zephyrfs/zephyrfs-node / 585cb7b

+# Phase 2: Advanced cryptography

+ring = "0.17"              # AES-256-GCM, SHA-256, secure crypto primitives

+scrypt = "0.11"            # Key derivation from passwords

+zeroize = "1.7"            # Secure memory clearing

+constant_time_eq = "0.3"   # Timing-safe comparisons

+rand_core = "0.6"          # Cryptographic randomness

+

+# TLS and networking security

+rustls = "0.23"            # TLS 1.3 implementation

+rustls-pemfile = "2.0"     # Certificate management

+

+//! Content addressing system for ZephyrFS

+//!

+//! Provides cryptographic content identifiers and verification using Blake3 and SHA-256.

+//! Content IDs are used for integrity verification and deduplication.

+

+use crate::crypto::{ContentHasher, VerificationHasher};

+use blake3::Hasher as Blake3Hasher;

+use serde::{Deserialize, Serialize};

+use sha2::{Digest, Sha256};

+use std::fmt;

+

+/// Content identifier - cryptographic hash of data

+#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]

+pub struct ContentId {

+    /// Hash algorithm used

+    pub algorithm: HashAlgorithm,

+    /// Hash bytes

+    pub hash: Vec<u8>,

+}

+

+/// Supported hash algorithms

+#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]

+pub enum HashAlgorithm {

+    Blake3,

+    Sha256,

+}

+

+impl ContentId {

+    /// Generate content ID from data

+    pub fn generate(data: &[u8], hasher: &ContentHasher) -> Self {

+        match hasher {

+            ContentHasher::Blake3 => {

+                let mut hasher = Blake3Hasher::new();

+                hasher.update(data);

+                let hash = hasher.finalize();

+                

+                Self {

+                    algorithm: HashAlgorithm::Blake3,

+                    hash: hash.as_bytes().to_vec(),

+                }

+            }

+            ContentHasher::Sha256 => {

+                let mut hasher = Sha256::new();

+                hasher.update(data);

+                let hash = hasher.finalize();

+                

+                Self {

+                    algorithm: HashAlgorithm::Sha256,

+                    hash: hash.to_vec(),

+                }

+            }

+        }

+    }

+

+    /// Create from existing hash bytes and algorithm

+    pub fn from_hash(algorithm: HashAlgorithm, hash: Vec<u8>) -> Self {

+        Self { algorithm, hash }

+    }

+

+    /// Get hash bytes

+    pub fn hash_bytes(&self) -> &[u8] {

+        &self.hash

+    }

+

+    /// Get algorithm used

+    pub fn algorithm(&self) -> &HashAlgorithm {

+        &self.algorithm

+    }

+

+    /// Convert to hex string representation

+    pub fn to_hex(&self) -> String {

+        hex::encode(&self.hash)

+    }

+

+    /// Create from hex string

+    pub fn from_hex(algorithm: HashAlgorithm, hex_str: &str) -> Result<Self, hex::FromHexError> {

+        let hash = hex::decode(hex_str)?;

+        Ok(Self { algorithm, hash })

+    }

+

+    /// Get expected hash length for algorithm

+    pub fn expected_length(&self) -> usize {

+        match self.algorithm {

+            HashAlgorithm::Blake3 => 32,  // Blake3 output is 32 bytes

+            HashAlgorithm::Sha256 => 32,  // SHA-256 output is 32 bytes

+        }

+    }

+

+    /// Validate hash length matches algorithm

+    pub fn is_valid(&self) -> bool {

+        self.hash.len() == self.expected_length()

+    }

+

+    /// Create a multihash-style prefix for the content ID

+    pub fn multihash_prefix(&self) -> Vec<u8> {

+        let mut prefix = Vec::new();

+        

+        // Add algorithm identifier

+        match self.algorithm {

+            HashAlgorithm::Blake3 => {

+                prefix.push(0x1e); // Blake3 multicodec

+                prefix.push(32);   // Hash length

+            }

+            HashAlgorithm::Sha256 => {

+                prefix.push(0x12); // SHA-256 multicodec

+                prefix.push(32);   // Hash length

+            }

+        }

+        

+        prefix.extend_from_slice(&self.hash);

+        prefix

+    }

+

+    /// Parse from multihash format

+    pub fn from_multihash(data: &[u8]) -> Result<Self, String> {

+        if data.len() < 2 {

+            return Err("Multihash too short".to_string());

+        }

+

+        let algorithm = match data[0] {

+            0x1e => HashAlgorithm::Blake3,

+            0x12 => HashAlgorithm::Sha256,

+            _ => return Err(format!("Unsupported hash algorithm: {}", data[0])),

+        };

+

+        let expected_len = data[1] as usize;

+        if data.len() != expected_len + 2 {

+            return Err(format!(

+                "Invalid multihash length: expected {}, got {}",

+                expected_len + 2,

+                data.len()

+            ));

+        }

+

+        let hash = data[2..].to_vec();

+        let content_id = Self { algorithm, hash };

+

+        if !content_id.is_valid() {

+            return Err("Invalid hash length for algorithm".to_string());

+        }

+

+        Ok(content_id)

+    }

+}

+

+impl fmt::Display for ContentId {

+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {

+        write!(f, "{}:{}", 

+            match self.algorithm {

+                HashAlgorithm::Blake3 => "blake3",

+                HashAlgorithm::Sha256 => "sha256",

+            },

+            self.to_hex()

