The highest tagged major version is
Documentation
¶
Overview ¶
Package staking includes a thin HTTP client to the external Lux KMS service (~/work/lux/kms, github.com/luxfi/kms). The KMS service speaks JSON over HTTP as its public contract — this file therefore stays on json/v2 by design. Do NOT migrate to ZAP: the wire format here is defined by the external service, not by us. Internal Lux paths that consume the keys MUST hash or copy the result into typed Go values before any internal codec.
Not to be confused with Hanzo KMS (~/work/hanzo/kms) which serves Hanzoai apps — Lux blockchain node staking uses Lux KMS only.
Index ¶
- Constants
- Variables
- func CheckHybridSignature(cert *Certificate, pqPubKey []byte, msg []byte, classicalSig, pqSig []byte) error
- func CheckSignature(cert *Certificate, msg []byte, signature []byte) error
- func InitNodePQKeyPair(keyPath, pubKeyPath string) error
- func InitNodeStakingKeyPair(keyPath, certPath string) error
- func LoadTLSCertFromBytes(keyBytes, certBytes []byte) (*tls.Certificate, error)
- func LoadTLSCertFromFiles(keyPath, certPath string) (*tls.Certificate, error)
- func NewCertAndKeyBytes() ([]byte, []byte, error)
- func NewCertAndKeyBytesFromKey(key *ecdsa.PrivateKey) ([]byte, []byte, error)
- func NewTLSCert() (*tls.Certificate, error)
- func ValidateRSAPublicKeyIsWellFormed(pub *rsa.PublicKey) error
- func VerifyPQSignature(pubKeyBytes, msg, sig []byte) error
- type Certificate
- type KMSConfig
- type KMSStakingKeys
- type MLDSAPublicKey
- type PQKeyPair
Constants ¶
const (
MaxCertificateLen = 2 * constants.KiB
)
Variables ¶
var ( ErrCertificateTooLarge = fmt.Errorf("staking: certificate length is greater than %d", MaxCertificateLen) ErrMalformedCertificate = errors.New("staking: malformed certificate") ErrMalformedTBSCertificate = errors.New("staking: malformed tbs certificate") ErrMalformedVersion = errors.New("staking: malformed version") ErrMalformedSerialNumber = errors.New("staking: malformed serial number") ErrMalformedSignatureAlgorithmIdentifier = errors.New("staking: malformed signature algorithm identifier") ErrMalformedIssuer = errors.New("staking: malformed issuer") ErrMalformedValidity = errors.New("staking: malformed validity") ErrMalformedSPKI = errors.New("staking: malformed spki") ErrMalformedPublicKeyAlgorithmIdentifier = errors.New("staking: malformed public key algorithm identifier") ErrMalformedSubjectPublicKey = errors.New("staking: malformed subject public key") ErrMalformedOID = errors.New("staking: malformed oid") ErrInvalidRSAPublicKey = errors.New("staking: invalid RSA public key") ErrInvalidRSAModulus = errors.New("staking: invalid RSA modulus") ErrInvalidRSAPublicExponent = errors.New("staking: invalid RSA public exponent") ErrRSAModulusNotPositive = errors.New("staking: RSA modulus is not a positive number") ErrUnsupportedRSAModulusBitLen = errors.New("staking: unsupported RSA modulus bitlen") ErrRSAModulusIsEven = errors.New("staking: RSA modulus is an even number") ErrUnsupportedRSAPublicExponent = errors.New("staking: unsupported RSA public exponent") ErrFailedUnmarshallingEllipticCurvePoint = errors.New("staking: failed to unmarshal elliptic curve point") ErrUnknownPublicKeyAlgorithm = errors.New("staking: unknown public key algorithm") )
var ( ErrMLDSAVerificationFailure = errors.New("staking: ML-DSA verification failure") ErrInvalidPQKeySize = errors.New("staking: invalid post-quantum key size") )
var ( ErrUnsupportedAlgorithm = errors.New("staking: cannot verify signature: unsupported algorithm") ErrECDSAVerificationFailure = errors.New("staking: ECDSA verification failure") )
Functions ¶
func CheckHybridSignature ¶ added in v1.23.2
func CheckHybridSignature(cert *Certificate, pqPubKey []byte, msg []byte, classicalSig, pqSig []byte) error
CheckHybridSignature verifies both classical (ECDSA/RSA) and post-quantum (ML-DSA) signatures. This provides defense-in-depth: if either algorithm is broken, the other still protects.
func CheckSignature ¶
func CheckSignature(cert *Certificate, msg []byte, signature []byte) error
CheckSignature verifies that the signature is a valid signature over signed from the certificate.
