feat: support fixed identity

Cargo.toml

@@ -34,8 +34,11 @@ ic-cdk = "0.17"
 ic-cdk-timers = "0.11"
 ic-stable-structures = "0.6"
 icrc-ledger-types = "0.1"
+ic-certification = "2.6"
+ic-canister-sig-creation = "1.1"
 getrandom = { version = "0.2", features = ["custom"] }
 coset = "0.3"
 aes-gcm = "0.10"
 ic-crypto-secp256k1 = { git = "https://github.com/dfinity/ic/", rev = "5d202894864f4db4a5a46f44422aebc80c3d321b" }
 ic-crypto-ed25519 = { git = "https://github.com/dfinity/ic/", rev = "5d202894864f4db4a5a46f44422aebc80c3d321b" }
+ic-crypto-standalone-sig-verifier = { git = "https://github.com/dfinity/ic/", rev = "5d202894864f4db4a5a46f44422aebc80c3d321b" }

canister_ids.json

@@ -1,5 +1,9 @@
 {
+  "__Candid_UI": {
+    "local": "bnz7o-iuaaa-aaaaa-qaaaa-cai"
+  },
   "ic_cose_canister": {
-    "ic": "53cyg-yyaaa-aaaap-ahpua-cai"
+    "ic": "53cyg-yyaaa-aaaap-ahpua-cai",
+    "local": "53cyg-yyaaa-aaaap-ahpua-cai"
   }
 }

src/ic_cose_canister/Cargo.toml

@@ -25,5 +25,8 @@ ic-cdk-timers = { workspace = true }
 ic-stable-structures = { workspace = true }
 ic-crypto-secp256k1 = { workspace = true }
 ic-crypto-ed25519 = { workspace = true }
+ic-canister-sig-creation = { workspace = true }
+ic-certification = { workspace = true }
+ic-crypto-standalone-sig-verifier = { workspace = true }
 getrandom = { version = "0.2", features = ["custom"] }
 ic_cose_types = { path = "../ic_cose_types", version = "0.4" }

src/ic_cose_canister/README.md

@@ -23,31 +23,43 @@
   ecdh_cose_encrypted_key : (SettingPath, ECDHInput) -> (Result_3);
   ecdsa_public_key : (opt PublicKeyInput) -> (Result_4) query;
   ecdsa_sign : (SignInput) -> (Result_5);
+  get_delegation : (blob, blob, nat64) -> (Result_6) query;
   namespace_add_auditors : (text, vec principal) -> (Result);
+  namespace_add_delegator : (NamespaceDelegatorsInput) -> (Result_7);
   namespace_add_managers : (text, vec principal) -> (Result);
   namespace_add_users : (text, vec principal) -> (Result);
+  namespace_get_delegators : (text, text) -> (Result_7) query;
+  namespace_get_fixed_identity : (text, text) -> (Result_8) query;
   namespace_get_info : (text) -> (Result_1) query;
   namespace_remove_auditors : (text, vec principal) -> (Result);
+  namespace_remove_delegator : (NamespaceDelegatorsInput) -> (Result);
   namespace_remove_managers : (text, vec principal) -> (Result);
   namespace_remove_users : (text, vec principal) -> (Result);
-  namespace_top_up : (text, nat) -> (Result_6);
+  namespace_sign_delegation : (SignDelegationInput) -> (Result_9);
+  namespace_top_up : (text, nat) -> (Result_10);
   namespace_update_info : (UpdateNamespaceInput) -> (Result);
   schnorr_public_key : (SchnorrAlgorithm, opt PublicKeyInput) -> (
       Result_4,
     ) query;
   schnorr_sign : (SchnorrAlgorithm, SignInput) -> (Result_5);
   schnorr_sign_identity : (SchnorrAlgorithm, SignIdentityInput) -> (Result_5);
   setting_add_readers : (SettingPath, vec principal) -> (Result);
-  setting_create : (SettingPath, CreateSettingInput) -> (Result_7);
-  setting_get : (SettingPath) -> (Result_8) query;
-  setting_get_archived_payload : (SettingPath) -> (Result_9) query;
-  setting_get_info : (SettingPath) -> (Result_8) query;
+  setting_create : (SettingPath, CreateSettingInput) -> (Result_11);
+  setting_get : (SettingPath) -> (Result_12) query;
+  setting_get_archived_payload : (SettingPath) -> (Result_13) query;
+  setting_get_info : (SettingPath) -> (Result_12) query;
   setting_remove_readers : (SettingPath, vec principal) -> (Result);
-  setting_update_info : (SettingPath, UpdateSettingInfoInput) -> (Result_7);
+  setting_update_info : (SettingPath, UpdateSettingInfoInput) -> (Result_11);
   setting_update_payload : (SettingPath, UpdateSettingPayloadInput) -> (
-      Result_7,
+      Result_11,
     );
-  state_get_info : () -> (Result_10) query;
+  state_get_info : () -> (Result_14) query;
+  validate2_admin_add_allowed_apis : (vec text) -> (Result_15);
+  validate2_admin_add_auditors : (vec principal) -> (Result_15);
+  validate2_admin_add_managers : (vec principal) -> (Result_15);
+  validate2_admin_remove_allowed_apis : (vec text) -> (Result_15);
+  validate2_admin_remove_auditors : (vec principal) -> (Result_15);
+  validate2_admin_remove_managers : (vec principal) -> (Result_15);
   validate_admin_add_allowed_apis : (vec text) -> (Result);
   validate_admin_add_auditors : (vec principal) -> (Result);
   validate_admin_add_managers : (vec principal) -> (Result);
@@ -67,6 +79,7 @@ Deploy to local network:
 dfx deploy ic_cose_canister
 
