Home Explore Help
Sign In
ltulloch
/
lox-extensions
1
1
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Add rotate keys functions to lib.rs

onyinyang 1 month ago
parent
b7571cfcac
commit
dc1fac9008
1 changed files with 51 additions and 0 deletions
Split View Show Diff Stats
  1. 51 0
      src/lib.rs

+ 51 - 0
src/lib.rs
View File 

@@ -399,6 +399,57 @@ impl BridgeAuth {
 
         }
 
     }
 
 
+    pub fn rotate_lox_keys(&mut self, rng: &mut (impl CryptoRng + RngCore)) {
 
+        let (updated_lox_priv, updated_lox_pub) = Lox::gen_keys(rng, true);
 
+        // Store the old keys until the next key rotation (this should happen no more than 511 days after the
 
+        // last rotation to ensure that all credentials issued with the old key can be updated
 
+        self.old_keys.lox_keys.push(OldKeyStore {
 
+            priv_key: self.lox_priv.clone(),
 
+            pub_key: self.lox_pub.clone(),
 
+        });
 
+        // Move the old lox id filter to the old_lox_id_filter
 
+        self.old_filters.lox_filter.push(self.id_filter.clone());
 
+        // TODO: Commit to the new keys and post the commitment somewhere public that can be verified
 
+        // by users, ideally
 
+        self.lox_priv = updated_lox_priv;
 
+        self.lox_pub = updated_lox_pub;
 
+        self.id_filter = Default::default();
 
+    }
 
+
 
+    pub fn rotate_invitation_keys(&mut self, rng: &mut (impl CryptoRng + RngCore)) {
 
+        let (updated_invitation_priv, updated_invitation_pub) = Invitation::gen_keys(rng, true);
 
+        // Store the old keys until the next key rotation (this should happen no more than 511 days after the
 
+        // last rotation to ensure that all credentials issued with the old key can be updated
 
+        self.old_keys.invitation_keys.push(OldKeyStore {
 
+            priv_key: self.invitation_priv.clone(),
 
+            pub_key: self.invitation_pub.clone(),
 
+        });
 
+        // Move the old invitation id filter to the old_invitation_id_filter
 
+        self.old_filters
 
+            .invitation_filter
 
+            .push(self.inv_id_filter.clone());
 
+        // TODO: Commit to the new keys and post the commitment somewhere public that can be verified
 
+        // by users, ideally
 
+        self.invitation_priv = updated_invitation_priv;
 
+        self.invitation_pub = updated_invitation_pub;
 
+        self.inv_id_filter = Default::default();
 
+    }
 
+
 
+    pub fn rotate_bridgedb_keys(&mut self, new_bridgedb_pub: VerifyingKey) {
 
+        // Store the old verifying key until the next key rotation (this should happen no more often than the
 
+        // we would reasonably expect a user to redeem an open invitation token to ensure that all invitations
 
+        // issued with the old key can be updated)
 
+        self.old_keys.bridgedb_key.push(self.bridgedb_pub);
 
+        // Move the old lox id filter to the old_lox_id_filter
 
+        self.old_filters
 
+            .openinv_filter
 
+            .push(self.bridgedb_pub_filter.clone());
 
+        // TODO: Commit to the new keys and post the commitment somewhere public that can be verified
 
+        // by users, ideally
 
+        self.bridgedb_pub = new_bridgedb_pub;
 
+        self.bridgedb_pub_filter = Default::default();
 
+    }
 
+
 
     /// Insert a set of open invitation bridges.
 
     ///
 
     /// Each of the bridges will be given its own open invitation