28 changed files with 934 additions and 350 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,2 @@
 *.enc filter=lfs diff=lfs merge=lfs -text
 *.cert filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,228 @@
-**target/
+# Created by https://www.gitignore.io/api/vim,rust,linux,emacs,windows,intellij+all,visualstudiocode
 # Edit at https://www.gitignore.io/?templates=vim,rust,linux,emacs,windows,intellij+all,visualstudiocode
 ### Emacs ###
 # -*- mode: gitignore; -*-
 *~
 \#*\#
 /.emacs.desktop
 /.emacs.desktop.lock
 *.elc
 auto-save-list
 tramp
 .\#*
 # Org-mode
 .org-id-locations
 *_archive
 # flymake-mode
 *_flymake.*
 # eshell files
 /eshell/history
 /eshell/lastdir
 # elpa packages
 /elpa/
 # reftex files
 *.rel
 # AUCTeX auto folder
 /auto/
 # cask packages
 .cask/
 dist/
 # Flycheck
 flycheck_*.el
 # server auth directory
 /server/
 # projectiles files
 .projectile
 # directory configuration
 .dir-locals.el
 # network security
 /network-security.data
 ### Intellij+all ###
 # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and WebStorm
 # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
 # User-specific stuff
 .idea/**/workspace.xml
 .idea/**/tasks.xml
 .idea/**/usage.statistics.xml
 .idea/**/dictionaries
 .idea/**/shelf
 # Generated files
 .idea/**/contentModel.xml
 # Sensitive or high-churn files
 .idea/**/dataSources/
 .idea/**/dataSources.ids
 .idea/**/dataSources.local.xml
 .idea/**/sqlDataSources.xml
 .idea/**/dynamic.xml
 .idea/**/uiDesigner.xml
 .idea/**/dbnavigator.xml
 # Gradle
 .idea/**/gradle.xml
 .idea/**/libraries
 # Gradle and Maven with auto-import
 # When using Gradle or Maven with auto-import, you should exclude module files,
 # since they will be recreated, and may cause churn.  Uncomment if using
 # auto-import.
 # .idea/modules.xml
 # .idea/*.iml
 # .idea/modules
 # *.iml
 # *.ipr
 # CMake
 cmake-build-*/
 # Mongo Explorer plugin
 .idea/**/mongoSettings.xml
 # File-based project format
 *.iws
 # IntelliJ
 out/
 # mpeltonen/sbt-idea plugin
 .idea_modules/
 # JIRA plugin
 atlassian-ide-plugin.xml
 # Cursive Clojure plugin
 .idea/replstate.xml
 # Crashlytics plugin (for Android Studio and IntelliJ)
 com_crashlytics_export_strings.xml
 crashlytics.properties
 crashlytics-build.properties
 fabric.properties
 # Editor-based Rest Client
 .idea/httpRequests
 # Android studio 3.1+ serialized cache file
 .idea/caches/build_file_checksums.ser
 ### Intellij+all Patch ###
 # Ignores the whole .idea folder and all .iml files
 # See https://github.com/joeblau/gitignore.io/issues/186 and https://github.com/joeblau/gitignore.io/issues/360
 .idea/
 # Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-249601023
 *.iml
 modules.xml
 .idea/misc.xml
 *.ipr
 # Sonarlint plugin
 .idea/sonarlint
 ### Linux ###
 # temporary files which can be created if a process still has a handle open of a deleted file
 .fuse_hidden*
 # KDE directory preferences
 .directory
 # Linux trash folder which might appear on any partition or disk
 .Trash-*
 # .nfs files are created when an open file is removed but is still being accessed
 .nfs*
 ### Rust ###
 # Generated by Cargo
 # will have compiled files and executables
 /target/
 # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
 # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
 Cargo.lock
 # These are backup files generated by rustfmt
 **/*.rs.bk
-*.cbor
+
-*.yaml
+### Vim ###
 # Swap
 [._]*.s[a-v][a-z]
 [._]*.sw[a-p]
 [._]s[a-rt-v][a-z]
 [._]ss[a-gi-z]
 [._]sw[a-p]
 # Session
 Session.vim
 Sessionx.vim
 # Temporary
 .netrwhist
 # Auto-generated tag files
 tags
 # Persistent undo
 [._]*.un~
 # Coc configuration directory
 .vim
 ### VisualStudioCode ###
 .vscode/*
 !.vscode/settings.json
 !.vscode/tasks.json
 !.vscode/launch.json
 !.vscode/extensions.json
 ### VisualStudioCode Patch ###
 # Ignore all local history of files
 .history
 ### Windows ###
 # Windows thumbnail cache files
 Thumbs.db
 Thumbs.db:encryptable
 ehthumbs.db
 ehthumbs_vista.db
 # Dump file
 *.stackdump
 # Folder config file
 [Dd]esktop.ini
 # Recycle Bin used on file shares
 $RECYCLE.BIN/
 # Windows Installer files
 *.cab
 *.msi
 *.msix
 *.msm
 *.msp
 # Windows shortcuts
 *.lnk
 # End of https://www.gitignore.io/api/vim,rust,linux,emacs,windows,intellij+all,visualstudiocode
--- a/Cargo.lock
+++ b/Cargo.lock
@ -36,13 +36,13 @@ dependencies = [
 ]
 [[package]]
-name = "bitflags"
+name = "base64"
-version = "1.2.1"
+version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
-name = "bumpalo"
+name = "bitflags"
-version = "3.1.1"
+version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
@ -81,10 +81,12 @@ dependencies = [
 [[package]]
 name = "coffer-client"
-version = "0.2.0"
+version = "0.4.0"
 dependencies = [
 "coffer-common 0.4.0",
 "env_logger 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "exec 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "futures 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)",
 "serde 1.0.102 (registry+https://github.com/rust-lang/crates.io-index)",
 "serde_cbor 0.10.2 (registry+https://github.com/rust-lang/crates.io-index)",
@ -94,26 +96,28 @@ dependencies = [
 [[package]]
 name = "coffer-common"
-version = "0.1.0"
+version = "0.4.0"
 dependencies = [
- "bumpalo 3.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
+ "base64 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "env_logger 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)",
 "quick-error 1.2.2 (registry+https://github.com/rust-lang/crates.io-index)",
 "seckey 0.9.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "serde 1.0.102 (registry+https://github.com/rust-lang/crates.io-index)",
 "serde_cbor 0.10.2 (registry+https://github.com/rust-lang/crates.io-index)",
 "serde_json 1.0.44 (registry+https://github.com/rust-lang/crates.io-index)",
 "sodiumoxide 0.2.5 (registry+https://github.com/rust-lang/crates.io-index)",
 "tokio 0.2.9 (registry+https://github.com/rust-lang/crates.io-index)",
 "toml 0.5.5 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "coffer-companion"
-version = "0.2.0"
+version = "0.4.0"
 dependencies = [
- "coffer-common 0.1.0",
+ "coffer-common 0.4.0",
 "env_logger 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
 "log 0.4.8 (registry+https://github.com/rust-lang/crates.io-index)",
 "quick-error 1.2.2 (registry+https://github.com/rust-lang/crates.io-index)",
 "serde 1.0.102 (registry+https://github.com/rust-lang/crates.io-index)",
@ -125,10 +129,10 @@ dependencies = [
 [[package]]
 name = "coffer-server"
-version = "0.2.0"
+version = "0.4.0"
 dependencies = [
 "bytes 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)",
- "coffer-common 0.1.0",
+ "coffer-common 0.4.0",
 "env_logger 0.7.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "futures 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
 "hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
@ -365,11 +369,6 @@ dependencies = [
 "libc 0.2.65 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "itoa"
 version = "0.4.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "kernel32-sys"
 version = "0.2.2"
@ -612,11 +611,6 @@ name = "rle-decode-fast"
 version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "ryu"
 version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "seckey"
 version = "0.9.1"
@ -653,16 +647,6 @@ dependencies = [
 "syn 1.0.8 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "serde_json"
