phalanx_crypto/
key_manager.rs

1//! Advanced key management for Phalanx Protocol
2//! 
3//! Provides enterprise-grade key lifecycle management, rotation scheduling,
4//! backup/recovery, and security compliance features.
5
6use crate::{
7    Identity, PublicKey, 
8    error::{PhalanxError, Result},
9    crypto::{SymmetricKey, derive_phalanx_key, contexts},
10    message::{GroupMessage, MessageContent},
11};
12use std::collections::{HashMap, BTreeMap, HashSet};
13use std::time::{SystemTime, Duration, UNIX_EPOCH};
14use tokio::sync::{RwLock, Mutex};
15use serde::{Serialize, Deserialize};
16use tracing::{debug, info, warn, error, instrument};
17use async_trait::async_trait;
18
19/// Advanced key manager for Phalanx groups
20pub struct AdvancedKeyManager {
21    /// Current active keys by group
22    active_keys: RwLock<HashMap<[u8; 32], KeySet>>,
23    /// Key rotation schedules
24    rotation_schedules: RwLock<HashMap<[u8; 32], RotationSchedule>>,
25    /// Key backup storage
26    backup_storage: RwLock<Box<dyn KeyBackupStorage>>,
27    /// Key derivation cache
28    derivation_cache: RwLock<HashMap<KeyDerivationRequest, CachedKey>>,
29    /// Security policies
30    security_policies: RwLock<SecurityPolicies>,
31    /// Key usage statistics
32    usage_stats: RwLock<HashMap<[u8; 32], KeyUsageStats>>,
33    /// Pending key operations
34    pending_operations: Mutex<Vec<PendingKeyOperation>>,
35    /// HSM integration (if available)
36    hsm_provider: Option<Box<dyn HsmProvider>>,
37}
38
39/// Complete key set for a group
40#[derive(Debug, Clone, Serialize, Deserialize)]
41pub struct KeySet {
42    /// Current encryption key
43    pub current_key: EncryptionKeyInfo,
44    /// Previous keys for decryption
45    pub previous_keys: BTreeMap<u64, EncryptionKeyInfo>,
46    /// Key exchange keys by member
47    pub member_keys: HashMap<[u8; 32], MemberKeyInfo>,
48    /// Root key for derivation
49    pub root_key: RootKeyInfo,
50    /// Key metadata
51    pub metadata: KeyMetadata,
52}
53
54/// Information about an encryption key
55#[derive(Debug, Clone, Serialize, Deserialize)]
56pub struct EncryptionKeyInfo {
57    /// Key sequence number
58    pub sequence: u64,
59    /// Symmetric encryption key
60    pub key: SymmetricKey,
61    /// Key creation timestamp
62    pub created_at: SystemTime,
63    /// Key expiration timestamp
64    pub expires_at: Option<SystemTime>,
65    /// Key derivation info
66    pub derivation: KeyDerivation,
67    /// Usage statistics
68    pub usage_count: u64,
69    /// Security level
70    pub security_level: SecurityLevel,
71}
72
73/// Information about a member's keys
74#[derive(Debug, Clone, Serialize, Deserialize)]
75pub struct MemberKeyInfo {
76    /// Member public key
77    pub public_key: PublicKey,
78    /// Key exchange public key
79    pub kx_public_key: [u8; 32],
80    /// Shared secrets with this member
81    pub shared_secrets: HashMap<u64, [u8; 32]>,
82    /// Member key status
83    pub status: MemberKeyStatus,
84    /// Last key update
85    pub last_updated: SystemTime,
86}
87
88/// Root key information for key derivation
89#[derive(Debug, Clone, Serialize, Deserialize)]
90pub struct RootKeyInfo {
91    /// Root key identifier
92    pub key_id: [u8; 32],
93    /// Key derivation parameters
94    pub derivation_params: KeyDerivationParams,
95    /// Root key creation time
96    pub created_at: SystemTime,
97    /// Root key version
98    pub version: u32,
99    /// Security classification
100    pub classification: SecurityClassification,
101}
102
103/// Key metadata for management
104#[derive(Debug, Clone, Serialize, Deserialize)]
105pub struct KeyMetadata {
106    /// Group identifier
107    pub group_id: [u8; 32],
108    /// Key set version
109    pub version: u64,
110    /// Creation timestamp
111    pub created_at: SystemTime,
112    /// Last rotation timestamp
113    pub last_rotation: Option<SystemTime>,
114    /// Rotation policy
115    pub rotation_policy: RotationPolicy,
116    /// Backup policy
117    pub backup_policy: BackupPolicy,
118    /// Compliance tags
119    pub compliance_tags: HashSet<String>,
120}
121
122/// Key rotation schedule
123#[derive(Debug, Clone, Serialize, Deserialize)]
124pub struct RotationSchedule {
125    /// Next rotation time
126    pub next_rotation: SystemTime,
127    /// Rotation interval
128    pub interval: Duration,
129    /// Automatic rotation enabled
130    pub auto_rotate: bool,
131    /// Rotation policy
132    pub policy: RotationPolicy,
133    /// Retry configuration
134    pub retry_config: RetryConfig,
135}
136
137/// Key rotation policy
138#[derive(Debug, Clone, Serialize, Deserialize)]
139pub struct RotationPolicy {
140    /// Maximum key age before forced rotation
141    pub max_key_age: Duration,
142    /// Maximum usage count before rotation
143    pub max_usage_count: u64,
144    /// Rotation trigger conditions
145    pub triggers: HashSet<RotationTrigger>,
146    /// Pre-rotation notification time
147    pub notification_time: Duration,
148    /// Emergency rotation capability
149    pub emergency_rotation: bool,
150}
151
152/// Key backup policy
153#[derive(Debug, Clone, Serialize, Deserialize)]
154pub struct BackupPolicy {
155    /// Backup enabled
156    pub enabled: bool,
157    /// Backup frequency
158    pub frequency: Duration,
159    /// Retention period
160    pub retention_period: Duration,
