keyfork-shard: dynamic bit size for decrypted secret, up to 512 bits

keyfork-shard/src/bin/keyfork-shard-decrypt-openpgp.rs

@@ -92,7 +92,7 @@ fn run() -> Result<()> {
         .to_bytes();
 
     let share = decrypt_one(encrypted_messages.into(), &cert_list, encrypted_metadata)?;
-    assert_eq!(share.len(), 65, "non-constant share length");
+    assert!(share.len() <= 65, "invalid share length (too long)");
     const LEN: u8 = 24 * 3;
     let mut encrypted_payload = [(LEN - share.len() as u8); LEN as usize];
     encrypted_payload[..share.len()].copy_from_slice(&share);
@@ -100,12 +100,13 @@ fn run() -> Result<()> {
     let shared_key = Aes256Gcm::new_from_slice(&shared_secret)?;
     let bytes = shared_key.encrypt(their_nonce, share.as_slice()).unwrap();
 
+    // NOTE: Padding length is less than u8::MAX because 24 * 4 < u8::MAX
     const ENC_LEN: u8 = 24 * 4;
     let mut out_bytes = [(ENC_LEN - bytes.len() as u8); ENC_LEN as usize];
     assert!(bytes.len() < out_bytes.len(), "encrypted payload larger than acceptable limit");
     out_bytes[..bytes.len()].clone_from_slice(&bytes);
 
-    // safety: size of out_bytes is immutable and always % 32 == 0
+    // safety: size of out_bytes is constant and always % 4 == 0
     let mnemonic = unsafe { Mnemonic::from_raw_entropy(&out_bytes, Default::default()) };
 
     pm.prompt_message(&format!("Our payload: {mnemonic}"))?;