
canic_core/dto/auth/
proof.rs

1//! Module: dto::auth::proof
2//!
3//! Responsibility: delegated root proof, issuer proof, and active proof DTOs.
4//! Does not own: proof verification, key validation, or storage mapping.
5//! Boundary: passive proof contracts carried by delegated tokens and issuer installs.
6
7use super::{DelegatedRoleGrant, DelegationAudience};
8use crate::{dto::prelude::*, ids::BuildNetwork};
9
10//
11// RootProof
12//
13
/// Root-side proof variants carried in [`DelegationProof::root_proof`].
///
/// Only one scheme is defined. The type derives `Deserialize`, so a value
/// decoded from a caller is unverified input until the verification code
/// (which this module does not own) has accepted it.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum RootProof {
    /// Chain-key batch signature proof, version 1.
    IcChainKeyBatchSignatureV1(IcChainKeyBatchSignatureProofV1),
}
18
19//
20// RootProofMode
21//
22
/// Names a root proof scheme without carrying the proof itself.
///
/// Used by `RootKeyPolicyV1::proof_mode`,
/// `DelegatedAuthRegistrySnapshotV1::proof_mode` and
/// `DelegatedAuthIssuerPolicySnapshotV1::preferred_proof_mode`.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum RootProofMode {
    /// Chain-key batch scheme. Presumably pairs with
    /// `RootProof::IcChainKeyBatchSignatureV1` — confirm in the verifier.
    ChainKeyBatch,
}
27
28//
29// IssuerProof
30//
31
/// Issuer-side proof variants.
///
/// Only one scheme is defined. No other type in this file embeds
/// `IssuerProof`; where it travels is decided elsewhere.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum IssuerProof {
    /// Canister signature proof, version 1.
    IcCanisterSignatureV1(IcCanisterSignatureProofV1),
}
36
37//
38// IcCanisterSignatureProofV1
39//
40
/// Payload of `IssuerProof::IcCanisterSignatureV1`: a signature and the
/// public key offered with it, both as opaque bytes.
///
/// NOTE(review): both fields arrive together from the same sender. A verifier
/// presumably has to tie `public_key_der` to the expected issuer (for example
/// through `IssuerProofBinding`) rather than accept whatever key accompanies
/// the signature — confirm in the verification code.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct IcCanisterSignatureProofV1 {
    /// Signature bytes; CBOR-encoded going by the field name — TODO confirm.
    pub signature_cbor: Vec<u8>,
    /// Public key bytes; DER-encoded going by the field name — TODO confirm.
    pub public_key_der: Vec<u8>,
}
46
47//
48// ChainKeyAlgorithm
49//
50
/// Signature algorithm identifier for chain-key root signatures.
///
/// A closed set with a single member, so an unknown algorithm name cannot be
/// represented by this type.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum ChainKeyAlgorithm {
    /// ECDSA over the secp256k1 curve.
    EcdsaSecp256k1,
}
55
56//
57// ChainKeyKeyId
58//
59
/// Identifies a chain key by name.
///
/// The name is a free-form `String`; this type places no restriction on its
/// length or contents.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ChainKeyKeyId {
    /// Key name as supplied by the producer of the value.
    pub name: String,
}
64
65//
66// RootKeyPolicyV1
67//
68
/// Policy record describing a root chain key and the limits attached to it.
///
/// A passive DTO: nothing here enforces the thresholds or the time window.
