alee/relicario
1
0
Fork 0
Code Issues Pull Requests 4 Actions Packages Projects Releases Wiki Activity

feat(wasm): secure device API (private keys never cross to JS)

Browse Source 
- register_device() generates signing + deploy keypairs via core device
  module, stores them in DEVICE_STATE (once_cell Lazy<Mutex>), and
  returns only public keys to JS
- sign_for_git() signs data using the internal signing key
- get_device_info() returns name and public keys; returns null if not
  registered
- clear_device() zeroes and drops device state (logout / re-registration)
- Removed generate_device_keypair() which exposed raw private key bytes

Fixes audit I5: private key material no longer crosses the WASM boundary.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
adlee-was-taken
2026-05-02 12:27:50 -04:00
parent 520f6ec72c
commit fb1f28161c
3 changed files with 116 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
crates/relicario-wasm/Cargo.toml
View File

@@ -19,6 +19,7 @@ ed25519-dalek = { version = "2", features = ["rand_core"] }
base64 = "0.22"
hex = "0.4"
rand = "0.8"
once_cell = "1"
[dev-dependencies]
wasm-bindgen-test = "0.3"