Documentation
Overview ¶
Package keys provides Canton key generation and encryption for custodial key management. It is used to generate Canton keypairs for users and to encrypt them for secure storage. It uses secp256k1 (the same curve as Ethereum) for compatibility with user wallets.
Index ¶
- func DeriveEVMAddressFromPublicKey(compressedPubKey []byte) string
- func GenerateMasterKey() ([]byte, error)
- func MarshalSPKIPublicKey(x, y *big.Int) ([]byte, error)
- func MasterKeyFromBase64(encoded string) ([]byte, error)
- func MasterKeyToBase64(key []byte) string
- func Secp256k1() elliptic.Curve
- func VerifyDER(compressedPubKey []byte, hash []byte, derSig []byte) error
- type CantonKeyPair
- func (kp *CantonKeyPair) Fingerprint() (string, error)
- func (kp *CantonKeyPair) PrivateKeyHex() string
- func (kp *CantonKeyPair) PublicKeyBase64() string
- func (kp *CantonKeyPair) PublicKeyHex() string
- func (kp *CantonKeyPair) SPKIPublicKey() ([]byte, error)
- func (kp *CantonKeyPair) Sign(message []byte) ([]byte, error)
- func (kp *CantonKeyPair) SignDER(message []byte) ([]byte, error)
- func (kp *CantonKeyPair) SignHash(hash []byte) ([]byte, error)
- func (kp *CantonKeyPair) SignHashDER(hash []byte) ([]byte, error)
- func (kp *CantonKeyPair) Verify(message, signature []byte) bool
- type KeyCipher
- type MasterKeyCipher
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DeriveEVMAddressFromPublicKey ¶
DeriveEVMAddressFromPublicKey derives an EVM address from a compressed secp256k1 public key. This is used for Canton native users to generate an EVM-compatible address for MetaMask access.
If decompression fails (e.g., invalid public key), it falls back to using the Keccak256 hash of the compressed key (last 20 bytes with 0x prefix).
func GenerateMasterKey ¶
GenerateMasterKey generates a new random 32-byte master key for encrypting Canton keys. The key should be stored securely (environment variable, secrets manager, etc.).
func MarshalSPKIPublicKey ¶
MarshalSPKIPublicKey encodes an uncompressed EC point (x, y) on secp256k1 as a DER-encoded X.509 SubjectPublicKeyInfo structure.
func MasterKeyFromBase64 ¶
MasterKeyFromBase64 decodes a base64-encoded master key.
func MasterKeyToBase64 ¶
MasterKeyToBase64 encodes a master key as base64 for storage.
Types ¶
type CantonKeyPair ¶
type CantonKeyPair struct {
	PublicKey  []byte // 33-byte compressed secp256k1 public key
	PrivateKey []byte // 32-byte secp256k1 private key
}
CantonKeyPair represents a Canton signing keypair using secp256k1.
func CantonKeyPairFromPrivateKey ¶
func CantonKeyPairFromPrivateKey(privKey []byte) (*CantonKeyPair, error)
CantonKeyPairFromPrivateKey reconstructs a full keypair from a 32-byte private key.
func DeriveCantonKeyPair ¶
func DeriveCantonKeyPair(evmAddress string, serverSeed []byte) (*CantonKeyPair, error)
DeriveCantonKeyPair deterministically derives a Canton keypair from an EVM address and server seed. This allows the same keypair to be regenerated if needed (though the encrypted key is preferred). Uses HKDF with SHA-256 for key derivation.
func GenerateCantonKeyPair ¶
func GenerateCantonKeyPair() (*CantonKeyPair, error)
GenerateCantonKeyPair generates a new secp256k1 keypair for Canton signing. This uses the same curve as Ethereum for potential wallet integration.
func (*CantonKeyPair) Fingerprint ¶
func (kp *CantonKeyPair) Fingerprint() (string, error)
Fingerprint returns the Canton key fingerprint: multihash-encoded SHA-256 of the SPKI public key bytes with hash purpose 12.
func (*CantonKeyPair) PrivateKeyHex ¶
func (kp *CantonKeyPair) PrivateKeyHex() string
PrivateKeyHex returns the private key as a hex string with 0x prefix (for MetaMask import).
func (*CantonKeyPair) PublicKeyBase64 ¶
func (kp *CantonKeyPair) PublicKeyBase64() string
PublicKeyBase64 returns the public key as a base64 string.
func (*CantonKeyPair) PublicKeyHex ¶
func (kp *CantonKeyPair) PublicKeyHex() string
PublicKeyHex returns the public key as a hex string (for display/logging).
func (*CantonKeyPair) SPKIPublicKey ¶
func (kp *CantonKeyPair) SPKIPublicKey() ([]byte, error)
SPKIPublicKey returns the public key in X.509 SubjectPublicKeyInfo DER format.
func (*CantonKeyPair) Sign ¶
func (kp *CantonKeyPair) Sign(message []byte) ([]byte, error)
Sign signs a message with the private key using ECDSA with SHA-256. It returns the signature in DER format (compatible with Canton).
func (*CantonKeyPair) SignDER ¶
func (kp *CantonKeyPair) SignDER(message []byte) ([]byte, error)
SignDER signs a message with SHA-256 and returns an ASN.1 DER-encoded ECDSA signature. This is the format Canton requires for Interactive Submission and topology signing.
func (*CantonKeyPair) SignHash ¶
func (kp *CantonKeyPair) SignHash(hash []byte) ([]byte, error)
SignHash signs a pre-hashed message (useful when Canton provides the hash).
func (*CantonKeyPair) SignHashDER ¶
func (kp *CantonKeyPair) SignHashDER(hash []byte) ([]byte, error)
SignHashDER signs a pre-hashed 32-byte digest and returns an ASN.1 DER-encoded signature. Use this when Canton provides the hash directly (PrepareSubmission, GenerateExternalPartyTopology).
func (*CantonKeyPair) Verify ¶
func (kp *CantonKeyPair) Verify(message, signature []byte) bool
Verify verifies a signature against a message.
type KeyCipher ¶
type KeyCipher interface {
	Encrypt(key []byte) (string, error)
	Decrypt(encryptedKey string) ([]byte, error)
}
KeyCipher encrypts and decrypts Canton private keys.
type MasterKeyCipher ¶
type MasterKeyCipher struct {
	// contains filtered or unexported fields
}
MasterKeyCipher implements KeyCipher using AES-256-GCM with a 32-byte master key.
func NewMasterKeyCipher ¶
func NewMasterKeyCipher(masterKey []byte) *MasterKeyCipher
NewMasterKeyCipher creates a MasterKeyCipher from a 32-byte master key.
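What a KeyCipher built on AES-256-GCM with a 32-byte master key involves, as an added example that is not the package's own code. `exampleCipher`, `newExampleCipher` and the envelope layout base64(nonce || ciphertext || tag) are assumptions; the page does not document the format MasterKeyCipher stores.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// exampleCipher is hypothetical; base64(nonce || ciphertext || tag) is an assumed layout.
type exampleCipher struct{ aead cipher.AEAD }

func newExampleCipher(masterKey []byte) (*exampleCipher, error) {
	if len(masterKey) != 32 { // a 16- or 24-byte key would select AES-128/192
		return nil, fmt.Errorf("master key must be 32 bytes, got %d", len(masterKey))
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &exampleCipher{aead}, nil
}

// Encrypt seals key under a fresh random nonce; a repeated nonce under one master key breaks GCM.
func (c *exampleCipher) Encrypt(key []byte) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(c.aead.Seal(nonce, nonce, key, nil)), nil
}

// Decrypt returns an error for a wrong master key or any modified byte (GCM tag check).
func (c *exampleCipher) Decrypt(encryptedKey string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encryptedKey)
	if n := c.aead.NonceSize(); err == nil && len(raw) >= n {
		return c.aead.Open(nil, raw[:n], raw[n:], nil)
	}
	return nil, fmt.Errorf("malformed envelope")
}

func main() {
	c, _ := newExampleCipher(make([]byte, 32)) // constructed all-zero demo key
	fmt.Println(c.Encrypt([]byte("constructed sample private key")))
}
```

Because the nonce is random, encrypting the same private key twice yields different envelopes, so stored ciphertexts cannot be compared to detect duplicate keys.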