keystore

package
v0.27.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 16, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package keystore provides key management for Cardano stake pool operators. It wraps pool credentials (VRF, KES, OpCert) and handles KES key evolution as the blockchain progresses through KES periods.

Index

Constants

View Source 
const (
	// DefaultSlotsPerKESPeriod is the number of slots in a KES period on preview.
	// After this many slots, the KES key must be evolved to the next period.
	// Preview value: 129600 slots = 1.5 days (at 1 second per slot)
	DefaultSlotsPerKESPeriod = 129600

	// DefaultMaxKESEvolutions is the maximum number of times a KES key can evolve.
	// For Cardano's KES depth of 6, this is 2^6 - 2 = 62 evolutions.
	// After this many evolutions, a new operational certificate must be issued.
	DefaultMaxKESEvolutions = 62

	// DefaultSlotDuration is the default slot duration on preview (1 second).
	DefaultSlotDuration = time.Second
)

KES (Key Evolving Signature) constants for Cardano. These values are defined in the Shelley genesis configuration and determine how often KES keys must be evolved. Default values are for the preview network (Dingo's default network).

Variables

View Source 
var (
	ErrKeysNotLoaded    = errors.New("keys not loaded")
	ErrVRFKeyNotLoaded  = errors.New("VRF key not loaded")
	ErrKESKeyNotLoaded  = errors.New("KES key not loaded")
	ErrOpCertNotLoaded  = errors.New("operational certificate not loaded")
	ErrAlreadyRunning   = errors.New("keystore already running")
	ErrNotRunning       = errors.New("keystore not running")
	ErrInsecureFileMode = errors.New("insecure file mode")
)

Common errors returned by KeyStore operations.

Functions

func DefaultKESPeriodDuration 

func DefaultKESPeriodDuration() time.Duration

DefaultKESPeriodDuration returns the KES period duration using preview defaults. This is approximately 1.5 days.

func DefaultOpCertLifetimeDuration 

func DefaultOpCertLifetimeDuration() time.Duration

DefaultOpCertLifetimeDuration returns the OpCert lifetime using preview defaults.

func DefaultOpCertLifetimeSlots 

func DefaultOpCertLifetimeSlots() uint64

DefaultOpCertLifetimeSlots returns the OpCert lifetime using preview defaults. This is approximately 93 days (62 periods * 1.5 days per period).

func KESPeriodDuration 

func KESPeriodDuration(slotsPerPeriod uint64, slotDuration time.Duration) time.Duration

KESPeriodDuration returns the approximate wall-clock duration of a KES period. This is useful for calculating when the next evolution will occur.

func KESPeriodEndSlot 

func KESPeriodEndSlot(period, slotsPerPeriod uint64) uint64

KESPeriodEndSlot returns the last slot of the given KES period. Returns 0 if slotsPerPeriod is 0 to avoid underflow.

func KESPeriodStartSlot 

func KESPeriodStartSlot(period, slotsPerPeriod uint64) uint64

KESPeriodStartSlot returns the first slot of the given KES period.

func OpCertLifetimeDuration 

func OpCertLifetimeDuration(
	slotsPerPeriod, maxEvolutions uint64,
	slotDuration time.Duration,
) time.Duration

OpCertLifetimeDuration returns the approximate wall-clock duration an OpCert is valid.

func OpCertLifetimeSlots 

func OpCertLifetimeSlots(slotsPerPeriod, maxEvolutions uint64) uint64

OpCertLifetimeSlots returns the total number of slots an OpCert is valid for.

func SlotToKESPeriod 

func SlotToKESPeriod(slot, slotsPerPeriod uint64) uint64

SlotToKESPeriod converts a slot number to a KES period. Returns 0 if slotsPerPeriod is 0 to avoid division by zero.

Types

type ExpiryWarningThresholds 

type ExpiryWarningThresholds struct {
	// Critical: OpCert is about to expire, cannot produce blocks soon
	Critical uint64
	// Warning: OpCert should be renewed soon
	Warning uint64
	// Info: OpCert expiry is approaching
	Info uint64
}

ExpiryWarningThresholds defines warning thresholds for OpCert expiry. These are the number of KES periods remaining before expiry.

func DefaultExpiryWarningThresholds 

func DefaultExpiryWarningThresholds() ExpiryWarningThresholds

DefaultExpiryWarningThresholds returns the default warning thresholds.

type KESSigner 

type KESSigner interface {
	// Sign signs a message at the specified KES period.
	Sign(period uint64, message []byte) ([]byte, error)
	// VKey returns the KES verification key.
	VKey() []byte
	// CurrentPeriod returns the current KES period the key is evolved to.
	CurrentPeriod() uint64
}

KESSigner provides KES signing capabilities for block production.

type KeyStore 

type KeyStore struct {
	// contains filtered or unexported fields
}

KeyStore manages pool credentials and KES key evolution.