Ref: https://github.com/golang/go/blob/go1.19.12/src/crypto/x509/x509.go#L793-L797 Ref: https://github.com/golang/go/blob/go1.19.12/src/crypto/x509/x509.go#L816-L879
func InitNodePQKeyPair ¶ added in v1.23.2
InitNodePQKeyPair generates and stores an ML-DSA key pair for hybrid staking. The keys will be placed at [keyPath] and [pubKeyPath]. If there is already a file at [keyPath], returns nil (no-op).
func InitNodeStakingKeyPair ¶
InitNodeStakingKeyPair generates a self-signed TLS key/cert pair to use in staking. The key and files will be placed at [keyPath] and [certPath], respectively. If there is already a file at [keyPath], returns nil.
func LoadTLSCertFromBytes ¶
func LoadTLSCertFromBytes(keyBytes, certBytes []byte) (*tls.Certificate, error)
func LoadTLSCertFromFiles ¶
func LoadTLSCertFromFiles(keyPath, certPath string) (*tls.Certificate, error)
func NewCertAndKeyBytes ¶
Creates a new staking private key / staking certificate pair. Returns the PEM byte representations of both.
func NewCertAndKeyBytesFromKey ¶ added in v1.22.45
func NewCertAndKeyBytesFromKey(key *ecdsa.PrivateKey) ([]byte, []byte, error)
NewCertAndKeyBytesFromKey creates a staking cert from an existing ECDSA P-256 private key. This allows deterministic NodeID generation from a seed. IMPORTANT: Uses deterministic signing for reproducible certificates.
func NewTLSCert ¶
func NewTLSCert() (*tls.Certificate, error)
func ValidateRSAPublicKeyIsWellFormed ¶
ValidateRSAPublicKeyIsWellFormed validates the given RSA public key
func VerifyPQSignature ¶ added in v1.23.2
VerifyPQSignature verifies an ML-DSA signature given a public key
Types ¶
type Certificate ¶
type Certificate = ids.Certificate
Certificate is an alias to ids.Certificate
func ParseCertificate ¶
func ParseCertificate(bytes []byte) (*Certificate, error)
ParseCertificate parses a single certificate from the given ASN.1.
This function does not validate that the certificate is valid to be used against normal TLS implementations.
Ref: https://github.com/golang/go/blob/go1.19.12/src/crypto/x509/parser.go#L789-L968
type KMSConfig ¶ added in v1.23.33
type KMSConfig struct {
Endpoint string // KMS API endpoint (e.g., https://kms.dev.lux.network)
SecretPath string // Path to the staking secret (e.g., /staking/devnet/node-0)
AuthToken string // Bearer token for KMS auth
}
KMSConfig for staking key retrieval
type KMSStakingKeys ¶ added in v1.23.33
type KMSStakingKeys struct {
TLSKey string `json:"tls_key"` // PEM-encoded TLS private key
TLSCert string `json:"tls_cert"` // PEM-encoded TLS certificate
SignerKey string `json:"signer_key"` // BLS signer key (hex-encoded)
}
KMSStakingKeys holds the staking key material from KMS
func FetchFromKMS ¶ added in v1.23.33
func FetchFromKMS(cfg KMSConfig) (*KMSStakingKeys, error)
FetchFromKMS retrieves staking keys from a KMS endpoint.
func FetchFromKMSEnv ¶ added in v1.23.33
func FetchFromKMSEnv() (*KMSStakingKeys, error)
FetchFromKMSEnv reads KMS config from environment variables and fetches staking keys.
type MLDSAPublicKey ¶ added in v1.23.2
MLDSAPublicKey wraps an ML-DSA public key to satisfy the crypto.PublicKey interface
type PQKeyPair ¶ added in v1.23.2
PQKeyPair represents a post-quantum ML-DSA key pair for hybrid staking
func LoadPQKeyPair ¶ added in v1.23.2
LoadPQKeyPair loads an ML-DSA key pair from PEM files
func NewPQKeyPair ¶ added in v1.23.2
NewPQKeyPair generates a new ML-DSA-65 key pair (NIST Level 3, 192-bit security)
func (*PQKeyPair) PrivateKeyBytes ¶ added in v1.23.2
PrivateKeyBytes returns the serialized private key
func (*PQKeyPair) PublicKeyBytes ¶ added in v1.23.2
PublicKeyBytes returns the serialized public key
Source Files