modularize

adamspofford-dfinity · adamspofford-dfinity · commit 67d9d5d0eab9 · 2025-05-29T08:32:28.000-07:00
diff --git a/bin/icp-cli/src/commands/identity/default.rs b/bin/icp-cli/src/commands/identity/default.rs
@@ -10,14 +10,14 @@ pub struct DefaultCmd {
 }
 
 pub fn exec(env: &Env, cmd: DefaultCmd) -> Result<DefaultIdentityMessage, DefaultIdentityError> {
-    let list = icp_identity::load_identity_list(env.dirs())?;
+    let list = icp_identity::manifest::load_identity_list(env.dirs())?;
     ensure!(
         list.identities.contains_key(&cmd.name),
         NoSuchIdentitySnafu { name: &cmd.name }
     );
-    let mut defaults = icp_identity::load_identity_defaults(env.dirs())?;
+    let mut defaults = icp_identity::manifest::load_identity_defaults(env.dirs())?;
     defaults.default = cmd.name.clone();
-    icp_identity::write_identity_defaults(env.dirs(), &defaults)?;
+    icp_identity::manifest::write_identity_defaults(env.dirs(), &defaults)?;
     Ok(DefaultIdentityMessage {
         default: cmd.name.clone(),
     })
diff --git a/bin/icp-cli/src/commands/identity/import.rs b/bin/icp-cli/src/commands/identity/import.rs
@@ -6,7 +6,10 @@ use camino::{Utf8Path, Utf8PathBuf};
 use clap::{ArgGroup, Parser};
 use dialoguer::Password;
 use icp_fs::fs;
-use icp_identity::{CreateFormat, CreateIdentityError, IdentityKey};
+use icp_identity::{
+    CreateIdentityError,
+    key::{CreateFormat, IdentityKey},
+};
 use itertools::Itertools;
 use k256::{Secp256k1, SecretKey};
 use parse_display::Display;
@@ -122,7 +125,7 @@ fn import_from_pem(
         )?,
         _ => unreachable!(),
     };
-    icp_identity::create_identity(
+    icp_identity::key::create_identity(
         env.dirs(),
         name,
         IdentityKey::Secp256k1(key),
@@ -229,7 +232,7 @@ fn import_from_seed_phrase(env: &Env, name: &str, phrase: &str) -> Result<(), De
     let seed = Seed::new(&mnemonic, "");
     let pk = XPrv::derive_from_path(seed.as_bytes(), &path).context(DerivationSnafu)?;
     let key = SecretKey::from(pk.private_key());
-    icp_identity::create_identity(
+    icp_identity::key::create_identity(
         env.dirs(),
         name,
         IdentityKey::Secp256k1(key),
diff --git a/bin/icp-cli/src/commands/identity/list.rs b/bin/icp-cli/src/commands/identity/list.rs
@@ -9,8 +9,8 @@ use std::fmt::{self, Display, Formatter};
 pub struct ListCmd;
 
 pub fn exec(env: &Env, _cmd: ListCmd) -> Result<ListKeysMessage, ListKeysError> {
-    let list = icp_identity::load_identity_list(env.dirs())?;
-    let defaults = icp_identity::load_identity_defaults(env.dirs())?;
+    let list = icp_identity::manifest::load_identity_list(env.dirs())?;
+    let defaults = icp_identity::manifest::load_identity_defaults(env.dirs())?;
     Ok(ListKeysMessage {
         identities: list.identities.into_keys().collect_vec(),
         default: defaults.default,
diff --git a/bin/icp-cli/src/commands/identity/new.rs b/bin/icp-cli/src/commands/identity/new.rs
@@ -5,7 +5,10 @@ use bip39::{Language, Mnemonic, MnemonicType, Seed};
 use camino::Utf8PathBuf;
 use clap::Parser;
 use icp_fs::fs;
-use icp_identity::{CreateFormat, CreateIdentityError, IdentityKey};
+use icp_identity::{
+    CreateIdentityError,
+    key::{CreateFormat, IdentityKey},
+};
 use k256::SecretKey;
 use parse_display::Display;
 use serde::Serialize;
@@ -24,7 +27,7 @@ pub fn exec(env: &Env, cmd: NewCmd) -> Result<NewIdentityMessage, NewIdentityErr
     let seed = Seed::new(&mnemonic, "");
     let pk = XPrv::derive_from_path(seed.as_bytes(), &path).context(DerivationSnafu)?;
     let key = SecretKey::from(pk.private_key());
-    icp_identity::create_identity(
+    icp_identity::key::create_identity(
         env.dirs(),
         &cmd.name,
         IdentityKey::Secp256k1(key),
diff --git a/bin/icp-cli/src/env.rs b/bin/icp-cli/src/env.rs
@@ -39,14 +39,14 @@ impl Env {
     }
     pub fn load_identity(&self) -> Result<Arc<dyn Identity>, LoadIdentityError> {
         if let Some(identity) = &self.identity {
