affinidi-secrets-resolver 0.5.5

Common utilities for Affinidi Trust Development Kit.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

//! ML-DSA (FIPS 204) Secret generation.
//!
//! Private material is stored as the 32-byte seed `xi`. Public material is
//! the FIPS 204 encoded verifying key. No JWK representation is defined by
//! W3C `di-quantum-safe`, so `SecretMaterial::JWK` is not produced for these
//! keys — callers should use `from_multibase` / `get_*_keymultibase` instead.

use affinidi_crypto::KeyType;
use base64::{Engine, prelude::BASE64_URL_SAFE_NO_PAD};
use rand::{TryRng, rngs::SysRng};

use crate::secrets::{Secret, SecretMaterial, SecretType};

fn random_kid() -> String {
    BASE64_URL_SAFE_NO_PAD.encode(SysRng.try_next_u64().unwrap().to_ne_bytes())
}

impl Secret {
    /// Creates a random ML-DSA-44 signing key pair.
    /// `kid`: Key ID, if none specified a random value is assigned.
    /// `seed`: Optional 32-byte seed (xi) for deterministic generation.
    pub fn generate_ml_dsa_44(kid: Option<&str>, seed: Option<&[u8; 32]>) -> Self {
        let kp = affinidi_crypto::ml_dsa::generate_ml_dsa_44(seed);
        Secret {
            id: kid.map(str::to_string).unwrap_or_else(random_kid),
            type_: SecretType::Multikey,
            secret_material: SecretMaterial::PrivateKeyMultibase(String::new()),
            private_bytes: kp.private_bytes,
            public_bytes: kp.public_bytes,
            key_type: KeyType::MlDsa44,
        }
    }

    /// Creates a random ML-DSA-65 signing key pair.
    pub fn generate_ml_dsa_65(kid: Option<&str>, seed: Option<&[u8; 32]>) -> Self {
        let kp = affinidi_crypto::ml_dsa::generate_ml_dsa_65(seed);
        Secret {
            id: kid.map(str::to_string).unwrap_or_else(random_kid),
            type_: SecretType::Multikey,
            secret_material: SecretMaterial::PrivateKeyMultibase(String::new()),
            private_bytes: kp.private_bytes,
            public_bytes: kp.public_bytes,
            key_type: KeyType::MlDsa65,
        }
    }

    /// Creates a random ML-DSA-87 signing key pair.
    pub fn generate_ml_dsa_87(kid: Option<&str>, seed: Option<&[u8; 32]>) -> Self {
        let kp = affinidi_crypto::ml_dsa::generate_ml_dsa_87(seed);
        Secret {
            id: kid.map(str::to_string).unwrap_or_else(random_kid),
            type_: SecretType::Multikey,
            secret_material: SecretMaterial::PrivateKeyMultibase(String::new()),
            private_bytes: kp.private_bytes,
            public_bytes: kp.public_bytes,
            key_type: KeyType::MlDsa87,
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn generate_ml_dsa_44_deterministic() {
        let a = Secret::generate_ml_dsa_44(Some("k1"), Some(&[1u8; 32]));
        let b = Secret::generate_ml_dsa_44(Some("k1"), Some(&[1u8; 32]));
        assert_eq!(a.public_bytes, b.public_bytes);
        assert_eq!(a.private_bytes.len(), 32);
        assert_eq!(a.public_bytes.len(), 1312);
    }
}