 version = "1.0.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
 "itoa 0.4.4 (registry+https://github.com/rust-lang/crates.io-index)",
 "ryu 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
 "serde 1.0.102 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 [[package]]
 name = "serde_yaml"
 version = "0.8.11"
@ -932,8 +916,8 @@ dependencies = [
 "checksum ansi_term 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
 "checksum arc-swap 0.4.4 (registry+https://github.com/rust-lang/crates.io-index)" = "d7b8a9123b8027467bce0099fe556c628a53c8d83df0507084c31e9ba2e39aff"
 "checksum atty 0.2.13 (registry+https://github.com/rust-lang/crates.io-index)" = "1803c647a3ec87095e7ae7acfca019e98de5ec9a7d01343f611cf3152ed71a90"
 "checksum base64 0.11.0 (registry+https://github.com/rust-lang/crates.io-index)" = "b41b7ea54a0c9d92199de89e20e58d49f02f8e699814ef3fdf266f6f748d15c7"
 "checksum bitflags 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "cf1de2fe8c75bc145a2f577add951f8134889b4795d47466a54a5c846d691693"
 "checksum bumpalo 3.1.1 (registry+https://github.com/rust-lang/crates.io-index)" = "8fe2567a8d8a3aedb4e39aa39e186d5673acfd56393c6ac83b2bc5bd82f4369c"
 "checksum byteorder 1.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "a7c3dd8985a7111efc5c80b44e23ecdd8c007de8ade3b96595387e812b957cf5"
 "checksum bytes 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)" = "10004c15deb332055f7a4a208190aed362cf9a7c2f6ab70a305fba50e1105f38"
 "checksum cc 1.0.47 (registry+https://github.com/rust-lang/crates.io-index)" = "aa87058dce70a3ff5621797f1506cb837edd02ac4c0ae642b4542dce802908b8"
@ -966,7 +950,6 @@ dependencies = [
 "checksum hex 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "023b39be39e3a2da62a94feb433e91e8bcd37676fbc8bea371daf52b7a769a3e"
 "checksum humantime 1.3.0 (registry+https://github.com/rust-lang/crates.io-index)" = "df004cfca50ef23c36850aaaa59ad52cc70d0e90243c3c7737a4dd32dc7a3c4f"
 "checksum iovec 0.1.4 (registry+https://github.com/rust-lang/crates.io-index)" = "b2b3ea6ff95e175473f8ffe6a7eb7c00d054240321b84c57051175fe3c1e075e"
 "checksum itoa 0.4.4 (registry+https://github.com/rust-lang/crates.io-index)" = "501266b7edd0174f8530248f87f99c88fbe60ca4ef3dd486835b8d8d53136f7f"
 "checksum kernel32-sys 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)" = "7507624b29483431c0ba2d82aece8ca6cdba9382bff4ddd0f7490560c056098d"
 "checksum lazy_static 1.4.0 (registry+https://github.com/rust-lang/crates.io-index)" = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
 "checksum libc 0.2.65 (registry+https://github.com/rust-lang/crates.io-index)" = "1a31a0627fdf1f6a39ec0dd577e101440b7db22672c0901fe00a9a6fbb5c24e8"
@ -997,12 +980,10 @@ dependencies = [
 "checksum regex 1.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "dc220bd33bdce8f093101afe22a037b8eb0e5af33592e6a9caafff0d4cb81cbd"
 "checksum regex-syntax 0.6.12 (registry+https://github.com/rust-lang/crates.io-index)" = "11a7e20d1cce64ef2fed88b66d347f88bd9babb82845b2b858f3edbf59a4f716"
 "checksum rle-decode-fast 1.0.1 (registry+https://github.com/rust-lang/crates.io-index)" = "cabe4fa914dec5870285fa7f71f602645da47c486e68486d2b4ceb4a343e90ac"
 "checksum ryu 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)" = "bfa8506c1de11c9c4e4c38863ccbe02a305c8188e85a05a784c9e11e1c3910c8"
 "checksum seckey 0.9.1 (registry+https://github.com/rust-lang/crates.io-index)" = "c819d0a699db7622e4ee55a651f992242f754481f97de3024dc548adcce13237"
 "checksum serde 1.0.102 (registry+https://github.com/rust-lang/crates.io-index)" = "0c4b39bd9b0b087684013a792c59e3e07a46a01d2322518d8a1104641a0b1be0"
 "checksum serde_cbor 0.10.2 (registry+https://github.com/rust-lang/crates.io-index)" = "f7081ed758ec726a6ed8ee7e92f5d3f6e6f8c3901b1f972e3a4a2f2599fad14f"
 "checksum serde_derive 1.0.102 (registry+https://github.com/rust-lang/crates.io-index)" = "ca13fc1a832f793322228923fbb3aba9f3f44444898f835d31ad1b74fa0a2bf8"
 "checksum serde_json 1.0.44 (registry+https://github.com/rust-lang/crates.io-index)" = "48c575e0cc52bdd09b47f330f646cf59afc586e9c4e3ccd6fc1f625b8ea1dad7"
 "checksum serde_yaml 0.8.11 (registry+https://github.com/rust-lang/crates.io-index)" = "691b17f19fc1ec9d94ec0b5864859290dff279dbd7b03f017afda54eb36c3c35"
 "checksum signal-hook-registry 1.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "94f478ede9f64724c5d173d7bb56099ec3e2d9fc2774aac65d34b8b890405f41"
 "checksum slab 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)" = "c111b5bd5695e56cffe5129854aa230b39c93a305372fdbb2668ca2394eea9f8"
--- a/Design.org
+++ b/Design.org
@ -1,36 +1,35 @@
 * Communication
 ** Frame 
-   Header ::: content-length: u64 | message-type: u8 ::: 72 bit, fixed
+   Header ::: content-length: u16 | message-type: u8 ::: 3 byte, fixed
   Body   ::: content: [u8; content-length]          ::: conent-length byte, variable
-   Numbers are in network byte order.
+   Unsigned integers in network byte order.
 ** Message Types
-   | Ordinal | Type  | Body Format     | Direction | Transitions      | Description                                  |
+   | Ordinal | Type        | Body Format     | Direction | Transitions              | Description                               |
-   |---------+-------+-----------------+-----------+------------------+----------------------------------------------|
+   |---------+-------------+-----------------+-----------+--------------------------+-------------------------------------------|
-   |       0 | Hello | Public Key      | C -> S    | Waiting for Link | Initiates communication                      |
+   |    0x00 | Hello       | Client PK       | C -> S    | Link, KeyNotFound, Error | Initiates communication                   |
-   |       1 | Link  | <empty>         | S -> C    | Put, Get         | Link established, communication can start    |
+   |    0x01 | Link        | <empty>         | S -> C    | Get, Bye                 | Link established, communication can start |
-   |       2 | Put   | Coffer (sealed) | C -> S    | OkPut            | Merge a ~Coffer~ for the client              |
+   |    0x02 | Get         | <empt>          | C -> S    | OkGet, Error             | Retrieve a secrets for the client         |
-   |       3 | Get   | Coffer (sealed) | C -> S    | OkGet            | Retrieve a ~Coffer~ for the client           |
+   |    0x03 | OkGet       | Coffer (sealed) | S -> C    | Bye                      | Send secrets to the client                |
-   |       4 | OkPut | <empty>         | S -> C    | Put, Get         | ~Coffer~ was successfully merged             |
+   |    0x99 | Bye         | Client PK       | C -> S    | •                        | Close connection                          |
-   |       5 | OkGet | Coffer (sealed) | S -> C    | Put, Get         | Return a sealed ~Coffer~ for a ~Get~ request |
+   |    0xaa | KeyNotFound | Client PK       | S -> C    | •                        | PK unknown to server                      |
-   |      63 | Bye   |                 | C -> S    |                  | Close connection                             |
+   |    0xff | Error       | UTF-8 String    | S -> C    | •                        | Generic server error with reason          |
   |     127 | Error |                 | S -> C    |                  | Generic server error                         |
   - Error can be returned at any stage
   - Communication can end at any stage. Communication ends when connection is closed by either side.