+        )

+    }

+}

+

+/// Content verification utilities

+pub struct ContentVerifier;

+

+impl ContentVerifier {

+    /// Verify data matches expected content ID

+    pub fn verify(data: &[u8], expected_id: &ContentId, hasher: &VerificationHasher) -> bool {

+        let computed_id = match hasher {

+            VerificationHasher::Blake3 => ContentId::generate(data, &ContentHasher::Blake3),

+            VerificationHasher::Sha256 => ContentId::generate(data, &ContentHasher::Sha256),

+        };

+

+        // Must use same algorithm and hash must match

+        computed_id.algorithm == expected_id.algorithm && 

+        computed_id.hash == expected_id.hash

+    }

+

+    /// Verify data with multiple hash algorithms (for maximum security)

+    pub fn verify_multi(data: &[u8], expected_ids: &[ContentId]) -> bool {

+        for expected_id in expected_ids {

+            let hasher = match expected_id.algorithm {

+                HashAlgorithm::Blake3 => VerificationHasher::Blake3,

+                HashAlgorithm::Sha256 => VerificationHasher::Sha256,

+            };

+

+            if !Self::verify(data, expected_id, &hasher) {

+                return false;

+            }

+        }

+        true

+    }

+

+    /// Compute multiple hashes for data (Blake3 + SHA-256 for maximum security)

+    pub fn compute_multi_hash(data: &[u8]) -> Vec<ContentId> {

+        vec![

+            ContentId::generate(data, &ContentHasher::Blake3),

+            ContentId::generate(data, &ContentHasher::Sha256),

+        ]

+    }

+

+    /// Create integrity proof for data chunk

+    pub fn create_integrity_proof(data: &[u8]) -> IntegrityProof {

+        IntegrityProof {

+            blake3_hash: ContentId::generate(data, &ContentHasher::Blake3),

+            sha256_hash: ContentId::generate(data, &ContentHasher::Sha256),

+            data_length: data.len() as u64,

+        }

+    }

+

+    /// Verify data against integrity proof

+    pub fn verify_integrity_proof(data: &[u8], proof: &IntegrityProof) -> bool {

+        if data.len() as u64 != proof.data_length {

+            return false;

+        }

+

+        let blake3_ok = Self::verify(data, &proof.blake3_hash, &VerificationHasher::Blake3);

+        let sha256_ok = Self::verify(data, &proof.sha256_hash, &VerificationHasher::Sha256);

+

+        blake3_ok && sha256_ok

+    }

+}

+

+/// Integrity proof containing multiple hashes for maximum security

+#[derive(Debug, Clone, Serialize, Deserialize)]

+pub struct IntegrityProof {

+    pub blake3_hash: ContentId,

+    pub sha256_hash: ContentId,

+    pub data_length: u64,

+}

+

+impl IntegrityProof {

+    /// Get the primary content ID (Blake3 for performance)

+    pub fn primary_id(&self) -> &ContentId {

+        &self.blake3_hash

+    }

+

+    /// Get the secondary content ID (SHA-256 for compatibility)

+    pub fn secondary_id(&self) -> &ContentId {

+        &self.sha256_hash

+    }

+

+    /// Convert to multihash format (primary hash only)

+    pub fn to_multihash(&self) -> Vec<u8> {

+        self.blake3_hash.multihash_prefix()

+    }

+}

+

+/// Content addressing utilities for file chunks

+pub struct ChunkAddressing;

+

+impl ChunkAddressing {

+    /// Generate content ID for a file chunk with metadata

+    pub fn chunk_id(chunk_data: &[u8], chunk_index: u64, file_id: &[u8]) -> ContentId {

+        let mut hasher = Blake3Hasher::new();

+        

+        // Include chunk metadata in hash for uniqueness

+        hasher.update(b"ZephyrFS-chunk-v1:");

+        hasher.update(&chunk_index.to_be_bytes());

+        hasher.update(b":");

+        hasher.update(file_id);

+        hasher.update(b":");

+        hasher.update(chunk_data);

+        

+        let hash = hasher.finalize();

+        ContentId {

+            algorithm: HashAlgorithm::Blake3,

+            hash: hash.as_bytes().to_vec(),

+        }

+    }

+

+    /// Generate file-level content ID from chunk IDs

+    pub fn file_id_from_chunks(chunk_ids: &[ContentId]) -> ContentId {

+        let mut hasher = Blake3Hasher::new();

+        hasher.update(b"ZephyrFS-file-v1:");

+        

+        for chunk_id in chunk_ids {

+            hasher.update(&chunk_id.hash);

+        }

+        

+        let hash = hasher.finalize();

+        ContentId {

+            algorithm: HashAlgorithm::Blake3,

+            hash: hash.as_bytes().to_vec(),

+        }

+    }

+

+    /// Create Merkle tree root from chunk hashes

+    pub fn merkle_root(chunk_ids: &[ContentId]) -> ContentId {

+        if chunk_ids.is_empty() {

+            // Empty file hash

+            return ContentId::generate(b"", &ContentHasher::Blake3);

+        }

+

+        if chunk_ids.len() == 1 {

+            return chunk_ids[0].clone();