161    /// Encryption for backups
162    pub backup_encryption: BackupEncryption,
163    /// Backup verification
164    pub verify_backups: bool,
165    /// Geographic distribution
166    pub geo_distribution: Option<GeoDistribution>,
167}
168
169/// Security policies for key management
170#[derive(Debug, Clone, Serialize, Deserialize)]
171pub struct SecurityPolicies {
172    /// Minimum key strength
173    pub min_key_strength: SecurityLevel,
174    /// Required compliance frameworks
175    pub compliance_frameworks: HashSet<ComplianceFramework>,
176    /// Key escrow requirements
177    pub key_escrow: Option<KeyEscrowPolicy>,
178    /// Audit requirements
179    pub audit_policy: AuditPolicy,
180    /// Access control policies
181    pub access_control: AccessControlPolicy,
182}
183
184/// Key usage statistics
185#[derive(Debug, Clone, Default, Serialize, Deserialize)]
186pub struct KeyUsageStats {
187    /// Total operations
188    pub total_operations: u64,
189    /// Encryption operations
190    pub encryption_count: u64,
191    /// Decryption operations
192    pub decryption_count: u64,
193    /// Key derivation operations
194    pub derivation_count: u64,
195    /// First use timestamp
196    pub first_used: Option<SystemTime>,
197    /// Last use timestamp
198    pub last_used: Option<SystemTime>,
199    /// Bytes processed
200    pub bytes_processed: u64,
201    /// Error count
202    pub error_count: u64,
203}
204
205/// Pending key operation
206#[derive(Debug, Clone, Serialize, Deserialize)]
207pub struct PendingKeyOperation {
208    /// Operation ID
209    pub operation_id: [u8; 32],
210    /// Group ID
211    pub group_id: [u8; 32],
212    /// Operation type
213    pub operation: KeyOperation,
214    /// Scheduled execution time
215    pub scheduled_at: SystemTime,
216    /// Operation priority
217    pub priority: OperationPriority,
218    /// Retry count
219    pub retry_count: u32,
220    /// Dependencies
221    pub dependencies: Vec<[u8; 32]>,
222}
223
224/// Key derivation request for caching
225#[derive(Debug, Clone, Hash, PartialEq, Eq)]
226pub struct KeyDerivationRequest {
227    /// Base key identifier
228    pub base_key_id: [u8; 32],
229    /// Derivation context
230    pub context: String,
231    /// Additional parameters
232    pub params: Vec<u8>,
233}
234
235/// Cached derived key
236#[derive(Debug, Clone)]
237pub struct CachedKey {
238    /// Derived key
239    pub key: SymmetricKey,
240    /// Cache timestamp
241    pub cached_at: SystemTime,
242    /// Cache TTL
243    pub ttl: Duration,
244    /// Usage count since cached
245    pub usage_count: u64,
246}
247
248/// Types of key operations
249#[derive(Debug, Clone, Serialize, Deserialize)]
250pub enum KeyOperation {
251    /// Rotate group keys
252    Rotate {
253        /// New key sequence
254        sequence: u64,
255        /// Rotation reason
256        reason: RotationReason,
257    },
258    /// Generate new keys
259    Generate {
260        /// Key type
261        key_type: KeyType,
262        /// Security level
263        security_level: SecurityLevel,
264    },
265    /// Backup keys
266    Backup {
267        /// Backup destination
268        destination: BackupDestination,
269        /// Include historical keys
270        include_history: bool,
271    },
272    /// Restore keys
273    Restore {
274        /// Restore source
275        source: BackupSource,
276        /// Restore point
277        restore_point: SystemTime,
278    },
279    /// Derive keys
280    Derive {
281        /// Derivation context
282        context: String,
283        /// Parameters
284        params: HashMap<String, Vec<u8>>,
285    },
286    /// Clean up old keys
287    Cleanup {
288        /// Cutoff time
289        cutoff_time: SystemTime,
290        /// Preserve count
291        preserve_count: u32,
292    },
293}
294
295/// Various enums and supporting types
296#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
297pub enum RotationTrigger {
298    TimeExpired,
299    UsageExceeded,
300    SecurityBreach,
301    MembershipChange,
302    ComplianceRequirement,
303    ManualRequest,
304    EmergencyRotation,
305}
306
307#[derive(Debug, Clone, Serialize, Deserialize)]
308pub enum RotationReason {
309    Scheduled,
310    Emergency,
311    Compromise,
312    Compliance,
313    MembershipChange,
314    Manual,
315}
316
317#[derive(Debug, Clone, Serialize, Deserialize)]
318pub enum KeyType {
319    Encryption,
320    Authentication,
321    KeyExchange,
322    Derivation,
323}
324
325#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
326pub enum SecurityLevel {
327    Standard,
328    High,
329    Critical,
330    TopSecret,
331}
332
333#[derive(Debug, Clone, Serialize, Deserialize)]
334pub enum MemberKeyStatus {
335    Active,
336    Revoked,
337    Expired,
338    Pending,
339}
340
341#[derive(Debug, Clone, Serialize, Deserialize)]
342pub enum SecurityClassification {
343    Public,
344    Internal,
345    Confidential,
346    Secret,
347    TopSecret,
348}
349
350#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
351pub enum ComplianceFramework {
352    FIPS140_2,
353    CommonCriteria,
354    NIST,
355    ISO27001,
356    SOX,
357    GDPR,
358    HIPAA,
359}
360
361#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
362pub enum OperationPriority {
363    Low,
364    Normal,
365    High,
366    Emergency,
367}
368
