< Summary - Combined Code Coverage

Information

Class:	NLightning.Infrastructure.Protocol.Services.SecretStorageService
Assembly:	NLightning.Infrastructure
File(s):	/home/runner/work/nlightning/nlightning/src/NLightning.Infrastructure/Protocol/Services/SecretStorageService.cs
Tag:	30_15166811759

Line coverage

92%

Covered lines:	61
Uncovered lines:	5
Coverable lines:	66
Total lines:	197
Line coverage:	92.4%

Branch coverage

90%

Covered branches:	29
Total branches:	32
Branch coverage:	90.6%

Method coverage

Feature is only available for sponsors

Upgrade to PRO version

Metrics

Method	Branch coverage	Crap Score	Cyclomatic complexity	Line coverage
.ctor()	100%	1	1	100%
InsertSecret(...)	90%	10.01	10	95.45%
DeriveOldSecret(...)	100%	6	6	100%
GetBucketIndex(...)	75%	4.25	4	75%
DeriveSecret(...)	100%	4	4	100%
FreeSecret(...)	50%	2.02	2	83.33%
ReleaseUnmanagedResources()	100%	4	4	100%
Dispose(...)	100%	2	2	100%
Dispose()	100%	1	1	100%
Finalize()	100%	2	1	0%

File(s)

/home/runner/work/nlightning/nlightning/src/NLightning.Infrastructure/Protocol/Services/SecretStorageService.cs

