# Crate ic_crypto_key_validation

Library crate for verifying the validity of a node's public key material.

Such verification is used, for example, to ensure that only valid node key material is stored in the registry or to check registry invariants.

Use `ValidNodePublicKeys::try_from(keys, node_id)` to perform the validation checks.

Validation of a *node's signing key* includes verifying that

- the key is present and well-formed
- the node ID derived from the key matches the `node_id`
- the public key is valid, which includes checking that the key is a point on the curve and in the right subgroup

Validation of a *node's committee signing key* includes verifying that

- the key is present and well-formed
- the public key's proof of possession (PoP) is valid
- the public key is a point on the curve and in the right subgroup

Validation of a *node's DKG dealing encryption key* includes verifying that

- the key is present and well-formed
- the public key's proof of possession (PoP) is valid
- the public key is a point on the curve and in the right subgroup

Validation of a *node's TLS certificate* includes verifying that

- the certificate is present and well-formed, i.e., formatted in X.509 version 3 and DER-encoded
- the certificate has a single subject common name (CN) that matches the `node_id`
- the certificate has a single issuer common name (CN) that matches the subject CN (indicating that the certificate is self-signed)
- the certificate is NOT for a certificate authority. This means either 1) there are no BasicConstraints extensions, or 2) if there are BasicConstraints then one is `CA` and it's set to `False`.
- the certificate's notBefore date is at the latest two minutes from now. This is to ensure that the certificate is already valid or becomes valid shortly. The grace period is to account for potential clock differences.
- the certificate's notAfter date indicates according to RFC 5280 (section 4.1.2.5) that the certificate has no well-defined expiration date.
- the certificate's signature algorithm is Ed25519 (OID 1.3.101.112)
- the certificate's public key is valid, which includes checking that the key is a point on the curve and in the right subgroup
- the certificate's signature is valid w.r.t. the certificate's public key, that is, the certificate is correctly self-signed
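
The non-cryptographic certificate rules above, modelled over already-parsed fields, as an added example that is not the crate's own code. `ParsedCert`, `PolicyError`, `check_policy` and `sample` are hypothetical names; X.509 parsing, the curve and subgroup checks and signature verification are assumed to happen elsewhere, and the grace-period boundary is treated as inclusive.

```rust
// Added example; all names are hypothetical, not the crate's API.
const GRACE_SECS: u64 = 120; // notBefore may lie up to two minutes ahead
const NO_EXPIRY: &str = "99991231235959Z"; // RFC 5280, section 4.1.2.5
const ED25519_OID: &str = "1.3.101.112";

#[derive(Debug, PartialEq)]
pub enum PolicyError { SubjectCn, IssuerCn, IsCa, NotYetValid, HasExpiry, SigAlg }

/// Fields assumed to be already extracted from a DER-encoded X.509 v3 certificate.
pub struct ParsedCert {
    pub subject_cns: Vec<String>,
    pub issuer_cns: Vec<String>,
    pub basic_constraints_ca: Option<bool>, // None = no BasicConstraints extension
    pub not_before_unix: u64,
    pub not_after: String, // GeneralizedTime string
    pub sig_alg_oid: String,
}

pub fn check_policy(c: &ParsedCert, node_id: &str, now_unix: u64) -> Result<(), PolicyError> {
    use PolicyError::*;
    // A single subject CN that equals the node ID.
    if c.subject_cns.len() != 1 || c.subject_cns[0] != node_id { return Err(SubjectCn); }
    // A single issuer CN equal to the subject CN (self-signed).
    if c.issuer_cns.len() != 1 || c.issuer_cns[0] != c.subject_cns[0] { return Err(IssuerCn); }
    // Not a CA: extension absent, or present with CA = False.
    if c.basic_constraints_ca == Some(true) { return Err(IsCa); }
    // Already valid, or valid within the grace period.
    if c.not_before_unix > now_unix.saturating_add(GRACE_SECS) { return Err(NotYetValid); }
    // No well-defined expiration date.
    if c.not_after != NO_EXPIRY { return Err(HasExpiry); }
    if c.sig_alg_oid != ED25519_OID { return Err(SigAlg); }
    Ok(())
}

/// Constructed sample: a certificate that satisfies every rule for `node-1` at t = 1_000_000.
pub fn sample() -> ParsedCert {
    ParsedCert {
        subject_cns: vec!["node-1".into()],
        issuer_cns: vec!["node-1".into()],
        basic_constraints_ca: None,
        not_before_unix: 1_000_000 + 60,
        not_after: NO_EXPIRY.into(),
        sig_alg_oid: ED25519_OID.into(),
    }
}

fn main() {
    println!("{:?}", check_policy(&sample(), "node-1", 1_000_000));
}
```
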

## Structs

| Struct | Description |
|---|---|
| KeyValidationError | A key validation error. |
| ValidNodePublicKeys | Validated public key material of a node. |