initial commit

Signed-off-by: Kamal Tufekcic <kamal@lo.sh>

soliton_py/src/identity.rs

@@ -0,0 +1,112 @@
+//! Identity key management: keygen, sign, verify, fingerprint.
+
+use crate::errors::to_py_err;
+use pyo3::prelude::*;
+use pyo3::types::PyBytes;
+
+/// An identity keypair (X-Wing + Ed25519 + ML-DSA-65).
+///
+/// Secret key material is zeroized when this object is garbage collected.
+/// For deterministic cleanup, call `close()` explicitly or use as a context
+/// manager: `with Identity.generate() as id: ...`
+#[pyclass]
+pub struct Identity {
+    pk: soliton::identity::IdentityPublicKey,
+    sk: Option<soliton::identity::IdentitySecretKey>,
+}
+
+#[pymethods]
+impl Identity {
+    /// Generate a fresh identity keypair.
+    #[staticmethod]
+    fn generate() -> PyResult<Self> {
+        let id = soliton::identity::generate_identity().map_err(to_py_err)?;
+        Ok(Self {
+            pk: id.public_key,
+            sk: Some(id.secret_key),
+        })
+    }
+
+    /// Reconstruct from serialized public + secret key bytes.
+    #[staticmethod]
+    fn from_bytes(pk_bytes: &[u8], sk_bytes: &[u8]) -> PyResult<Self> {
+        let pk = soliton::identity::IdentityPublicKey::from_bytes(pk_bytes.to_vec())
+            .map_err(to_py_err)?;
+        let sk = soliton::identity::IdentitySecretKey::from_bytes(sk_bytes.to_vec())
+            .map_err(to_py_err)?;
+        Ok(Self { pk, sk: Some(sk) })
+    }
+
+    /// Reconstruct a public-key-only identity (cannot sign).
+    #[staticmethod]
+    fn from_public_bytes(pk_bytes: &[u8]) -> PyResult<Self> {
+        let pk = soliton::identity::IdentityPublicKey::from_bytes(pk_bytes.to_vec())
+            .map_err(to_py_err)?;
+        Ok(Self { pk, sk: None })
+    }
+
+    /// Public key bytes.
+    fn public_key<'py>(&self, py: Python<'py>) -> Py<PyBytes> {
+        PyBytes::new(py, self.pk.as_bytes()).into()
+    }
+
+    /// Secret key bytes. Raises if this is a public-key-only identity.
+    fn secret_key<'py>(&self, py: Python<'py>) -> PyResult<Py<PyBytes>> {
+        let sk = self
+            .sk
+            .as_ref()
+            .ok_or_else(|| crate::errors::InvalidDataError::new_err("no secret key"))?;
+        Ok(PyBytes::new(py, sk.as_bytes()).into())
+    }
+
+    /// SHA3-256 fingerprint of the public key (32 bytes).
+    fn fingerprint<'py>(&self, py: Python<'py>) -> Py<PyBytes> {
+        let fp = soliton::primitives::sha3_256::hash(self.pk.as_bytes());
+        PyBytes::new(py, &fp).into()
+    }
+
+    /// Hex-encoded fingerprint.
+    fn fingerprint_hex(&self) -> String {
+        soliton::primitives::sha3_256::fingerprint_hex(self.pk.as_bytes())
+    }
+
+    /// Hybrid sign (Ed25519 + ML-DSA-65).
+    fn sign<'py>(&self, py: Python<'py>, message: &[u8]) -> PyResult<Py<PyBytes>> {
+        let sk = self
+            .sk
+            .as_ref()
+            .ok_or_else(|| crate::errors::InvalidDataError::new_err("no secret key"))?;
+        let sig = soliton::identity::hybrid_sign(sk, message).map_err(to_py_err)?;
+        Ok(PyBytes::new(py, sig.as_bytes()).into())
+    }
+
+    /// Verify a hybrid signature against this identity's public key.
+    fn verify(&self, message: &[u8], signature: &[u8]) -> PyResult<()> {
+        let sig = soliton::identity::HybridSignature::from_bytes(signature.to_vec())
+            .map_err(to_py_err)?;
+        soliton::identity::hybrid_verify(&self.pk, message, &sig).map_err(to_py_err)
+    }
+
+    /// Zeroize the secret key immediately.
+    fn close(&mut self) {
+        self.sk = None;
+    }
+
+    fn __enter__(slf: Py<Self>) -> Py<Self> {
+        slf
+    }
+
+    fn __exit__(
+        &mut self,
+        _exc_type: Option<&Bound<'_, PyAny>>,
+        _exc_val: Option<&Bound<'_, PyAny>>,
+        _exc_tb: Option<&Bound<'_, PyAny>>,
+    ) {
+        self.close();
+    }
+}
+
+pub fn register(m: &Bound<'_, PyModule>) -> PyResult<()> {
+    m.add_class::<Identity>()?;
+    Ok(())
+}