+        }

+

+        // Build Merkle tree bottom-up

+        let mut level: Vec<ContentId> = chunk_ids.to_vec();

+        

+        while level.len() > 1 {

+            let mut next_level = Vec::new();

+            

+            for pair in level.chunks(2) {

+                let mut hasher = Blake3Hasher::new();

+                hasher.update(b"ZephyrFS-merkle-v1:");

+                hasher.update(&pair[0].hash);

+                

+                if pair.len() == 2 {

+                    hasher.update(&pair[1].hash);

+                } else {

+                    // Odd number of nodes - hash with itself

+                    hasher.update(&pair[0].hash);

+                }

+                

+                let hash = hasher.finalize();

+                next_level.push(ContentId {

+                    algorithm: HashAlgorithm::Blake3,

+                    hash: hash.as_bytes().to_vec(),

+                });

+            }

+            

+            level = next_level;

+        }

+        

+        level.into_iter().next().unwrap()

+    }

+}

+

+#[cfg(test)]

+mod tests {

+    use super::*;

+

+    #[test]

+    fn test_content_id_generation() {

+        let data = b"Hello, ZephyrFS!";

+        

+        let blake3_id = ContentId::generate(data, &ContentHasher::Blake3);

+        let sha256_id = ContentId::generate(data, &ContentHasher::Sha256);

+

+        assert_eq!(blake3_id.algorithm, HashAlgorithm::Blake3);

+        assert_eq!(sha256_id.algorithm, HashAlgorithm::Sha256);

+        assert_eq!(blake3_id.hash.len(), 32);

+        assert_eq!(sha256_id.hash.len(), 32);

+        assert_ne!(blake3_id.hash, sha256_id.hash);

+    }

+

+    #[test]

+    fn test_content_verification() {

+        let data = b"Test data for verification";

+        let content_id = ContentId::generate(data, &ContentHasher::Blake3);

+

+        // Correct data should verify

+        assert!(ContentVerifier::verify(data, &content_id, &VerificationHasher::Blake3));

+

+        // Wrong data should not verify

+        let wrong_data = b"Wrong data";

+        assert!(!ContentVerifier::verify(wrong_data, &content_id, &VerificationHasher::Blake3));

+    }

+

+    #[test]

+    fn test_content_id_hex_serialization() {

+        let data = b"Serialization test";

+        let original_id = ContentId::generate(data, &ContentHasher::Blake3);

+        

+        let hex_str = original_id.to_hex();

+        let restored_id = ContentId::from_hex(HashAlgorithm::Blake3, &hex_str).unwrap();

+        

+        assert_eq!(original_id, restored_id);

+    }

+

+    #[test]

+    fn test_multihash_format() {

+        let data = b"Multihash test data";

+        let content_id = ContentId::generate(data, &ContentHasher::Blake3);

+        

+        let multihash = content_id.multihash_prefix();

+        let restored_id = ContentId::from_multihash(&multihash).unwrap();

+        

+        assert_eq!(content_id, restored_id);

+        

+        // Test SHA-256 as well

+        let sha256_id = ContentId::generate(data, &ContentHasher::Sha256);

+        let sha256_multihash = sha256_id.multihash_prefix();

+        let restored_sha256 = ContentId::from_multihash(&sha256_multihash).unwrap();

+        

+        assert_eq!(sha256_id, restored_sha256);

+    }

+

+    #[test]

+    fn test_integrity_proof() {

+        let data = b"Integrity proof test data";

+        let proof = ContentVerifier::create_integrity_proof(data);

+        

+        assert_eq!(proof.data_length, data.len() as u64);

+        assert_eq!(proof.blake3_hash.algorithm, HashAlgorithm::Blake3);

+        assert_eq!(proof.sha256_hash.algorithm, HashAlgorithm::Sha256);

+        

+        // Correct data should verify

+        assert!(ContentVerifier::verify_integrity_proof(data, &proof));

+        

+        // Wrong data should not verify

+        let wrong_data = b"Wrong data";

+        assert!(!ContentVerifier::verify_integrity_proof(wrong_data, &proof));

+    }

+

+    #[test]

+    fn test_chunk_addressing() {

+        let chunk_data = b"Chunk data for addressing test";

+        let file_id = b"test_file_12345";

+        

+        let chunk_id = ChunkAddressing::chunk_id(chunk_data, 0, file_id);

+        assert_eq!(chunk_id.algorithm, HashAlgorithm::Blake3);

+        assert_eq!(chunk_id.hash.len(), 32);

+        

+        // Different chunk index should produce different ID

+        let chunk_id2 = ChunkAddressing::chunk_id(chunk_data, 1, file_id);

+        assert_ne!(chunk_id, chunk_id2);

+        

+        // Different file ID should produce different ID

+        let chunk_id3 = ChunkAddressing::chunk_id(chunk_data, 0, b"different_file");

+        assert_ne!(chunk_id, chunk_id3);

+    }

+

+    #[test]

+    fn test_file_id_from_chunks() {

+        let chunk1 = ContentId::generate(b"chunk 1", &ContentHasher::Blake3);

+        let chunk2 = ContentId::generate(b"chunk 2", &ContentHasher::Blake3);

+        let chunk3 = ContentId::generate(b"chunk 3", &ContentHasher::Blake3);