   - Seal is determined by communication direction:
     C -> S: sealed by server public key, client private key
     S -> C: sealed by client public key, server private key
   - Secrets returned as sealed cbor
 * Coffer
-  - Multitree with each leave terminating in a Vec<u8>
+  - Sharded KV-Store
-  - Nodes (except leaves = key path) are utf8 strings
+  - Keys are UTF-8 Strings
-  - A ~Put~ request must contain a fully determined ~Coffer~ (all leaves are values)
+  - Typed values as defined by TOML: String, Integer, Float, Boolean
-  - A ~Get~ request contains a partially determined ~Coffer~ (values are ignored)
+    - No Dates support
-    - If a node resolves to a parent, the subtree (which is also a ~Coffer~) is returned
+    - No binary data support
-    - If a node resolves to a leave, the partial ~Coffer~ terminating in the leave and its value are returned
+    - Floats and Integers are 32 bit
 * Coffer Server
  A ~coffer-server~ can support multiple clients by means of /sharding/ the
  keyspace. Clients are uniquely identified by their public key.
@ -43,26 +42,29 @@
    key. No tampered requests can be sent or communication data collected except
    the private keys are compromised.
-* Coffer YAML
+* Coffer Definition (TOML)
-** Secrets Definition  
+  Encrypted Authentication: SK of coffer-companion, PK of coffer-server
   Encrypted with: SK of coffer-companion, PK of coffer-server
-   #+BEGIN_SRC yaml
+  #+BEGIN_SRC yaml
-     # Names for ids (public keys) of clients
+    # IDs (public keys) of clients
-     [clients]
+    file.id = "AAAA-AAAA-AAAA-AAAA"
-     file = "AAAA-AAAA-AAAA-AAAA"
+    bin.id = "FFFF-FFFF-FFFF-FFFF"
     bin = "FFFF-FFFF-FFFF-FFFF"
-     # Secrets for a named client (defined in clients)
+    # Secrets for a named client (defined in clients)
-     [file]
+    [file]
-     secretkey = "secret value"
+    secretkey = "secret value"
-     secretkey2 = "secret value2"
+    secretkey2 = "secret value2"
-   #+END_SRC
+  #+END_SRC
-** Secret Response
+* Coffer Response
-   file client executes GET to server
+  Encrypted Authentication: SK of coffer-server, PK of coffer-client
  Format: cbor
  CofferResponse = List<CofferSecret>
  CofferSecret {
    key: UTF-8 String,
    value: CofferValue
  }
-   #+BEGIN_SRC yaml
+  CofferValue = String | Integer | Float | Boolean | Date
     secretkey = "secret value"
     secretkey2 = "secret value2"
   #+END_SRC
--- a/7
+++ b/7
@ -7,7 +7,10 @@ release:
 	cargo build --release
 publish:
-	docker pull clux/muslrust
+	podman pull clux/muslrust
-	docker run -v $(CURDIR):/volume --rm -t clux/muslrust cargo build --release
+	podman run -v .:/volume:Z --rm -t clux/muslrust cargo build --release
 	strip target/x86_64-unknown-linux-musl/release/coffer-server
 	strip target/x86_64-unknown-linux-musl/release/coffer-client
 	strip target/x86_64-unknown-linux-musl/release/coffer-companion
 .PHONY: default release publish
--- a/coffer-client/Cargo.toml
+++ b/coffer-client/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "coffer-client"
-version = "0.2.0"
+version = "0.4.0"
 authors = ["Armin Friedl <dev@friedl.net>"]
 edition = "2018"
@ -16,4 +16,9 @@ serde = { version = "1.0", features = ["derive"]}
 serde_yaml = "0.8"
 serde_cbor = "0.10.2"
 # Executing subcommand
-exec = "0.3.1"
+exec = "0.3.1"
 # Lighter alternative to tokio for
 # driving shared frame creation
 futures = "0.3.1"
 coffer-common = { path = "../coffer-common" }
--- a/coffer-client/src/main.rs
+++ b/coffer-client/src/main.rs
@ -1,27 +1,28 @@
 #[allow(unused_imports)]
 use log::{debug, error, info, trace, warn};
 use std::net::SocketAddr;
 use env_logger;
 use structopt::StructOpt;
-use std::fs::File;
+
-use std::error::Error;
+use std:: {
-use std::net::TcpStream;
+    net::{SocketAddr, TcpStream},
-use std::path::PathBuf;
+    error::Error,
-use std::io::BufRead;
+    path::PathBuf,
-use std::io::BufReader;
+    io::{Write, Read},
-use std::io::Write;
+    convert::{TryInto, TryFrom}
 };
 use coffer_common::certificate::Certificate;
 use coffer_common::coffer::{CofferShard, CofferValue};
 #[derive(StructOpt, Debug)]
 struct Args {
    /// Address of the coffer server
-    #[structopt(short, long, parse(try_from_str), env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")]
+    #[structopt(short, long, env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")]
-    server_address: SocketAddr,
+    server_address: String,
-    /// Path to the request file sent to the server
+    #[structopt(short, long, parse(from_os_str), env = "COFFER_CLIENT_CERTIFICATE", hide_env_values = true)]
-    #[structopt(parse(from_os_str), env = "COFFER_REQUEST", hide_env_values = true)]
+    certificate: PathBuf,
    secrets: PathBuf,
    /// The subcommand spawned by coffer-client
    cmd: String,
@ -34,14 +35,39 @@ fn main() -> Result<(), Box<dyn Error>> {
    env_logger::init();
    let args = Args::from_args();
-    info!{"Connecting to coffer server"}
+    debug!{"Reading certificate"}
-    let stream: TcpStream = TcpStream::connect(args.server_address)?;
+    let cert = Certificate::new_from_cbor(&args.certificate)?;
-    info!{"Parsing key requests"}
+    debug!{"Connecting to coffer server"}
-    let keys = parse_from_path(&args.secrets)?;
+    let mut stream: TcpStream = TcpStream::connect(args.server_address)?;
-    info!{"Reading secrets"}
+    debug!{"Sending hello"}
-    retrieve_secrets(&keys, stream)?;
+    let hello = framed(0x00, cert.public_key());
    stream.write_all(&hello)?;
    debug!{"Sending get"}
    let get = framed(0x02, Vec::new());
    stream.write_all(&get)?;
    debug!{"Reading shard"}
    let header = read_header(&mut stream).unwrap();
    let shard = read_message(header.0, &mut stream).unwrap();
    debug!{"Got encrypted shard {:?}", shard}
    debug!{"Sending bye"}
    let bye = framed(0x99, Vec::new());
    stream.write_all(&bye)?;
    debug!{"Decrypting shard"}
    let shard_clear = cert.open(&shard).unwrap();
    let shard_de = serde_cbor::from_slice::<CofferShard>(&shard_clear).unwrap();
    debug!{"Setting environment"}
    for (key, val) in shard_de.0 {
        if let CofferValue::String(val_s) = val {
            std::env::set_var(key.trim(), val_s.trim());
        }
    }
    info!{"Spawning coffer'ed command, reaping coffer"}
    reap_coffer(&args.cmd, &args.cmd_args);
@ -49,28 +75,7 @@ fn main() -> Result<(), Box<dyn Error>> {
    Err("Could not spawn sub-command".into())
 }
-fn retrieve_secrets(keys: &Vec<String>, mut stream: TcpStream) -> Result<(), Box<dyn Error>>{
+fn reap_coffer(cmd: &str, args: &[String]) {
    for k in keys {
        let buf = serde_cbor::to_vec(&k)?;
        info!{"Sending key request {} as {:?}", k, buf}
        stream.write_all(&buf.len().to_be_bytes())?;
        stream.write_all(&buf)?;
        info!{"Reading response"}
        let mut reader = BufReader::new(&stream); // get buffered reader for line-wise reading from stream
        // read line
        let mut resp = String::new();
        reader.read_line(&mut resp)?;
        info!{"Retrieved secret. Setting environment"}
        std::env::set_var(k.trim(), resp.trim());
    }
    Ok(())
 }
 fn reap_coffer(cmd: &str, args: &Vec<String>) {
    let mut cmd = exec::Command::new(cmd);
    // TODO Push cmd as first arg if not already set?
