mls: change NostrMls::exporter_secret output value to [u8;32]

Change `NostrMls::exporter_secret` output value to `[u8;32]`, to enforce size limit.

Author: erskingardner

crates/nostr-mls-memory-storage/src/lib.rs

@@ -350,12 +350,12 @@ mod tests {
         let group_exporter_secret_0 = GroupExporterSecret {
             mls_group_id: mls_group_id.clone(),
             epoch: 0,
-            secret: vec![1, 2, 3, 4],
+            secret: [0u8; 32],
         };
         let group_exporter_secret_1 = GroupExporterSecret {
             mls_group_id: mls_group_id.clone(),
             epoch: 1,
-            secret: vec![5, 6, 7, 8],
+            secret: [0u8; 32],
         };
         nostr_storage
             .save_group_exporter_secret(group_exporter_secret_0.clone())

crates/nostr-mls-sqlite-storage/src/db.rs

@@ -106,7 +106,7 @@ pub fn row_to_group_relay(row: &Row) -> SqliteResult<GroupRelay> {
 pub fn row_to_group_exporter_secret(row: &Row) -> SqliteResult<GroupExporterSecret> {
     let mls_group_id: GroupId = GroupId::from_slice(row.get_ref("mls_group_id")?.as_blob()?);
     let epoch: u64 = row.get("epoch")?;
-    let secret: Vec<u8> = row.get("secret")?;
+    let secret: [u8; 32] = row.get("secret")?;
 
     Ok(GroupExporterSecret {
         mls_group_id,

crates/nostr-mls-sqlite-storage/src/groups.rs

@@ -385,7 +385,7 @@ mod tests {
         let secret1 = GroupExporterSecret {
             mls_group_id: mls_group_id.clone(),
             epoch: 1,
-            secret: vec![5, 6, 7, 8],
+            secret: [0u8; 32],
         };
 
         // Save the secret
@@ -396,13 +396,13 @@ mod tests {
             .get_group_exporter_secret(&mls_group_id, 1)
             .unwrap()
             .unwrap();
-        assert_eq!(retrieved_secret.secret, vec![5, 6, 7, 8]);
+        assert_eq!(retrieved_secret.secret, [0u8; 32]);
 
         // Create a second secret with same group_id and epoch but different secret value
         let secret2 = GroupExporterSecret {
             mls_group_id: mls_group_id.clone(),
             epoch: 1,
-            secret: vec![9, 10, 11, 12],
+            secret: [0u8; 32],
         };
 
         // Save the second secret - this should replace the first one due to the "OR REPLACE" in the SQL
@@ -413,13 +413,13 @@ mod tests {
             .get_group_exporter_secret(&mls_group_id, 1)
             .unwrap()
             .unwrap();
-        assert_eq!(retrieved_secret.secret, vec![9, 10, 11, 12]);
+        assert_eq!(retrieved_secret.secret, [0u8; 32]);
 
         // Verify we can still save a different epoch
         let secret3 = GroupExporterSecret {
             mls_group_id: mls_group_id.clone(),
             epoch: 2,
-            secret: vec![13, 14, 15, 16],
+            secret: [0u8; 32],
         };
 
         storage.save_group_exporter_secret(secret3).unwrap();
@@ -434,7 +434,7 @@ mod tests {
             .unwrap()
             .unwrap();
 
-        assert_eq!(retrieved_secret1.secret, vec![9, 10, 11, 12]);
-        assert_eq!(retrieved_secret2.secret, vec![13, 14, 15, 16]);
+        assert_eq!(retrieved_secret1.secret, [0u8; 32]);
+        assert_eq!(retrieved_secret2.secret, [0u8; 32]);
     }
 }

crates/nostr-mls-sqlite-storage/src/lib.rs

@@ -319,13 +319,13 @@ mod tests {
         let secret_epoch_0 = GroupExporterSecret {
             mls_group_id: mls_group_id.clone(),
             epoch: 0,
-            secret: vec![1, 2, 3, 4],
+            secret: [0u8; 32],
         };
 
         let secret_epoch_1 = GroupExporterSecret {
             mls_group_id: mls_group_id.clone(),
             epoch: 1,
-            secret: vec![5, 6, 7, 8],
+            secret: [0u8; 32],
         };
 
