1use super::{DelegatedRoleGrant, DelegationAudience};
8use crate::{dto::prelude::*, ids::BuildNetwork};
9
/// Proof that a delegation certificate was authorized by the root authority.
///
/// Versioned by variant: only the chain-key batch-signature scheme exists
/// today. Code that `match`es on this enum gets a compile error when a new
/// proof format is added, which is the intended forcing function for
/// verifiers to handle the new format explicitly.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum RootProof {
    IcChainKeyBatchSignatureV1(IcChainKeyBatchSignatureProofV1),
}
18
/// Selects which [`RootProof`] format a root produces / an issuer requests.
///
/// Payload-free mirror of the [`RootProof`] variants; used in policy and
/// registry records (`RootKeyPolicyV1::proof_mode`,
/// `DelegatedAuthIssuerPolicySnapshotV1::preferred_proof_mode`).
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum RootProofMode {
    ChainKeyBatch,
}
27
/// Proof produced by an issuer canister (as opposed to the root).
///
/// Only IC canister signatures are supported. The variant carries the raw
/// proof material; see [`IcCanisterSignatureProofV1`] for trust caveats.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum IssuerProof {
    IcCanisterSignatureV1(IcCanisterSignatureProofV1),
}
36
/// An IC canister-signature proof as presented by (or on behalf of) an issuer.
///
/// Both fields are opaque byte strings chosen by whoever presents the proof
/// and must be treated as untrusted input until verified:
/// - `signature_cbor`: the canister signature itself (CBOR-encoded; exact
///   layout is the verifier's concern).
/// - `public_key_der`: the DER-encoded canister-signature public key. Such
///   keys embed the signing canister id and a seed, so a verifier should
///   check that the embedded canister id is the expected issuer and that the
///   seed matches the pinned [`IssuerProofBinding`] `seed_hash`, rather than
///   accept any key under which `signature_cbor` happens to verify.
///   TODO(review): confirm that check exists in the verification path.
///
/// Neither field is length-bounded by this type; decode-size limits are
/// presumably enforced by the Candid decoder configuration — confirm.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct IcCanisterSignatureProofV1 {
    pub signature_cbor: Vec<u8>,
    pub public_key_der: Vec<u8>,
}
46
/// Signature algorithm of the root's chain key.
///
/// Only ECDSA over secp256k1 is defined. The algorithm named in a proof
/// must match the one pinned in [`RootKeyPolicyV1`]; it is not a hint.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum ChainKeyAlgorithm {
    EcdsaSecp256k1,
}
55
/// Identifies a chain key by name (e.g. the key name passed to the
/// threshold-signing API — presumably; confirm against the signer).
///
/// Free-form string; comparisons against the pinned policy value should be
/// exact byte equality, with no normalization.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ChainKeyKeyId {
    pub name: String,
}
64
/// The relying party's pinned trust anchor for root proofs.
///
/// Everything needed to judge a [`ChainKeyRootSignatureV1`] lives here so
/// that no security-relevant value has to be taken from the proof itself.
/// Field intent (names are descriptive; enforcement lives in the verifier —
/// confirm each check there):
/// - `root_canister_id`, `build_network`: which root, on which network,
///   this policy is for.
/// - `proof_mode`, `algorithm`, `key_id`, `derivation_path_hash`,
///   `public_key`: the expected signing key. A proof whose key fields differ
///   should be rejected; in particular the `public_key` carried inside a
///   proof must never override this one.
/// - `key_version` / `min_accepted_key_version`: current key version and
///   the oldest version still accepted (rotation floor).
/// - `min_accepted_proof_epoch`, `min_accepted_registry_epoch`: rollback
///   floors for batch proofs and registry snapshots respectively.
/// - `max_revocation_latency_ns`: presumably bounds how stale an accepted
///   view may be relative to revocations — confirm how it is applied.
/// - `valid_from_ns` / `accept_until_ns`: lifetime of this policy itself.
///
/// All `*_ns` fields are nanosecond timestamps; the clock they are compared
/// against is not fixed by this type (presumably IC time — confirm the
/// verifier uses the same source for every comparison).
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct RootKeyPolicyV1 {
    pub root_canister_id: Principal,
    pub proof_mode: RootProofMode,
    pub algorithm: ChainKeyAlgorithm,
    pub key_id: ChainKeyKeyId,
    pub derivation_path_hash: [u8; 32],
    pub public_key: Vec<u8>,
    pub key_version: u64,
    pub min_accepted_key_version: u64,
    pub min_accepted_proof_epoch: u64,
    pub min_accepted_registry_epoch: u64,
    pub max_revocation_latency_ns: u64,
    pub valid_from_ns: u64,
    pub accept_until_ns: u64,
    pub build_network: BuildNetwork,
}
86
/// A point-in-time snapshot of a root's delegated-auth registry.