@ -80,8 +85,76 @@ fn reap_coffer(cmd: &str, args: &Vec<String>) {
    error!{"Could not execute sub-command {}", err};
 }
-fn parse_from_path(path: &PathBuf) -> Result<Vec<String>, Box<dyn Error>> {
+pub fn read_header<T>(reader: &mut T) -> Option<(u64, u8)>
-    let sec_file = File::open(path)?;
+where T: Read
 {
    let mut header: [u8; 9] = [0u8;9]; // header buffer
    match reader.read_exact(&mut header)
    {
        Ok(_) => debug!{"Read {} bytes for header", 9},
        Err(err) => {
            error!{"Error while reading header: {}", err}
            return None;
        }
    }
-    Ok(serde_yaml::from_reader::<_, Vec<String>>(sec_file)?)
+    trace!{"Header buffer {:?}", header}
    let msg_size: u64 = u64::from_be_bytes(
        header[0..8]
            .try_into()
            .unwrap());
    let msg_type: u8 = u8::from_be_bytes(
        header[8..9]
            .try_into()
            .unwrap());
    debug!{"Message size: {}, Message type: {}", msg_size, msg_type}
    Some((msg_size, msg_type))
 }
 pub fn read_message<T>(msg_size: u64, reader: &mut T) -> Option<Vec<u8>>
 where T: Read
 {
    // TODO: possible to use unallocated memory instead?
    // -> https://doc.rust-lang.org/beta/std/mem/union.MaybeUninit.html
    // TODO: 32 bit usize? Can't allocate a 64 bit length buffer anyway?
    let mut message = Vec::with_capacity(msg_size.try_into().unwrap());
    // need to set the size, because otherwise it is assumed to be 0, since
    // the vec is allocated but uninitialized at this point, we don't want to
    // pre-allocate a potentially huge buffer with 0x00, so unsafe set size.
    unsafe {message.set_len(msg_size.try_into().unwrap());}
    match reader.read_exact(&mut message)
    {
        Ok(_) => debug!{"Read {} bytes for message", msg_size},
        Err(err) => {
            error!{"Error while reading message: {}", err}
            return None;
        }
    }
    trace!{"Read message {:?}", message}
    Some(message)
 }
 pub fn framed(msg_type: u8, data: Vec<u8>) -> Vec<u8>
 {
    trace!{"Creating frame for type: {:?}, data: {:?}", msg_type, data}
    // TODO magic number
    let mut frame: Vec<u8> = Vec::with_capacity(data.len() + 72);
    unsafe {frame.set_len(8);}
    frame.splice(0..8, u64::try_from(data.len())
                 .unwrap()
                 .to_be_bytes()
                 .iter()
                 .cloned());
    frame.push(msg_type);
    frame.extend(&data);
    frame
 }
--- a/coffer-common/Cargo.toml
+++ b/coffer-common/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "coffer-common"
-version = "0.1.0"
+version = "0.4.0"
 authors = ["armin"]
 edition = "2018"
@ -15,13 +15,15 @@ export = []
 # Base tools
 log = "^0.4"
 env_logger = "^0.7"
 quick-error = "^1.2"
 # Serialization
 serde = { version = "^1.0", features = ["derive"]}
 serde_cbor = "^0.10"
 serde_json = "^1.0"
 toml = "^0.5"
-quick-error = "^1.2"
+base64 = "^0.11"
 hex = "^0.4"
 # Key management/Cryptography
 sodiumoxide = "^0.2"
 seckey = "^0.9"
-# Memory management
+#Communication
-bumpalo = { version = "^3.1", features = ["collections"]}
+tokio = { version="^0.2.9", features = ["full"]}
--- a/coffer-common/src/certificate.rs
+++ b/coffer-common/src/certificate.rs
@ -83,6 +83,15 @@ impl Certificate {
        Ok(cbor)
    }
    pub fn public_key(&self) -> Vec<u8> {
        self.inner.read().public_key.as_ref().to_owned()
    }
    #[cfg(feature = "export")]
    pub fn secret_key(&self) -> Vec<u8> {
        self.inner.read().private_key.as_ref().to_owned()
    }
    pub fn open(&self, c: &[u8]) -> Result<Vec<u8>, CertificateError> {
        let pk = &self.inner.read().public_key;
        let sk = &self.inner.read().private_key;
@ -90,6 +99,12 @@ impl Certificate {
        sealedbox::open(c, pk, sk)
            .map_err(|_| CertificateError::Crypto)
    }
    pub fn seal(&self, message: &[u8]) -> Result<Vec<u8>, CertificateError> {
        let pk = &self.inner.read().public_key;
        Ok(sealedbox::seal(message, pk))
    }
 }
 impl <T: AsRef<Path>> From<T> for Certificate {
--- a/coffer-common/src/coffer.rs
+++ b/coffer-common/src/coffer.rs
@ -1,8 +1,14 @@
 //! A storage container for client data
 #[allow(unused_imports)]
 use log::{debug, error, info, trace, warn};
 use std::fmt::Debug;
 use std::path::Path;
 use std::fs::File;
 use std::io::{BufReader, Read};
 use toml::Value as TomlValue;
 use serde::{Serialize, Deserialize};
 use quick_error::quick_error;
@ -29,39 +35,104 @@ pub enum CofferValue {
    String(String),
    /// A 32-bit integer
    Integer(i32),
-    /// An opaque blob of data
+    /// A 32-bit float
-    Blob(Vec<u8>)
+    Float(f32),
    // A boolean
    Boolean(bool)
 }
-/// A path to a value
+#[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq, Hash)]
-#[derive(Clone, Eq, PartialEq, Hash, Debug, Serialize, Deserialize)]
+pub struct CofferKey {
-pub struct CofferPath(pub Vec<String>);
+    pub shard: String,
    pub key: String
 }
 #[derive(Debug, Serialize, Deserialize)]
 pub struct CofferShard(pub Vec<(String, CofferValue)>);
 /// Interface for interacting with a `Coffer`
 pub trait Coffer {
    /// Put `value` at `path`. Errors if there is already a value at `path`.
-    fn put(&mut self, path: CofferPath, value: CofferValue) -> CofferResult<()>;
+    fn put(&mut self, key: CofferKey, value: CofferValue) -> CofferResult<()>;
    /// Push `value` to `path`. Replaces existing values.
-    fn push(&mut self, path: CofferPath, value: CofferValue);
+    fn push(&mut self, key: CofferKey, value: CofferValue);
    /// Retrieve `value` at path. Errors if there is no `value` at path.
-    fn get(&self, path: CofferPath) -> CofferResult<CofferValue>;
+    fn get(&self, key: &CofferKey) -> CofferResult<CofferValue>;
 }
-impl <T> From<Vec<T>> for CofferPath
+    /// Retrieve `value` at path. Errors if there is no `value` at path.