+        

+        let file_id = ChunkAddressing::file_id_from_chunks(&[chunk1.clone(), chunk2.clone(), chunk3.clone()]);

+        assert_eq!(file_id.algorithm, HashAlgorithm::Blake3);

+        

+        // Different order should produce different file ID

+        let file_id2 = ChunkAddressing::file_id_from_chunks(&[chunk3, chunk1, chunk2]);

+        assert_ne!(file_id, file_id2);

+    }

+

+    #[test]

+    fn test_merkle_root() {

+        let chunk1 = ContentId::generate(b"chunk 1", &ContentHasher::Blake3);

+        let chunk2 = ContentId::generate(b"chunk 2", &ContentHasher::Blake3);

+        let chunk3 = ContentId::generate(b"chunk 3", &ContentHasher::Blake3);

+        let chunk4 = ContentId::generate(b"chunk 4", &ContentHasher::Blake3);

+        

+        // Single chunk

+        let root1 = ChunkAddressing::merkle_root(&[chunk1.clone()]);

+        assert_eq!(root1, chunk1);

+        

+        // Multiple chunks

+        let root2 = ChunkAddressing::merkle_root(&[chunk1.clone(), chunk2.clone()]);

+        let root4 = ChunkAddressing::merkle_root(&[chunk1, chunk2, chunk3, chunk4]);

+        

+        assert_ne!(root2, root4);

+        assert_eq!(root2.algorithm, HashAlgorithm::Blake3);

+        assert_eq!(root4.algorithm, HashAlgorithm::Blake3);

+        

+        // Empty chunks

+        let empty_root = ChunkAddressing::merkle_root(&[]);

+        assert_eq!(empty_root.algorithm, HashAlgorithm::Blake3);

+    }

+

+    #[test]

+    fn test_content_id_display() {

+        let content_id = ContentId::generate(b"display test", &ContentHasher::Blake3);

+        let display_str = format!("{}", content_id);

+        

+        assert!(display_str.starts_with("blake3:"));

+        assert_eq!(display_str.len(), 71); // "blake3:" (7) + hex hash (64)

+        

+        let sha256_id = ContentId::generate(b"display test", &ContentHasher::Sha256);

+        let sha256_str = format!("{}", sha256_id);

+        

+        assert!(sha256_str.starts_with("sha256:"));

+        assert_eq!(sha256_str.len(), 71); // "sha256:" (7) + hex hash (64)

+    }

+

+    #[test]

+    fn test_multi_hash_verification() {

+        let data = b"Multi hash verification test";

+        let blake3_id = ContentId::generate(data, &ContentHasher::Blake3);

+        let sha256_id = ContentId::generate(data, &ContentHasher::Sha256);

+        

+        let ids = vec![blake3_id, sha256_id];

+        

+        // Correct data should verify against all hashes

+        assert!(ContentVerifier::verify_multi(data, &ids));

+        

+        // Wrong data should fail verification

+        let wrong_data = b"Wrong data";

+        assert!(!ContentVerifier::verify_multi(wrong_data, &ids));

+    }

+}

+//! AES-256-GCM encryption implementation for ZephyrFS

+//! 

+//! Provides segment-level encryption using AES-256 in GCM mode for authenticated encryption.

+//! Each file segment is encrypted with its own derived key for maximum security isolation.

+

+use crate::crypto::{AesParams, KeyHierarchy, SecureBytes};

+use anyhow::{Context, Result};

+use ring::aead::{Aad, BoundKey, Nonce, NonceSequence, OpeningKey, SealingKey, UnboundKey, AES_256_GCM};

+use ring::error::Unspecified;

+use ring::rand::{SecureRandom, SystemRandom};

+use serde::{Deserialize, Serialize};

+use zeroize::{Zeroize, ZeroizeOnDrop};

+

+/// Default segment size for file encryption (1MB)

+pub const DEFAULT_SEGMENT_SIZE: usize = 1024 * 1024; // 1MB

+

+/// Encrypted data container with all necessary metadata for decryption

+#[derive(Debug, Clone, Serialize, Deserialize)]

+pub struct EncryptedData {

+    /// Segment index in the original file

+    pub segment_index: u64,

+    /// Encrypted data payload

+    pub ciphertext: Vec<u8>,

+    /// Nonce used for this encryption

+    pub nonce: [u8; 12],

+    /// Additional authenticated data (AAD) - segment metadata

+    pub aad: Vec<u8>,

+    /// Key derivation path for this segment

+    pub key_path: Vec<u32>,

+}

+

+/// File-level encryption operations

+pub struct FileEncryption {

+    params: AesParams,

+    segment_size: usize,

+    rng: SystemRandom,

+}

+

+impl FileEncryption {

+    pub fn new(params: &AesParams) -> Self {

+        Self {

+            params: params.clone(),

+            segment_size: DEFAULT_SEGMENT_SIZE,

+            rng: SystemRandom::new(),

+        }

+    }

+

+    pub fn with_segment_size(params: &AesParams, segment_size: usize) -> Self {

+        Self {

+            params: params.clone(),

+            segment_size,

+            rng: SystemRandom::new(),

+        }

+    }

+

+    /// Encrypt file data into multiple encrypted segments

+    pub fn encrypt_to_segments(

+        &self,

+        file_data: &[u8],

+        key_hierarchy: &KeyHierarchy,

+    ) -> Result<Vec<EncryptedData>> {

+        let mut encrypted_segments = Vec::new();