///
/// - `schema_version`: wire-format version of the snapshot.
/// - `root_canister_id`, `registry_epoch`: which root, and a counter that is
///   assumed monotonic per root (it is what
///   `RootKeyPolicyV1::min_accepted_registry_epoch` is compared against).
/// - `proof_mode`: the root-proof format in force for this registry.
/// - `root_key_policy_hash`: binds the snapshot to one [`RootKeyPolicyV1`].
/// - `issuer_policies`: every issuer the root knows about, enabled or not.
///
/// The `registry_hash` seen in batch headers and delegation certs is
/// presumably a hash over this struct. TODO(review): confirm the canonical
/// encoding used for that hash — an ambiguous encoding would let two
/// different registries share a hash.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegatedAuthRegistrySnapshotV1 {
    pub schema_version: u16,
    pub root_canister_id: Principal,
    pub registry_epoch: u64,
    pub proof_mode: RootProofMode,
    pub root_key_policy_hash: [u8; 32],
    pub issuer_policies: Vec<DelegatedAuthIssuerPolicySnapshotV1>,
}
100
/// Per-issuer policy as recorded in a registry snapshot.
///
/// - `issuer_canister_id`: the issuer this entry governs.
/// - `enabled`: a disabled issuer's certificates should be refused even if
///   their root proof still verifies (enforcement is the verifier's —
///   confirm).
/// - `preferred_proof_mode`: which root-proof format the issuer asks for.
/// - `allowed_audiences` / `allowed_grants`: the ceiling for what a
///   [`ChainKeyDelegationCertV1`] for this issuer may contain; a cert's
///   `audience` / `grants` are expected to be within these sets.
/// - `max_root_proof_ttl_ns` / `max_token_ttl_ns`: upper bounds on the
///   lifetime of root proofs and of tokens the issuer mints.
/// - `issuer_proof_algorithm` / `issuer_proof_binding_hash`: how the issuer
///   signs, and a commitment to the key material it is pinned to.
/// - `renewal_template_hash`: opaque here; presumably commits to the shape
///   of the issuer's renewal request — TODO(review): confirm.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegatedAuthIssuerPolicySnapshotV1 {
    pub issuer_canister_id: Principal,
    pub enabled: bool,
    pub preferred_proof_mode: RootProofMode,
    pub allowed_audiences: Vec<DelegationAudience>,
    pub allowed_grants: Vec<DelegatedRoleGrant>,
    pub max_root_proof_ttl_ns: u64,
    pub max_token_ttl_ns: u64,
    pub issuer_proof_algorithm: IssuerProofAlgorithm,
    pub issuer_proof_binding_hash: [u8; 32],
    pub renewal_template_hash: [u8; 32],
}
118
/// Root proof that a delegation certificate is a leaf of a signed batch.
///
/// Shape of the argument (the verification order itself is the verifier's
/// concern — confirm there): `delegation_cert` hashes to a leaf,
/// `issuer_witness` walks that leaf up to `header.tree_root`, and
/// `signature` is the root key's signature over (presumably) the encoded
/// `header`. Because one signature covers the whole batch, the witness is
/// what scopes it down to this single cert — a verifier that checks the
/// signature but not the witness accepts any cert. Leaf and interior-node
/// hashing must be domain-separated to rule out the classic Merkle
/// second-preimage construction. TODO(review): confirm in the hashing code.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct IcChainKeyBatchSignatureProofV1 {
    pub header: ChainKeyBatchHeaderV1,
    pub delegation_cert: ChainKeyDelegationCertV1,
    pub issuer_witness: ChainKeyBatchWitnessV1,
    pub signature: ChainKeyRootSignatureV1,
}
130
/// Header of a chain-key batch — the part the root signature covers.
///
/// - `schema_version`: wire-format version of the header.
/// - `root_canister_id`, `batch_id`: producing root and a 32-byte batch id
///   (uniqueness is presumably the root's responsibility).
/// - `proof_epoch`: assumed monotonic; compared against
///   `RootKeyPolicyV1::min_accepted_proof_epoch`.
/// - `registry_epoch` / `registry_hash`: the registry snapshot the batch was
///   built against. Both are repeated in every [`ChainKeyDelegationCertV1`];
///   a verifier should require the two copies to agree, since the header is
///   the value most directly covered by the signature.
/// - `tree_root`: Merkle root that a [`ChainKeyBatchWitnessV1`] must reach.
/// - `not_before_ns` / `expires_at_ns`: validity window of the batch. The
///   issuer policy's `max_root_proof_ttl_ns` presumably bounds their
///   difference — confirm.
