You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
218 lines
5.0 KiB
218 lines
5.0 KiB
package keyset |
|
|
|
import ( |
|
"encoding/hex" |
|
"encoding/json" |
|
"fmt" |
|
"os" |
|
"path/filepath" |
|
"sync" |
|
"time" |
|
|
|
"github.com/decred/dcrd/dcrec/secp256k1/v4" |
|
) |
|
|
|
// keysetData is the JSON-serializable form of a Keyset. |
|
type keysetData struct { |
|
ID string `json:"id"` |
|
PrivateKey string `json:"private_key"` // hex-encoded |
|
CreatedAt int64 `json:"created_at"` |
|
ActiveAt int64 `json:"active_at"` |
|
ExpiresAt int64 `json:"expires_at"` |
|
VerifyEnd int64 `json:"verify_end"` |
|
Active bool `json:"active"` |
|
} |
|
|
|
// fileStoreData is the top-level JSON structure. |
|
type fileStoreData struct { |
|
Version int `json:"version"` |
|
Keysets []keysetData `json:"keysets"` |
|
UpdatedAt int64 `json:"updated_at"` |
|
} |
|
|
|
// FileStore persists keysets to a JSON file. |
|
type FileStore struct { |
|
path string |
|
mu sync.RWMutex |
|
keysets map[string]*Keyset |
|
} |
|
|
|
// NewFileStore creates a new file-based keyset store. |
|
// The directory will be created if it doesn't exist. |
|
func NewFileStore(path string) (*FileStore, error) { |
|
// Ensure directory exists |
|
dir := filepath.Dir(path) |
|
if err := os.MkdirAll(dir, 0700); err != nil { |
|
return nil, fmt.Errorf("keyset: failed to create directory: %w", err) |
|
} |
|
|
|
store := &FileStore{ |
|
path: path, |
|
keysets: make(map[string]*Keyset), |
|
} |
|
|
|
// Load existing keysets if file exists |
|
if err := store.load(); err != nil && !os.IsNotExist(err) { |
|
return nil, fmt.Errorf("keyset: failed to load keysets: %w", err) |
|
} |
|
|
|
return store, nil |
|
} |
|
|
|
// load reads keysets from the file. |
|
func (s *FileStore) load() error { |
|
data, err := os.ReadFile(s.path) |
|
if err != nil { |
|
return err |
|
} |
|
|
|
var fileData fileStoreData |
|
if err := json.Unmarshal(data, &fileData); err != nil { |
|
return fmt.Errorf("keyset: failed to parse file: %w", err) |
|
} |
|
|
|
s.mu.Lock() |
|
defer s.mu.Unlock() |
|
|
|
for _, kd := range fileData.Keysets { |
|
keyset, err := s.fromData(kd) |
|
if err != nil { |
|
// Log but continue - don't fail on single corrupt keyset |
|
continue |
|
} |
|
s.keysets[keyset.ID] = keyset |
|
} |
|
|
|
return nil |
|
} |
|
|
|
// save writes all keysets to the file. |
|
func (s *FileStore) save() error { |
|
s.mu.RLock() |
|
defer s.mu.RUnlock() |
|
|
|
keysets := make([]keysetData, 0, len(s.keysets)) |
|
for _, k := range s.keysets { |
|
keysets = append(keysets, s.toData(k)) |
|
} |
|
|
|
fileData := fileStoreData{ |
|
Version: 1, |
|
Keysets: keysets, |
|
UpdatedAt: time.Now().Unix(), |
|
} |
|
|
|
data, err := json.MarshalIndent(fileData, "", " ") |
|
if err != nil { |
|
return fmt.Errorf("keyset: failed to marshal: %w", err) |
|
} |
|
|
|
// Write atomically using temp file |
