spark_rust/signer/traits/

ecies.rs

//! # ECIES encryption operations for Spark wallet
//!
//! This module defines the ECIES (Elliptic Curve Integrated Encryption Scheme)
//! capabilities required for the Spark wallet. ECIES is used for secure key exchange
//! between wallet participants, particularly during transfer operations.
//!
//! ECIES provides a way to:
//! - Securely encrypt a secret key using a recipient's public key
//! - Decrypt an encrypted secret key using the recipient's private key
//!
//! In Spark, this is critical for transferring funds between users, where leaf private
//! keys need to be securely transmitted from sender to receiver.

use bitcoin::{
    secp256k1::{PublicKey, SecretKey},
    Network,
};

use crate::error::SparkSdkError;

/// Trait for ECIES encryption operations in the Spark wallet.
///
/// This trait provides methods for encrypting and decrypting secret keys using
/// the ECIES (Elliptic Curve Integrated Encryption Scheme) algorithm. ECIES enables
/// secure key exchange between users in operations like transfers, where the sender
/// needs to securely transmit leaf private keys to the receiver.
///
/// The implementation follows standard ECIES practices:
/// - Generates an ephemeral key pair
/// - Derives a shared secret using ECDH
/// - Uses the shared secret to encrypt/decrypt the data
/// - Provides authenticated encryption to prevent tampering
pub trait SparkSignerEcies {
    /// Encrypts a secret key using the ECIES algorithm.
    ///
    /// This method encrypts a secret key so that only the owner of the corresponding
    /// private key for `receiver_public_key` can decrypt it. This is typically used
    /// during transfers to securely send leaf private keys to another user.
    ///
    /// # Arguments
    /// * `receiver_public_key` - The public key of the recipient who will be able
    ///   to decrypt the secret key. This is typically the identity public key of
    ///   the recipient's wallet.
    /// * `pubkey_for_sk_to_encrypt` - The public key corresponding to the secret key
    ///   that will be encrypted. The method will find the secret key in the wallet
    ///   based on this public key.
    ///
    /// # Returns
    /// * `Ok(Vec<u8>)` - The encrypted secret key as a vector of bytes
    /// * `Err(SparkSdkError)` - If encryption fails, typically because the secret key
    ///   corresponding to `pubkey_for_sk_to_encrypt` cannot be found
    ///
    /// # Security Considerations
    /// The encrypted data contains all necessary information for decryption by the
    /// intended recipient, including the ephemeral public key. No pre-shared secrets
    /// are required beyond the recipient's public key.
    ///
    /// # Example
    /// ```no_run
    /// # use spark_rust::signer::traits::ecies::SparkSignerEcies;
    /// # use spark_rust::signer::default_signer::DefaultSigner;
    /// # use bitcoin::secp256k1::PublicKey;
    /// # async fn example(signer: DefaultSigner, recipient_pubkey: PublicKey, leaf_pubkey: PublicKey) -> Result<(), Box<dyn std::error::Error>> {
    /// // Encrypt a leaf secret key for transfer to another user
    /// let encrypted_key = signer.encrypt_secret_key_with_ecies(
    ///     &recipient_pubkey, // The recipient's identity public key
    ///     &leaf_pubkey       // The public key for the leaf secret key to encrypt
    /// )?;
    ///
    /// // The encrypted_key can now be safely transmitted to the recipient
    /// # Ok(())
    /// # }
    /// ```
    fn encrypt_secret_key_with_ecies(
        &self,
        receiver_public_key: &PublicKey,
        pubkey_for_sk_to_encrypt: &PublicKey,
    ) -> Result<Vec<u8>, SparkSdkError>;

    /// Decrypts a secret key using the ECIES algorithm.
    ///
    /// This method decrypts a secret key that was encrypted with the wallet's identity
    /// public key. This is typically used during transfer receipt to obtain leaf private
    /// keys sent by another user.
    ///
    /// # Arguments
    /// * `ciphertext` - The encrypted secret key data. Can be any type that implements
    ///                  `AsRef<[u8]>`, such as `Vec<u8>` or `&[u8]`.
    /// * `network` - The Bitcoin network to use, which affects the derivation path for
    ///               the identity key used in decryption.
    ///
    /// # Returns
    /// * `Ok(SecretKey)` - The decrypted secret key
    /// * `Err(SparkSdkError)` - If decryption fails, typically due to invalid ciphertext
    ///                         or if the wallet doesn't have the correct identity private key
    ///
    /// # Security Considerations
    /// This method uses the wallet's identity private key for decryption. The implementation
    /// must ensure that this key is securely managed and that decrypted secret keys are
    /// properly protected after decryption.
    ///
    /// # Example
    /// ```no_run
    /// # use spark_rust::signer::traits::ecies::SparkSignerEcies;
    /// # use spark_rust::signer::default_signer::DefaultSigner;
    /// # use bitcoin::Network;
    /// # async fn example(signer: DefaultSigner, encrypted_key: Vec<u8>) -> Result<(), Box<dyn std::error::Error>> {
    /// // Decrypt a secret key received from another user
    /// let decrypted_secret_key = signer.decrypt_secret_key_with_ecies(
    ///     encrypted_key,
    ///     Network::Bitcoin
    /// )?;
    ///
    /// // The decrypted_secret_key can now be used (typically inserted into the wallet)
    /// # Ok(())
    /// # }
    /// ```
    fn decrypt_secret_key_with_ecies<T>(
        &self,
        ciphertext: T,
        network: Network,
    ) -> Result<SecretKey, SparkSdkError>
    where
        T: AsRef<[u8]>;
}