/// - `algorithm`, `key_id`, `derivation_path_hash`, `key_version`: identify
///   the signing key and should equal the pinned [`RootKeyPolicyV1`] values
///   (with `key_version >= min_accepted_key_version`).
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ChainKeyBatchHeaderV1 {
    pub schema_version: u16,
    pub root_canister_id: Principal,
    pub batch_id: [u8; 32],
    pub proof_epoch: u64,
    pub registry_epoch: u64,
    pub registry_hash: [u8; 32],
    pub tree_root: [u8; 32],
    pub not_before_ns: u64,
    pub expires_at_ns: u64,
    pub algorithm: ChainKeyAlgorithm,
    pub key_id: ChainKeyKeyId,
    pub derivation_path_hash: [u8; 32],
    pub key_version: u64,
}
151
/// One leaf of a chain-key batch: the root's statement that
/// `issuer_canister_id` may issue tokens for `audience` carrying `grants`.
///
/// The fields mirror the issuer's [`DelegatedAuthIssuerPolicySnapshotV1`]
/// and are expected to stay within its limits (`audience` among
/// `allowed_audiences`, `grants` within `allowed_grants`, `max_token_ttl_ns`
/// no larger than the policy's). Both `issuer_proof_binding_hash` and the
/// full `issuer_proof_binding` are carried; a verifier should recompute the
/// hash from the binding rather than trust the presented one.
/// `proof_epoch`, `registry_epoch` and `registry_hash` repeat the batch
/// header values and should match them exactly. `not_before_ns` /
/// `expires_at_ns` are the cert's own window, which need not coincide with
/// the batch window.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ChainKeyDelegationCertV1 {
    pub root_canister_id: Principal,
    pub issuer_canister_id: Principal,
    pub proof_epoch: u64,
    pub issuer_proof_algorithm: IssuerProofAlgorithm,
    pub issuer_proof_binding_hash: [u8; 32],
    pub issuer_proof_binding: IssuerProofBinding,
    pub max_token_ttl_ns: u64,
    pub audience: DelegationAudience,
    pub grants: Vec<DelegatedRoleGrant>,
    pub not_before_ns: u64,
    pub expires_at_ns: u64,
    pub registry_epoch: u64,
    pub registry_hash: [u8; 32],
}
172
/// The root's signature over a batch header, plus the key it claims to be
/// from.
///
/// `algorithm`, `key_id`, `derivation_path` and `public_key` all arrive on
/// the wire and are attacker-controllable. They let a verifier name the
/// signing key, but acceptance must come from comparing them with the pinned
/// [`RootKeyPolicyV1`] — including hashing `derivation_path` and comparing
/// it to the policy's `derivation_path_hash` — never from verifying
/// `signature` under whatever `public_key` is presented. Signature encoding
/// (raw `r || s` vs. DER) and low-`s` normalization are not fixed by this
/// type; TODO(review): confirm the verifier pins one encoding so the same
/// signature cannot be presented in several byte forms.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ChainKeyRootSignatureV1 {
    pub algorithm: ChainKeyAlgorithm,
    pub key_id: ChainKeyKeyId,
    pub derivation_path: Vec<Vec<u8>>,
    pub public_key: Vec<u8>,
    pub signature: Vec<u8>,
}
185
/// Merkle inclusion path from a cert leaf up to
/// `ChainKeyBatchHeaderV1::tree_root`.
///
/// `steps` is assumed to run leaf-to-root (inferred from the step variant
/// names — confirm against the walker). The depth is unbounded by the type;
/// a decode- or verify-time cap on `steps.len()` is the usual guard against
/// deliberately deep witnesses burning cycles.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ChainKeyBatchWitnessV1 {
    pub steps: Vec<ChainKeyBatchWitnessStepV1>,
}
194
/// One level of a Merkle witness: the sibling hash and which side it is on.
///
/// Presumably `LeftSibling(h)` yields `parent = H(h || current)` and
/// `RightSibling(h)` yields `parent = H(current || h)` — confirm the
/// concatenation order in the hashing code. The side is what fixes the
/// leaf's position in the tree and must not be ignored by the walker.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum ChainKeyBatchWitnessStepV1 {
    LeftSibling([u8; 32]),
    RightSibling([u8; 32]),
}
204
/// Algorithm an issuer uses to sign; payload-free mirror of [`IssuerProof`].
///
/// Recorded in issuer policy and delegation certs so a verifier can reject
/// an [`IssuerProof`] variant that does not match what the root pinned.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum IssuerProofAlgorithm {
    IcCanisterSignatureV1,
}
213
/// Key-material binding for an issuer proof.