+        let total_segments = (file_data.len() + self.segment_size - 1) / self.segment_size;

+

+        for (segment_index, chunk) in file_data.chunks(self.segment_size).enumerate() {

+            let segment_encryption = SegmentEncryption::new(&self.params, &self.rng);

+            let key_path = vec![segment_index as u32]; // Simple path for now

+            

+            let encrypted_data = segment_encryption.encrypt_segment(

+                chunk,

+                segment_index as u64,

+                key_hierarchy,

+                &key_path,

+            )?;

+

+            encrypted_segments.push(encrypted_data);

+        }

+

+        Ok(encrypted_segments)

+    }

+

+    /// Decrypt segments back to original file data

+    pub fn decrypt_from_segments(

+        &self,

+        encrypted_segments: &[EncryptedData],

+        key_hierarchy: &KeyHierarchy,

+    ) -> Result<Vec<u8>> {

+        // Sort segments by index to ensure correct order

+        let mut sorted_segments = encrypted_segments.to_vec();

+        sorted_segments.sort_by_key(|s| s.segment_index);

+

+        let mut decrypted_data = Vec::new();

+        

+        for encrypted_segment in sorted_segments {

+            let segment_encryption = SegmentEncryption::new(&self.params, &self.rng);

+            let decrypted_chunk = segment_encryption.decrypt_segment(

+                &encrypted_segment,

+                key_hierarchy,

+            )?;

+            

+            decrypted_data.extend_from_slice(&decrypted_chunk);

+        }

+

+        Ok(decrypted_data)

+    }

+}

+

+/// Segment-level encryption operations

+pub struct SegmentEncryption {

+    params: AesParams,

+    rng: SystemRandom,

+}

+

+impl SegmentEncryption {

+    pub fn new(params: &AesParams, rng: &SystemRandom) -> Self {

+        Self {

+            params: params.clone(),

+            rng: SystemRandom::new(), // Create new instance for thread safety

+        }

+    }

+

+    /// Encrypt a single file segment

+    pub fn encrypt_segment(

+        &self,

+        segment_data: &[u8],

+        segment_index: u64,

+        key_hierarchy: &KeyHierarchy,

+        key_path: &[u32],

+    ) -> Result<EncryptedData> {

+        // Derive segment-specific key

+        let segment_key = key_hierarchy.derive_segment_key(key_path)

+            .context("Failed to derive segment key")?;

+

+        // Generate random nonce

+        let mut nonce_bytes = [0u8; 12];

+        self.rng.fill(&mut nonce_bytes)

+            .map_err(|_| anyhow::anyhow!("Failed to generate random nonce"))?;

+

+        let nonce = Nonce::assume_unique_for_key(nonce_bytes);

+

+        // Prepare AAD (Additional Authenticated Data) with segment metadata

+        let aad_data = self.prepare_aad(segment_index, key_path)?;

+        let aad = Aad::from(&aad_data);

+

+        // Create sealing key

+        let unbound_key = UnboundKey::new(&AES_256_GCM, segment_key.as_bytes())

+            .map_err(|_| anyhow::anyhow!("Failed to create encryption key"))?;

+        

+        let mut sealing_key = SealingKey::new(unbound_key, NonceCounter::new());

+

+        // Encrypt the data

+        let mut ciphertext = segment_data.to_vec();

+        sealing_key.seal_in_place_append_tag(aad, &mut ciphertext)

+            .map_err(|_| anyhow::anyhow!("Failed to encrypt segment"))?;

+

+        Ok(EncryptedData {

+            segment_index,

+            ciphertext,

+            nonce: nonce_bytes,

+            aad: aad_data,

+            key_path: key_path.to_vec(),

+        })

+    }

+

+    /// Decrypt a single encrypted segment

+    pub fn decrypt_segment(

+        &self,

+        encrypted_data: &EncryptedData,

+        key_hierarchy: &KeyHierarchy,

+    ) -> Result<Vec<u8>> {

+        // Derive the same segment key used for encryption

+        let segment_key = key_hierarchy.derive_segment_key(&encrypted_data.key_path)

+            .context("Failed to derive segment key for decryption")?;

+

+        // Recreate nonce

+        let nonce = Nonce::assume_unique_for_key(encrypted_data.nonce);

+        let aad = Aad::from(&encrypted_data.aad);

+

+        // Create opening key  

+        let unbound_key = UnboundKey::new(&AES_256_GCM, segment_key.as_bytes())

+            .map_err(|_| anyhow::anyhow!("Failed to create decryption key"))?;

+            

+        let mut opening_key = OpeningKey::new(unbound_key, NonceCounter::new());

+

+        // Decrypt the data

+        let mut ciphertext = encrypted_data.ciphertext.clone();

+        let plaintext = opening_key.open_in_place(aad, &mut ciphertext)

+            .map_err(|_| anyhow::anyhow!("Failed to decrypt segment - authentication failed"))?;

+

+        Ok(plaintext.to_vec())

+    }

+

+    /// Prepare Additional Authenticated Data (AAD) for GCM

+    fn prepare_aad(&self, segment_index: u64, key_path: &[u32]) -> Result<Vec<u8>> {