/// NOTE(review): the `min_accepted_*` fields look like rollback floors and
/// `valid_from_ns` / `accept_until_ns` like an acceptance window in
/// nanoseconds — confirm against the verifier, including which clock it
/// compares them with.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootKeyPolicyV1 {
    /// Principal of the root canister this policy belongs to.
    pub root_canister_id: Principal,
    /// Root proof scheme named by this policy.
    pub proof_mode: RootProofMode,
    /// Signature algorithm of the root key.
    pub algorithm: ChainKeyAlgorithm,
    /// Name of the chain key.
    pub key_id: ChainKeyKeyId,
    // 32-byte digest. `ChainKeyRootSignatureV1` carries a full
    // `derivation_path`; presumably this is its hash — the hash function and
    // path encoding are not defined in this file.
    pub derivation_path_hash: [u8; 32],
    // Raw public key bytes; the encoding is not defined in this file.
    pub public_key: Vec<u8>,
    /// Version number of the key described by this policy.
    pub key_version: u64,
    pub min_accepted_key_version: u64,
    pub min_accepted_proof_epoch: u64,
    pub min_accepted_registry_epoch: u64,
    pub max_revocation_latency_ns: u64,
    pub valid_from_ns: u64,
    pub accept_until_ns: u64,
    /// Network the build targets, as defined by `crate::ids::BuildNetwork`.
    pub build_network: BuildNetwork,
}
86
87//
88// DelegatedAuthRegistrySnapshotV1
89//
90
/// Snapshot of the delegated-auth registry: one root plus its per-issuer
/// policies.
///
/// NOTE(review): `ChainKeyBatchHeaderV1` and `ChainKeyDelegationCertV1` carry
/// a `registry_epoch` and a `registry_hash`; presumably that hash commits to
/// a snapshot of this shape — confirm how it is computed.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegatedAuthRegistrySnapshotV1 {
    /// Schema version tag of this snapshot.
    pub schema_version: u16,
    /// Principal of the root canister the snapshot describes.
    pub root_canister_id: Principal,
    /// Epoch counter of the registry state captured here.
    pub registry_epoch: u64,
    /// Root proof scheme named by the snapshot.
    pub proof_mode: RootProofMode,
    // 32-byte digest; presumably of a `RootKeyPolicyV1` — TODO confirm.
    pub root_key_policy_hash: [u8; 32],
    // One entry per issuer. The list length is not bounded by this type.
    pub issuer_policies: Vec<DelegatedAuthIssuerPolicySnapshotV1>,
}
100
101//
102// DelegatedAuthIssuerPolicySnapshotV1
103//
104
/// Policy entry for a single issuer canister; the element type of
/// `DelegatedAuthRegistrySnapshotV1::issuer_policies`.
///
/// NOTE(review): `ChainKeyDelegationCertV1` carries its own `audience`,
/// `grants`, `max_token_ttl_ns` and `issuer_proof_binding_hash`. Presumably a
/// verifier checks those against the limits recorded here and rejects issuers
/// with `enabled == false` — this DTO enforces none of that.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegatedAuthIssuerPolicySnapshotV1 {
    /// Principal of the issuer canister this entry applies to.
    pub issuer_canister_id: Principal,
    /// Whether the issuer is enabled.
    pub enabled: bool,
    /// Root proof scheme preferred for this issuer.
    pub preferred_proof_mode: RootProofMode,
    /// Audiences listed as allowed for this issuer.
    pub allowed_audiences: Vec<DelegationAudience>,
    /// Role grants listed as allowed for this issuer.
    pub allowed_grants: Vec<DelegatedRoleGrant>,
    // The `_ns` suffix suggests nanoseconds — TODO confirm.
    pub max_root_proof_ttl_ns: u64,
    pub max_token_ttl_ns: u64,
    /// Issuer proof scheme recorded for this issuer.
    pub issuer_proof_algorithm: IssuerProofAlgorithm,
    // 32-byte digests; what they are computed over is not defined in this file.
    pub issuer_proof_binding_hash: [u8; 32],
    pub renewal_template_hash: [u8; 32],
}
118
119//
120// IcChainKeyBatchSignatureProofV1
121//
122
/// Payload of `RootProof::IcChainKeyBatchSignatureV1`: batch header,
/// delegation certificate, witness and root signature.
