Skip to main content

breez_sdk_spark/signer/
mod.rs

1use crate::SdkError;
2use bitcoin::bip32::DerivationPath;
3use bitcoin::hashes::{Hmac, sha256};
4use bitcoin::secp256k1::{self, Message, ecdsa::RecoverableSignature};
5
6/// Core signing capability: key derivation and ECDSA/Schnorr signatures. Every
7/// signer provides this. ECIES and HMAC are separate, optional capabilities
8/// (see [`EciesSigner`], [`HmacSigner`]): a policy-restricted signer that can't
9/// release key material provides signing only.
10#[macros::async_trait]
11pub trait BreezSigner: Send + Sync {
12    /// Signs a pre-hashed message using ECDSA at the given derivation path.
13    ///
14    /// The caller must create the Message from a 32-byte hash digest before calling this method.
15    async fn sign_ecdsa(
16        &self,
17        message: Message,
18        path: &DerivationPath,
19    ) -> Result<secp256k1::ecdsa::Signature, SdkError>;
20
21    /// Signs a pre-hashed message using recoverable ECDSA at the given derivation path.
22    ///
23    /// The caller must create the Message from a 32-byte hash digest before calling.
24    async fn sign_ecdsa_recoverable(
25        &self,
26        message: Message,
27        path: &DerivationPath,
28    ) -> Result<RecoverableSignature, SdkError>;
29
30    async fn sign_hash_schnorr(
31        &self,
32        hash: &[u8],
33        path: &DerivationPath,
34    ) -> Result<secp256k1::schnorr::Signature, SdkError>;
35
36    async fn derive_public_key(
37        &self,
38        path: &DerivationPath,
39    ) -> Result<secp256k1::PublicKey, SdkError>;
40}
41
42/// ECIES encryption/decryption, keyed off a derivation path. Optional: it needs
43/// local access to key material, so a signer that keeps keys in a restricted
44/// enclave may not offer it.
45#[macros::async_trait]
46pub trait EciesSigner: Send + Sync {
47    async fn encrypt_ecies(
48        &self,
49        message: &[u8],
50        path: &DerivationPath,
51    ) -> Result<Vec<u8>, SdkError>;
52
53    async fn decrypt_ecies(
54        &self,
55        message: &[u8],
56        path: &DerivationPath,
57    ) -> Result<Vec<u8>, SdkError>;
58}
59
60/// HMAC-SHA256 keyed off a derivation path (LNURL-auth). Optional: it needs
61/// local access to key material, so a signer that keeps keys in a restricted
62/// enclave may not offer it.
63#[macros::async_trait]
64pub trait HmacSigner: Send + Sync {
65    /// Computes HMAC-SHA256 using a key derived at the given path.
66    async fn hmac_sha256(
67        &self,
68        key_path: &DerivationPath,
69        input: &[u8],
70    ) -> Result<Hmac<sha256::Hash>, SdkError>;
71}
72
73// External signer support - private adapter
74mod adapter;
75mod default_external;
76mod default_external_spark;
77
78// External spark signer support - private adapter
79mod external_spark_adapter;
80
81// Public external signer API
82pub mod external;
83pub mod external_spark;
84pub mod external_spark_types;
85pub mod external_types;
86
87// Re-export only the external signer traits and types
88pub use external::{ExternalBreezSigner, ExternalSigningSigner};
89pub use external_spark::ExternalSparkSigner;
90pub use external_spark_types::*;
91pub use external_types::*;
92
93// Internal-only exports (used by adapter and builder)
94pub(crate) use adapter::{ExternalBreezSignerAdapter, ExternalSigningSignerAdapter};
95pub(crate) use default_external::DefaultExternalSigner;
96pub(crate) use default_external_spark::DefaultExternalSparkSigner;
97pub(crate) use external_spark_adapter::ExternalSparkSignerAdapter;
98pub mod breez;
99pub mod lnurl_auth;
100pub mod rtsync;