///
/// For `IcCanisterSignatureV1` the issuer is pinned by the hash of the seed
/// behind its canister-signature key. A presented
/// `IcCanisterSignatureProofV1::public_key_der` should resolve to the same
/// seed hash (and the expected canister id); TODO(review): confirm the
/// verifier performs that comparison.
#[derive(CandidType, Clone, Copy, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum IssuerProofBinding {
    IcCanisterSignatureV1 { seed_hash: [u8; 32] },
}
222
/// Issuer-facing delegation certificate.
///
/// Carries the same authorization statement as [`ChainKeyDelegationCertV1`]
/// under shorter names (`root_pid`, `issuer_pid`, `aud`, ...), adds an
/// `issued_at_ns`, and omits the proof-epoch / registry-epoch /
/// registry-hash fields. When paired with a root proof in
/// [`DelegationProof`], the verifier presumably checks that these fields
/// agree with the cert embedded in the proof — the types do not enforce
/// that relationship. `ActiveDelegationProof::cert_hash` is presumably a
/// hash over this struct; confirm the canonical encoding.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationCert {
    pub root_pid: Principal,
    pub issuer_pid: Principal,
    pub issuer_proof_alg: IssuerProofAlgorithm,
    pub issuer_proof_binding_hash: [u8; 32],
    pub issuer_proof_binding: IssuerProofBinding,
    pub issued_at_ns: u64,
    pub not_before_ns: u64,
    pub expires_at_ns: u64,
    pub max_token_ttl_ns: u64,
    pub aud: DelegationAudience,
    pub grants: Vec<DelegatedRoleGrant>,
}
241
/// A [`DelegationCert`] together with the [`RootProof`] that backs it.
///
/// `cert` on its own is just a claim; `root_proof` is what ties it to the
/// root key. Consumers should not act on `cert` until `root_proof` has been
/// verified against the pinned [`RootKeyPolicyV1`] and the two have been
/// checked for agreement.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DelegationProof {
    pub cert: DelegationCert,
    pub root_proof: RootProof,
}
251
/// The delegation proof currently installed on an issuer, with the
/// bookkeeping recorded at install time.
///
/// - `proof`: the installed cert + root proof.
/// - `cert_hash`: identifier for `proof.cert`.
/// - `not_before_ns` / `expires_at_ns`: effective validity window
///   (presumably the intersection of the cert and batch windows — confirm).
/// - `refresh_after_ns`: when the issuer should start fetching a
///   replacement; expected to be earlier than `expires_at_ns`.
/// - `installed_at_ns` / `installed_by`: audit fields — who called install
///   and when. They are recorded, not checked, by this type; caller
///   authorization for the install endpoint lives elsewhere.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ActiveDelegationProof {
    pub proof: DelegationProof,
    pub cert_hash: [u8; 32],
    pub not_before_ns: u64,
    pub expires_at_ns: u64,
    pub refresh_after_ns: u64,
    pub installed_at_ns: u64,
    pub installed_by: Principal,
}
266
/// Request body for installing a new active delegation proof on an issuer.
///
/// The proof is untrusted input at this point; the handler is expected to
/// fully verify it (and authorize the caller) before it becomes the
/// [`ActiveDelegationProof`].
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct InstallActiveDelegationProofRequest {
    pub proof: DelegationProof,
}
275
/// Response to [`InstallActiveDelegationProofRequest`]: echoes the proof as
/// installed, including the derived window and audit fields.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct InstallActiveDelegationProofResponse {
    pub active_proof: ActiveDelegationProof,
}
284
/// Lifecycle state of an issuer's active delegation proof.
///
/// `Missing`: nothing installed. `Valid`: usable. `RefreshNeeded`: still
/// usable but past `refresh_after_ns` (assumed from the field names —
/// confirm). `Expired`: past `expires_at_ns`; should no longer be relied on.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub enum ActiveDelegationProofStatus {
    Missing,
    Valid,
    RefreshNeeded,
    Expired,
}
296
/// Status query result for an issuer's active delegation proof.
///
/// The `Option` fields are presumably `None` only when `status` is
/// `Missing` and populated otherwise — the type does not enforce this, so
/// callers should branch on `status` first. Only identifiers and timestamps
/// are exposed, not the proof material itself.
#[derive(CandidType, Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ActiveDelegationProofStatusResponse {
    pub status: ActiveDelegationProofStatus,
    pub root_pid: Option<Principal>,
    pub issuer_pid: Option<Principal>,
    pub cert_hash: Option<[u8; 32]>,
    pub expires_at_ns: Option<u64>,
    pub refresh_after_ns: Option<u64>,
}