369/// Supporting structures
370#[derive(Debug, Clone, Serialize, Deserialize)]
371pub struct KeyDerivation {
372    pub method: DerivationMethod,
373    pub parameters: HashMap<String, Vec<u8>>,
374    pub context: String,
375}
376
377#[derive(Debug, Clone, Serialize, Deserialize)]
378pub struct KeyDerivationParams {
379    pub method: DerivationMethod,
380    pub salt: [u8; 32],
381    pub iterations: u32,
382    pub key_length: usize,
383}
384
385#[derive(Debug, Clone, Serialize, Deserialize)]
386pub enum DerivationMethod {
387    HKDF,
388    PBKDF2,
389    Scrypt,
390    Argon2,
391}
392
393#[derive(Debug, Clone, Serialize, Deserialize)]
394pub struct RetryConfig {
395    pub max_retries: u32,
396    pub base_delay: Duration,
397    pub max_delay: Duration,
398    pub backoff_multiplier: f64,
399}
400
401#[derive(Debug, Clone, Serialize, Deserialize)]
402pub struct BackupEncryption {
403    pub enabled: bool,
404    pub key_id: Option<[u8; 32]>,
405    pub cipher: String,
406}
407
408#[derive(Debug, Clone, Serialize, Deserialize)]
409pub struct GeoDistribution {
410    pub regions: Vec<String>,
411    pub min_replicas: u32,
412    pub consistency_level: ConsistencyLevel,
413}
414
415#[derive(Debug, Clone, Serialize, Deserialize)]
416pub enum ConsistencyLevel {
417    Eventual,
418    Strong,
419    Linearizable,
420}
421
422#[derive(Debug, Clone, Serialize, Deserialize)]
423pub struct KeyEscrowPolicy {
424    pub enabled: bool,
425    pub trustees: Vec<String>,
426    pub threshold: u32,
427    pub escrow_duration: Duration,
428}
429
430#[derive(Debug, Clone, Serialize, Deserialize)]
431pub struct AuditPolicy {
432    pub enabled: bool,
433    pub log_all_operations: bool,
434    pub retention_period: Duration,
435    pub compliance_reporting: bool,
436}
437
438#[derive(Debug, Clone, Serialize, Deserialize)]
439pub struct AccessControlPolicy {
440    pub require_authentication: bool,
441    pub multi_factor_auth: bool,
442    pub role_based_access: bool,
443    pub audit_access: bool,
444}
445
446#[derive(Debug, Clone, Serialize, Deserialize)]
447pub enum BackupDestination {
448    Local { path: String },
449    Remote { url: String, credentials: String },
450    HSM { module_id: String },
451    Cloud { provider: String, config: HashMap<String, String> },
452}
453
454#[derive(Debug, Clone, Serialize, Deserialize)]
455pub enum BackupSource {
456    Local { path: String },
457    Remote { url: String, credentials: String },
458    HSM { module_id: String },
459    Cloud { provider: String, config: HashMap<String, String> },
460}
461
462/// Trait for key backup storage
463#[async_trait]
464pub trait KeyBackupStorage: Send + Sync {
465    async fn store_backup(&self, group_id: [u8; 32], keyset: &KeySet, metadata: &BackupMetadata) -> Result<BackupId>;
466    async fn retrieve_backup(&self, backup_id: BackupId) -> Result<(KeySet, BackupMetadata)>;
467    async fn list_backups(&self, group_id: [u8; 32]) -> Result<Vec<BackupInfo>>;
468    async fn delete_backup(&self, backup_id: BackupId) -> Result<()>;
469    async fn verify_backup(&self, backup_id: BackupId) -> Result<bool>;
470}
471
472/// Trait for HSM integration
473#[async_trait]
474pub trait HsmProvider: Send + Sync {
475    async fn generate_key(&self, key_type: KeyType, security_level: SecurityLevel) -> Result<HsmKeyHandle>;
476    async fn derive_key(&self, base_key: HsmKeyHandle, context: &str, params: &[u8]) -> Result<HsmKeyHandle>;
477    async fn encrypt(&self, key_handle: HsmKeyHandle, plaintext: &[u8], aad: &[u8]) -> Result<Vec<u8>>;
478    async fn decrypt(&self, key_handle: HsmKeyHandle, ciphertext: &[u8], aad: &[u8]) -> Result<Vec<u8>>;
479    async fn export_key(&self, key_handle: HsmKeyHandle) -> Result<Vec<u8>>;
480    async fn import_key(&self, key_data: &[u8], key_type: KeyType) -> Result<HsmKeyHandle>;
481}
482
483/// Supporting types for backup and HSM
484pub type BackupId = [u8; 32];
485pub type HsmKeyHandle = String;
486
487#[derive(Debug, Clone, Serialize, Deserialize)]
488pub struct BackupMetadata {
489    pub backup_id: BackupId,
490    pub group_id: [u8; 32],
491    pub created_at: SystemTime,
492    pub version: u64,
493    pub encryption: BackupEncryption,
494    pub compression: bool,
495    pub integrity_hash: [u8; 32],
496}
497
498#[derive(Debug, Clone, Serialize, Deserialize)]
499pub struct BackupInfo {
500    pub backup_id: BackupId,
501    pub created_at: SystemTime,
502    pub size: u64,
503    pub version: u64,
504    pub verified: bool,
505}
506
507impl Default for SecurityPolicies {
508    fn default() -> Self {
509        Self {
510            min_key_strength: SecurityLevel::Standard,
511            compliance_frameworks: HashSet::new(),
512            key_escrow: None,
513            audit_policy: AuditPolicy {
514                enabled: true,
515                log_all_operations: false,
516                retention_period: Duration::from_secs(365 * 24 * 3600), // 1 year
517                compliance_reporting: false,
518            },
519            access_control: AccessControlPolicy {
520                require_authentication: true,
521                multi_factor_auth: false,
522                role_based_access: false,
523                audit_access: true,
524            },
525        }
526    }
527}
528
529impl Default for RotationPolicy {
530    fn default() -> Self {
531        Self {