func NewKeyStore 

func NewKeyStore(config KeyStoreConfig) *KeyStore

NewKeyStore creates a new KeyStore with the given configuration.

func (*KeyStore) CurrentKESPeriod 

func (ks *KeyStore) CurrentKESPeriod() uint64

CurrentKESPeriod returns the current KES period the key is evolved to.

func (*KeyStore) EvolveKESTo 

func (ks *KeyStore) EvolveKESTo(targetPeriod uint64) error

EvolveKESTo evolves the KES key to the specified period.

func (*KeyStore) IsLoaded 

func (ks *KeyStore) IsLoaded() bool

IsLoaded returns true if all credentials have been loaded.

func (*KeyStore) KESSigner 

func (ks *KeyStore) KESSigner() KESSigner

KESSigner returns a KES signer for block signing. Returns nil if KES key is not loaded.

func (*KeyStore) LoadFromFiles 

func (ks *KeyStore) LoadFromFiles() error

LoadFromFiles loads all pool credentials from the configured file paths. Parses cardano-cli format key files.

func (*KeyStore) OpCert 

func (ks *KeyStore) OpCert() *OpCert

OpCert returns a copy of the operational certificate. Returns nil if not loaded.

func (*KeyStore) OpCertExpiryPeriod 

func (ks *KeyStore) OpCertExpiryPeriod() uint64

OpCertExpiryPeriod returns the KES period at which the OpCert expires.

func (*KeyStore) PeriodsRemaining 

func (ks *KeyStore) PeriodsRemaining(currentPeriod uint64) uint64

PeriodsRemaining returns how many KES periods remain before expiry.

func (*KeyStore) PoolID 

func (ks *KeyStore) PoolID() *lcommon.PoolId

PoolID returns the pool ID (Blake2b-224 of cold vkey). Returns nil if not loaded.

func (*KeyStore) Start 

func (ks *KeyStore) Start(ctx context.Context, slotClock SlotClock) error

Start begins KES evolution monitoring using the provided slot clock. The keystore will automatically evolve the KES key when the period advances.

func (*KeyStore) Stop 

func (ks *KeyStore) Stop() error

Stop halts KES evolution monitoring, zeros secret key material from memory, and cleans up resources.

func (*KeyStore) VRFSigner 

func (ks *KeyStore) VRFSigner() VRFSigner

VRFSigner returns a VRF signer for leader election. Returns nil if VRF key is not loaded.

func (*KeyStore) ValidateOpCert 

func (ks *KeyStore) ValidateOpCert() error

ValidateOpCert validates that the operational certificate matches the KES key.

type KeyStoreConfig 

type KeyStoreConfig struct {
	// VRFSKeyPath is the path to the VRF signing key file.
	VRFSKeyPath string
	// KESSKeyPath is the path to the KES signing key file.
	KESSKeyPath string
	// OpCertPath is the path to the operational certificate file.
	OpCertPath string
	// SlotsPerKESPeriod is the number of slots in a KES period.
	// Default: 129600 (preview network value)
	SlotsPerKESPeriod uint64
	// MaxKESEvolutions is the maximum number of KES evolutions.
	// Default: 62 (for KES depth 6)
	MaxKESEvolutions uint64
	// Logger for keystore events.
	Logger *slog.Logger
}

KeyStoreConfig holds configuration for the KeyStore.

func DefaultKeyStoreConfig 

func DefaultKeyStoreConfig() KeyStoreConfig

DefaultKeyStoreConfig returns the default configuration.

type OpCert 

type OpCert struct {
	KESVKey     []byte // KES verification key (32 bytes)
	IssueNumber uint64 // Certificate sequence number
	KESPeriod   uint64 // KES period when certificate was created
	Signature   []byte // Cold key signature (64 bytes)
	ColdVKey    []byte // Cold verification key (32 bytes)
}

OpCert represents an operational certificate that binds a KES key to a pool.

type SlotClock 

type SlotClock interface {
	// CurrentSlot returns the current slot number.
	CurrentSlot() (uint64, error)
	// Subscribe returns a channel that receives slot tick notifications.
	Subscribe() <-chan SlotTick
	// Unsubscribe removes a subscriber channel.
	Unsubscribe(ch <-chan SlotTick)
}

SlotClock provides slot information for KES evolution monitoring.

type SlotTick 

type SlotTick struct {
	Slot uint64
}

SlotTick represents a slot boundary notification (minimal interface).

type VRFSigner 

type VRFSigner interface {
	// Prove generates a VRF proof for the given input.
	// Returns (proof, output, error).
	Prove(alpha []byte) ([]byte, []byte, error)
	// VKey returns the VRF verification key.
	VKey() []byte
}

VRFSigner provides VRF signing capabilities for leader election.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.