staking

package
v1.23.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 26, 2026 License: BSD-3-Clause Imports: 25 Imported by: 5

Documentation

Index

Constants

View Source 
const (
	MaxCertificateLen = 2 * constants.KiB
)

Variables

View Source 
var (
	ErrCertificateTooLarge                   = fmt.Errorf("staking: certificate length is greater than %d", MaxCertificateLen)
	ErrMalformedCertificate                  = errors.New("staking: malformed certificate")
	ErrMalformedTBSCertificate               = errors.New("staking: malformed tbs certificate")
	ErrMalformedVersion                      = errors.New("staking: malformed version")
	ErrMalformedSerialNumber                 = errors.New("staking: malformed serial number")
	ErrMalformedSignatureAlgorithmIdentifier = errors.New("staking: malformed signature algorithm identifier")
	ErrMalformedIssuer                       = errors.New("staking: malformed issuer")
	ErrMalformedValidity                     = errors.New("staking: malformed validity")
	ErrMalformedSPKI                         = errors.New("staking: malformed spki")
	ErrMalformedPublicKeyAlgorithmIdentifier = errors.New("staking: malformed public key algorithm identifier")
	ErrMalformedSubjectPublicKey             = errors.New("staking: malformed subject public key")
	ErrMalformedOID                          = errors.New("staking: malformed oid")
	ErrInvalidRSAPublicKey                   = errors.New("staking: invalid RSA public key")
	ErrInvalidRSAModulus                     = errors.New("staking: invalid RSA modulus")
	ErrInvalidRSAPublicExponent              = errors.New("staking: invalid RSA public exponent")
	ErrRSAModulusNotPositive                 = errors.New("staking: RSA modulus is not a positive number")
	ErrUnsupportedRSAModulusBitLen           = errors.New("staking: unsupported RSA modulus bitlen")
	ErrRSAModulusIsEven                      = errors.New("staking: RSA modulus is an even number")
	ErrUnsupportedRSAPublicExponent          = errors.New("staking: unsupported RSA public exponent")
	ErrFailedUnmarshallingEllipticCurvePoint = errors.New("staking: failed to unmarshal elliptic curve point")
	ErrUnknownPublicKeyAlgorithm             = errors.New("staking: unknown public key algorithm")
)
View Source 
var (
	ErrMLDSAVerificationFailure = errors.New("staking: ML-DSA verification failure")
	ErrInvalidPQKeySize         = errors.New("staking: invalid post-quantum key size")
)
View Source 
var (
	ErrUnsupportedAlgorithm     = errors.New("staking: cannot verify signature: unsupported algorithm")
	ErrECDSAVerificationFailure = errors.New("staking: ECDSA verification failure")
)

Functions

func CheckHybridSignature added in v1.23.2 

func CheckHybridSignature(cert *Certificate, pqPubKey []byte, msg []byte, classicalSig, pqSig []byte) error

CheckHybridSignature verifies both classical (ECDSA/RSA) and post-quantum (ML-DSA) signatures. This provides defense-in-depth: if either algorithm is broken, the other still protects.

func CheckSignature 

func CheckSignature(cert *Certificate, msg []byte, signature []byte) error

CheckSignature verifies that the signature is a valid signature over signed from the certificate.

Ref: https://github.com/golang/go/blob/go1.19.12/src/crypto/x509/x509.go#L793-L797 Ref: https://github.com/golang/go/blob/go1.19.12/src/crypto/x509/x509.go#L816-L879

func InitNodePQKeyPair added in v1.23.2 

func InitNodePQKeyPair(keyPath, pubKeyPath string) error

InitNodePQKeyPair generates and stores an ML-DSA key pair for hybrid staking. The keys will be placed at [keyPath] and [pubKeyPath]. If there is already a file at [keyPath], returns nil (no-op).

func InitNodeStakingKeyPair 

func InitNodeStakingKeyPair(keyPath, certPath string) error

InitNodeStakingKeyPair generates a self-signed TLS key/cert pair to use in staking. The key and files will be placed at [keyPath] and [certPath], respectively. If there is already a file at [keyPath], returns nil.

func LoadTLSCertFromBytes 

func LoadTLSCertFromBytes(keyBytes, certBytes []byte) (*tls.Certificate, error)

func LoadTLSCertFromFiles 

func LoadTLSCertFromFiles(keyPath, certPath string) (*tls.Certificate, error)

func NewCertAndKeyBytes 

func NewCertAndKeyBytes() ([]byte, []byte, error)

Creates a new staking private key / staking certificate pair. Returns the PEM byte representations of both.

func NewCertAndKeyBytesFromKey added in v1.22.45 

func NewCertAndKeyBytesFromKey(key *ecdsa.PrivateKey) ([]byte, []byte, error)

NewCertAndKeyBytesFromKey creates a staking cert from an existing ECDSA P-256 private key. This allows deterministic NodeID generation from a seed. IMPORTANT: Uses deterministic signing for reproducible certificates.

func NewTLSCert 

func NewTLSCert() (*tls.Certificate, error)

func ValidateRSAPublicKeyIsWellFormed 

func ValidateRSAPublicKeyIsWellFormed(pub *rsa.PublicKey) error

ValidateRSAPublicKeyIsWellFormed validates the given RSA public key

func VerifyPQSignature added in v1.23.2 

func VerifyPQSignature(pubKeyBytes, msg, sig []byte) error

VerifyPQSignature verifies an ML-DSA signature given a public key

Types

type Certificate 

type Certificate = ids.Certificate

Certificate is an alias to ids.Certificate

func ParseCertificate 

func ParseCertificate(bytes []byte) (*Certificate, error)

ParseCertificate parses a single certificate from the given ASN.1.

This function does not validate that the certificate is valid to be used against normal TLS implementations.

Ref: https://github.com/golang/go/blob/go1.19.12/src/crypto/x509/parser.go#L789-L968

type MLDSAPublicKey added in v1.23.2 

type MLDSAPublicKey struct {
	Key  *mldsa.PublicKey
	Mode mldsa.Mode
}

MLDSAPublicKey wraps an ML-DSA public key to satisfy the crypto.PublicKey interface

type PQKeyPair added in v1.23.2 

type PQKeyPair struct {
	PrivateKey *mldsa.PrivateKey
	PublicKey  *mldsa.PublicKey
	Mode       mldsa.Mode
}

PQKeyPair represents a post-quantum ML-DSA key pair for hybrid staking

func LoadPQKeyPair added in v1.23.2 

func LoadPQKeyPair(keyPath, pubKeyPath string) (*PQKeyPair, error)

LoadPQKeyPair loads an ML-DSA key pair from PEM files

func NewPQKeyPair added in v1.23.2 

func NewPQKeyPair() (*PQKeyPair, error)

NewPQKeyPair generates a new ML-DSA-65 key pair (NIST Level 3, 192-bit security)

func (*PQKeyPair) PrivateKeyBytes added in v1.23.2 

func (kp *PQKeyPair) PrivateKeyBytes() []byte

PrivateKeyBytes returns the serialized private key

func (*PQKeyPair) PublicKeyBytes added in v1.23.2 

func (kp *PQKeyPair) PublicKeyBytes() []byte

PublicKeyBytes returns the serialized public key

func (*PQKeyPair) Sign added in v1.23.2 

func (kp *PQKeyPair) Sign(msg []byte) ([]byte, error)

Sign creates an ML-DSA signature over the given message

func (*PQKeyPair) Verify added in v1.23.2 

func (kp *PQKeyPair) Verify(msg, sig []byte) bool

Verify checks an ML-DSA signature

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.