532            max_key_age: Duration::from_secs(30 * 24 * 3600), // 30 days
533            max_usage_count: 1_000_000,
534            triggers: {
535                let mut triggers = HashSet::new();
536                triggers.insert(RotationTrigger::TimeExpired);
537                triggers.insert(RotationTrigger::UsageExceeded);
538                triggers
539            },
540            notification_time: Duration::from_secs(24 * 3600), // 24 hours
541            emergency_rotation: true,
542        }
543    }
544}
545
546impl Default for BackupPolicy {
547    fn default() -> Self {
548        Self {
549            enabled: true,
550            frequency: Duration::from_secs(7 * 24 * 3600), // Weekly
551            retention_period: Duration::from_secs(90 * 24 * 3600), // 90 days
552            backup_encryption: BackupEncryption {
553                enabled: true,
554                key_id: None,
555                cipher: "ChaCha20-Poly1305".to_string(),
556            },
557            verify_backups: true,
558            geo_distribution: None,
559        }
560    }
561}
562
563impl AdvancedKeyManager {
564    /// Create a new advanced key manager
565    pub async fn new() -> Result<Self> {
566        Ok(Self {
567            active_keys: RwLock::new(HashMap::new()),
568            rotation_schedules: RwLock::new(HashMap::new()),
569            backup_storage: RwLock::new(Box::new(LocalBackupStorage::new("/tmp/phalanx_backups".to_string()).await?)),
570            derivation_cache: RwLock::new(HashMap::new()),
571            security_policies: RwLock::new(SecurityPolicies::default()),
572            usage_stats: RwLock::new(HashMap::new()),
573            pending_operations: Mutex::new(Vec::new()),
574            hsm_provider: None,
575        })
576    }
577    
578    /// Create a new key set for a group
579    #[instrument(skip(self, identity))]
580    pub async fn create_key_set(&self, group_id: [u8; 32], identity: &Identity) -> Result<KeySet> {
581        info!("Creating new key set for group {:?}", hex::encode(group_id));
582        
583        // Generate root key
584        let root_key_id = self.generate_random_bytes(32);
585        let root_key = RootKeyInfo {
586            key_id: root_key_id,
587            derivation_params: KeyDerivationParams {
588                method: DerivationMethod::HKDF,
589                salt: self.generate_random_bytes(32),
590                iterations: 100_000,
591                key_length: 32,
592            },
593            created_at: SystemTime::now(),
594            version: 1,
595            classification: SecurityClassification::Internal,
596        };
597        
598        // Generate initial encryption key
599        let encryption_key = self.generate_encryption_key(1, &root_key).await?;
600        
601        // Create member key info
602        let mut member_keys = HashMap::new();
603        let public_key = identity.public_key();
604        member_keys.insert(public_key.id(), MemberKeyInfo {
605            public_key,
606            kx_public_key: self.generate_random_bytes(32),
607            shared_secrets: HashMap::new(),
608            status: MemberKeyStatus::Active,
609            last_updated: SystemTime::now(),
610        });
611        
612        // Create key metadata
613        let metadata = KeyMetadata {
614            group_id,
615            version: 1,
616            created_at: SystemTime::now(),
617            last_rotation: None,
618            rotation_policy: RotationPolicy::default(),
619            backup_policy: BackupPolicy::default(),
620            compliance_tags: HashSet::new(),
621        };
622        
623        let key_set = KeySet {
624            current_key: encryption_key,
625            previous_keys: BTreeMap::new(),
626            member_keys,
627            root_key,
628            metadata,
629        };
630        
631        // Store the key set
632        let mut active_keys = self.active_keys.write().await;
633        active_keys.insert(group_id, key_set.clone());
634        
635        // Schedule rotation
636        self.schedule_rotation(group_id, &key_set.metadata.rotation_policy).await?;
637        
638        // Initialize usage stats
639        let mut usage_stats = self.usage_stats.write().await;
640        usage_stats.insert(group_id, KeyUsageStats::default());
641        
642        info!("Created key set for group {:?}", hex::encode(group_id));
643        Ok(key_set)
644    }
645    
646    /// Rotate keys for a group
647    #[instrument(skip(self))]
648    pub async fn rotate_keys(&self, group_id: [u8; 32], reason: RotationReason) -> Result<u64> {
649        info!("Rotating keys for group {:?}, reason: {:?}", hex::encode(group_id), reason);
650        
651        let mut active_keys = self.active_keys.write().await;
652        let key_set = active_keys.get_mut(&group_id)
653            .ok_or_else(|| PhalanxError::crypto("Group not found for rotation"))?;
654        
655        // Move current key to previous keys
656        let old_sequence = key_set.current_key.sequence;
657        let old_key = key_set.current_key.clone();
658        key_set.previous_keys.insert(old_sequence, old_key);
659        
660        // Generate new current key
661        let new_sequence = old_sequence + 1;
662        let new_key = self.generate_encryption_key(new_sequence, &key_set.root_key).await?;