         // Save the exporter secrets
@@ -362,7 +362,7 @@ mod tests {
         let updated_secret_0 = GroupExporterSecret {
             mls_group_id: mls_group_id.clone(),
             epoch: 0,
-            secret: vec![9, 10, 11, 12],
+            secret: [0u8; 32],
         };
         storage
             .save_group_exporter_secret(updated_secret_0.clone())
@@ -378,7 +378,7 @@ mod tests {
         let invalid_secret = GroupExporterSecret {
             mls_group_id: non_existent_group_id.clone(),
             epoch: 0,
-            secret: vec![1, 2, 3, 4],
+            secret: [0u8; 32],
         };
         let result = storage.save_group_exporter_secret(invalid_secret);
         assert!(result.is_err());

crates/nostr-mls-storage/src/groups/types.rs

@@ -178,7 +178,7 @@ pub struct GroupExporterSecret {
     /// The epoch
     pub epoch: u64,
     /// The secret
-    pub secret: Vec<u8>,
+    pub secret: [u8; 32],
 }
 
 #[cfg(test)]
@@ -311,27 +311,33 @@ mod tests {
     #[test]
     fn test_group_exporter_secret_serialization() {
         let secret = GroupExporterSecret {
-            mls_group_id: GroupId::from_slice(vec![1, 2, 3].as_slice()),
+            mls_group_id: GroupId::from_slice(&[1, 2, 3]),
             epoch: 42,
-            secret: vec![4, 5, 6],
+            secret: [0u8; 32],
         };
 
         let serialized = serde_json::to_value(&secret).unwrap();
         assert_eq!(serialized["mls_group_id"]["value"]["vec"], json!([1, 2, 3]));
         assert_eq!(serialized["epoch"], json!(42));
-        assert_eq!(serialized["secret"], json!([4, 5, 6]));
+        assert_eq!(
+            serialized["secret"],
+            json!([
+                0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+                0, 0, 0, 0
+            ])
+        );
 
         // Test deserialization
         let deserialized: GroupExporterSecret = serde_json::from_value(serialized).unwrap();
         assert_eq!(deserialized.epoch, 42);
-        assert_eq!(deserialized.secret, vec![4, 5, 6]);
+        assert_eq!(deserialized.secret, [0u8; 32]);
     }
 
     #[test]
     fn test_group_relay_serialization() {
         let relay = GroupRelay {
             relay_url: RelayUrl::from_str("wss://relay.example.com").unwrap(),
-            mls_group_id: GroupId::from_slice(vec![1, 2, 3].as_slice()),
+            mls_group_id: GroupId::from_slice(&[1, 2, 3]),
         };
 
         let serialized = serde_json::to_value(&relay).unwrap();

crates/nostr-mls/src/groups.rs

@@ -130,8 +130,12 @@ where
             Some(group_exporter_secret) => Ok(group_exporter_secret),
             // If it's not already in the storage, export the secret and save it
             None => {
-                let export_secret: Vec<u8> =
-                    group.export_secret(&self.provider, "nostr", b"nostr", 32)?;
+                let export_secret: [u8; 32] = group
+                    .export_secret(&self.provider, "nostr", b"nostr", 32)?
+                    .try_into()
+                    .map_err(|_| {
+                        Error::Group("Failed to convert export secret to [u8; 32]".to_string())
+                    })?;
                 let group_exporter_secret = group_types::GroupExporterSecret {
                     mls_group_id: group_id.clone(),
                     epoch: group.epoch().as_u64(),