Runar Keys

Standards-compliant key and certificate management for the Runar network.

Highlights

• X.509 certificates with proper CA hierarchy (user/mobile CA → node certs)
• Single cryptographic suite: ECDSA P-256 for signing; AES-GCM for symmetric
• CSR-based issuance and full signature/validity verification
• Envelope encryption helpers for network and profile keys

Install

[dependencies]
runar-keys = "0.1"

Quick start

use runar_common::logging::{Component, Logger};
use runar_keys::{MobileKeyManager, CertificateRequest};
use std::sync::Arc;

let logger = Arc::new(Logger::new_root(Component::Node, "node-123"));
let mut mobile = MobileKeyManager::new(logger)?;

// Initialize mobile user identity and derive agreement pubkey
let _user_agreement_pub = mobile.initialize_user_identity()?;

// Node side: generate key pair and CSR subject
let subject = "CN=node-123,O=Runar,C=US";
let node_key = runar_keys::certificate::EcdsaKeyPair::new()?;
let csr_der = CertificateRequest::create(&node_key, subject)?;

// Simulated setup token
let setup = runar_keys::mobile::SetupToken {
    node_public_key: node_key.public_key_bytes(),
    node_agreement_public_key: node_key.public_key_bytes(),
    csr_der,
    node_id: "node-123".into(),
};

// Mobile issues the certificate
let msg = mobile.process_setup_token(&setup)?;
mobile.validate_certificate(&msg.node_certificate)?;

Envelope encryption

// Generate a network data key and encrypt data for the network and profile
let network_id = mobile.generate_network_data_key()?;
let profile_pub = mobile.derive_user_profile_key("default")?;

let env = mobile.encrypt_with_envelope(b"secret", Some(&network_id), vec![profile_pub])?;
let pt = mobile.decrypt_with_network(&env)?;
assert_eq!(pt, b"secret");

MSRV

Minimum supported Rust version: 1.70.0

License

MIT license. See LICENSE.