feat(server::crypto): add Shamir secret sharing utilities

Wraps vsss_rs Gf256::split_array / combine_array into thin split_key / combine_shares helpers. Also widens derive_key salt parameter from &[u8;16] to &[u8] to accommodate the 32-byte share salts.
2026-06-12 19:42:56 +02:00
parent 3e5f0cb3df
commit 50fe18d6ce
3 changed files with 38 additions and 10 deletions
--- a/server/crates/arbiter-server/src/crypto/mod.rs
+++ b/server/crates/arbiter-server/src/crypto/mod.rs
@@ -1,5 +1,5 @@
 use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
-use encryption::v1::{Nonce, Salt};
+use encryption::v1::Nonce;

 use argon2::{Algorithm, Argon2};
 use chacha20poly1305::{
@@ -13,6 +13,7 @@ use rand::{

 pub mod encryption;
 pub mod integrity;
+pub mod shamir;

 pub struct KeyCell(pub SafeCell<Key>);
 impl From<SafeCell<Key>> for KeyCell {
@@ -94,7 +95,7 @@ impl KeyCell {
 }

 /// Derive a fixed-length key from the password using Argon2id, which is designed for password hashing and key derivation.
-pub fn derive_key(password: &mut SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
+pub fn derive_key(password: &mut SafeCell<Vec<u8>>, salt: &[u8]) -> KeyCell {
    let params = {
        #[cfg(debug_assertions)]
        {
@@ -132,10 +133,10 @@ mod tests {
    #[test]
    fn encrypt_decrypt() {
        static PASSWORD: &[u8] = b"password";
-        let password = SafeCell::new(PASSWORD.to_vec());
+        let mut password = SafeCell::new(PASSWORD.to_vec());
        let salt = generate_salt();

-        let mut key = derive_key(password, &salt);
+        let mut key = derive_key(&mut password, &salt);
        let nonce = Nonce(*b"unique nonce 123 1231233"); // 24 bytes for XChaCha20Poly1305
        let associated_data = b"associated data";
        let mut buffer = b"secret data".to_vec();