 # or with arguments
+# dfx canister create --specified-id 53cyg-yyaaa-aaaap-ahpua-cai ic_cose_canister
 dfx deploy ic_cose_canister --argument "(opt variant {Init =
   record {
     name = \"LDC Labs\";

src/ic_cose_canister/ic_cose_canister.did

@@ -1,5 +1,5 @@
-type ChainArgs = variant { Upgrade : UpgradeArgs; Init : InitArgs };
 type CreateNamespaceInput = record {
+  session_expires_in_ms : opt nat64;
   managers : vec principal;
   desc : opt text;
   name : text;
@@ -20,6 +20,11 @@ type CreateSettingOutput = record {
   created_at : nat64;
   version : nat32;
 };
+type Delegation = record {
+  pubkey : blob;
+  targets : opt vec principal;
+  expiration : nat64;
+};
 type ECDHInput = record { public_key : blob; nonce : blob };
 type ECDHOutput = record { public_key : blob; payload : blob };
 type InitArgs = record {
@@ -32,9 +37,16 @@ type InitArgs = record {
   subnet_size : nat64;
   vetkd_key_name : text;
 };
+type InstallArgs = variant { Upgrade : UpgradeArgs; Init : InitArgs };
+type NamespaceDelegatorsInput = record {
+  ns : text;
+  delegators : vec principal;
+  name : text;
+};
 type NamespaceInfo = record {
   status : int8;
   updated_at : nat64;
+  session_expires_in_ms : nat64;
   managers : vec principal;
   payload_bytes_total : nat64;
   desc : text;
@@ -43,6 +55,7 @@ type NamespaceInfo = record {
   created_at : nat64;
   auditors : vec principal;
   settings_total : nat64;
+  fixed_id_names : vec record { text; vec principal };
   user_settings_total : nat64;
   users : vec principal;
   visibility : nat8;
@@ -52,16 +65,20 @@ type PublicKeyInput = record { ns : text; derivation_path : vec blob };
 type PublicKeyOutput = record { public_key : blob; chain_code : blob };
 type Result = variant { Ok; Err : text };
 type Result_1 = variant { Ok : NamespaceInfo; Err : text };
-type Result_10 = variant { Ok : StateInfo; Err : text };
-type Result_11 = variant { Ok : text; Err : text };
+type Result_10 = variant { Ok : nat; Err : text };
+type Result_11 = variant { Ok : CreateSettingOutput; Err : text };
+type Result_12 = variant { Ok : SettingInfo; Err : text };
+type Result_13 = variant { Ok : SettingArchivedPayload; Err : text };
+type Result_14 = variant { Ok : StateInfo; Err : text };
+type Result_15 = variant { Ok : text; Err : text };
 type Result_2 = variant { Ok : vec NamespaceInfo; Err : text };
 type Result_3 = variant { Ok : ECDHOutput; Err : text };
 type Result_4 = variant { Ok : PublicKeyOutput; Err : text };
 type Result_5 = variant { Ok : blob; Err : text };
-type Result_6 = variant { Ok : nat; Err : text };
-type Result_7 = variant { Ok : CreateSettingOutput; Err : text };
-type Result_8 = variant { Ok : SettingInfo; Err : text };
-type Result_9 = variant { Ok : SettingArchivedPayload; Err : text };
+type Result_6 = variant { Ok : SignedDelegation; Err : text };
+type Result_7 = variant { Ok : vec principal; Err : text };
+type Result_8 = variant { Ok : principal; Err : text };
+type Result_9 = variant { Ok : SignDelegationOutput; Err : text };
 type SchnorrAlgorithm = variant { ed25519; bip340secp256k1 };
 type SettingArchivedPayload = record {
   dek : opt blob;
@@ -90,12 +107,24 @@ type SettingPath = record {
   version : nat32;
   user_owned : bool;
 };
+type SignDelegationInput = record {
+  ns : text;
+  sig : blob;
+  name : text;
+  pubkey : blob;
+};
+type SignDelegationOutput = record {
+  user_key : blob;
+  seed : blob;
+  expiration : nat64;
+};
 type SignIdentityInput = record { ns : text; audience : text };
 type SignInput = record {
   ns : text;
   derivation_path : vec blob;
   message : blob;
 };
+type SignedDelegation = record { signature : blob; delegation : Delegation };
 type StateInfo = record {
   freezing_threshold : nat64;
   ecdsa_key_name : text;
@@ -113,6 +142,7 @@ type StateInfo = record {
 };
 type UpdateNamespaceInput = record {
   status : opt int8;