|
tmpPath := s.path + ".tmp" |
|
if err := os.WriteFile(tmpPath, data, 0600); err != nil { |
|
return fmt.Errorf("keyset: failed to write temp file: %w", err) |
|
} |
|
|
|
if err := os.Rename(tmpPath, s.path); err != nil { |
|
os.Remove(tmpPath) |
|
return fmt.Errorf("keyset: failed to rename temp file: %w", err) |
|
} |
|
|
|
return nil |
|
} |
|
|
|
// toData converts a Keyset to its JSON form. |
|
func (s *FileStore) toData(k *Keyset) keysetData { |
|
return keysetData{ |
|
ID: k.ID, |
|
PrivateKey: hex.EncodeToString(k.SerializePrivateKey()), |
|
CreatedAt: k.CreatedAt.Unix(), |
|
ActiveAt: k.ActiveAt.Unix(), |
|
ExpiresAt: k.ExpiresAt.Unix(), |
|
VerifyEnd: k.VerifyEnd.Unix(), |
|
Active: k.Active, |
|
} |
|
} |
|
|
|
// fromData reconstructs a Keyset from its JSON form. |
|
func (s *FileStore) fromData(kd keysetData) (*Keyset, error) { |
|
privKeyBytes, err := hex.DecodeString(kd.PrivateKey) |
|
if err != nil { |
|
return nil, fmt.Errorf("keyset: invalid private key hex: %w", err) |
|
} |
|
|
|
if len(privKeyBytes) != 32 { |
|
return nil, fmt.Errorf("keyset: private key must be 32 bytes") |
|
} |
|
|
|
privKey := secp256k1.PrivKeyFromBytes(privKeyBytes) |
|
pubKey := privKey.PubKey() |
|
|
|
return &Keyset{ |
|
ID: kd.ID, |
|
PrivateKey: privKey, |
|
PublicKey: pubKey, |
|
CreatedAt: time.Unix(kd.CreatedAt, 0), |
|
ActiveAt: time.Unix(kd.ActiveAt, 0), |
|
ExpiresAt: time.Unix(kd.ExpiresAt, 0), |
|
VerifyEnd: time.Unix(kd.VerifyEnd, 0), |
|
Active: kd.Active, |
|
}, nil |
|
} |
|
|
|
// SaveKeyset persists a keyset. |
|
func (s *FileStore) SaveKeyset(k *Keyset) error { |
|
s.mu.Lock() |
|
s.keysets[k.ID] = k |
|
s.mu.Unlock() |
|
|
|
return s.save() |
|
} |
|
|
|
// LoadKeyset loads a keyset by ID. |
|
func (s *FileStore) LoadKeyset(id string) (*Keyset, error) { |
|
s.mu.RLock() |
|
defer s.mu.RUnlock() |
|
|
|
if k, ok := s.keysets[id]; ok { |
|
return k, nil |
|
} |
|
return nil, nil |
|
} |
|
|
|
// ListActiveKeysets returns all keysets that can be used for signing. |
|
func (s *FileStore) ListActiveKeysets() ([]*Keyset, error) { |
|
s.mu.RLock() |
|
defer s.mu.RUnlock() |
|
|
|
result := make([]*Keyset, 0) |
|
for _, k := range s.keysets { |
|
if k.IsActiveForSigning() { |
|
result = append(result, k) |
|
} |
|
} |
|
return result, nil |
|
} |
|
|
|
// ListVerificationKeysets returns all keysets that can be used for verification. |
|
func (s *FileStore) ListVerificationKeysets() ([]*Keyset, error) { |
|
s.mu.RLock() |
|
defer s.mu.RUnlock() |
|
|
|
result := make([]*Keyset, 0) |
|
for _, k := range s.keysets { |
|
if k.IsValidForVerification() { |
|
result = append(result, k) |
|
} |
|
} |
|
return result, nil |
|
} |
|
|
|
// DeleteKeyset removes a keyset from storage. |
|
func (s *FileStore) DeleteKeyset(id string) error { |
|
s.mu.Lock() |
|
delete(s.keysets, id) |
|
s.mu.Unlock() |
|
|
|
return s.save() |
|
}
|
|
|