+        let mut aad = Vec::new();

+        

+        // Add segment index to AAD

+        aad.extend_from_slice(&segment_index.to_le_bytes());

+        

+        // Add key path to AAD for additional security

+        for path_element in key_path {

+            aad.extend_from_slice(&path_element.to_le_bytes());

+        }

+

+        // Add version identifier for future compatibility

+        aad.extend_from_slice(b"ZephyrFS-v1");

+

+        Ok(aad)

+    }

+}

+

+/// Nonce counter for GCM operations - ensures nonces are never reused

+#[derive(ZeroizeOnDrop)]

+struct NonceCounter {

+    counter: u64,

+}

+

+impl NonceCounter {

+    fn new() -> Self {

+        Self { counter: 0 }

+    }

+}

+

+impl NonceSequence for NonceCounter {

+    fn advance(&mut self) -> Result<Nonce, Unspecified> {

+        self.counter += 1;

+        

+        if self.counter == u64::MAX {

+            return Err(Unspecified);

+        }

+

+        let mut nonce_bytes = [0u8; 12];

+        nonce_bytes[4..].copy_from_slice(&self.counter.to_be_bytes());

+        

+        Ok(Nonce::assume_unique_for_key(nonce_bytes))

+    }

+}

+

+impl Zeroize for NonceCounter {

+    fn zeroize(&mut self) {

+        self.counter = 0;

+    }

+}

+

+#[cfg(test)]

+mod tests {

+    use super::*;

+    use crate::crypto::key_derivation::{KeyDerivation, DerivedKey};

+    use crate::crypto::CryptoParams;

+

+    fn create_test_hierarchy() -> Result<KeyHierarchy> {

+        let params = CryptoParams::default();

+        let key_derivation = KeyDerivation::new(&params.scrypt_params);

+        let derived_key = key_derivation.derive_from_password("test_password_123")?;

+        KeyHierarchy::new(derived_key)

+    }

+

+    #[test]

+    fn test_segment_encryption_roundtrip() -> Result<()> {

+        let params = CryptoParams::default().aes_params;

+        let hierarchy = create_test_hierarchy()?;

+        let rng = SystemRandom::new();

+        

+        let segment_encryption = SegmentEncryption::new(&params, &rng);

+        let test_data = b"Hello, ZephyrFS! This is test segment data for encryption.";

+        let key_path = vec![42];

+

+        // Encrypt

+        let encrypted = segment_encryption.encrypt_segment(

+            test_data,

+            1,

+            &hierarchy,

+            &key_path,

+        )?;

+

+        // Decrypt

+        let decrypted = segment_encryption.decrypt_segment(&encrypted, &hierarchy)?;

+

+        assert_eq!(test_data, decrypted.as_slice());

+        assert_eq!(encrypted.segment_index, 1);

+        assert_eq!(encrypted.key_path, vec![42]);

+        

+        Ok(())

+    }

+

+    #[test]

+    fn test_file_encryption_multiple_segments() -> Result<()> {

+        let params = CryptoParams::default().aes_params;

+        let hierarchy = create_test_hierarchy()?;

+        

+        let file_encryption = FileEncryption::with_segment_size(&params, 100); // Small segments for testing

+        let test_data = b"This is a longer test file that should be split into multiple segments for encryption testing. Each segment will be encrypted independently with its own derived key.";

+

+        // Encrypt file

+        let encrypted_segments = file_encryption.encrypt_to_segments(test_data, &hierarchy)?;

+        

+        // Should have multiple segments

+        assert!(encrypted_segments.len() > 1);

+

+        // Decrypt file

+        let decrypted_data = file_encryption.decrypt_from_segments(&encrypted_segments, &hierarchy)?;

+

+        assert_eq!(test_data, decrypted_data.as_slice());

+        

+        Ok(())

+    }

+

+    #[test]

+    fn test_encryption_authentication_failure() -> Result<()> {

+        let params = CryptoParams::default().aes_params;

+        let hierarchy = create_test_hierarchy()?;

+        let rng = SystemRandom::new();

+        

+        let segment_encryption = SegmentEncryption::new(&params, &rng);

+        let test_data = b"Test data for authentication failure";

+        let key_path = vec![1];

+

+        // Encrypt

+        let mut encrypted = segment_encryption.encrypt_segment(

+            test_data,

+            0,

+            &hierarchy,

+            &key_path,

+        )?;

+

+        // Tamper with ciphertext

+        encrypted.ciphertext[0] ^= 1;

+

+        // Decrypt should fail due to authentication failure

+        let result = segment_encryption.decrypt_segment(&encrypted, &hierarchy);

+        assert!(result.is_err());

+        

+        Ok(())

+    }

+

+    #[test]

+    fn test_different_segments_different_keys() -> Result<()> {

+        let params = CryptoParams::default().aes_params;

+        let hierarchy = create_test_hierarchy()?;

+        let rng = SystemRandom::new();

+        

+        let segment_encryption = SegmentEncryption::new(&params, &rng);

+        let test_data = b"Same data, different keys";

+

+        // Encrypt with different key paths

+        let encrypted1 = segment_encryption.encrypt_segment(

+            test_data, 0, &hierarchy, &[1]

+        )?;

+        

+        let encrypted2 = segment_encryption.encrypt_segment(

+            test_data, 0, &hierarchy, &[2]

+        )?;

+

+        // Ciphertexts should be different even with same plaintext

+        assert_ne!(encrypted1.ciphertext, encrypted2.ciphertext);

+        assert_ne!(encrypted1.key_path, encrypted2.key_path);

+        

+        Ok(())

+    }

+}

+//! Key derivation system for ZephyrFS

+//!