663        key_set.current_key = new_key;
664        
665        // Update metadata
666        key_set.metadata.version += 1;
667        key_set.metadata.last_rotation = Some(SystemTime::now());
668        
669        // Clean up old keys (keep last 10)
670        while key_set.previous_keys.len() > 10 {
671            if let Some((oldest_seq, _)) = key_set.previous_keys.iter().next() {
672                let oldest_seq = *oldest_seq;
673                key_set.previous_keys.remove(&oldest_seq);
674            }
675        }
676        
677        // Update usage stats
678        let mut usage_stats = self.usage_stats.write().await;
679        if let Some(stats) = usage_stats.get_mut(&group_id) {
680            stats.total_operations += 1;
681        }
682        
683        // Schedule next rotation
684        self.schedule_rotation(group_id, &key_set.metadata.rotation_policy).await?;
685        
686        // Create backup if enabled
687        if key_set.metadata.backup_policy.enabled {
688            self.create_backup(group_id).await?;
689        }
690        
691        info!("Rotated keys for group {:?} to sequence {}", hex::encode(group_id), new_sequence);
692        Ok(new_sequence)
693    }
694    
695    /// Add a new member to the key set
696    #[instrument(skip(self, identity))]
697    pub async fn add_member(&self, group_id: [u8; 32], identity: &Identity) -> Result<()> {
698        info!("Adding member to group {:?}", hex::encode(group_id));
699        
700        let mut active_keys = self.active_keys.write().await;
701        let key_set = active_keys.get_mut(&group_id)
702            .ok_or_else(|| PhalanxError::crypto("Group not found for member addition"))?;
703        
704        let public_key = identity.public_key();
705        let member_id = public_key.id();
706        
707        if key_set.member_keys.contains_key(&member_id) {
708            return Err(PhalanxError::crypto("Member already exists in group"));
709        }
710        
711        // Generate key exchange material for the new member
712        let kx_public_key = self.generate_random_bytes(32);
713        let member_info = MemberKeyInfo {
714            public_key,
715            kx_public_key,
716            shared_secrets: HashMap::new(),
717            status: MemberKeyStatus::Active,
718            last_updated: SystemTime::now(),
719        };
720        
721        key_set.member_keys.insert(member_id, member_info);
722        key_set.metadata.version += 1;
723        
724        info!("Added member {:?} to group {:?}", hex::encode(member_id), hex::encode(group_id));
725        
726        // Trigger key rotation due to membership change
727        if key_set.metadata.rotation_policy.triggers.contains(&RotationTrigger::MembershipChange) {
728            self.schedule_immediate_operation(group_id, KeyOperation::Rotate {
729                sequence: key_set.current_key.sequence + 1,
730                reason: RotationReason::MembershipChange,
731            }).await?;
732        }
733        
734        Ok(())
735    }
736    
737    /// Remove a member from the key set
738    #[instrument(skip(self))]
739    pub async fn remove_member(&self, group_id: [u8; 32], member_id: [u8; 32]) -> Result<()> {
740        info!("Removing member {:?} from group {:?}", hex::encode(member_id), hex::encode(group_id));
741        
742        let mut active_keys = self.active_keys.write().await;
743        let key_set = active_keys.get_mut(&group_id)
744            .ok_or_else(|| PhalanxError::crypto("Group not found for member removal"))?;
745        
746        if let Some(mut member_info) = key_set.member_keys.remove(&member_id) {
747            member_info.status = MemberKeyStatus::Revoked;
748            key_set.metadata.version += 1;
749            
750            info!("Removed member {:?} from group {:?}", hex::encode(member_id), hex::encode(group_id));
751            
752            // Trigger key rotation due to membership change
753            if key_set.metadata.rotation_policy.triggers.contains(&RotationTrigger::MembershipChange) {
754                self.schedule_immediate_operation(group_id, KeyOperation::Rotate {
755                    sequence: key_set.current_key.sequence + 1,
756                    reason: RotationReason::MembershipChange,
757                }).await?;
758            }
759        } else {
760            return Err(PhalanxError::crypto("Member not found in group"));
761        }
762        
763        Ok(())
764    }
765    
766    /// Get current encryption key for a group
767    #[instrument(skip(self))]
768    pub async fn get_encryption_key(&self, group_id: [u8; 32]) -> Result<SymmetricKey> {
769        let active_keys = self.active_keys.read().await;
770        let key_set = active_keys.get(&group_id)
771            .ok_or_else(|| PhalanxError::crypto("Group not found"))?;
772        
773        // Update usage stats
774        let mut usage_stats = self.usage_stats.write().await;
775        if let Some(stats) = usage_stats.get_mut(&group_id) {
776            stats.encryption_count += 1;
777            stats.total_operations += 1;
778            stats.last_used = Some(SystemTime::now());
779            if stats.first_used.is_none() {
780                stats.first_used = Some(SystemTime::now());
781            }
782        }
783        
784        Ok(key_set.current_key.key.clone())
785    }
