||
|
||||
/// Current binary format version. Increment this if the ciphertext layout changes.
|
||||
pub const VERSION_BYTE: u8 = 0x02;
|
||||
|
||||
@@ -417,6 +440,17 @@ mod tests {
|
||||
assert_eq!(VERSION_BYTE, 0x02);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn second_factor_serde_behavior() {
|
||||
assert_eq!(serde_json::to_string(&SecondFactor::Image).unwrap(), "\"image\"");
|
||||
assert_eq!(serde_json::to_string(&SecondFactor::Keyfile).unwrap(), "\"keyfile\"");
|
||||
assert_eq!(
|
||||
serde_json::from_str::<SecondFactor>("\"keyfile\"").unwrap(),
|
||||
SecondFactor::Keyfile
|
||||
);
|
||||
assert_eq!(SecondFactor::default(), SecondFactor::Image);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn decrypt_rejects_v1_blob_with_typed_error() {
|
||||
// Construct a v1-style blob: [0x01][24 nonce bytes][16 tag bytes].
|
||||
|
||||
@@ -43,7 +43,7 @@ pub mod error;
|
||||
pub use error::{RelicarioError, Result};
|
||||
|
||||
pub mod crypto;
|
||||
pub use crypto::{decrypt, derive_master_key, encrypt, KdfParams, VERSION_BYTE};
|
||||
pub use crypto::{decrypt, derive_master_key, encrypt, KdfParams, SecondFactor, VERSION_BYTE};
|
||||
|
||||
pub mod ids;
|
||||
pub use ids::{AttachmentId, FieldId, ItemId};
|
||||
|
||||
Reference in New Issue
Block a user