+//! Implements hierarchical deterministic key derivation following Tahoe-LAFS security model.

+//! Uses scrypt for password-based key derivation and HKDF for key hierarchy expansion.

+

+use crate::crypto::{ScryptParams, SecureBytes};

+use anyhow::{Context, Result};

+use ring::hkdf::{Salt, Prk, HKDF_SHA256};

+use ring::rand::{SecureRandom, SystemRandom};

+use scrypt::{scrypt, Params};

+use zeroize::{Zeroize, ZeroizeOnDrop};

+use std::collections::HashMap;

+

+/// Master key derived from user password using scrypt

+#[derive(ZeroizeOnDrop)]

+pub struct DerivedKey {

+    /// Master key material (32 bytes)

+    master_key: SecureBytes,

+    /// Salt used for derivation (32 bytes)  

+    salt: [u8; 32],

+    /// Verification hash for password checking (32 bytes)

+    verification_hash: [u8; 32],

+}

+

+impl DerivedKey {

+    /// Create DerivedKey from raw bytes (64 bytes total)

+    pub fn from_bytes(bytes: SecureBytes) -> Result<Self> {

+        if bytes.len() != 64 {

+            anyhow::bail!("DerivedKey requires exactly 64 bytes (32 master + 32 salt, verification derived)");

+        }

+

+        let mut master_key = SecureBytes::new(32);

+        let mut salt = [0u8; 32];

+

+        master_key.copy_from_slice(&bytes[0..32]);

+        salt.copy_from_slice(&bytes[32..64]);

+

+        // Derive verification hash using HKDF from master key and salt

+        let salt_obj = Salt::new(HKDF_SHA256, &salt);

+        let prk = salt_obj.extract(master_key.as_bytes());

+        let mut verification_hash = [0u8; 32];

+        prk.expand(&[b"ZephyrFS-verification-hash-v1"], HKDF_SHA256)

+            .map_err(|_| anyhow::anyhow!("HKDF expansion failed"))?

+            .fill(&mut verification_hash)

+            .map_err(|_| anyhow::anyhow!("HKDF fill failed"))?;

+

+        Ok(Self {

+            master_key,

+            salt,

+            verification_hash,

+        })

+    }

+

+    /// Export key material as bytes (for secure storage/transmission)

+    pub fn to_bytes(&self) -> SecureBytes {

+        let mut bytes = SecureBytes::new(64);

+        bytes[0..32].copy_from_slice(self.master_key.as_bytes());

+        bytes[32..64].copy_from_slice(&self.salt);

+        // Note: verification_hash is derived, not stored

+        bytes

+    }

+

+    /// Get master key bytes for HKDF

+    pub fn master_key(&self) -> &SecureBytes {

+        &self.master_key

+    }

+

+    /// Get salt used for derivation

+    pub fn salt(&self) -> &[u8; 32] {

+        &self.salt

+    }

+

+    /// Verify password against stored verification hash

+    pub fn verify_password(&self, password: &str, params: &ScryptParams) -> Result<bool> {

+        let mut derived = vec![0u8; params.output_len];

+        let scrypt_params = Params::new(

+            params.log_n, 

+            params.r, 

+            params.p, 

+            params.output_len

+        ).context("Invalid scrypt parameters")?;

+

+        scrypt(password.as_bytes(), &self.salt, &scrypt_params, &mut derived)

+            .context("Scrypt key derivation failed")?;

+

+        // Extract master key from derived output

+        let derived_master_key = &derived[0..32];

+

+        // Derive verification hash using HKDF (same as during creation)

+        let salt_obj = Salt::new(HKDF_SHA256, &self.salt);

+        let prk = salt_obj.extract(derived_master_key);

+        let mut computed_verification = [0u8; 32];

+        prk.expand(&[b"ZephyrFS-verification-hash-v1"], HKDF_SHA256)

+            .map_err(|_| anyhow::anyhow!("HKDF expansion failed"))?

+            .fill(&mut computed_verification)

+            .map_err(|_| anyhow::anyhow!("HKDF fill failed"))?;

+

+        // Check verification hash matches

+        let verification_ok = constant_time_eq::constant_time_eq(

+            &computed_verification, 

+            &self.verification_hash

+        );

+

+        // Clear derived key material

+        derived.zeroize();

+        computed_verification.zeroize();

+

+        Ok(verification_ok)

+    }

+}

+

+/// Password-based key derivation using scrypt

+pub struct KeyDerivation {

+    params: ScryptParams,

+    rng: SystemRandom,

+}

+

+impl KeyDerivation {

+    pub fn new(params: &ScryptParams) -> Self {

+        Self {

+            params: params.clone(),

+            rng: SystemRandom::new(),

+        }

+    }

+

+    /// Derive key from password with random salt

+    pub fn derive_from_password(&self, password: &str) -> Result<DerivedKey> {

+        // Generate random salt

+        let mut salt = [0u8; 32];

