diem_secure_storage/crypto_storage.rs
1// Copyright (c) The Diem Core Contributors
2// SPDX-License-Identifier: Apache-2.0
3
4// Copyright 2021 Conflux Foundation. All rights reserved.
5// Conflux is free software and distributed under GNU General Public License.
6// See http://www.gnu.org/licenses/
7
8use crate::Error;
9use diem_types::validator_config::{
10 ConsensusPrivateKey, ConsensusPublicKey, ConsensusSignature,
11};
12use serde::{Deserialize, Serialize};
13
/// CryptoStorage provides an abstraction for secure generation and handling of
/// cryptographic keys.
///
/// Keys are addressed by a caller-chosen `name`. Where a method takes a
/// `version`, that version is the public key corresponding to the private key
/// being requested.
///
/// Security note: the `export_private_key*` methods hand private key material
/// to the caller, whereas `sign` / `sign_using_version` take only the key name
/// (and version) and return a signature. Callers that only need a signature
/// can use the signing methods and never receive the private key.
pub trait CryptoStorage {
    /// Securely generates a new named Consensus private key. The behavior for
    /// calling this interface multiple times with the same name is
    /// implementation specific.
    ///
    /// NOTE(review): because same-name behavior is implementation specific,
    /// callers should not assume that an existing key under `name` is either
    /// preserved or rejected; confirm against the backend in use.
    fn create_key(&mut self, name: &str) -> Result<ConsensusPublicKey, Error>;

    /// Returns the Consensus private key stored at 'name'.
    ///
    /// The returned value is the private key itself, so after this call the
    /// key material is held by the caller rather than only by the storage
    /// backend. Where only a signature is needed, `sign` avoids that.
    fn export_private_key(
        &self, name: &str,
    ) -> Result<ConsensusPrivateKey, Error>;

    /// An optional API that allows importing private keys and storing them at
    /// the provided name. This is not intended to be used in production and
    /// the API may throw unimplemented if not used correctly. As this is
    /// purely a testing API, there is no defined behavior for importing a
    /// key for a given name if that name already exists. It only exists to
    /// allow Diem to be run in test environments where a set of
    /// deterministic keys must be generated.
    ///
    /// NOTE(review): this is a required method with no test-only gate visible
    /// in this declaration, so the "testing only" restriction is enforced by
    /// convention here. A production-facing implementation would have to
    /// refuse the call itself.
    fn import_private_key(
        &mut self, name: &str, key: ConsensusPrivateKey,
    ) -> Result<(), Error>;

    /// Returns the Consensus private key stored at 'name' and identified by
    /// 'version', which is the corresponding public key. This may fail even
    /// if the 'named' key exists but the version is not present.
    ///
    /// As with `export_private_key`, the private key itself is returned to
    /// the caller.
    fn export_private_key_for_version(
        &self, name: &str, version: ConsensusPublicKey,
    ) -> Result<ConsensusPrivateKey, Error>;

    /// Returns the Consensus public key stored at 'name', wrapped in a
    /// `PublicKeyResponse` that also carries a `last_update` timestamp.
    fn get_public_key(&self, name: &str) -> Result<PublicKeyResponse, Error>;

    /// Returns the previous version of the Consensus public key stored at
    /// 'name'. For the most recent version, see 'get_public_key(..)' above.
    fn get_public_key_previous_version(
        &self, name: &str,
    ) -> Result<ConsensusPublicKey, Error>;

    /// Rotates a Consensus private key. Future calls without version to this
    /// 'named' key will return the rotated key instance. The previous key
    /// is retained and can be accessed via the version. At most two
    /// versions are expected to be retained.
    ///
    /// Because the previous key is retained, rotation as described here does
    /// not by itself retire the old private key: it stays reachable through
    /// `export_private_key_for_version` and `sign_using_version` for as long
    /// as the implementation keeps that version.
    fn rotate_key(&mut self, name: &str) -> Result<ConsensusPublicKey, Error>;

    /// Signs the provided securely-hashable struct, using the 'named' private
    /// key.
    ///
    /// Only the signature is returned; the private key is referenced by name
    /// and is not part of the result.
    // The FQDNs on the next line help macros, don't remove them
    fn sign<T: diem_crypto::hash::CryptoHash + serde::Serialize>(
        &self, name: &str, message: &T,
    ) -> Result<ConsensusSignature, Error>;

    /// Signs the provided securely-hashable struct, using the 'named' and
    /// 'versioned' private key. This may fail even if the 'named' key
    /// exists but the version is not present.
    ///
    /// 'version' is the public key corresponding to the private key that
    /// should sign, as for `export_private_key_for_version`.
    // The FQDNs on the next line help macros, don't remove them
    fn sign_using_version<T: diem_crypto::hash::CryptoHash + serde::Serialize>(
        &self, name: &str, version: ConsensusPublicKey, message: &T,
    ) -> Result<ConsensusSignature, Error>;
}
75
/// Result type of `CryptoStorage::get_public_key`: a public key together with
/// a timestamp.
///
/// Contains public data only; no private key material is carried here.
// NOTE(review): on a struct, serde's `tag` container attribute adds a field
// with the given key (`data` here) holding the struct name when serializing.
// Confirm that this matches the format the consumers of this type expect.
#[derive(Debug, Deserialize, PartialEq, Serialize)]
#[serde(tag = "data")]
pub struct PublicKeyResponse {
    /// Time since Unix Epoch in seconds.
    // NOTE(review): presumably the time the key was last created or rotated;
    // the declaration does not say which event updates it. TODO confirm.
    pub last_update: u64,
    /// ConsensusPublicKey stored at the provided key
    pub public_key: ConsensusPublicKey,
}