Interface Bip32SecureKeyHandler

Defines the contract for a secure key handler that manages a BIP32 hierarchical deterministic (HD) root key.

Implementations of this interface are responsible for keeping the root private key secure. The key should only be decrypted for the brief duration of a cryptographic operation in the case of in-memory implementations, after which thy must be securely wiped from memory to minimize exposure.

interface Bip32SecureKeyHandler {
    getAccountPublicKey(
        path: AccountDerivationPath,
    ): Promise<Bip32PublicKey>;
    getPrivateKey(derivationPath: DerivationPath): Promise<Ed25519PrivateKey>;
    serialize(): Promise<Uint8Array>;
    signData(
        data: string,
        derivationPath: DerivationPath,
    ): Promise<{ key: string; signature: string }>;
    signTransaction(
        txCbor: string,
        derivationPaths: DerivationPath[],
    ): Promise<VkeyWitnessSet>;
}

Implemented by

Methods

getAccountPublicKey getPrivateKey serialize signData signTransaction

Methods

getAccountPublicKey

  • getAccountPublicKey(path: AccountDerivationPath): Promise<Bip32PublicKey>

  • Derives and returns an extended account public key from the root key.

    Parameters

    Returns Promise<Bip32PublicKey>

    A promise that resolves with the derived extended account public key.

    Note

    This operation requires the root private key, which is temporarily decrypted in memory and securely wiped immediately after use.

getPrivateKey

  • getPrivateKey(derivationPath: DerivationPath): Promise<Ed25519PrivateKey>

  • Retrieves the securely stored private key.

    Parameters

    • derivationPath: DerivationPath

      The derivation path specifying which key to retrieve.

    Returns Promise<Ed25519PrivateKey>

    A promise that resolves with the private key.

    Warning

    This operation exposes the private key in memory and should be used with extreme caution. The caller is responsible for securely handling and wiping the key from memory after use.

serialize

  • serialize(): Promise<Uint8Array>

  • Serializes the encrypted root key and its configuration for secure storage. This allows the handler's state to be saved and later restored via a deserialize function.

    Returns Promise<Uint8Array>

    A promise that resolves with the encrypted and serialized key handler data.

signData

  • signData(
        data: string,
        derivationPath: DerivationPath,
    ): Promise<{ key: string; signature: string }>

  • Signs arbitrary data using a BIP32-derived key.

    Parameters

    • data: string

      The hex-encoded data to be signed.

    • derivationPath: DerivationPath

      The derivation path specifying which key to use for signing.

    Returns Promise<{ key: string; signature: string }>

    A promise that resolves with an object containing the signature and the public key.

signTransaction

  • signTransaction(
        txCbor: string,
        derivationPaths: DerivationPath[],
    ): Promise<VkeyWitnessSet>

  • Signs a transaction using BIP32-derived keys.

    Parameters

    • txCbor: string

      The CBOR-encoded transaction hex string to be signed.

    • derivationPaths: DerivationPath[]

      An array of derivation paths specifying which keys are required to sign the transaction.

    Returns Promise<VkeyWitnessSet>

    A promise that resolves with the VkeyWitnessSet containing the generated signatures.

    Note

    During this operation, the root private key is temporarily decrypted in memory and securely wiped immediately after use.

Settings

Member Visibility

On This Page

Methods