Signet Forge 0.1.0
C++20 Parquet library with AI-native extensions

Namespaces

| Kind | Name |
|---|---|
| namespace | detail |

Classes

| Kind | Name | Description |
|---|---|---|
| class | Aes256 | AES-256 block cipher (FIPS-197). |
| class | AesCtr | AES-256 in Counter Mode (CTR) as specified in NIST SP 800-38A. |
| class | AesCtrCipher | AES-256-CTR adapter – wraps the low-level AesCtr class behind ICipher. |
| class | AesGcm | AES-256 in Galois/Counter Mode (GCM) as specified in NIST SP 800-38D. |
| class | AesGcmCipher | AES-256-GCM adapter – wraps the low-level AesGcm class behind ICipher. |
| struct | AlgorithmPolicy | Algorithm deprecation entry. |
| struct | CipherFactory | Factory for creating cipher instances from algorithm enum + raw key. |
| struct | ColumnKeySpec | Specifies the encryption key for a single Parquet column. |
| class | CryptoShredder | Per-subject key store supporting cryptographic erasure. |
| class | DilithiumSign | Dilithium-3 digital signature scheme (NIST FIPS 204 / ML-DSA-65). |
| struct | EncryptionConfig | Top-level configuration structure that drives FileEncryptor / FileDecryptor. |
| struct | EncryptionKeyMetadata | Per-key metadata stored alongside encrypted Parquet components. |
| class | FileDecryptor | Decrypts Parquet modules using the keys from an EncryptionConfig. |
| struct | FileEncryptionProperties | Stored in the Parquet FileMetaData.encryption_algorithm field. |
| class | FileEncryptor | Encrypts Parquet modules (footer, column metadata, data pages) using the keys and algorithm specified in an EncryptionConfig. |
| class | HsmClientStub | Test stub implementing IKmsClient using software AES Key Wrap. |
| class | HybridKem | Hybrid Key Encapsulation combining Kyber-768 (post-quantum) and X25519 (classical). |
| class | ICipher | Abstract cipher interface — unified API for authenticated (GCM) and unauthenticated (CTR) encryption. |
| class | IKmsClient | Abstract KMS client interface for DEK/KEK key wrapping. |
| struct | KeyRotationRequest | Key rotation request describing old → new key transition. |
| struct | KeyRotationResult | Key rotation result. |
| class | KyberKem | Kyber-768 Key Encapsulation Mechanism (NIST FIPS 203 / ML-KEM-768). |
| struct | PostQuantumConfig | Configuration for post-quantum encryption in Parquet Modular Encryption. |
| class | SecureKeyBuffer | RAII container for sensitive key material with mlock and secure zeroization. |

Enumerations

| Type | Declaration | Description |
|---|---|---|
| enum class | `KeyMode : int32_t { INTERNAL = 0, EXTERNAL = 1 }` | How the encryption key is stored or referenced. |
| enum class | `EncryptionAlgorithm : int32_t { AES_GCM_V1 = 0, AES_GCM_CTR_V1 = 1 }` | Encryption algorithm identifier. |
| enum class | `MetadataFormat : int32_t { TLV = 0, THRIFT = 1 }` | Wire format for key metadata serialization. |
| enum class | `AlgorithmStatus : int32_t { ACCEPTABLE = 0, DEPRECATED = 1, DISALLOWED = 2, LEGACY = 3 }` | Algorithm lifecycle status per NIST SP 800-131A. |

Functions

| Return type | Function | Description |
|---|---|---|
| `bool` | `crypto_self_test()` | Run power-on self-tests (Known Answer Tests) for all crypto primitives. |
| `std::array<uint8_t, 32>` | `hkdf_extract(const uint8_t *salt, size_t salt_size, const uint8_t *ikm, size_t ikm_size)` | HKDF-Extract (RFC 5869 §2.2): Extract a pseudorandom key from input keying material. |
| `bool` | `hkdf_expand(const std::array<uint8_t, 32> &prk, const uint8_t *info, size_t info_size, uint8_t *output, size_t output_size)` | HKDF-Expand (RFC 5869 §2.3): Expand PRK to output keying material. |
| `bool` | `hkdf(const uint8_t *salt, size_t salt_size, const uint8_t *ikm, size_t ikm_size, const uint8_t *info, size_t info_size, uint8_t *output, size_t output_size)` | HKDF one-shot (RFC 5869): Extract-then-Expand in one call. |
| `expected<void>` | `validate_key_mode_for_production(KeyMode mode)` | Check if INTERNAL key mode is allowed in the current build. |
| `bool` | `is_real_pq_crypto() noexcept` | Runtime query: returns true if post-quantum crypto is backed by real liboqs implementations (Kyber-768, Dilithium-3), false if using bundled stubs. |

Variables

| Type | Variable | Description |
|---|---|---|
| `constexpr size_t` | `PME_REQUIRED_KEY_SIZE = 32` | Required AES-256 key size for all PME operations (NIST SP 800-131A). |
| `constexpr size_t` | `PME_AES128_KEY_SIZE = 16` | AES-128 key size — detected for interop diagnostics only (Gap P-7). |

`enum class AlgorithmStatus : int32_t` [strong]

Algorithm lifecycle status per NIST SP 800-131A.

| Enumerator | Description |
|---|---|
| ACCEPTABLE | Approved for use. |
| DEPRECATED | Still allowed but scheduled for removal. |
| DISALLOWED | Must not be used. |
| LEGACY | Only for processing existing data (no new encryption). |
Definition at line 914 of file key_metadata.hpp.

`enum class EncryptionAlgorithm : int32_t` [strong]

Encryption algorithm identifier.

These correspond to the Parquet specification's encryption algorithms:

- AES_GCM_V1 – AES-256-GCM for both footer and column data. Provides authenticated encryption everywhere.
- AES_GCM_CTR_V1 – AES-256-GCM for footer (authenticated), AES-256-CTR for column data (faster, integrity from page checksums). This is the Parquet standard default.

| Enumerator | Description |
|---|---|
| AES_GCM_V1 | AES-256-GCM for both footer and column data. |
| AES_GCM_CTR_V1 | AES-256-GCM for footer, AES-256-CTR for column data (Parquet default). |
Definition at line 128 of file key_metadata.hpp.

`enum class KeyMode : int32_t` [strong]

How the encryption key is stored or referenced.

| Enumerator | Description |
|---|---|
| INTERNAL | Key material stored directly in file metadata (testing/dev). |
| EXTERNAL | Key referenced by KMS key ID; actual key resolved from KMS at runtime. |
Definition at line 58 of file key_metadata.hpp.

`enum class MetadataFormat : int32_t` [strong]

Wire format for key metadata serialization.

- TLV: Signet v1 custom format (backward-compatible, existing files).
- THRIFT: Parquet spec Thrift Compact Protocol (cross-implementation interop).

| Enumerator | Description |
|---|---|
| TLV | Signet v1 custom TLV format. |
| THRIFT | Parquet Thrift Compact Protocol (spec-compliant) |
Definition at line 897 of file key_metadata.hpp.

`bool crypto_self_test()` [inline]

Run power-on self-tests (Known Answer Tests) for all crypto primitives.
Tests AES-256 block cipher, AES-256-GCM (AEAD), and AES-256-CTR using NIST published test vectors. Should be called once at application startup.
Definition at line 756 of file cipher_interface.hpp.

`bool hkdf_expand(const std::array<uint8_t, 32> &prk, const uint8_t *info, size_t info_size, uint8_t *output, size_t output_size)` [inline]

HKDF-Expand (RFC 5869 §2.3): Expand PRK to output keying material.

| Parameter | Description |
|---|---|
| prk | Pseudorandom key from HKDF-Extract (32 bytes). |
| info | Context and application-specific info (may be empty). |
| info_size | Info length. |
| output | Buffer for output keying material. |
| output_size | Desired OKM length (max 255 * 32 = 8160 bytes). |
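
`std::array<uint8_t, 32> hkdf_extract(const uint8_t *salt, size_t salt_size, const uint8_t *ikm, size_t ikm_size)` [inline]

HKDF-Extract (RFC 5869 §2.2): Extract a pseudorandom key from input keying material.

PRK = HMAC-Hash(salt, IKM)

| Parameter | Description |
|---|---|
| salt | Optional salt (if empty, uses zero-filled key of HashLen bytes). |
| salt_size | Salt length. |
| ikm | Input keying material. |
| ikm_size | IKM length. |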
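
A reference model of the two HKDF steps documented above, useful for cross-checking a build's output and its 8160-byte limit. This is an added Python example, not Signet Forge code: it assumes the hash is SHA-256 (inferred from the 32-byte PRK), models a `false` return as `None`, and uses the RFC 5869 Appendix A.1 inputs.

```python
import hashlib
import hmac

HASH_LEN = 32                 # SHA-256 output size (assumed hash, see lead-in)
MAX_OKM = 255 * HASH_LEN      # 8160 bytes, the documented output_size limit


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC-Hash(salt, IKM); an empty salt becomes HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int):
    """T(i) = HMAC(PRK, T(i-1) | info | i); blocks are concatenated, then cut to length."""
    if len(prk) != HASH_LEN or length < 0 or length > MAX_OKM:
        return None           # refuse instead of silently truncating or wrapping the counter
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1          # never exceeds 255 because length <= MAX_OKM
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int):
    """One-shot Extract-then-Expand."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Inputs from RFC 5869 Appendix A.1 (test case 1)
IKM = bytes([0x0B]) * 22
SALT = bytes(range(0x00, 0x0D))
INFO = bytes(range(0xF0, 0xFA))

if __name__ == "__main__":
    print("PRK       :", hkdf_extract(SALT, IKM).hex())
    print("OKM (42 B):", hkdf(SALT, IKM, INFO, 42).hex())
    print("empty salt == 32 zero bytes:",
          hkdf_extract(b"", IKM) == hkdf_extract(bytes(HASH_LEN), IKM))
    print("8161-byte request:", hkdf(SALT, IKM, INFO, MAX_OKM + 1))
```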

`bool is_real_pq_crypto() noexcept` [inline, noexcept]

Runtime query: returns true if post-quantum crypto is backed by real liboqs implementations (Kyber-768, Dilithium-3), false if using bundled stubs.
Note: when false, HybridKem still provides real classical security via X25519 ECDH — only the Kyber lattice portion is a structural placeholder.
Definition at line 93 of file post_quantum.hpp.

`expected<void> validate_key_mode_for_production(KeyMode mode)`

Check if INTERNAL key mode is allowed in the current build.

In production builds (SIGNET_REQUIRE_COMMERCIAL_LICENSE=ON), INTERNAL key mode should be rejected. This function provides a runtime check that can be called before file encryption.

| Parameter | Description |
|---|---|
| mode | The key mode to validate. |
Definition at line 948 of file key_metadata.hpp.