diem_secure_storage/crypto_storage.rs
1// Copyright (c) The Diem Core Contributors
2// SPDX-License-Identifier: Apache-2.0
3
4// Copyright 2021 Conflux Foundation. All rights reserved.
5// Conflux is free software and distributed under GNU General Public License.
6// See http://www.gnu.org/licenses/
7
8use crate::Error;
9use diem_types::validator_config::{
10 ConsensusPrivateKey, ConsensusPublicKey, ConsensusSignature,
11};
12use enum_dispatch::enum_dispatch;
13use serde::{Deserialize, Serialize};
14
15/// CryptoStorage provides an abstraction for secure generation and handling of
16/// cryptographic keys.
17#[enum_dispatch]
18pub trait CryptoStorage {
19 /// Securely generates a new named Consensus private key. The behavior for
20 /// calling this interface multiple times with the same name is
21 /// implementation specific.
22 fn create_key(&mut self, name: &str) -> Result<ConsensusPublicKey, Error>;
23
24 /// Returns the Consensus private key stored at 'name'.
25 fn export_private_key(
26 &self, name: &str,
27 ) -> Result<ConsensusPrivateKey, Error>;
28
29 /// An optional API that allows importing private keys and storing them at
30 /// the provided name. This is not intended to be used in production and
31 /// the API may throw unimplemented if not used correctly. As this is
32 /// purely a testing API, there is no defined behavior for importing a
33 /// key for a given name if that name already exists. It only exists to
34 /// allow Diem to be run in test environments where a set of
35 /// deterministic keys must be generated.
36 fn import_private_key(
37 &mut self, name: &str, key: ConsensusPrivateKey,
38 ) -> Result<(), Error>;
39
40 /// Returns the Consensus private key stored at 'name' and identified by
41 /// 'version', which is the corresponding public key. This may fail even
42 /// if the 'named' key exists but the version is not present.
43 fn export_private_key_for_version(
44 &self, name: &str, version: ConsensusPublicKey,
45 ) -> Result<ConsensusPrivateKey, Error>;
46
47 /// Returns the Consensus public key stored at 'name'.
48 fn get_public_key(&self, name: &str) -> Result<PublicKeyResponse, Error>;
49
50 /// Returns the previous version of the Consensus public key stored at
51 /// 'name'. For the most recent version, see 'get_public_key(..)' above.
52 fn get_public_key_previous_version(
53 &self, name: &str,
54 ) -> Result<ConsensusPublicKey, Error>;
55
56 /// Rotates an Consensus private key. Future calls without version to this
57 /// 'named' key will return the rotated key instance. The previous key
58 /// is retained and can be accessed via the version. At most two
59 /// versions are expected to be retained.
60 fn rotate_key(&mut self, name: &str) -> Result<ConsensusPublicKey, Error>;
61
62 /// Signs the provided securely-hashable struct, using the 'named' private
63 /// key.
64 // The FQDNs on the next line help macros don't remove them
65 fn sign<T: diem_crypto::hash::CryptoHash + serde::Serialize>(
66 &self, name: &str, message: &T,
67 ) -> Result<ConsensusSignature, Error>;
68
69 /// Signs the provided securely-hashable struct, using the 'named' and
70 /// 'versioned' private key. This may fail even if the 'named' key
71 /// exists but the version is not present.
72 // The FQDNs on the next line help macros, don't remove them
73 fn sign_using_version<T: diem_crypto::hash::CryptoHash + serde::Serialize>(
74 &self, name: &str, version: ConsensusPublicKey, message: &T,
75 ) -> Result<ConsensusSignature, Error>;
76}
77
78#[derive(Debug, Deserialize, PartialEq, Serialize)]
79#[serde(tag = "data")]
80pub struct PublicKeyResponse {
81 /// Time since Unix Epoch in seconds.
82 pub last_update: u64,
83 /// ConsensusPublicKey stored at the provided key
84 pub public_key: ConsensusPublicKey,
85}