cyphr 0.1.0

Cyphr self-sovereign identity protocol
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

//! Key type with lifecycle tracking.

use coz::Thumbprint;

/// Revocation information for a key.
#[derive(Debug, Clone)]
pub struct Revocation {
    /// Revocation timestamp (SPEC `rvk` field).
    pub rvk: i64,
    /// Thumbprint of key that performed revocation (None = self-revoke).
    pub by: Option<Thumbprint>,
}

/// Cyphr key with lifecycle tracking.
///
/// Extends the Coz key concept with Cyphr-specific fields for
/// tracking when keys were added, last used, and revoked.
#[derive(Debug, Clone)]
pub struct Key {
    /// Algorithm identifier (e.g., "ES256").
    pub alg: String,
    /// Key thumbprint.
    pub tmb: Thumbprint,
    /// Public key bytes.
    pub pub_key: Vec<u8>,
    /// When this key was first added to the principal.
    pub first_seen: i64,
    /// When this key last signed a valid coz/action.
    pub last_used: Option<i64>,
    /// Revocation info (None = active).
    pub revocation: Option<Revocation>,
    /// Optional human-readable label.
    pub tag: Option<String>,
}

impl Key {
    /// Returns true if the key is currently active (not revoked).
    pub fn is_active(&self) -> bool {
        self.revocation.is_none()
    }

    /// Returns true if the key was active at the given timestamp.
    ///
    /// Critical for validating historical cozies.
    pub fn is_active_at(&self, timestamp: i64) -> bool {
        self.revocation.as_ref().is_none_or(|r| timestamp < r.rvk)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    fn make_key(revocation: Option<Revocation>) -> Key {
        Key {
            alg: "ES256".to_string(),
            tmb: Thumbprint::from_bytes(vec![0u8; 32]),
            pub_key: vec![0u8; 64],
            first_seen: 1000,
            last_used: None,
            revocation,
            tag: None,
        }
    }

    #[test]
    fn is_active_no_revocation() {
        let key = make_key(None);
        assert!(key.is_active());
    }

    #[test]
    fn is_active_with_revocation() {
        let key = make_key(Some(Revocation {
            rvk: 2000,
            by: None,
        }));
        assert!(!key.is_active());
    }

    #[test]
    fn is_active_at_no_revocation() {
        let key = make_key(None);
        // Always active when not revoked
        assert!(key.is_active_at(0));
        assert!(key.is_active_at(1000));
        assert!(key.is_active_at(i64::MAX));
    }

    #[test]
    fn is_active_at_before_revocation() {
        let key = make_key(Some(Revocation {
            rvk: 2000,
            by: None,
        }));
        // Active before revocation time
        assert!(key.is_active_at(1999));
        assert!(key.is_active_at(0));
    }

    #[test]
    fn is_active_at_after_revocation() {
        let key = make_key(Some(Revocation {
            rvk: 2000,
            by: None,
        }));
        // Not active at or after revocation time (SPEC: now >= rvk is invalid)
        assert!(!key.is_active_at(2000));
        assert!(!key.is_active_at(2001));
    }
}