786    
787    /// Get decryption key for a specific sequence
788    #[instrument(skip(self))]
789    pub async fn get_decryption_key(&self, group_id: [u8; 32], sequence: u64) -> Result<SymmetricKey> {
790        let active_keys = self.active_keys.read().await;
791        let key_set = active_keys.get(&group_id)
792            .ok_or_else(|| PhalanxError::crypto("Group not found"))?;
793        
794        let key = if sequence == key_set.current_key.sequence {
795            key_set.current_key.key.clone()
796        } else if let Some(prev_key) = key_set.previous_keys.get(&sequence) {
797            prev_key.key.clone()
798        } else {
799            return Err(PhalanxError::crypto(format!("Key sequence {} not found", sequence)));
800        };
801        
802        // Update usage stats
803        let mut usage_stats = self.usage_stats.write().await;
804        if let Some(stats) = usage_stats.get_mut(&group_id) {
805            stats.decryption_count += 1;
806            stats.total_operations += 1;
807            stats.last_used = Some(SystemTime::now());
808            if stats.first_used.is_none() {
809                stats.first_used = Some(SystemTime::now());
810            }
811        }
812        
813        Ok(key)
814    }
815    
816    /// Derive a specialized key for a specific context
817    #[instrument(skip(self))]
818    pub async fn derive_key(&self, group_id: [u8; 32], context: &str, params: &[u8]) -> Result<SymmetricKey> {
819        let request = KeyDerivationRequest {
820            base_key_id: group_id,
821            context: context.to_string(),
822            params: params.to_vec(),
823        };
824        
825        // Check cache first
826        {
827            let cache = self.derivation_cache.read().await;
828            if let Some(cached) = cache.get(&request) {
829                let age = SystemTime::now().duration_since(cached.cached_at).unwrap_or_default();
830                if age < cached.ttl {
831                    debug!("Using cached derived key for context: {}", context);
832                    return Ok(cached.key.clone());
833                }
834            }
835        }
836        
837        // Get base key
838        let active_keys = self.active_keys.read().await;
839        let key_set = active_keys.get(&group_id)
840            .ok_or_else(|| PhalanxError::crypto("Group not found"))?;
841        
842        // Derive new key
843        let derived_key = derive_phalanx_key(
844            key_set.current_key.key.as_bytes(),
845            context.as_bytes(),
846            contexts::KEY_DERIVATION,
847        );
848        
849        // Cache the derived key
850        {
851            let mut cache = self.derivation_cache.write().await;
852            cache.insert(request, CachedKey {
853                key: derived_key.clone(),
854                cached_at: SystemTime::now(),
855                ttl: Duration::from_secs(3600), // 1 hour
856                usage_count: 0,
857            });
858            
859            // Limit cache size
860            if cache.len() > 1000 {
861                let cutoff = SystemTime::now() - Duration::from_secs(1800);
862                cache.retain(|_, v| v.cached_at > cutoff);
863            }
864        }
865        
866        // Update usage stats
867        let mut usage_stats = self.usage_stats.write().await;
868        if let Some(stats) = usage_stats.get_mut(&group_id) {
869            stats.derivation_count += 1;
870            stats.total_operations += 1;
871        }
872        
873        debug!("Derived new key for context: {}", context);
874        Ok(derived_key)
875    }
876    
877    /// Create a backup of the key set
878    #[instrument(skip(self))]
879    pub async fn create_backup(&self, group_id: [u8; 32]) -> Result<BackupId> {
880        info!("Creating backup for group {:?}", hex::encode(group_id));
881        
882        let active_keys = self.active_keys.read().await;
883        let key_set = active_keys.get(&group_id)
884            .ok_or_else(|| PhalanxError::crypto("Group not found for backup"))?;
885        
886        let backup_id = self.generate_random_bytes(32);
887        let metadata = BackupMetadata {
888            backup_id,
889            group_id,
890            created_at: SystemTime::now(),
891            version: key_set.metadata.version,
892            encryption: key_set.metadata.backup_policy.backup_encryption.clone(),
893            compression: true,
894            integrity_hash: self.generate_random_bytes(32), // TODO: Calculate actual hash
895        };
896        
897        let backup_storage = self.backup_storage.read().await;
898        let stored_id = backup_storage.store_backup(group_id, key_set, &metadata).await?;
899        
900        info!("Created backup {:?} for group {:?}", hex::encode(stored_id), hex::encode(group_id));
901        Ok(stored_id)
902    }
903    
904    /// Process pending operations
905    #[instrument(skip(self))]
906    pub async fn process_pending_operations(&self) -> Result<usize> {
907        let now = SystemTime::now();
908        let mut pending = self.pending_operations.lock().await;
909        let mut processed = 0;
910        
911        let mut remaining_operations = Vec::new();
912        
913        for operation in pending.drain(..) {
914            if operation.scheduled_at <= now {
