pot_o_extensions/
security.rs

1//! Proof authority and node authentication: Ed25519, mTLS, HMAC device auth.
2
3use pot_o_core::TribeResult;
4use pot_o_mining::Challenge;
5
6use crate::peer_network::PeerInfo;
7
8// ---------------------------------------------------------------------------
9// Trait
10// ---------------------------------------------------------------------------
11
12/// Security layer for proof submission and node authentication.
13pub trait ProofAuthority: Send + Sync {
14    fn verify_miner_identity(&self, pubkey: &str, signature: &[u8]) -> TribeResult<bool>;
15    fn sign_challenge(&self, challenge: &Challenge) -> TribeResult<Vec<u8>>;
16    fn validate_node_connection(&self, peer: &PeerInfo) -> TribeResult<bool>;
17}
18
19// ---------------------------------------------------------------------------
20// Ed25519Authority (implemented now -- Solana keypair based)
21// ---------------------------------------------------------------------------
22
23pub struct Ed25519Authority;
24
25impl ProofAuthority for Ed25519Authority {
26    fn verify_miner_identity(&self, _pubkey: &str, _signature: &[u8]) -> TribeResult<bool> {
27        // For single-node local operation, accept all identities.
28        // Production: verify Ed25519 signature against pubkey.
29        Ok(true)
30    }
31
32    fn sign_challenge(&self, _challenge: &Challenge) -> TribeResult<Vec<u8>> {
33        // Placeholder: return empty signature for local mode.
34        // Production: sign with the validator's Solana keypair.
35        Ok(vec![0u8; 64])
36    }
37
38    fn validate_node_connection(&self, _peer: &PeerInfo) -> TribeResult<bool> {
39        // Single-node: no peer validation needed.
40        Ok(true)
41    }
42}
43
44// ---------------------------------------------------------------------------
45// MtlsAuthority (stubbed -- for VPN node-to-node auth)
46// ---------------------------------------------------------------------------
47
48#[derive(Debug, Clone)]
49pub struct MtlsConfig {
50    pub ca_cert_path: String,
51    pub node_cert_path: String,
52    pub node_key_path: String,
53}
54
55pub struct MtlsAuthority {
56    pub config: MtlsConfig,
57}
58
59impl ProofAuthority for MtlsAuthority {
60    fn verify_miner_identity(&self, _pubkey: &str, _signature: &[u8]) -> TribeResult<bool> {
61        todo!("mTLS miner identity verification not yet implemented")
62    }
63    fn sign_challenge(&self, _challenge: &Challenge) -> TribeResult<Vec<u8>> {
64        todo!("mTLS challenge signing not yet implemented")
65    }
66    fn validate_node_connection(&self, _peer: &PeerInfo) -> TribeResult<bool> {
67        todo!("mTLS node connection validation not yet implemented")
68    }
69}
70
71// ---------------------------------------------------------------------------
72// HmacDeviceAuth (stubbed -- shared-secret HMAC for ESP devices)
73// ---------------------------------------------------------------------------
74
75pub struct HmacDeviceAuth {
76    pub shared_secret: Vec<u8>,
77}
78
79impl ProofAuthority for HmacDeviceAuth {
80    fn verify_miner_identity(&self, _pubkey: &str, _signature: &[u8]) -> TribeResult<bool> {
81        todo!("HMAC device identity verification not yet implemented")
82    }
83    fn sign_challenge(&self, _challenge: &Challenge) -> TribeResult<Vec<u8>> {
84        todo!("HMAC challenge signing not yet implemented")
85    }
86    fn validate_node_connection(&self, _peer: &PeerInfo) -> TribeResult<bool> {
87        todo!("HMAC node connection validation not yet implemented")
88    }
89}
pot_o_extensions/security.rs

pot_o_extensions/
security.rs
