Bip32SecureKeyHandler

class cometa.key_handler.secure_key_handler.Bip32SecureKeyHandler[source]

Bases: ABC

Defines the contract for a secure key handler that manages a BIP32 hierarchical deterministic (HD) root key.

Implementations of this interface are responsible for keeping the root private key secure. The key should only be decrypted for the brief duration of a cryptographic operation in the case of in-memory implementations, after which it must be securely wiped from memory to minimize exposure.

abstract sign_transaction(transaction, derivation_paths)[source]

Signs a transaction using BIP32-derived keys.

Parameters:

  • transaction (Transaction) – The transaction to be signed.

  • derivation_paths (list[DerivationPath]) – An array of derivation paths specifying which keys are required to sign the transaction.

Returns:

A VkeyWitnessSet containing the generated signatures.

Return type:

VkeyWitnessSet

Note

During this operation, the root private key is temporarily decrypted in memory and securely wiped immediately after use.

abstract sign_data(data, derivation_path)[source]

Signs arbitrary data using a BIP32-derived key.

Parameters:

  • data (str) – The hex-encoded data to be signed.

  • derivation_path (DerivationPath) – The derivation path specifying which key to use.

Returns:

A dict with ‘signature’ and ‘key’ (public key) as hex strings.

Return type:

dict[str, str]

abstract get_private_key(derivation_path)[source]

Retrieves the securely stored private key.

Parameters:

derivation_path (DerivationPath) – The derivation path specifying which key to retrieve.

Returns:

The Ed25519PrivateKey.

Return type:

Ed25519PrivateKey

Warning

This operation exposes the private key in memory and should be used with extreme caution. The caller is responsible for securely handling and wiping the key from memory after use.

abstract get_account_public_key(path)[source]

Derives and returns an extended account public key from the root key.

Parameters:

path (AccountDerivationPath) – The derivation path for the account (purpose, coin_type, account).

Returns:

The derived extended account public key.

Return type:

Bip32PublicKey

Note

This operation requires the root private key, which is temporarily decrypted in memory and securely wiped immediately after use.

abstract serialize()[source]

Serializes the encrypted root key and its configuration for secure storage. This allows the handler’s state to be saved and later restored via deserialize.

Returns:

The encrypted and serialized key handler data.

Return type:

bytes