Merge pull request #173 from Dstack-TEE/sodiumbox

kvinwang · web-flow · commit bdbbc691b168 · 2025-05-15T19:44:36.000+08:00
Implement sodiumbox
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -3,6 +3,8 @@ version = "0.5.0"
 authors = ["Kevin Wang <wy721@qq.com>", "Leechael <Leechael@github.com>"]
 edition = "2021"
 license = "MIT"
+homepage = "https://github.com/Dstack-TEE/dstack"
+repository = "https://github.com/Dstack-TEE/dstack"
 
 [workspace]
 members = [
@@ -36,6 +38,7 @@ members = [
     "cert-client",
     "lspci",
     "sdk/rust",
+    "sodiumbox",
 ]
 resolver = "2"
 
@@ -62,6 +65,7 @@ key-provider-client = { path = "key-provider-client" }
 dstack-types = { path = "dstack-types" }
 cert-client = { path = "cert-client" }
 lspci = { path = "lspci" }
+sodiumbox = { path = "sodiumbox" }
 
 # Core dependencies
 anyhow = "1.0.97"
@@ -133,6 +137,10 @@ tokio-rustls = { version = "0.26.2", features = ["ring"] }
 x25519-dalek = { version = "2.0.1", features = ["static_secrets"] }
 sodiumoxide = "0.2.7"
 k256 = "0.13.4"
+# Additional RustCrypto dependencies for sealed box
+xsalsa20poly1305 = "0.9.0"
+salsa20 = "0.10"
+rand_core = "0.6.4"
 
 # Certificate/DNS
 hickory-resolver = "0.24.4"
diff --git a/dstack-util/Cargo.toml b/dstack-util/Cargo.toml
@@ -34,7 +34,6 @@ tdx-attest.workspace = true
 host-api = { workspace = true, features = ["client"] }
 cmd_lib.workspace = true
 toml.workspace = true
-key-provider-client.workspace = true
 dcap-qvl.workspace = true
 k256 = { workspace = true, features = ["ecdsa"] }
 dstack-types.workspace = true
@@ -44,6 +43,7 @@ cert-client.workspace = true
 x509-parser.workspace = true
 serde_yaml2.workspace = true
 bollard.workspace = true
+sodiumbox.workspace = true
 
 [dev-dependencies]
 rand.workspace = true
diff --git a/dstack-util/src/host_api.rs b/dstack-util/src/host_api.rs
@@ -5,8 +5,8 @@ use host_api::{
     client::{new_client, DefaultClient},
     Notification,
 };
-use key_provider_client::guest::{generate_keypair, open_sealed_box, PUBLICKEYBYTES};
 use ra_tls::attestation::validate_tcb;
+use sodiumbox::{generate_keypair, open_sealed_box, PUBLICKEYBYTES};
 use tracing::warn;
 
 pub(crate) struct KeyProvision {
@@ -67,7 +67,7 @@ impl HostApi {
     pub async fn get_sealing_key(&self) -> Result<KeyProvision> {
         let (pk, sk) = generate_keypair();
         let mut report_data = [0u8; 64];
-        report_data[..PUBLICKEYBYTES].copy_from_slice(&pk.0);
+        report_data[..PUBLICKEYBYTES].copy_from_slice(pk.as_bytes());
         let (_, quote) =
             tdx_attest::get_quote(&report_data, None).context("Failed to get quote")?;
 
diff --git a/key-provider-client/Cargo.toml b/key-provider-client/Cargo.toml
@@ -9,5 +9,4 @@ license.workspace = true
 anyhow.workspace = true
 serde = { workspace = true, features = ["derive"] }
 serde_json.workspace = true
-sodiumoxide.workspace = true
 tokio = { workspace = true, features = ["net", "io-util"] }
diff --git a/key-provider-client/src/guest.rs b/key-provider-client/src/guest.rs
diff --git a/key-provider-client/src/lib.rs b/key-provider-client/src/lib.rs
@@ -1,2 +1 @@
-pub mod guest;
 pub mod host;
diff --git a/sodiumbox/Cargo.toml b/sodiumbox/Cargo.toml
@@ -0,0 +1,15 @@
+[package]
+name = "sodiumbox"
+version = "0.1.0"
+edition = "2021"
+description = "Pure Rust implementation of libsodium's sealed box encryption"
+license.workspace = true
+homepage.workspace = true
+repository.workspace = true
+
+[dependencies]
+x25519-dalek.workspace = true
+xsalsa20poly1305.workspace = true
+salsa20.workspace = true
+rand_core.workspace = true
+blake2.workspace = true
diff --git a/sodiumbox/README.md b/sodiumbox/README.md
@@ -0,0 +1,53 @@
+# SodiumBox
+
+A pure Rust implementation of libsodium's sealed box encryption, compatible with libsodium/sodiumoxide but without any C dependencies.
+
+## Overview
+
+SodiumBox provides a standalone implementation of the sealed box functionality from libsodium (NaCl) using only pure Rust cryptographic libraries. It is designed to be a drop-in replacement for sodiumoxide's sealed box functionality.
+
+The implementation uses modern, well-maintained Rust cryptographic libraries:
+
+- `x25519-dalek` for Curve25519 key exchange
+- `xsalsa20poly1305` for authenticated encryption
+- `blake2` for key derivation
+- `salsa20` for the HSalsa20 function
+
+## Features
+
+- Generate X25519 keypairs for sealed box operations
+- Seal messages using a recipient's public key
+- Open sealed boxes created by libsodium/sodiumoxide
+- Pure Rust implementation with no C dependencies
+- Comprehensive test vectors based on libsodium's test suite
+
+## Usage
+
+```rust
+use sodiumbox::{generate_keypair, seal, open_sealed_box};
+
+// Generate a new keypair
+let (public_key, secret_key) = generate_keypair();
+
+// Create a message to encrypt
+let message = b"This is a secret message";
+
+// Seal the message for the recipient
+let sealed_box = seal(message, &public_key);
+
+// Open a sealed box
+let result = open_sealed_box(&sealed_box, &public_key, &secret_key);
+match result {
+    Ok(plaintext) => println!("Decrypted message: {:?}", plaintext),
+    Err(_) => println!("Failed to decrypt"),
+}
+```
+
+## License
+
+This crate is licensed under either of:
+
+- Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0)
+- MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT)
+
+at your option.
diff --git a/sodiumbox/src/lib.rs b/sodiumbox/src/lib.rs