+        self.rng.fill(&mut salt)

+            .map_err(|_| anyhow::anyhow!("Failed to generate random salt"))?;

+

+        self.derive_from_password_with_salt(password, &salt)

+    }

+

+    /// Derive key from password with specific salt (for key recovery)

+    pub fn derive_from_password_with_salt(&self, password: &str, salt: &[u8; 32]) -> Result<DerivedKey> {

+        let scrypt_params = Params::new(

+            self.params.log_n,

+            self.params.r, 

+            self.params.p,

+            self.params.output_len

+        ).context("Invalid scrypt parameters")?;

+

+        let mut derived = vec![0u8; self.params.output_len];

+        scrypt(password.as_bytes(), salt, &scrypt_params, &mut derived)

+            .context("Scrypt key derivation failed")?;

+

+        // Split derived output: 32 bytes master key (64 bytes total now)

+        let mut master_key = SecureBytes::new(32);

+        master_key.copy_from_slice(&derived[0..32]);

+

+        // Derive verification hash using HKDF from master key and salt

+        let salt_obj = Salt::new(HKDF_SHA256, salt);

+        let prk = salt_obj.extract(master_key.as_bytes());

+        let mut verification_hash = [0u8; 32];

+        prk.expand(&[b"ZephyrFS-verification-hash-v1"], HKDF_SHA256)

+            .map_err(|_| anyhow::anyhow!("HKDF expansion failed"))?

+            .fill(&mut verification_hash)

+            .map_err(|_| anyhow::anyhow!("HKDF fill failed"))?;

+

+        // Clear the derived buffer

+        derived.zeroize();

+

+        Ok(DerivedKey {

+            master_key,

+            salt: *salt,

+            verification_hash,

+        })

+    }

+}

+

+/// Hierarchical key system for deriving segment-specific keys

+pub struct KeyHierarchy {

+    master_prk: Prk,

+    key_cache: HashMap<Vec<u32>, SecureBytes>,

+}

+

+impl KeyHierarchy {

+    /// Create new key hierarchy from derived master key

+    pub fn new(derived_key: DerivedKey) -> Result<Self> {

+        // Use HKDF to create pseudorandom key from master key

+        let salt = Salt::new(HKDF_SHA256, &derived_key.salt);

+        let prk = salt.extract(derived_key.master_key.as_bytes());

+

+        Ok(Self {

+            master_prk: prk,

+            key_cache: HashMap::new(),

+        })

+    }

+

+    /// Derive segment-specific encryption key

+    pub fn derive_segment_key(&self, key_path: &[u32]) -> Result<SecureBytes> {

+        // Check cache first

+        if let Some(cached_key) = self.key_cache.get(key_path) {

+            return Ok(cached_key.clone());

+        }

+

+        // Create info string from key path

+        let mut info = Vec::new();

+        info.extend_from_slice(b"ZephyrFS-segment-key-v1:");

+        for &path_element in key_path {

+            info.extend_from_slice(&path_element.to_be_bytes());

+        }

+

+        // Derive key using HKDF-Expand

+        let mut segment_key = SecureBytes::new(32); // AES-256 key size

+        self.master_prk.expand(&[&info], ring::hkdf::HKDF_SHA256)

+            .map_err(|_| anyhow::anyhow!("HKDF expansion failed"))?

+            .fill(segment_key.as_mut())?;

+

+        Ok(segment_key)

+    }

+

+    /// Derive file-level key (for file metadata encryption)

+    pub fn derive_file_key(&self, file_id: &[u8]) -> Result<SecureBytes> {

+        let mut info = Vec::new();

+        info.extend_from_slice(b"ZephyrFS-file-key-v1:");

+        info.extend_from_slice(file_id);

+

+        let mut file_key = SecureBytes::new(32);

+        self.master_prk.expand(&[&info], ring::hkdf::HKDF_SHA256)

+            .map_err(|_| anyhow::anyhow!("HKDF expansion failed"))?

+            .fill(file_key.as_mut())?;

+

+        Ok(file_key)

+    }

+

+    /// Derive capability key for zero-knowledge proofs

+    pub fn derive_capability_key(&self, capability_id: &[u8]) -> Result<SecureBytes> {

+        let mut info = Vec::new();

+        info.extend_from_slice(b"ZephyrFS-capability-key-v1:");

+        info.extend_from_slice(capability_id);

+

+        let mut capability_key = SecureBytes::new(32);

+        self.master_prk.expand(&[&info], ring::hkdf::HKDF_SHA256)

+            .map_err(|_| anyhow::anyhow!("HKDF expansion failed"))?

+            .fill(capability_key.as_mut())?;

+

+        Ok(capability_key)

+    }

+

+    /// Get public capability for sharing (non-sensitive key material)

+    pub fn get_public_capability(&self) -> Result<Vec<u8>> {

+        // Derive a public capability that can be shared without compromising security

+        let mut info = Vec::new();

+        info.extend_from_slice(b"ZephyrFS-public-capability-v1");

+

+        let mut public_cap = vec![0u8; 32];

+        self.master_prk.expand(&[&info], ring::hkdf::HKDF_SHA256)

+            .map_err(|_| anyhow::anyhow!("HKDF expansion failed"))?

+            .fill(&mut public_cap)?;

+

+        Ok(public_cap)

+    }

+