Salt sk with pk

Author: Bennett Hardwick

src/crypto/mod.rs

@@ -5,8 +5,10 @@ mod unsealed;
 use crate::traits::{Encryptable, ReadConversionError, Searchable, WriteConversionError};
 use cipherstash_client::{
     credentials::{vitur_credentials::ViturToken, Credentials},
-    encryption::{Encryption, EncryptionError, Plaintext, TypeParseError},
-    schema::column::Index,
+    encryption::{
+        compound_indexer::{CompoundIndex, ExactIndex},
+        Encryption, EncryptionError, Plaintext, TypeParseError,
+    },
 };
 use thiserror::Error;
 
@@ -56,15 +58,26 @@ pub(crate) fn all_index_keys<E: Searchable + Encryptable>(sort_key: &str) -> Vec
         .collect()
 }
 
-pub(crate) fn hmac<C>(value: &str, cipher: &Encryption<C>) -> Result<String, EncryptionError>
+pub(crate) fn hmac<C>(
+    field: &str,
+    value: &str,
+    salt: Option<&str>,
+    cipher: &Encryption<C>,
+) -> Result<String, EncryptionError>
 where
     C: Credentials<Token = ViturToken>,
 {
     let plaintext = Plaintext::Utf8Str(Some(value.to_string()));
-    let index_type = Index::new_unique().index_type;
+    let index = CompoundIndex::new(ExactIndex::new(field, vec![]));
 
     cipher
-        .index(&plaintext, &index_type)?
+        .compound_index(
+            &index,
+            plaintext,
+            // passing None here results in no terms so pass an empty string
+            Some(salt.unwrap_or("")),
+            16,
+        )?
         .as_binary()
         .map(hex::encode)
         .ok_or(EncryptionError::IndexingError(

src/crypto/sealer.rs

@@ -64,11 +64,11 @@ impl<T> Sealer<T> {
         let mut sk = self.inner.sort_key();
 
         if T::is_partition_key_encrypted() {
-            pk = hmac(&pk, cipher)?;
+            pk = hmac("pk", &pk, None, cipher)?;
         }
 
         if T::is_sort_key_encrypted() {
-            sk = hmac(&sk, cipher)?;
+            sk = hmac("sk", &sk, Some(pk.as_str()), cipher)?;
         }
 
         let mut table_entry = TableEntry::new_with_attributes(
@@ -142,7 +142,12 @@ impl<T> Sealer<T> {
                         .clone()
                         .set_term(hex::encode(term))
                         // TODO: HMAC the sort key, too (users#index_name#pk)
-                        .set_sk(hmac(&format!("{}#{}#{}", &sk, index_name, i), cipher)?),
+                        .set_sk(hmac(
+                            "sk",
+                            &format!("{}#{}#{}", &sk, index_name, i),
+                            Some(pk.as_str()),
+                            cipher,
+                        )?),
                 ))
             })
             .chain(once(Ok(Sealed(table_entry.clone()))))

src/encrypted_table/mod.rs

@@ -125,11 +125,11 @@ impl EncryptedTable {
         let PrimaryKeyParts { mut pk, mut sk } = k.into().into_parts::<T>();
 
         if T::is_partition_key_encrypted() {
-            pk = hmac(&pk, &self.cipher)?;
+            pk = hmac("pk", &pk, None, &self.cipher)?;
         }
 
         if T::is_sort_key_encrypted() {
-            sk = hmac(&sk, &self.cipher)?;
+            sk = hmac("sk", &sk, Some(pk.as_str()), &self.cipher)?;
         }
 
         Ok(PrimaryKeyParts { pk, sk })
@@ -168,7 +168,7 @@ impl EncryptedTable {
 
         let sk_to_delete = all_index_keys::<E>(&sk)
             .into_iter()
-            .map(|x| hmac(&x, &self.cipher))
+            .map(|x| hmac("sk", &x, Some(pk.as_str()), &self.cipher))
             .chain([Ok(sk)])
             .collect::<Result<Vec<_>, _>>()?;
 
@@ -226,7 +226,7 @@ impl EncryptedTable {
         }
 
         for index_sk in all_index_keys::<T>(&sk) {
-            let index_sk = hmac(&index_sk, &self.cipher)?;
+            let index_sk = hmac("sk", &index_sk, Some(pk.as_str()), &self.cipher)?;
 
             if seen_sk.contains(&index_sk) {
                 continue;