lightning_storage_server/client/
auth.rs

1use bitcoin_hashes::sha256::Hash as Sha256Hash;
2use bitcoin_hashes::Hash;
3use secp256k1::ecdh::SharedSecret;
4use secp256k1::{PublicKey, SecretKey};
5
6/// A non-priviledged authentication token.
7/// This token cannot be used for HMAC operations, so is suitable
8/// for an untrusted proxy.
9pub struct Auth {
10    /// Client pubkey
11    pub client_id: PublicKey,
12    /// SHA256 of ECDH of client and server keys
13    pub token: Vec<u8>,
14}
15
16impl Auth {
17    pub fn auth_token(&self) -> Vec<u8> {
18        self.token.clone()
19    }
20}
21
22/// A priviledged authentication token.
23/// This allows authentication to the server and also performing HMAC operations.
24/// For non-privileged access, use [`Auth`].
25#[derive(Clone)]
26pub struct PrivAuth {
27    /// Client pubkey
28    pub client_id: PublicKey,
29    /// ECDH of client and server keys
30    pub shared_secret: Vec<u8>,
31}
32
33impl PrivAuth {
34    pub fn new_for_client(client_key: &SecretKey, server_id: &PublicKey) -> Self {
35        let secp = secp256k1::Secp256k1::new();
36        let shared_secret = SharedSecret::new(server_id, client_key).secret_bytes().to_vec();
37        let client_id = PublicKey::from_secret_key(&secp, client_key);
38        Self { client_id, shared_secret }
39    }
40
41    pub fn new_for_server(server_key: &SecretKey, client_id: &PublicKey) -> Self {
42        let shared_secret = SharedSecret::new(client_id, server_key).secret_bytes().to_vec();
43        Self { client_id: client_id.clone(), shared_secret }
44    }
45
46    /// Unpriviledged authentication token
47    pub fn auth(&self) -> Auth {
48        let token = self.auth_token();
49        Auth { client_id: self.client_id.clone(), token }
50    }
51
52    /// SHA256 of shared_secret
53    pub fn auth_token(&self) -> Vec<u8> {
54        Sha256Hash::hash(&self.shared_secret).to_vec()
55    }
56}
lightning_storage_server/client/auth.rs

lightning_storage_server/client/
auth.rs