///
/// NOTE(review): several values are carried more than once and decode
/// independently. `header` and `delegation_cert` both hold
/// `root_canister_id`, `proof_epoch`, `registry_epoch` and `registry_hash`;
/// `header` and `signature` both hold `algorithm` and `key_id`. A verifier
/// presumably has to check that the copies agree before relying on any of
/// them — confirm in the verification code.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct IcChainKeyBatchSignatureProofV1 {
    /// Header describing the signed batch.
    pub header: ChainKeyBatchHeaderV1,
    /// Delegation certificate for one issuer.
    pub delegation_cert: ChainKeyDelegationCertV1,
    // Sibling-hash steps; presumably link `delegation_cert` to
    // `header.tree_root` — TODO confirm.
    pub issuer_witness: ChainKeyBatchWitnessV1,
    /// Root signature material.
    pub signature: ChainKeyRootSignatureV1,
}
130
131//
132// ChainKeyBatchHeaderV1
133//
134
/// Header of a chain-key batch, carried in
/// `IcChainKeyBatchSignatureProofV1::header`.
///
/// NOTE(review): `RootKeyPolicyV1` has matching `algorithm`, `key_id`,
/// `derivation_path_hash` and `key_version` fields plus `min_accepted_*`
/// floors; presumably the header is compared against that policy. Which bytes
/// of the header the root signature covers is not defined in this file.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ChainKeyBatchHeaderV1 {
    /// Schema version tag of this header.
    pub schema_version: u16,
    /// Principal of the root canister named by the batch.
    pub root_canister_id: Principal,
    /// 32-byte batch identifier.
    pub batch_id: [u8; 32],
    pub proof_epoch: u64,
    pub registry_epoch: u64,
    pub registry_hash: [u8; 32],
    // Presumably the root hash that `ChainKeyBatchWitnessV1` steps fold up
    // to — TODO confirm.
    pub tree_root: [u8; 32],
    // Validity bounds; the `_ns` suffix suggests nanoseconds — TODO confirm.
    pub not_before_ns: u64,
    pub expires_at_ns: u64,
    /// Signature algorithm named by the header.
    pub algorithm: ChainKeyAlgorithm,
    /// Chain key named by the header.
    pub key_id: ChainKeyKeyId,
    pub derivation_path_hash: [u8; 32],
    pub key_version: u64,
}
151
152//
153// ChainKeyDelegationCertV1
154//
155
/// Delegation certificate carried inside a chain-key batch proof
/// (`IcChainKeyBatchSignatureProofV1::delegation_cert`).
///
/// NOTE(review): the certificate holds both `issuer_proof_binding` and
/// `issuer_proof_binding_hash`. Because both decode from the same input, the
/// hash adds assurance only if the verifier recomputes it from the binding
/// and compares — confirm that it does.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ChainKeyDelegationCertV1 {
    /// Principal of the delegating root canister.
    pub root_canister_id: Principal,
    /// Principal of the issuer canister being delegated to.
    pub issuer_canister_id: Principal,
    pub proof_epoch: u64,
    /// Issuer proof scheme named by the certificate.
    pub issuer_proof_algorithm: IssuerProofAlgorithm,
    pub issuer_proof_binding_hash: [u8; 32],
    pub issuer_proof_binding: IssuerProofBinding,
    // The `_ns` suffix suggests nanoseconds — TODO confirm.
    pub max_token_ttl_ns: u64,
    /// Audience named by the certificate.
    pub audience: DelegationAudience,
    /// Role grants named by the certificate.
    pub grants: Vec<DelegatedRoleGrant>,
    pub not_before_ns: u64,
    pub expires_at_ns: u64,
    pub registry_epoch: u64,
    pub registry_hash: [u8; 32],
}
172
173//
174// ChainKeyRootSignatureV1
175//
176
/// Root signature material: the signature bytes plus the key description
/// that accompanies them.