#	Line	Line coverage
	`1`	`using System.Runtime.InteropServices;`
	`2`	`using System.Security.Cryptography;`
	`3`
	`4`	`namespace NLightning.Infrastructure.Protocol.Services;`
	`5`
	`6`	`using Crypto.Factories;`
	`7`	`using Crypto.Hashes;`
	`8`	`using Crypto.Interfaces;`
	`9`	`using Domain.Protocol.Services;`
	`10`	`using Models;`
	`11`
	`12`	`/// <summary>`
	`13`	`/// Provides efficient storage of per-commitment secrets`
	`14`	`/// </summary>`
	`15`	`public class SecretStorageService : ISecretStorageService`
	`16`	`{`
	`17`	`public const int SECRET_SIZE = 32;`
	`18`
48	`19`	`private readonly StoredSecret?[] _knownSecrets = new StoredSecret?[49];`
48	`20`	`private readonly ICryptoProvider _cryptoProvider = CryptoFactory.GetCryptoProvider();`
	`21`
	`22`	`/// <summary>`
	`23`	`/// Inserts a new secret and verifies it against existing secrets`
	`24`	`/// </summary>`
	`25`	`public bool InsertSecret(ReadOnlySpan<byte> secret, ulong index)`
	`26`	`{`
432	`27`	`if (secret is not { Length: SECRET_SIZE })`
0	`28`	`throw new ArgumentException($"Secret must be {SECRET_SIZE} bytes", nameof(secret));`
	`29`
	`30`	`// Find bucket for this secret`
432	`31`	`var bucket = GetBucketIndex(index);`
	`32`
432	`33`	`var storedSecret = new byte[SECRET_SIZE];`
432	`34`	`var derivedSecret = new byte[SECRET_SIZE];`
	`35`	`// Verify this secret can derive all previously known secrets`
10160	`36`	`for (var b = 0; b < bucket; b++)`
	`37`	`{`
4680	`38`	`if (_knownSecrets[b] == null)`
	`39`	`continue;`
	`40`
4488	`41`	`DeriveSecret(secret, bucket, _knownSecrets[b]!.Index, derivedSecret);`
	`42`
	`43`	`// Compare with stored secret (copied from secure memory)`
4488	`44`	`Marshal.Copy(_knownSecrets[b]!.SecretPtr, storedSecret, 0, SECRET_SIZE);`
	`45`
4488	`46`	`if (!CryptographicOperations.FixedTimeEquals(derivedSecret, storedSecret))`
	`47`	`{`
	`48`	`// Securely wipe the temporary copy`
32	`49`	`_cryptoProvider.MemoryZero(Marshal.UnsafeAddrOfPinnedArrayElement(storedSecret, 0), SECRET_SIZE);`
32	`50`	`_cryptoProvider.MemoryZero(Marshal.UnsafeAddrOfPinnedArrayElement(derivedSecret, 0), SECRET_SIZE);`
32	`51`	`return false; // Secret verification failed`
	`52`	`}`
	`53`
	`54`	`// Securely wipe the temporary copies`
4456	`55`	`_cryptoProvider.MemoryZero(Marshal.UnsafeAddrOfPinnedArrayElement(storedSecret, 0), SECRET_SIZE);`
4456	`56`	`_cryptoProvider.MemoryZero(Marshal.UnsafeAddrOfPinnedArrayElement(derivedSecret, 0), SECRET_SIZE);`
	`57`	`}`
	`58`
400	`59`	`if (_knownSecrets[bucket] != null)`
	`60`	`{`
	`61`	`// Free previous secret in this bucket if it exists`
104	`62`	`FreeSecret(_knownSecrets[bucket]!.SecretPtr);`
	`63`	`}`
	`64`
	`65`	`// Allocate secure memory for the new secret`
400	`66`	`var securePtr = _cryptoProvider.MemoryAlloc(SECRET_SIZE);`
	`67`
	`68`	`// Lock memory to prevent swapping`
400	`69`	`_cryptoProvider.MemoryLock(securePtr, SECRET_SIZE);`
	`70`
	`71`	`// Copy secret to secure memory`
400	`72`	`Marshal.Copy(secret.ToArray(), 0, securePtr, SECRET_SIZE);`
	`73`
	`74`	`// Store in the appropriate bucket`
400	`75`	`_knownSecrets[bucket] = new StoredSecret(index, securePtr);`
	`76`
400	`77`	`return true;`
	`78`	`}`
	`79`
	`80`	`/// <summary>`
	`81`	`/// Derives an old secret from a known higher-level secret`
	`82`	`/// </summary>`
	`83`	`public void DeriveOldSecret(ulong index, Span<byte> derivedSecret)`
	`84`	`{`
	`85`	`// Try to find a base secret that can derive this one`
1120	`86`	`for (var b = 0; b < _knownSecrets.Length; b++)`
	`87`	`{`
556	`88`	`if (_knownSecrets[b] == null)`
	`89`	`continue;`
	`90`
	`91`	`// Check if this secret can derive the requested index`
288	`92`	`var mask = ~((1UL << b) - 1);`
288	`93`	`if ((index & mask) != (_knownSecrets[b]!.Index & mask))`
	`94`	`{`
	`95`	`continue;`
	`96`	`}`
	`97`
	`98`	`// Found a base secret that can derive the requested one`
80	`99`	`var baseSecret = new byte[SECRET_SIZE];`
80	`100`	`Marshal.Copy(_knownSecrets[b]!.SecretPtr, baseSecret, 0, SECRET_SIZE);`
	`101`
80	`102`	`DeriveSecret(baseSecret, b, index, derivedSecret);`
	`103`
	`104`	`// Securely wipe the temporary base secret`
80	`105`	`_cryptoProvider.MemoryZero(Marshal.UnsafeAddrOfPinnedArrayElement(baseSecret, 0), SECRET_SIZE);`
	`106`
80	`107`	`return; // Success`
	`108`	`}`
	`109`
4	`110`	`throw new InvalidOperationException($"Cannot derive secret for index {index}");`
	`111`	`}`
	`112`
	`113`	`private static int GetBucketIndex(ulong index)`
	`114`	`{`
10272	`115`	`for (var b = 0; b < 48; b++)`
	`116`	`{`
5136	`117`	`if (((index >> b) & 1) == 1)`
	`118`	`{`
432	`119`	`return b;`
	`120`	`}`
	`121`	`}`
0	`122`	`return 48; // For index 0 (seed)`
	`123`	`}`
	`124`
	`125`	`private static void DeriveSecret(ReadOnlySpan<byte> baseSecret, int bits, ulong index, Span<byte> derivedSecret)`
	`126`	`{`
4568	`127`	`using var sha256 = new Sha256();`
	`128`
4568	`129`	`baseSecret.CopyTo(derivedSecret);`
	`130`
287040	`131`	`for (var b = bits - 1; b >= 0; b--)`
	`132`	`{`
138952	`133`	`if (((index >> b) & 1) == 0)`
	`134`	`{`
	`135`	`continue;`
	`136`	`}`
	`137`
69468	`138`	`derivedSecret[b / 8] ^= (byte)(1 << (b % 8));`
	`139`
69468	`140`	`sha256.AppendData(derivedSecret);`
69468	`141`	`sha256.GetHashAndReset(derivedSecret);`
	`142`	`}`
9136	`143`	`}`
	`144`
	`145`	`/// <summary>`
	`146`	`/// Securely frees a secret from memory`
	`147`	`/// </summary>`
	`148`	`private void FreeSecret(IntPtr secretPtr)`
	`149`	`{`
400	`150`	`if (secretPtr == IntPtr.Zero)`
0	`151`	`return;`
	`152`
	`153`	`// Wipe memory before freeing`
400	`154`	`_cryptoProvider.MemoryZero(secretPtr, SECRET_SIZE);`
	`155`
	`156`	`// Unlock memory`
400	`157`	`_cryptoProvider.MemoryUnlock(secretPtr, SECRET_SIZE);`
	`158`
	`159`	`// Free memory`
400	`160`	`_cryptoProvider.MemoryFree(secretPtr);`
400	`161`	`}`
	`162`
	`163`	`private void ReleaseUnmanagedResources()`
	`164`	`{`
	`165`	`// Free all secrets`
4800	`166`	`for (var i = 0; i < _knownSecrets.Length; i++)`
	`167`	`{`
2352	`168`	`if (_knownSecrets[i] == null)`
	`169`	`{`
	`170`	`continue;`
	`171`	`}`
	`172`
296	`173`	`FreeSecret(_knownSecrets[i]!.SecretPtr);`
296	`174`	`_knownSecrets[i] = null;`
	`175`	`}`
48	`176`	`}`
	`177`
	`178`	`private void Dispose(bool disposing)`
	`179`	`{`
48	`180`	`ReleaseUnmanagedResources();`
48	`181`	`if (disposing)`
	`182`	`{`
48	`183`	`_cryptoProvider.Dispose();`
	`184`	`}`
48	`185`	`}`
	`186`
	`187`	`public void Dispose()`
	`188`	`{`
48	`189`	`Dispose(true);`
48	`190`	`GC.SuppressFinalize(this);`
48	`191`	`}`
	`192`
	`193`	`~SecretStorageService()`
	`194`	`{`
0	`195`	`Dispose(false);`
0	`196`	`}`
	`197`	`}`

< Summary - Combined Code Coverage

Metrics

File(s)

/home/runner/work/nlightning/nlightning/src/NLightning.Infrastructure/Protocol/Services/SecretStorageService.cs

Methods/Properties