-where T: AsRef<str>
+    fn get_shard<T>(&self, shard: T) -> CofferResult<CofferShard>
-{
+    where T: AsRef<str>;
-    fn from(val: Vec<T>) -> Self {
+
-        CofferPath::from(&val)
+    fn from_toml_file(toml_path: &Path) -> Self
-    }
+    where Self: Coffer + Default
-}
+    {
-
+        // read the secrets file into a temporary string
-impl <T> From<&Vec<T>> for CofferPath
+        let mut file = BufReader::new(File::open(toml_path).unwrap());
-where T: AsRef<str>
+        let mut secrets_buf = String::new();
-{
+        file.read_to_string(&mut secrets_buf).unwrap();
-    fn from(val: &Vec<T>) -> Self {
+
-        let col = val.iter().map(|p| {(*p).as_ref().to_owned()}).collect();
+        Coffer::from_toml(&secrets_buf)
-        CofferPath(col)
+    }
    fn from_toml(toml: &str) -> Self
    where Self: Coffer + Default
    {
        // call implementation to create an empty coffer
        let mut coffer = Self::default();
        // parse the string into a toml Table
        let clients: toml::value::Table = match toml.parse::<TomlValue>().unwrap() {
            TomlValue::Table(t) => t,
            _ => panic!{"Invalid secrets file"}
        };
        coffer.from_toml_table(&clients);
        coffer
    }
    fn from_toml_table(&mut self, toml_table: &toml::value::Table) {
        // table has an no id, recourse into subtables
        if toml_table.get("id").is_none() {
            for (_key, val) in toml_table.iter() {
                match val {
                    TomlValue::Table(subtable) => {
                        self.from_toml_table(subtable);
                    },
                    _ => panic!{"Invalid secrets file"}
                }
            }
            return;
        }
        /*
         * Parse a single shard/table, this is known to have an id
         *
         * [files]
         * id = "ABC-DEF-GHE"
         * secret_string = "secret value1"
         * secret_int = 12345
         * secret_bool = true
         */
        let shard = toml_table.get("id").and_then(|id| id.as_str()).unwrap();
        for (key, val) in toml_table {
            if "id" == key { continue } // ids are for sharding
            let value = match val {
                TomlValue::String(s) => CofferValue::String(s.to_owned()),
                TomlValue::Integer(i) => CofferValue::Integer(*i as i32),
                TomlValue::Float(f) => CofferValue::Float(*f as f32),
                TomlValue::Boolean(b) => CofferValue::Boolean(*b),
                _ => panic!{"Value {:?} unsupported", val}
            };
            let key =  key.to_owned();
            let shard = shard.to_string();
            self.put(CofferKey{shard, key}, value).unwrap();
        }
    }
 }
--- a/coffer-common/src/keyring.rs
+++ b/coffer-common/src/keyring.rs
@ -1,12 +1,15 @@
 #[allow(unused_imports)]
 use log::{debug, error, info, trace, warn};
 use std::path::Path;
 use std::collections::HashMap;
 use quick_error::quick_error;
 use sodiumoxide::crypto::box_;
 use sodiumoxide::crypto::sealedbox;
 use toml::Value as TomlValue;
 use crate::certificate::{Certificate, CertificateError};
 quick_error! {
@ -17,6 +20,12 @@ quick_error! {
        Certificate(err: CertificateError) {
            from()
        }
        HexDecodeError(err: hex::FromHexError) {
            from()
        }
        IoError(err: std::io::Error) {
            from()
        }
        Msg(err: &'static str) {
            from(err)
            display("{}", err)
@ -40,6 +49,49 @@ impl Keyring {
        }
    }
    pub fn new_from_path<T>(certificate_path: T) -> Keyring
    where T: AsRef<Path>
    {
        Keyring {
            certificate: Certificate::from(certificate_path),
            known_keys: HashMap::new()
        }
    }
    pub fn add_known_keys_toml(&mut self, toml: &str) -> Result<(), KeyringError> {
        // parse the string into a toml Table
        let clients: toml::value::Table = match toml.parse::<TomlValue>().unwrap() {
            TomlValue::Table(t) => t,
            _ => panic!{"Invalid secrets file"}
        };
        self.add_known_keys_toml_table(&clients)?;
        debug!{"Known keys {:?}", self.known_keys}
        Ok(())
    }
    fn add_known_keys_toml_table(&mut self, toml_table: &toml::value::Table) -> Result<(), KeyringError> {
         // table has an no id, recourse into subtables
        if toml_table.get("id").is_none() {
            debug!{"{:?}", toml_table}
            for (_key, val) in toml_table.iter() {
                match val {
                    TomlValue::Table(subtable) => {
                        self.add_known_keys_toml_table(subtable)?;
                    },
                    _ => panic!{"Invalid secrets file"}
                }
            }
            return Ok(());
        }
        let shard = toml_table.get("id").and_then(|id| id.as_str()).ok_or(KeyringError::Msg("Invalid key parsing state"))?;
        self.add_known_key(&hex::decode(shard)?)
    }
    pub fn add_known_key(&mut self, key: &[u8]) -> Result<(), KeyringError> {
        let public_key = box_::PublicKey::from_slice(key)
            .ok_or(KeyringError::InvalidClientKey)?;
@ -50,7 +102,7 @@ impl Keyring {
    pub fn open(&self, message: &[u8]) -> Result<Vec<u8>, KeyringError> {
        self.certificate.open(message)
-            .map_err(|e| KeyringError::from(e))
+            .map_err(KeyringError::from)
    }
    pub fn seal(&self, client: &[u8], message: &[u8]) -> Result<Vec<u8>, KeyringError> {
--- a/coffer-companion/Cargo.toml
+++ b/coffer-companion/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "coffer-companion"
-version = "0.2.0"
+version = "0.4.0"
 authors = ["Armin Friedl <dev@friedl.net>"]
 edition = "2018"
@ -14,6 +14,7 @@ structopt = "0.3"
 quick-error = "1.2"
 # Key management/Cryptography 
 sodiumoxide = "0.2.5"
 hex = "^0.4"
 # Communication
 serde = { version = "1.0", features = ["derive"]}
 serde_cbor = "0.10.2"
--- a/coffer-companion/src/certificate.rs
+++ b/coffer-companion/src/certificate.rs
@ -13,5 +13,11 @@ pub fn generate_key(out: PathBuf) {
        .expect(&format!{"Could not create out file {}", &out.display()});
    writer.write_all(&cert).unwrap();
-
+}
 pub fn info(out: PathBuf) {
    let cert = Certificate::new_from_cbor(out).unwrap();
    println!{"Public Key: {}", hex::encode_upper(cert.public_key())}
    println!{"Secret Key: {}", hex::encode_upper(cert.secret_key())}
 }
--- a/coffer-companion/src/client.rs
+++ b/coffer-companion/src/client.rs
@ -0,0 +1,110 @@
 #[allow(unused_imports)]
 use log::{debug, error, info, trace, warn};
 use std::path::PathBuf;
 use std::convert::{TryFrom, TryInto};
 use std::net::{TcpStream};
 use std::io::{Write, Read};
 use coffer_common::certificate::Certificate;
 use coffer_common::coffer::CofferShard;
 use serde_cbor;
 pub fn print_get(out: PathBuf) {
    let cert = Certificate::new_from_cbor(out).unwrap();
    let hello = framed(0x00, cert.public_key());
    let get = framed(0x02, Vec::new());
    let bye = framed(0x99, Vec::new());
    let mut listener = TcpStream::connect("127.0.0.1:9187").unwrap();
    listener.write_all(&hello).unwrap();
    listener.write_all(&get).unwrap();
    let header = read_header(&mut listener).unwrap();
    let shard = read_message(header.0, &mut listener).unwrap();
    debug!{"Got encrypted shard {:?}", shard}
    listener.write_all(&bye).unwrap();
    let shard_clear = cert.open(&shard).unwrap();
    let shard_de = serde_cbor::from_slice::<CofferShard>(&shard_clear).unwrap();
    println!{"{:?}", shard_de}
 }
 fn framed(msg_type: u8, data: Vec<u8>) -> Vec<u8>
 {
    trace!{"Creating frame for type: {:?}, data: {:?}", msg_type, data}
    // TODO magic number
    let mut frame: Vec<u8> = Vec::with_capacity(data.len() + 72);
    unsafe {frame.set_len(8);}
    frame.splice(0..8, u64::try_from(data.len())
                 .unwrap()
                 .to_be_bytes()
                 .iter()
                 .cloned());
    frame.push(msg_type);
    frame.extend(&data);
    frame
 }
 fn read_header<T>(reader: &mut T) -> Option<(u64, u8)>
 where T: Read
 {
    let mut header: [u8; 9] = [0u8;9]; // header buffer
    match reader.read_exact(&mut header)
    {
        Ok(_) => debug!{"Read {} bytes for header", 9},
        Err(err) => {
            error!{"Error while reading header: {}", err}
            return None;
        }
    }
    trace!{"Header buffer {:?}", header}
    let msg_size: u64 = u64::from_be_bytes(
        header[0..8]
            .try_into()
            .unwrap());
    let msg_type: u8 = u8::from_be_bytes(
        header[8..9]
            .try_into()
            .unwrap());
    debug!{"Message size: {}, Message type: {}", msg_size, msg_type}
    Some((msg_size, msg_type))
 }
 fn read_message<T>(msg_size: u64, reader: &mut T) -> Option<Vec<u8>>
 where T: Read
 {
    // TODO: possible to use unallocated memory instead?