///
/// NOTE(review): `public_key` travels inside the proof, next to the signature
/// it is meant to check. `RootKeyPolicyV1` also records a `public_key` and a
/// `derivation_path_hash`; a verifier should presumably take the trusted key
/// from that policy and treat the copy here as a claim to compare — confirm
/// in the verification code.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ChainKeyRootSignatureV1 {
    /// Signature algorithm claimed for `signature`.
    pub algorithm: ChainKeyAlgorithm,
    /// Chain key claimed for `signature`.
    pub key_id: ChainKeyKeyId,
    // Path segments as byte strings; neither the segment count nor the
    // segment length is bounded by this type.
    pub derivation_path: Vec<Vec<u8>>,
    // Raw public key bytes; the encoding is not defined in this file.
    pub public_key: Vec<u8>,
    // Raw signature bytes; the encoding is not defined in this file.
    pub signature: Vec<u8>,
}
185
186//
187// ChainKeyBatchWitnessV1
188//
189
/// Ordered list of witness steps, carried in
/// `IcChainKeyBatchSignatureProofV1::issuer_witness`.
///
/// NOTE(review): the list length is not bounded by this type, and the value
/// can be decoded from a caller. Confirm that the decoder or verifier caps
/// the number of steps before hashing over them.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ChainKeyBatchWitnessV1 {
    // Order presumably runs from leaf to root — TODO confirm.
    pub steps: Vec<ChainKeyBatchWitnessStepV1>,
}
194
195//
196// ChainKeyBatchWitnessStepV1
197//
198
/// One step of a `ChainKeyBatchWitnessV1`: a 32-byte value tagged with a
/// side.
///
/// Presumably the value is a sibling hash and the variant says on which side
/// it is combined with the running hash — TODO confirm against the verifier.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum ChainKeyBatchWitnessStepV1 {
    /// 32-byte sibling value on the left.
    LeftSibling([u8; 32]),
    /// 32-byte sibling value on the right.
    RightSibling([u8; 32]),
}
204
205//
206// IssuerProofAlgorithm
207//
208
/// Names an issuer proof scheme without carrying the proof itself.
///
/// The single variant shares its name with the variants of `IssuerProof` and
/// `IssuerProofBinding`.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum IssuerProofAlgorithm {
    /// Canister signature scheme, version 1.
    IcCanisterSignatureV1,
}
213
214//
215// IssuerProofBinding
216//
217
/// Per-scheme binding data placed in delegation certificates
/// (`ChainKeyDelegationCertV1` and `DelegationCert`).
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum IssuerProofBinding {
    // 32-byte digest; presumably of the canister-signature seed — the hash
    // function and input are not defined in this file.
    IcCanisterSignatureV1 { seed_hash: [u8; 32] },
}
222
223//
224// DelegationCert
225//
226
/// Delegation certificate carried in [`DelegationProof::cert`].
///
/// It overlaps with `ChainKeyDelegationCertV1` under shorter field names
/// (`root_pid`, `issuer_pid`, `issuer_proof_alg`, `aud`), adds `issued_at_ns`
/// and omits the proof and registry epoch fields.
///
/// NOTE(review): a `DelegationProof` whose `root_proof` is
/// `RootProof::IcChainKeyBatchSignatureV1` therefore contains two
/// certificates. How they relate is not defined in this file; confirm that
/// the verifier checks this certificate against the one covered by the root
/// proof, so that audience, grants and expiry cannot differ between them.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationCert {
    /// Principal of the delegating root canister.
    pub root_pid: Principal,
    /// Principal of the issuer canister being delegated to.
    pub issuer_pid: Principal,
    /// Issuer proof scheme named by the certificate.
    pub issuer_proof_alg: IssuerProofAlgorithm,
    pub issuer_proof_binding_hash: [u8; 32],
    pub issuer_proof_binding: IssuerProofBinding,
    // The `_ns` suffix suggests nanoseconds — TODO confirm.
    pub issued_at_ns: u64,
    pub not_before_ns: u64,
    pub expires_at_ns: u64,
    pub max_token_ttl_ns: u64,
    /// Audience named by the certificate.
    pub aud: DelegationAudience,
    /// Role grants named by the certificate.
    pub grants: Vec<DelegatedRoleGrant>,
}
241
242//
243// DelegationProof
244//
245
/// A delegation certificate together with the root proof offered for it.