-            icp_identity::load_identity(
+            icp_identity::key::load_identity(
                 &self.dirs,
-                &icp_identity::load_identity_list(&self.dirs)?,
+                &icp_identity::manifest::load_identity_list(&self.dirs)?,
                 identity,
                 || todo!(),
             )
         } else {
-            icp_identity::load_identity_in_context(&self.dirs, || todo!())
+            icp_identity::key::load_identity_in_context(&self.dirs, || todo!())
         }
     }
     pub fn dirs(&self) -> &IcpCliDirs {
diff --git a/lib/icp-identity/src/key.rs b/lib/icp-identity/src/key.rs
@@ -0,0 +1,193 @@
+use crate::{
+    CreateIdentityError, LoadIdentityError, WriteIdentityError,
+    manifest::{
+        IdentityKeyAlgorithm, IdentityList, IdentitySpec, PemFormat, load_identity_defaults,
+        load_identity_list, write_identity_list,
+    },
+    s_create::*,
+    s_load::*,
+};
+use ic_agent::{
+    Identity,
+    identity::{AnonymousIdentity, Secp256k1Identity},
+};
+use icp_dirs::IcpCliDirs;
+use icp_fs::fs;
+use pem::Pem;
+use pkcs8::{
+    DecodePrivateKey, EncodePrivateKey, EncryptedPrivateKeyInfo, PrivateKeyInfo, SecretDocument,
+    pkcs5::pbes2::Parameters,
+};
+use rand::RngCore;
+use scrypt::Params;
+use sec1::{der::Decode, pem::PemLabel};
+use snafu::{OptionExt, ResultExt, ensure};
+use std::{
+    path::{Path, PathBuf},
+    sync::Arc,
+};
+use zeroize::Zeroizing;
+
+pub fn load_identity(
+    dirs: &IcpCliDirs,
+    list: &IdentityList,
+    name: &str,
+    password_func: impl FnOnce() -> Result<String, String>,
+) -> Result<Arc<dyn Identity>, LoadIdentityError> {
+    // todo support p256, ed25519
+    let identity = list
+        .identities
+        .get(name)
+        .context(NoSuchIdentitySnafu { name })?;
+    match identity {
+        IdentitySpec::Pem { format, algorithm } => {
+            load_pem_identity(dirs, name, format, algorithm, password_func)
+        }
+        IdentitySpec::Anonymous => Ok(Arc::new(AnonymousIdentity)),
+    }
+}
+
+fn load_pem_identity(
+    dirs: &IcpCliDirs,
+    name: &str,
+    format: &PemFormat,
+    algorithm: &IdentityKeyAlgorithm,
+    password_func: impl FnOnce() -> Result<String, String>,
+) -> Result<Arc<dyn Identity>, LoadIdentityError> {
+    let pem_path = key_pem_path(dirs, name);
+    let pem = fs::read_to_string(&pem_path)?;
+    let doc = pem
+        .parse::<Pem>()
+        .context(ParsePemSnafu { path: &pem_path })?;
+    match format {
+        PemFormat::Pbes2 => load_pbes2_identity(&doc, algorithm, password_func, &pem_path),
+        PemFormat::Plaintext => load_plaintext_identity(&doc, algorithm, &pem_path),
+    }
+}
+
+fn load_pbes2_identity(
+    doc: &Pem,
+    algorithm: &IdentityKeyAlgorithm,
+    password_func: impl FnOnce() -> Result<String, String>,
+    path: &Path,
+) -> Result<Arc<dyn Identity>, LoadIdentityError> {
+    assert!(
+        doc.tag() == pkcs8::EncryptedPrivateKeyInfo::PEM_LABEL,
+        "internal error: wrong identity format found"
+    );
+    let password =
+        password_func().map_err(|message| LoadIdentityError::GetPasswordError { message })?;
+    match algorithm {
+        IdentityKeyAlgorithm::Secp256k1 => {
+            let key = k256::SecretKey::from_pkcs8_encrypted_der(doc.contents(), &password)
+                .context(ParseKeySnafu { path })?;
+            Ok(Arc::new(Secp256k1Identity::from_private_key(key)))
+        }
+    }
+}
+
+fn load_plaintext_identity(
+    doc: &Pem,
+    algorithm: &IdentityKeyAlgorithm,
+    path: &Path,
+) -> Result<Arc<dyn Identity>, LoadIdentityError> {
+    assert!(
+        doc.tag() == PrivateKeyInfo::PEM_LABEL,
+        "internal error: wrong identity format found"
+    );
+    match algorithm {
+        IdentityKeyAlgorithm::Secp256k1 => {
+            let key =
+                k256::SecretKey::from_pkcs8_der(doc.contents()).context(ParseKeySnafu { path })?;
+            Ok(Arc::new(Secp256k1Identity::from_private_key(key)))