+  session_expires_in_ms : opt nat64;
   desc : opt text;
   name : text;
   max_payload_size : opt nat64;
@@ -135,7 +165,7 @@ type UpgradeArgs = record {
   name : opt text;
   subnet_size : opt nat64;
 };
-service : (opt ChainArgs) -> {
+service : (opt InstallArgs) -> {
   admin_add_allowed_apis : (vec text) -> (Result);
   admin_add_auditors : (vec principal) -> (Result);
   admin_add_managers : (vec principal) -> (Result);
@@ -147,37 +177,43 @@ service : (opt ChainArgs) -> {
   ecdh_cose_encrypted_key : (SettingPath, ECDHInput) -> (Result_3);
   ecdsa_public_key : (opt PublicKeyInput) -> (Result_4) query;
   ecdsa_sign : (SignInput) -> (Result_5);
+  get_delegation : (blob, blob, nat64) -> (Result_6) query;
   namespace_add_auditors : (text, vec principal) -> (Result);
+  namespace_add_delegator : (NamespaceDelegatorsInput) -> (Result_7);
   namespace_add_managers : (text, vec principal) -> (Result);
   namespace_add_users : (text, vec principal) -> (Result);
+  namespace_get_delegators : (text, text) -> (Result_7) query;
+  namespace_get_fixed_identity : (text, text) -> (Result_8) query;
   namespace_get_info : (text) -> (Result_1) query;
   namespace_remove_auditors : (text, vec principal) -> (Result);
+  namespace_remove_delegator : (NamespaceDelegatorsInput) -> (Result);
   namespace_remove_managers : (text, vec principal) -> (Result);
   namespace_remove_users : (text, vec principal) -> (Result);
-  namespace_top_up : (text, nat) -> (Result_6);
+  namespace_sign_delegation : (SignDelegationInput) -> (Result_9);
+  namespace_top_up : (text, nat) -> (Result_10);
   namespace_update_info : (UpdateNamespaceInput) -> (Result);
   schnorr_public_key : (SchnorrAlgorithm, opt PublicKeyInput) -> (
       Result_4,
     ) query;
   schnorr_sign : (SchnorrAlgorithm, SignInput) -> (Result_5);
   schnorr_sign_identity : (SchnorrAlgorithm, SignIdentityInput) -> (Result_5);
   setting_add_readers : (SettingPath, vec principal) -> (Result);
-  setting_create : (SettingPath, CreateSettingInput) -> (Result_7);
-  setting_get : (SettingPath) -> (Result_8) query;
-  setting_get_archived_payload : (SettingPath) -> (Result_9) query;
-  setting_get_info : (SettingPath) -> (Result_8) query;
+  setting_create : (SettingPath, CreateSettingInput) -> (Result_11);
+  setting_get : (SettingPath) -> (Result_12) query;
+  setting_get_archived_payload : (SettingPath) -> (Result_13) query;
+  setting_get_info : (SettingPath) -> (Result_12) query;
   setting_remove_readers : (SettingPath, vec principal) -> (Result);
-  setting_update_info : (SettingPath, UpdateSettingInfoInput) -> (Result_7);
+  setting_update_info : (SettingPath, UpdateSettingInfoInput) -> (Result_11);
   setting_update_payload : (SettingPath, UpdateSettingPayloadInput) -> (
-      Result_7,
+      Result_11,
     );
-  state_get_info : () -> (Result_10) query;
-  validate2_admin_add_allowed_apis : (vec text) -> (Result_11);
-  validate2_admin_add_auditors : (vec principal) -> (Result_11);
-  validate2_admin_add_managers : (vec principal) -> (Result_11);
-  validate2_admin_remove_allowed_apis : (vec text) -> (Result_11);
-  validate2_admin_remove_auditors : (vec principal) -> (Result_11);
-  validate2_admin_remove_managers : (vec principal) -> (Result_11);
+  state_get_info : () -> (Result_14) query;
+  validate2_admin_add_allowed_apis : (vec text) -> (Result_15);
+  validate2_admin_add_auditors : (vec principal) -> (Result_15);
+  validate2_admin_add_managers : (vec principal) -> (Result_15);
+  validate2_admin_remove_allowed_apis : (vec text) -> (Result_15);
+  validate2_admin_remove_auditors : (vec principal) -> (Result_15);
+  validate2_admin_remove_managers : (vec principal) -> (Result_15);
   validate_admin_add_allowed_apis : (vec text) -> (Result);
   validate_admin_add_auditors : (vec principal) -> (Result);
   validate_admin_add_managers : (vec principal) -> (Result);