1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96
// This file is part of radicle-link
// <https://github.com/radicle-dev/radicle-link>
//
// Copyright (C) 2019-2020 The Radicle Team <dev@radicle.xyz>
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 3 or
// later as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
//! `radicle-keystore` aims to become the sole abstraction over storage of key
//! material in the Radicle ecosystem.
//!
//! Radicle employs two kinds of keys: ones which may leave your device (e.g.
//! onto an HSM), and ones that shouldn't. For the first kind, we will
//! eventually provide an implementation of [`Keystore`] which interfaces
//! directly with system keychains or hardware devices, while for the second
//! kind matters are a bit more complicated: we recommend to use the
//! [`file::FileStorage`] implementation, which stores keys in encrypted form on
//! the filesystem. This is to discourage (accidental) key sharing via backup or
//! cross-device syncing setups the user might have.
//!
//! The choice of [`crypto::Crypto`] (and relatedly [`pinentry::Pinentry`]) may
//! however be used to store the passphrase for a key-derivation scheme (as
//! employed by [`crypto::Pwhash`]) in some system keychain, or offload
//! encryption entirely to an external system (such as GPG, or a password
//! manager).
#[macro_use]
extern crate async_trait;
#[macro_use]
extern crate lazy_static;
pub use secstr::SecStr;
pub mod crypto;
pub mod file;
pub mod memory;
pub mod pinentry;
pub mod sign;
#[cfg(test)]
pub(crate) mod test;
pub use file::FileStorage;
pub use memory::MemoryStorage;
/// Named pair of public / secret key.
pub struct Keypair<PK, SK> {
pub public_key: PK,
pub secret_key: SK,
}
pub trait SecretKeyExt: Sized {
type Metadata;
type Error;
fn from_bytes_and_meta(bytes: SecStr, metadata: &Self::Metadata) -> Result<Self, Self::Error>;
fn metadata(&self) -> Self::Metadata;
}
/// Abstraction over secure storage for private key material.
pub trait Keystore {
type PublicKey: From<Self::SecretKey>;
type SecretKey: SecretKeyExt<Metadata = Self::Metadata>;
type Metadata;
type Error: std::error::Error;
/// Securely store secret key `key` in the keystore.
///
/// The key may carry [`Keystore::Metadata`], which is stored alongside the
/// key material. The metadata, as well as the public portion of the
/// key, may be stored in clear, so as to not require prompting the user
/// when retrieving those values.
///
/// Key rotation is not (yet) part of this API, thus `put_key` MUST return
/// an error if an equivalent key is already present in the storage
/// backend.
fn put_key(&mut self, key: Self::SecretKey) -> Result<(), Self::Error>;
/// Retrieve both the secret and public parts of the stored key material.
fn get_key(&self) -> Result<Keypair<Self::PublicKey, Self::SecretKey>, Self::Error>;
/// Retrieve only the public part of the key material, along with any
/// metadata.
fn show_key(&self) -> Result<(Self::PublicKey, Self::Metadata), Self::Error>;
}