    // -> https://doc.rust-lang.org/beta/std/mem/union.MaybeUninit.html
    // TODO: 32 bit usize? Can't allocate a 64 bit length buffer anyway?
    let mut message = Vec::with_capacity(msg_size.try_into().unwrap());
    // need to set the size, because otherwise it is assumed to be 0, since
    // the vec is allocated but uninitialized at this point, we don't want to
    // pre-allocate a potentially huge buffer with 0x00, so unsafe set size.
    unsafe {message.set_len(msg_size.try_into().unwrap());}
    match reader.read_exact(&mut message)
    {
        Ok(_) => debug!{"Read {} bytes for message", msg_size},
        Err(err) => {
            error!{"Error while reading message: {}", err}
            return None;
        }
    }
    trace!{"Read message {:?}", message}
    Some(message)
 }
--- a/coffer-companion/src/encrypt.rs
+++ b/coffer-companion/src/encrypt.rs
@ -2,13 +2,16 @@ use coffer_common::certificate::Certificate;
 use std::path::PathBuf;
 use std::fs::File;
 use std::io::Read;
 use std::io::Write;
-use serde::Deserialize;
+#[allow(unused)]
 use serde_yaml;
 pub fn encrypt_yaml(yaml:PathBuf, out: PathBuf, certificate: PathBuf) {
    let cert = Certificate::new_from_cbor(certificate).unwrap();
    let mut secrets = Vec::new();
    File::open(yaml).unwrap().read_to_end(&mut secrets).unwrap();
-    let  
+    let sealed = cert.seal(&secrets).unwrap();
    let mut out_file = File::create(out).unwrap();
    out_file.write_all(&sealed);
 }
--- a/coffer-companion/src/main.rs
+++ b/coffer-companion/src/main.rs
@ -1,20 +1,27 @@
 use std::path::PathBuf;
 use structopt::StructOpt;
-mod generate;
+mod certificate;
 mod encrypt;
 mod client;
 #[derive(StructOpt, Debug)]
 enum Args {
    Certificate {
        #[structopt(short, long, parse(from_os_str))]
-        out: PathBuf
+        out: PathBuf,
        #[structopt(short, long)]
        info: bool,
    },
    Encrypt {
        #[structopt(short, long, parse(from_os_str))]
        certificate: PathBuf,
        #[structopt(short, long, parse(from_os_str))]
        yaml: PathBuf,
        #[structopt(short, long, parse(from_os_str))]
-        out: PathBuf,
+        out: PathBuf
    },
    Client {
        #[structopt(short, long, parse(from_os_str))]
        certificate: PathBuf,
    }
@ -24,7 +31,15 @@ fn main() {
    let args: Args = Args::from_args();
    match args {
-        Args::Certificate {out} => generate::generate_key(out),
+        Args::Certificate {out, info} => {
-        Args::Encrypt {yaml, out, certificate} => {}
+            if info {  certificate::info(out) }
            else { certificate::generate_key(out) }
        }
        Args::Encrypt {certificate, yaml, out} => {
            encrypt::encrypt_yaml(yaml, out, certificate)
        }
        Args::Client {certificate} => {
            client::print_get(certificate)
        }
    }
 }
--- a/coffer-server/Cargo.toml
+++ b/coffer-server/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "coffer-server"
-version = "0.2.0"
+version = "0.4.0"
 authors = ["Armin Friedl <dev@friedl.net>"]
 edition = "2018"
--- a/coffer-server/src/coffer_map.rs
+++ b/coffer-server/src/coffer_map.rs
@ -1,47 +1,91 @@
-//! A simple, thread-safe coffer implementation backed by a hash map
+//! Thread-safe coffer implementation backed by hash map
 #[allow(unused_imports)]
 use log::{debug, error, info, trace, warn};
 use std::sync::RwLock;
 use std::sync::RwLockReadGuard;
 use std::sync::RwLockWriteGuard;
 use std::collections::HashMap;
 use coffer_common::coffer::*;
-pub struct CofferMap {
+type ShardedCoffer = HashMap<String, HashMap<String, CofferValue>>;
-    coffer: RwLock<HashMap<CofferPath, CofferValue>>
+pub struct CofferMap(RwLock<ShardedCoffer>);
 }
 impl CofferMap {
    pub fn new() -> CofferMap {
-        CofferMap {
+        CofferMap(RwLock::new(HashMap::new()))
-            coffer: RwLock::new(HashMap::new())
+    }
-        }
+
    fn read(&self) -> RwLockReadGuard<'_, ShardedCoffer> {
        self.0.read().unwrap()
    }
    fn write(&self) -> RwLockWriteGuard<'_, ShardedCoffer> {
        self.0.write().unwrap()
    }
 }
 impl Coffer for CofferMap {
-    fn put(&mut self, path: CofferPath, value: CofferValue) -> CofferResult<()> {
+    fn put(&mut self, key: CofferKey, value: CofferValue) -> CofferResult<()> {
-        let mut lock = self.coffer.write().unwrap();
+        let mut lock = self.write();
-        match (*lock).contains_key(&path) {
+        match lock.get_mut(&key.shard) {
-            true => Err(CofferError::Msg("test")),
+            Some(shard) => {
-            false => {(*lock).insert(path, value); Ok(())}
+                if shard.contains_key(&key.key) { Err(CofferError::Msg("Key exists")) }
                else { shard.insert(key.key, value); Ok(()) }
            }
            None => {
                lock.insert(key.shard.clone(), HashMap::new());
                lock.get_mut(&key.shard).unwrap().insert(key.key, value);
                Ok(())
            }
        }
    }
-    fn push(&mut self, path: CofferPath, value: CofferValue) {
+    fn push(&mut self, key: CofferKey, value: CofferValue) {
-        let mut lock = self.coffer.write().unwrap();
+        let mut lock = self.write();
-        (*lock).insert(path, value);
+        match lock.get_mut(&key.shard) {
            Some(shard) => {
                shard.insert(key.key, value);
            }
            None => {
                lock.insert(key.shard.clone(), HashMap::new());
                lock.get_mut(&key.shard).unwrap().insert(key.key, value);
            }
        }
    }
-    fn get(&self, path: CofferPath) -> CofferResult<CofferValue> {
+    fn get(&self, key: &CofferKey) -> CofferResult<CofferValue> {
-        let lock = self.coffer.read().unwrap();
+        let lock = self.read();
-        (*lock).get(&path)
+        let res = lock.get(&key.shard)
-            .and_then(|v| Some(v.clone()))
+            .and_then( |shard| { shard.get(&key.key) } )
-            .ok_or(CofferError::Msg("Key not found"))
+            .ok_or(CofferError::Msg("Key not found"))?;
        Ok(res.clone())
    }
    fn get_shard<T>(&self, shard: T) -> CofferResult<CofferShard>
    where T: AsRef<str>
    {
        let lock = self.read();
        debug!{"Coffer {:?}", *lock}
        let coffer_shard = lock.get(shard.as_ref())
            .ok_or(CofferError::Msg("Shard not found"))?;
        let mut res = CofferShard(Vec::new());
        for (k,v) in coffer_shard {
            res.0.push((k.clone(), v.clone()));
        }
        Ok(res)
    }
 }
--- a/coffer-server/src/main.rs
+++ b/coffer-server/src/main.rs
@ -4,33 +4,36 @@ use log::{debug, error, info, trace, warn};
 use env_logger;
 use std::path::PathBuf;
 use std::fs::File;
 use std::io::{Read};
 use structopt::StructOpt;
 use std::net::SocketAddr;
 use coffer_common::certificate::Certificate;
 use coffer_common::keyring::Keyring;
 use coffer_common::coffer::Coffer;
 mod server;
 mod coffer_map;
 mod protocol;
-use server::ServerBuilder;
+use server::Server;
 use coffer_map::CofferMap;
 #[derive(StructOpt, Debug)]
 struct Args {
    /// Path to the server certificate. Will be deleted after processing.