915                match self.execute_operation(operation.group_id, operation.operation.clone()).await {
916                    Ok(_) => {
917                        processed += 1;
918                        info!("Executed scheduled operation {:?} for group {:?}", 
919                              operation.operation, hex::encode(operation.group_id));
920                    },
921                    Err(e) => {
922                        error!("Failed to execute operation: {}", e);
923                        if operation.retry_count < 3 {
924                            let mut retried_op = operation;
925                            retried_op.retry_count += 1;
926                            retried_op.scheduled_at = now + Duration::from_secs(60 * (2u64.pow(retried_op.retry_count)));
927                            remaining_operations.push(retried_op);
928                        }
929                    }
930                }
931            } else {
932                remaining_operations.push(operation);
933            }
934        }
935        
936        *pending = remaining_operations;
937        Ok(processed)
938    }
939    
940    /// Get key usage statistics
941    pub async fn get_usage_stats(&self, group_id: [u8; 32]) -> Result<KeyUsageStats> {
942        let usage_stats = self.usage_stats.read().await;
943        Ok(usage_stats.get(&group_id).cloned().unwrap_or_default())
944    }
945    
946    /// Helper methods
947    async fn generate_encryption_key(&self, sequence: u64, root_key: &RootKeyInfo) -> Result<EncryptionKeyInfo> {
948        let key = derive_phalanx_key(
949            &root_key.key_id,
950            &sequence.to_be_bytes(),
951            contexts::KEY_DERIVATION,
952        );
953        
954        Ok(EncryptionKeyInfo {
955            sequence,
956            key,
957            created_at: SystemTime::now(),
958            expires_at: None,
959            derivation: KeyDerivation {
960                method: DerivationMethod::HKDF,
961                parameters: HashMap::new(),
962                context: "encryption_key".to_string(),
963            },
964            usage_count: 0,
965            security_level: SecurityLevel::Standard,
966        })
967    }
968    
969    async fn schedule_rotation(&self, group_id: [u8; 32], policy: &RotationPolicy) -> Result<()> {
970        let next_rotation = SystemTime::now() + policy.max_key_age;
971        let schedule = RotationSchedule {
972            next_rotation,
973            interval: policy.max_key_age,
974            auto_rotate: true,
975            policy: policy.clone(),
976            retry_config: RetryConfig {
977                max_retries: 3,
978                base_delay: Duration::from_secs(60),
979                max_delay: Duration::from_secs(3600),
980                backoff_multiplier: 2.0,
981            },
982        };
983        
984        let mut schedules = self.rotation_schedules.write().await;
985        schedules.insert(group_id, schedule);
986        
987        // Schedule the actual operation
988        self.schedule_operation(group_id, KeyOperation::Rotate {
989            sequence: 0, // Will be determined at execution time
990            reason: RotationReason::Scheduled,
991        }, next_rotation, OperationPriority::Normal).await?;
992        
993        Ok(())
994    }
995    
996    async fn schedule_operation(&self, group_id: [u8; 32], operation: KeyOperation, scheduled_at: SystemTime, priority: OperationPriority) -> Result<()> {
997        let operation_id = self.generate_random_bytes(32);
998        let pending_op = PendingKeyOperation {
999            operation_id,
1000            group_id,
1001            operation,
1002            scheduled_at,
1003            priority,
1004            retry_count: 0,
1005            dependencies: Vec::new(),
1006        };
1007        
1008        let mut pending = self.pending_operations.lock().await;
1009        pending.push(pending_op);
1010        pending.sort_by(|a, b| a.scheduled_at.cmp(&b.scheduled_at));
1011        
1012        Ok(())
1013    }
1014    
1015    async fn schedule_immediate_operation(&self, group_id: [u8; 32], operation: KeyOperation) -> Result<()> {
1016        self.schedule_operation(group_id, operation, SystemTime::now(), OperationPriority::High).await
1017    }
1018    
1019    async fn execute_operation(&self, group_id: [u8; 32], operation: KeyOperation) -> Result<()> {
1020        match operation {
1021            KeyOperation::Rotate { reason, .. } => {
1022                self.rotate_keys(group_id, reason).await?;
1023            },
1024            KeyOperation::Backup { .. } => {
1025                self.create_backup(group_id).await?;
1026            },
1027            KeyOperation::Cleanup { cutoff_time, preserve_count } => {
1028                self.cleanup_old_keys(group_id, cutoff_time, preserve_count).await?;
1029            },
1030            _ => {
1031                warn!("Unsupported operation type: {:?}", operation);
1032            }
1033        }
1034        Ok(())
1035    }
1036    
1037    async fn cleanup_old_keys(&self, group_id: [u8; 32], cutoff_time: SystemTime, preserve_count: u32) -> Result<()> {
1038        let mut active_keys = self.active_keys.write().await;
1039        let key_set = active_keys.get_mut(&group_id)
1040            .ok_or_else(|| PhalanxError::crypto("Group not found for cleanup"))?;
