sneak/secret
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat: add derivation index to vault metadata for unique keys - Add VaultMetadata fields: DerivationIndex, LongTermKeyHash, MnemonicHash - Implement GetNextDerivationIndex() to track and increment indices for same mnemonics - Update init and import commands to use proper derivation indices - Add ComputeDoubleSHA256() for hash calculations - Save vault metadata on creation with all derivation information - Add comprehensive tests for metadata functionality. This ensures multiple vaults using the same mnemonic will derive different long-term keys by using incremented derivation indices. The mnemonic is double SHA256 hashed and stored to track which vaults share mnemonics. Fixes TODO item #5

Browse Source
This commit is contained in:
Jeffrey Paul
2025-05-29 16:23:29 -07:00
parent 1a1b11c5a3
commit 34d6870e6a
7 changed files with 378 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

175
internal/vault/metadata_test.go Normal file
View File

@@ -0,0 +1,175 @@
package vault
import (
"testing"
"path/filepath"
"git.eeqj.de/sneak/secret/pkg/agehd"
"github.com/spf13/afero"
)
func TestVaultMetadata(t *testing.T) {
fs := afero.NewMemMapFs()
stateDir := "/test/state"
t.Run("ComputeDoubleSHA256", func(t *testing.T) {
// Test data
data := []byte("test data")
hash := ComputeDoubleSHA256(data)
// Verify it's a valid hex string of 64 characters (32 bytes * 2)
if len(hash) != 64 {
t.Errorf("Expected hash length of 64, got %d", len(hash))
}
// Verify consistency
hash2 := ComputeDoubleSHA256(data)
if hash != hash2 {
t.Errorf("Hash should be consistent for same input")
}
// Verify different input produces different hash
hash3 := ComputeDoubleSHA256([]byte("different data"))
if hash == hash3 {
t.Errorf("Different input should produce different hash")
}
})
t.Run("GetNextDerivationIndex", func(t *testing.T) {
// Test with no existing vaults
index, err := GetNextDerivationIndex(fs, stateDir, "mnemonic-hash-1")
if err != nil {
t.Fatalf("Failed to get derivation index: %v", err)
}
if index != 0 {
t.Errorf("Expected index 0 for first vault, got %d", index)
}
// Create a vault with metadata
vaultDir := filepath.Join(stateDir, "vaults.d", "vault1")
if err := fs.MkdirAll(vaultDir, 0700); err != nil {
t.Fatalf("Failed to create vault directory: %v", err)
}
metadata1 := &VaultMetadata{
Name: "vault1",
DerivationIndex: 0,
MnemonicHash: "mnemonic-hash-1",
LongTermKeyHash: "key-hash-1",
}
if err := SaveVaultMetadata(fs, vaultDir, metadata1); err != nil {
t.Fatalf("Failed to save metadata: %v", err)
}
// Next index for same mnemonic should be 1
index, err = GetNextDerivationIndex(fs, stateDir, "mnemonic-hash-1")
if err != nil {
t.Fatalf("Failed to get derivation index: %v", err)
}
if index != 1 {
t.Errorf("Expected index 1 for second vault with same mnemonic, got %d", index)
}
// Different mnemonic should start at 0
index, err = GetNextDerivationIndex(fs, stateDir, "mnemonic-hash-2")
if err != nil {
t.Fatalf("Failed to get derivation index: %v", err)
}
if index != 0 {
t.Errorf("Expected index 0 for first vault with different mnemonic, got %d", index)
}
// Add another vault with same mnemonic but higher index
vaultDir2 := filepath.Join(stateDir, "vaults.d", "vault2")
if err := fs.MkdirAll(vaultDir2, 0700); err != nil {
t.Fatalf("Failed to create vault directory: %v", err)
}
metadata2 := &VaultMetadata{
Name: "vault2",
DerivationIndex: 5,
MnemonicHash: "mnemonic-hash-1",
LongTermKeyHash: "key-hash-2",
}
if err := SaveVaultMetadata(fs, vaultDir2, metadata2); err != nil {
t.Fatalf("Failed to save metadata: %v", err)
}
// Next index should be 6
index, err = GetNextDerivationIndex(fs, stateDir, "mnemonic-hash-1")
if err != nil {
t.Fatalf("Failed to get derivation index: %v", err)
}
if index != 6 {
t.Errorf("Expected index 6 after vault with index 5, got %d", index)
}
})
t.Run("MetadataPersistence", func(t *testing.T) {
vaultDir := filepath.Join(stateDir, "vaults.d", "test-vault")
if err := fs.MkdirAll(vaultDir, 0700); err != nil {
t.Fatalf("Failed to create vault directory: %v", err)
}
// Create and save metadata
metadata := &VaultMetadata{
Name: "test-vault",
DerivationIndex: 3,
MnemonicHash: "test-mnemonic-hash",
LongTermKeyHash: "test-key-hash",
}
if err := SaveVaultMetadata(fs, vaultDir, metadata); err != nil {
t.Fatalf("Failed to save metadata: %v", err)
}
// Load and verify
loaded, err := LoadVaultMetadata(fs, vaultDir)
if err != nil {
t.Fatalf("Failed to load metadata: %v", err)
}
if loaded.Name != metadata.Name {
t.Errorf("Name mismatch: expected %s, got %s", metadata.Name, loaded.Name)
}
if loaded.DerivationIndex != metadata.DerivationIndex {
t.Errorf("DerivationIndex mismatch: expected %d, got %d", metadata.DerivationIndex, loaded.DerivationIndex)
}
if loaded.MnemonicHash != metadata.MnemonicHash {
t.Errorf("MnemonicHash mismatch: expected %s, got %s", metadata.MnemonicHash, loaded.MnemonicHash)
}
if loaded.LongTermKeyHash != metadata.LongTermKeyHash {
t.Errorf("LongTermKeyHash mismatch: expected %s, got %s", metadata.LongTermKeyHash, loaded.LongTermKeyHash)
}
})
t.Run("DifferentKeysForDifferentIndices", func(t *testing.T) {
testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
// Derive keys with different indices
identity0, err := agehd.DeriveIdentity(testMnemonic, 0)
if err != nil {
t.Fatalf("Failed to derive identity with index 0: %v", err)
}
identity1, err := agehd.DeriveIdentity(testMnemonic, 1)
if err != nil {
t.Fatalf("Failed to derive identity with index 1: %v", err)
}
// Compute hashes
hash0 := ComputeDoubleSHA256([]byte(identity0.String()))
hash1 := ComputeDoubleSHA256([]byte(identity1.String()))
// Verify different indices produce different keys
if hash0 == hash1 {
t.Errorf("Different derivation indices should produce different keys")
}
// Verify public keys are also different
if identity0.Recipient().String() == identity1.Recipient().String() {
t.Errorf("Different derivation indices should produce different public keys")
}
})
}