    #[structopt(short, long, parse(from_os_str), env = "COFFER_SERVER_CERTIFICATE", hide_env_values = true)]
-    certificate: Option<PathBuf>,
+    certificate: PathBuf,
    /// Path to secrets file. Will be deleted after processing.
    /// Must be sealed by the public key of the server certificate
    #[structopt(short, long, parse(from_os_str), env = "COFFER_SERVER_SECRETS", hide_env_values = true)]
-    secrets: Option<PathBuf>,
+    secrets: PathBuf,
    /// Address, the coffer server should bind to
-    #[structopt(short, long, parse(try_from_str), env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")]
+    #[structopt(short, long, env = "COFFER_SERVER_ADDRESS", default_value = "127.0.0.1:9187")]
-    address: SocketAddr,
+    address: String, // unfortunately we have to take a opaque string here,
                     // since we can't parse a hostname otherwise.
                     // Parsers are not customizable yet in structopt
 }
 #[tokio::main]
@ -40,12 +43,23 @@ async fn main() {
    _print_banner();
-    let server = ServerBuilder::new()
+    // create keyring from server certificate
-        .with_keyring(args.certificate.and_then(|cert_path| Some(Keyring::new(Certificate::from(cert_path)))))
+    let mut keyring = Keyring::new_from_path(&args.certificate);
        .with_coffer(Some(CofferMap::new()))
        .build()
        .expect("Couldn't build server");
    // decrypt secrets file and put into coffer
    let mut secrets_file = File::open(&args.secrets).unwrap();
    let mut secrets_buf = Vec::new();
    secrets_file.read_to_end(&mut secrets_buf).unwrap();
    let secrets_buf_clear = String::from_utf8(keyring.open(&secrets_buf).unwrap()).unwrap();
    // read known client ids from secrets file
    keyring.add_known_keys_toml(&secrets_buf_clear).unwrap();
    // read secrets from secrets file
    let coffer = CofferMap::from_toml(&secrets_buf_clear);
    // start server
    let server = Server::new(keyring, coffer);
    server.run(args.address).await;
 }
--- a/coffer-server/src/protocol.rs
+++ b/coffer-server/src/protocol.rs
@ -2,23 +2,18 @@
 use log::{debug, error, info, trace, warn};
 use std::sync::Arc;
 use std::convert::{TryFrom, TryInto};
 use std::net::Shutdown;
-use tokio::io::{AsyncRead,
+use tokio::io::AsyncWriteExt;
                AsyncReadExt,
                AsyncWriteExt};
 use tokio::net::TcpStream;
 use tokio::sync::RwLock;
 use serde_cbor;
 use quick_error::quick_error;
-use coffer_common::coffer::{CofferValue,
+use coffer_common::coffer::Coffer;
                            CofferPath,
                            Coffer};
 use coffer_common::keyring::Keyring;
 use hex;
 quick_error! {
@ -38,25 +33,23 @@ quick_error! {
 enum State {
    Start,
    Link,
-    Error,
+    Bye,
    End
 }
 #[derive(Debug)]
 enum Request {
    Hello(Vec<u8>),
-    Put(Vec<u8>),
+    Get,
-    Get(Vec<u8>),
+    Bye
    Bye,
    Error
 }
 pub struct Protocol<C>
 where C: Coffer
 {
    stream: TcpStream,
-    coffer: Arc<RwLock<C>>,
+    coffer: Arc<C>,
-    keyring: Arc<RwLock<Keyring>>,
+    keyring: Arc<Keyring>,
    client: Option<Vec<u8>>,
    state: State
 }
@ -64,11 +57,7 @@ where C: Coffer
 impl<C> Protocol<C>
 where C: Coffer
 {
-    pub fn new(
+    pub fn new(stream: TcpStream, coffer: Arc<C>, keyring: Arc<Keyring>) -> Protocol<C>
        stream: TcpStream,
        coffer: Arc<RwLock<C>>,
        keyring: Arc<RwLock<Keyring>>
    ) -> Protocol<C>
    {
        let state = State::Start;
        let client = None;
@ -93,26 +82,71 @@ where C: Coffer
        // TODO restrict msg_size more, otherwise bad client could bring server
        //      to allocate vast amounts of memory
-        let (msg_size, msg_type) = Self::read_header(&mut reader).await
+        let (msg_size, msg_type) = frame::read_header(&mut reader).await
            .unwrap();
        // TODO only read message if message expected by message type
        //      currently relies on client sending good message
        //      (0x00 message size)
-        let message = Self::read_message(msg_size, &mut reader).await
+        let message = frame::read_message(msg_size, &mut reader).await
            .unwrap();
        match msg_type {
            0x00 => Request::Hello(message),
-            0x02 => Request::Put(message),
+            0x02 => Request::Get,
-            0x03 => Request::Get(message),
+            0x99 => Request::Bye,
-            0x63 => Request::Bye,
+            _ => panic!{"Invalid message type {}", msg_type}
            0xff => Request::Error,
               _ => Request::Error
        }
    }
-    async fn read_header<T>(reader: &mut T) -> Option<(u64, u8)>
+    async fn transit(&mut self, event: Request)
    {
        match (&self.state, event) {
            (State::Start, Request::Hello(pk)) => {
                debug!{"Reading public key"}
                self.client = Some(pk);
                self.state = State::Link;
            }
            (State::Link, Request::Get) => {
                debug!{"Writing response"}
                let shard_id = hex::encode_upper(self.client.as_ref().unwrap());
                let res = self.coffer
                    .get_shard(shard_id)
                    .unwrap();
                let response = self.keyring.seal(
                        &self.client.as_ref().unwrap(),
                        &serde_cbor::to_vec(&res).unwrap()
                    ).unwrap();
                // TODO magic number
                let frame = frame::framed(0x05u8, response).await;
                trace!{"OkGet Frame: {:?}", frame}
                // TODO Proper result handling
                self.stream.write_all(&frame).await.unwrap();
                self.stream.flush().await.unwrap();
                self.state = State::Bye;
            }
            (State::Link, Request::Bye) => self.state = State::End,
            (State::Bye, Request::Bye) => self.state = State::End,
            _ => self.state = State::End
        }
    }
 }
 mod frame {
    #[allow(unused_imports)]
    use log::{debug, error, info, trace, warn};
    use std::convert::{TryFrom, TryInto};
    use tokio::io::{AsyncRead, AsyncReadExt};
    pub async fn read_header<T>(reader: &mut T) -> Option<(u64, u8)>
    where T: AsyncRead + Unpin
    {
        let mut header: [u8; 9] = [0u8;9]; // header buffer
@ -141,7 +175,7 @@ where C: Coffer
        Some((msg_size, msg_type))
    }
-    async fn read_message<T>(msg_size: u64, reader: &mut T) -> Option<Vec<u8>>
+    pub async fn read_message<T>(msg_size: u64, reader: &mut T) -> Option<Vec<u8>>
    where T: AsyncRead + Unpin
    {
        // TODO: possible to use unallocated memory instead?