+        }
+    }
+}
+
+pub fn key_pem_path(dirs: &IcpCliDirs, name: &str) -> PathBuf {
+    dirs.identity_dir().join(format!("keys/{name}.pem"))
+}
+
+pub fn load_identity_in_context(
+    dirs: &IcpCliDirs,
+    password_func: impl FnOnce() -> Result<String, String>,
+) -> Result<Arc<dyn Identity>, LoadIdentityError> {
+    let defaults = load_identity_defaults(dirs)?;
+    let list = load_identity_list(dirs)?;
+    load_identity(dirs, &list, &defaults.default, password_func)
+}
+
+pub fn create_identity(
+    dirs: &IcpCliDirs,
+    name: &str,
+    key: IdentityKey,
+    format: CreateFormat,
+) -> Result<(), CreateIdentityError> {
+    let algorithm = match key {
+        IdentityKey::Secp256k1(_) => IdentityKeyAlgorithm::Secp256k1,
+    };
+    let pem_format = match format {
+        CreateFormat::Plaintext => PemFormat::Plaintext,
+        CreateFormat::Pbes2 { .. } => PemFormat::Pbes2,
+    };
+    let spec = IdentitySpec::Pem {
+        format: pem_format,
+        algorithm,
+    };
+    let mut identity_list = load_identity_list(dirs)?;
+    ensure!(
+        !identity_list.identities.contains_key(name),
+        IdentityAlreadyExistsSnafu { name }
+    );
+    let doc = match key {
+        IdentityKey::Secp256k1(key) => key.to_pkcs8_der().expect("infallible PKI encoding"),
+    };
+    let pem = match format {
+        CreateFormat::Plaintext => doc
+            .to_pem(PrivateKeyInfo::PEM_LABEL, Default::default())
+            .expect("infallible PKI encoding"),
+        CreateFormat::Pbes2 { password } => make_pkcs5_encrypted_pem(&doc, &password),
+    };
+    let pem_path = key_pem_path(dirs, name);
+    let parent = pem_path.parent().unwrap();
+    fs::create_dir_all(parent).map_err(WriteIdentityError::from)?;
+    fs::write(&pem_path, pem.as_bytes()).map_err(WriteIdentityError::from)?;
+    identity_list.identities.insert(name.to_string(), spec);
+    write_identity_list(dirs, &identity_list)?;
+    Ok(())
+}
+
+fn make_pkcs5_encrypted_pem(doc: &SecretDocument, password: &str) -> Zeroizing<String> {
+    let pki = PrivateKeyInfo::from_der(doc.as_bytes()).expect("infallible PKI roundtrip");
+    let mut salt = [0; 16];
+    let mut iv = [0; 16];
+    let mut rng = rand::rng();
+    rng.fill_bytes(&mut salt);
+    rng.fill_bytes(&mut iv);
+    let encrypted_doc = pki
+        .encrypt_with_params(
+            Parameters::scrypt_aes256cbc(
+                Params::new(17, 8, 1, 32).expect("valid scrypt params"),
+                &salt,
+                &iv,
+            )
+            .expect("valid pbes2 params"),
+            password,
+        )
+        .expect("infallible PKI encryption");
+    encrypted_doc
+        .to_pem(EncryptedPrivateKeyInfo::PEM_LABEL, Default::default())
+        .expect("infallible EPKI encoding")
+}
+
+#[derive(Debug, Clone)]
+pub enum IdentityKey {
+    Secp256k1(k256::SecretKey),
+}
+
+#[derive(Debug, Clone)]
+pub enum CreateFormat {
+    Plaintext,
+    Pbes2 { password: Zeroizing<String> },
+    // Keyring,
+}
diff --git a/lib/icp-identity/src/lib.rs b/lib/icp-identity/src/lib.rs
diff --git a/lib/icp-identity/src/manifest.rs b/lib/icp-identity/src/manifest.rs

Original file line number	Diff line number	Diff line change
`@@ -39,14 +39,14 @@ impl Env {`
`39`	`39`	`}`
`40`	`40`	`pub fn load_identity(&self) -> Result<Arc<dyn Identity>, LoadIdentityError> {`
`41`	`41`	`if let Some(identity) = &self.identity {`
`42`		`- icp_identity::load_identity(`
	`42`	`+ icp_identity::key::load_identity(`
`43`	`43`	`&self.dirs,`
`44`		`- &icp_identity::load_identity_list(&self.dirs)?,`
	`44`	`+ &icp_identity::manifest::load_identity_list(&self.dirs)?,`
`45`	`45`	`identity,`
`46`	`46`	`\|\| todo!(),`
`47`	`47`	`)`
`48`	`48`	`} else {`
`49`		`- icp_identity::load_identity_in_context(&self.dirs, \|\| todo!())`
	`49`	`+ icp_identity::key::load_identity_in_context(&self.dirs, \|\| todo!())`
`50`	`50`	`}`
`51`	`51`	`}`
`52`	`52`	`pub fn dirs(&self) -> &IcpCliDirs {`