1041        
1042        let mut old_keys: Vec<_> = key_set.previous_keys.iter()
1043            .filter(|(_, key)| key.created_at < cutoff_time)
1044            .map(|(&seq, _)| seq)
1045            .collect();
1046        
1047        old_keys.sort();
1048        old_keys.reverse();
1049        
1050        // Keep the specified number of keys
1051        let to_remove = old_keys.len().saturating_sub(preserve_count as usize);
1052        for &seq in old_keys.iter().take(to_remove) {
1053            key_set.previous_keys.remove(&seq);
1054        }
1055        
1056        info!("Cleaned up {} old keys for group {:?}", to_remove, hex::encode(group_id));
1057        Ok(())
1058    }
1059    
1060    fn generate_random_bytes(&self, length: usize) -> [u8; 32] {
1061        use rand::RngCore;
1062        let mut rng = rand::thread_rng();
1063        let mut bytes = [0u8; 32];
1064        rng.fill_bytes(&mut bytes[..length.min(32)]);
1065        bytes
1066    }
1067}
1068
1069/// Local backup storage implementation
1070pub struct LocalBackupStorage {
1071    backup_dir: String,
1072}
1073
1074impl LocalBackupStorage {
1075    pub async fn new(backup_dir: String) -> Result<Self> {
1076        tokio::fs::create_dir_all(&backup_dir).await
1077            .map_err(|e| PhalanxError::crypto(format!("Failed to create backup directory: {}", e)))?;
1078        
1079        Ok(Self { backup_dir })
1080    }
1081}
1082
1083#[async_trait]
1084impl KeyBackupStorage for LocalBackupStorage {
1085    async fn store_backup(&self, group_id: [u8; 32], keyset: &KeySet, metadata: &BackupMetadata) -> Result<BackupId> {
1086        let backup_path = format!("{}/{}.backup", self.backup_dir, hex::encode(metadata.backup_id));
1087        
1088        let backup_data = bincode::serialize(&(keyset, metadata))
1089            .map_err(|e| PhalanxError::crypto(format!("Serialization failed: {}", e)))?;
1090        
1091        tokio::fs::write(&backup_path, backup_data).await
1092            .map_err(|e| PhalanxError::crypto(format!("Failed to write backup: {}", e)))?;
1093        
1094        Ok(metadata.backup_id)
1095    }
1096    
1097    async fn retrieve_backup(&self, backup_id: BackupId) -> Result<(KeySet, BackupMetadata)> {
1098        let backup_path = format!("{}/{}.backup", self.backup_dir, hex::encode(backup_id));
1099        
1100        let backup_data = tokio::fs::read(&backup_path).await
1101            .map_err(|e| PhalanxError::crypto(format!("Failed to read backup: {}", e)))?;
1102        
1103        let (keyset, metadata) = bincode::deserialize(&backup_data)
1104            .map_err(|e| PhalanxError::crypto(format!("Deserialization failed: {}", e)))?;
1105        
1106        Ok((keyset, metadata))
1107    }
1108    
1109    async fn list_backups(&self, _group_id: [u8; 32]) -> Result<Vec<BackupInfo>> {
1110        // TODO: Implement proper backup listing
1111        Ok(Vec::new())
1112    }
1113    
1114    async fn delete_backup(&self, backup_id: BackupId) -> Result<()> {
1115        let backup_path = format!("{}/{}.backup", self.backup_dir, hex::encode(backup_id));
1116        tokio::fs::remove_file(&backup_path).await
1117            .map_err(|e| PhalanxError::crypto(format!("Failed to delete backup: {}", e)))?;
1118        Ok(())
1119    }
1120    
1121    async fn verify_backup(&self, backup_id: BackupId) -> Result<bool> {
1122        let backup_path = format!("{}/{}.backup", self.backup_dir, hex::encode(backup_id));
1123        Ok(tokio::fs::metadata(&backup_path).await.is_ok())
1124    }
1125}
1126
1127#[cfg(test)]
1128mod tests {
1129    use super::*;
1130    
1131    #[tokio::test]
1132    async fn test_key_manager_creation() {
1133        let manager = AdvancedKeyManager::new().await.unwrap();
1134        assert!(manager.active_keys.read().await.is_empty());
1135    }
1136    
1137    #[tokio::test]
1138    async fn test_key_set_creation() {
1139        let manager = AdvancedKeyManager::new().await.unwrap();
1140        let identity = Identity::generate();
1141        let group_id = [1u8; 32];
1142        
1143        let key_set = manager.create_key_set(group_id, &identity).await.unwrap();
1144        assert_eq!(key_set.current_key.sequence, 1);
1145        assert_eq!(key_set.member_keys.len(), 1);
1146    }
1147    
1148    #[tokio::test]
1149    async fn test_key_rotation() {
1150        let manager = AdvancedKeyManager::new().await.unwrap();
1151        let identity = Identity::generate();
1152        let group_id = [1u8; 32];
1153        
1154        manager.create_key_set(group_id, &identity).await.unwrap();
1155        let new_sequence = manager.rotate_keys(group_id, RotationReason::Manual).await.unwrap();
1156        
1157        assert_eq!(new_sequence, 2);
1158    }
1159    
1160    #[tokio::test]
1161    async fn test_member_management() {
1162        let manager = AdvancedKeyManager::new().await.unwrap();
1163        let identity1 = Identity::generate();
1164        let identity2 = Identity::generate();
1165        let group_id = [1u8; 32];
1166        
1167        manager.create_key_set(group_id, &identity1).await.unwrap();
1168        manager.add_member(group_id, &identity2).await.unwrap();
1169        
1170        let key_set = manager.active_keys.read().await;
1171        let key_set = key_set.get(&group_id).unwrap();
1172        assert_eq!(key_set.member_keys.len(), 2);
1173    }
1174}