///
/// This is the payload of `InstallActiveDelegationProofRequest`, so it can
/// arrive from a caller. Pairing the two fields in one value does not show
/// that `root_proof` covers `cert`; that is for the verification code, which
/// this module does not own.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationProof {
    /// The certificate being asserted.
    pub cert: DelegationCert,
    /// The root proof offered for `cert`.
    pub root_proof: RootProof,
}
251
252//
253// ActiveDelegationProof
254//
255
/// A `DelegationProof` plus installation metadata.
///
/// NOTE(review): `not_before_ns` and `expires_at_ns` also exist on
/// `proof.cert`. Presumably the installer fills the copies here, and
/// `cert_hash`, from the certificate after verification rather than from
/// caller input — confirm. The install request type carries only the proof,
/// none of this metadata.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ActiveDelegationProof {
    /// The installed proof.
    pub proof: DelegationProof,
    // 32-byte digest; presumably of `proof.cert` — hash function and encoding
    // are not defined in this file.
    pub cert_hash: [u8; 32],
    // The `_ns` suffix suggests nanoseconds — TODO confirm.
    pub not_before_ns: u64,
    pub expires_at_ns: u64,
    pub refresh_after_ns: u64,
    pub installed_at_ns: u64,
    /// Principal recorded as having installed the proof.
    pub installed_by: Principal,
}
266
267//
268// InstallActiveDelegationProofRequest
269//
270
/// Request to install a delegation proof.
///
/// The caller supplies only the proof. Hash, timestamps and installer
/// identity are fields of `ActiveDelegationProof` and are not part of this
/// request.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct InstallActiveDelegationProofRequest {
    /// Proof to install; unverified at the point it is decoded.
    pub proof: DelegationProof,
}
275
276//
277// InstallActiveDelegationProofResponse
278//
279
/// Response to an install request, returning the resulting active proof
/// record in full.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct InstallActiveDelegationProofResponse {
    /// The active proof record, including the proof and its install metadata.
    pub active_proof: ActiveDelegationProof,
}
284
285//
286// ActiveDelegationProofStatus
287//
288
/// Coarse state of the active delegation proof, reported in
/// `ActiveDelegationProofStatusResponse::status`.
///
/// The conditions that select each variant are decided outside this module.
/// Presumably they follow the `not_before_ns`, `refresh_after_ns` and
/// `expires_at_ns` fields of `ActiveDelegationProof` — TODO confirm.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum ActiveDelegationProofStatus {
    /// No active proof.
    Missing,
    /// Active proof is usable.
    Valid,
    /// Active proof should be refreshed.
    RefreshNeeded,
    /// Active proof has expired.
    Expired,
}
296
297//
298// ActiveDelegationProofStatusResponse
299//
300
/// Status report for the active delegation proof.
///
/// Exposes identifiers, the certificate hash and timing fields, but not the
/// proof itself. Every field other than `status` is optional; presumably they
/// are `None` when `status` is `Missing` — TODO confirm with the producer.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ActiveDelegationProofStatusResponse {
    /// Coarse state of the active proof.
    pub status: ActiveDelegationProofStatus,
    /// Root canister principal, when reported.
    pub root_pid: Option<Principal>,
    /// Issuer canister principal, when reported.
    pub issuer_pid: Option<Principal>,
    /// 32-byte certificate hash, when reported.
    pub cert_hash: Option<[u8; 32]>,
    // The `_ns` suffix suggests nanoseconds — TODO confirm.
    pub expires_at_ns: Option<u64>,
    pub refresh_after_ns: Option<u64>,
}