@ -166,80 +200,7 @@ where C: Coffer
        Some(message)
    }
-    async fn transit(&mut self, event: Request)
+    pub async fn framed(msg_type: u8, data: Vec<u8>) -> Vec<u8>
    {
        match (&self.state, event) {
            (State::Start, Request::Hello(pk)) => {
                debug!{"Reading public key"}
                self.keyring.write().await
                    .add_known_key(&pk)
                    .unwrap();
                self.client = Some(pk);
                self.state = State::Link;
            }
            (State::Link, Request::Get(req)) => {
                debug!{"Writing response"}
                let mut req: CofferPath =
                    serde_cbor::from_slice(
                        &self.keyring.read().await
                            .open(&req)
                            .unwrap()
                    ).unwrap();
                req.0.insert(0, hex::encode(self.client.as_ref().unwrap()));
                let res = self.coffer.read().await
                    .get(req)
                    .unwrap();
                let response = self.keyring.read().await
                    .seal(
                        &self.client.as_ref().unwrap(),
                        &serde_cbor::to_vec(&res).unwrap()
                    ).unwrap();
                // TODO magic number
                let frame = Self::framed(0x05u8, response).await;
                trace!{"OkGet Frame: {:?}", frame}
                // TODO Proper result handling
                self.stream.write_all(&frame).await.unwrap();
                self.state = State::Link;
            }
            (State::Link, Request::Put(put)) => {
                debug!{"Putting secrets"}
                let mut put: Vec<(CofferPath, CofferValue)> =
                    serde_cbor::from_slice(
                        &self.keyring.read().await
                            .open(&put)
                            .unwrap()
                    ).unwrap();
                let key_string = hex::encode(self.client.as_ref().unwrap());
                put.iter_mut().map( |(cp, _cv)| &mut cp.0)
                    .for_each(|cp| cp.insert(0, key_string.clone()));
                for (coffer_path, coffer_value) in put {
                    self.coffer.write().await
                        .put(coffer_path, coffer_value)
                        .unwrap();
                }
                self.state = State::Link;
            }
            (_, Request::Bye) => self.state = State::End,
            (_, Request::Error) => self.state = State::End,
            _ => self.state = State::End
        }
    }
    async fn framed(msg_type: u8, data: Vec<u8>) -> Vec<u8>
    {
        trace!{"Creating frame for type: {:?}, data: {:?}", msg_type, data}
@ -258,4 +219,5 @@ where C: Coffer
        frame
    }
 }
--- a/coffer-server/src/server.rs
+++ b/coffer-server/src/server.rs
@ -5,14 +5,13 @@ use quick_error::quick_error;
 use tokio::net::{TcpListener};
 use tokio::stream::StreamExt;
 use tokio::sync::RwLock;
 use std::net::{ToSocketAddrs, SocketAddr};
 use std::sync::Arc;
 use coffer_common::keyring::Keyring;
 use coffer_common::coffer::Coffer;
-use coffer_common::certificate::{Certificate, CertificateError};
+use coffer_common::certificate::CertificateError;
 use crate::protocol::Protocol;
@ -35,13 +34,19 @@ quick_error! {
 pub struct Server<C>
 where C: Coffer
 {
-    keyring: Arc<RwLock<Keyring>>,
+    keyring: Arc<Keyring>,
-    coffer: Arc<RwLock<C>>
+    coffer: Arc<C>
 }
-impl <C> Server<C>
+impl <C> Server <C>
 where C: Coffer + Send + Sync + 'static
 {
    pub fn new(keyring: Keyring, coffer: C) -> Self {
        Server { keyring: Arc::new(keyring),
                 coffer: Arc::new(coffer) }
    }
    pub async fn run<T>(self, addr: T)
    where T: ToSocketAddrs
    {
@ -70,6 +75,7 @@ where C: Coffer + Send + Sync + 'static
                        let coffer = self.coffer.clone();
                        let protocol = Protocol::new(tcp_stream, coffer, keyring);
                        tokio::spawn(async move {
                            protocol.run().await;
                        });
@ -84,43 +90,3 @@ where C: Coffer + Send + Sync + 'static
        server.await
    }
 }
 pub struct ServerBuilder<C>
 where C: Coffer
 {
    keyring: Option<Keyring>,
    coffer: Option<C>
 }
 impl <'a, C> ServerBuilder<C>
 where C: Coffer + Default
 {
    pub fn new() -> ServerBuilder<C> {
        ServerBuilder {
            keyring: None,
            coffer: None
        }
    }
    pub fn with_keyring(mut self, keyring: Option<Keyring>) -> ServerBuilder<C> {
        self.keyring = keyring;
        self
    }
    pub fn with_coffer(mut self, coffer: Option<C>) -> ServerBuilder<C> {
        self.coffer = coffer;
        self
    }
    pub fn build(self) -> Result<Server<C>, ServerError> {
        let keyring = match self.keyring {
            Some(k) => Arc::new(RwLock::new(k)),
            None => {let cert = Certificate::new()?;
                     Arc::new(RwLock::new(Keyring::new(cert)))}
        };
        let coffer = Arc::new(RwLock::new(self.coffer.unwrap_or_else(|| { C::default() } )));
        Ok(Server {keyring, coffer})
    }
 }
--- a/testcoffer/client.cert
+++ b/testcoffer/client.cert
--- a/testcoffer/client1.cert
+++ b/testcoffer/client1.cert
--- a/testcoffer/client2.cert
+++ b/testcoffer/client2.cert
--- a/testcoffer/coffer.enc
+++ b/testcoffer/coffer.enc
--- a/testcoffer/coffer.yaml
+++ b/testcoffer/coffer.yaml
@ -0,0 +1,15 @@
 [test]
 id = "F11C86D52A70977D866F813903BC73DB4CB8AC40249DF668475B1BFE48AD1E41"
 key1 = "secret1"
 key2 = "secret2"
 [clients]
 [client.1]
 id = "00E4A58C6905C2932F73F4D3AB449507E0166E53ED52F769721618F8C836E736"
 client1key1 = "client1secret"
 client1key2 = "client1secret2"
 [client.2]
 id = "D4A39CD8C4695A70F758252E9D877ACE24BD3DE98BC09E90C37C06F99061CD5B"
 client2key1 = "client2secret"
 client2key2 = "client2secret2"
--- a/testcoffer/no_keys_client.cert
+++ b/testcoffer/no_keys_client.cert
--- a/testcoffer/server.cert
+++ b/testcoffer/server.cert
		`@ -0,0 +1,2 @@`
							`*.enc filter=lfs diff=lfs merge=lfs -text`
							`*.cert filter=lfs diff=lfs merge=lfs -text`