An easy-to-host PDS on the ATProtocol, iPhone and MacOS. Maintain control of your keys and data, always.
style: apply cargo fmt to device_key module
+36
-17
+35
-16
apps/identity-wallet/src-tauri/src/device_key.rs
+35
-16
apps/identity-wallet/src-tauri/src/device_key.rs
···
52
52
Ok(bytes) => bytes,
53
53
Err(_) => {
54
54
// No key yet — generate a new P-256 keypair via the crypto crate.
55
-
let keypair = crypto::generate_p256_keypair()
56
-
.map_err(|_| DeviceKeyError::KeyGenerationFailed)?;
55
+
let keypair =
56
+
crypto::generate_p256_keypair().map_err(|_| DeviceKeyError::KeyGenerationFailed)?;
57
57
// Deref Zeroizing<[u8; 32]> to [u8; 32], then collect as Vec<u8>.
58
58
let bytes = keypair.private_key_bytes.to_vec();
59
-
crate::keychain::store_item(ACCOUNT, &bytes)
60
-
.map_err(|e| DeviceKeyError::KeychainError { message: e.to_string() })?;
59
+
crate::keychain::store_item(ACCOUNT, &bytes).map_err(|e| {
60
+
DeviceKeyError::KeychainError {
61
+
message: e.to_string(),
62
+
}
63
+
})?;
61
64
bytes
62
65
}
63
66
};
64
67
65
68
// Reconstruct the public key from stored private bytes.
66
-
let signing_key = SigningKey::from_slice(&private_bytes)
67
-
.map_err(|_| DeviceKeyError::KeychainError { message: "invalid stored key bytes".into() })?;
69
+
let signing_key =
70
+
SigningKey::from_slice(&private_bytes).map_err(|_| DeviceKeyError::KeychainError {
71
+
message: "invalid stored key bytes".into(),
72
+
})?;
68
73
let encoded = signing_key.verifying_key().to_encoded_point(true); // compressed (33 bytes)
69
74
let compressed = encoded.as_bytes();
70
75
let multibase = multibase::encode(multibase::Base::Base58Btc, compressed);
···
76
81
let mut multikey = Vec::with_capacity(2 + compressed.len());
77
82
multikey.extend_from_slice(P256_MULTICODEC);
78
83
multikey.extend_from_slice(compressed);
79
-
let key_id = format!("did:key:{}", multibase::encode(multibase::Base::Base58Btc, &multikey));
84
+
let key_id = format!(
85
+
"did:key:{}",
86
+
multibase::encode(multibase::Base::Base58Btc, &multikey)
87
+
);
80
88
81
89
Ok(DevicePublicKey { multibase, key_id })
82
90
}
83
91
84
92
#[cfg(any(target_os = "macos", all(target_os = "ios", target_env = "sim")))]
85
93
pub fn sign(data: &[u8]) -> Result<Vec<u8>, DeviceKeyError> {
86
-
use p256::ecdsa::{Signature, SigningKey};
87
94
use p256::ecdsa::signature::Signer;
95
+
use p256::ecdsa::{Signature, SigningKey};
88
96
89
97
const ACCOUNT: &str = "device-rotation-key-priv";
90
98
91
99
// If the key doesn't exist, signal that get_or_create must be called first.
92
-
let private_bytes = crate::keychain::get_item(ACCOUNT)
93
-
.map_err(|_| DeviceKeyError::KeyNotFound)?;
100
+
let private_bytes =
101
+
crate::keychain::get_item(ACCOUNT).map_err(|_| DeviceKeyError::KeyNotFound)?;
94
102
95
-
let signing_key = SigningKey::from_slice(&private_bytes)
96
-
.map_err(|_| DeviceKeyError::SigningFailed)?;
103
+
let signing_key =
104
+
SigningKey::from_slice(&private_bytes).map_err(|_| DeviceKeyError::SigningFailed)?;
97
105
98
106
// sign() uses the deterministic Signer impl (RFC 6979 nonce).
99
107
// It internally hashes `data` with SHA-256 before signing.
···
129
137
#[test]
130
138
fn get_or_create_returns_valid_multibase() {
131
139
let result = get_or_create().expect("get_or_create should succeed");
132
-
assert!(result.multibase.starts_with('z'), "multibase must start with 'z'");
140
+
assert!(
141
+
result.multibase.starts_with('z'),
142
+
"multibase must start with 'z'"
143
+
);
133
144
let (_, decoded) = multibase::decode(&result.multibase).expect("multibase must decode");
134
145
assert_eq!(decoded.len(), 33, "compressed P-256 point must be 33 bytes");
135
146
}
···
139
150
fn get_or_create_is_idempotent() {
140
151
let first = get_or_create().expect("first call should succeed");
141
152
let second = get_or_create().expect("second call should succeed");
142
-
assert_eq!(first.multibase, second.multibase, "multibase must be stable");
153
+
assert_eq!(
154
+
first.multibase, second.multibase,
155
+
"multibase must be stable"
156
+
);
143
157
assert_eq!(first.key_id, second.key_id, "key_id must be stable");
144
158
}
145
159
···
168
182
get_or_create().expect("must have key before signing");
169
183
let sig1 = sign(b"determinism test").expect("first sign should succeed");
170
184
let sig2 = sign(b"determinism test").expect("second sign should succeed");
171
-
assert_eq!(sig1, sig2, "same data with same key must produce same signature");
185
+
assert_eq!(
186
+
sig1, sig2,
187
+
"same data with same key must produce same signature"
188
+
);
172
189
}
173
190
174
191
// AC3.3 — sign before get_or_create returns KeyNotFound
···
195
212
let json2 = serde_json::to_value(&err2).unwrap();
196
213
assert_eq!(json2["code"], "KEY_NOT_FOUND");
197
214
198
-
let err3 = DeviceKeyError::KeychainError { message: "os error".into() };
215
+
let err3 = DeviceKeyError::KeychainError {
216
+
message: "os error".into(),
217
+
};
199
218
let json3 = serde_json::to_value(&err3).unwrap();
200
219
assert_eq!(json3["code"], "KEYCHAIN_ERROR");
201
220
assert_eq!(json3["message"], "os error");