refactor!: move factory_root_keys mod code to shared

notmandatory · notmandatory · commit 4694844977f5 · 2025-08-30T21:15:29.000-05:00
Also update README completed commands.
diff --git a/README.md b/README.md
@@ -20,15 +20,15 @@ It is up to the crate user to send and receive the raw cktap APDU messages via N
 #### Shared Commands
 
 - [x] [status](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#status)
-- [x] [read](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#status) (messages)
-  - [x] response verification
-- [x] [derive](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#derive) (messages)
+- [x] [read](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#read)
   - [x] response verification
+- [x] [derive](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#derive)
+  - [ ] response verification
 - [x] [certs](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#certs)
 - [x] [new](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#new)
-- [x] [nfc](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#nfc)
-- [x] [sign](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#sign) (messages)
-  - [ ] response verification
+- [ ] [nfc](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#nfc)
+- [x] [sign](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#sign)
+  - [x] response verification
 - [x] [wait](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#wait)
 
 #### SATSCARD-Only Commands
@@ -39,31 +39,49 @@ It is up to the crate user to send and receive the raw cktap APDU messages via N
 #### TAPSIGNER-Only Commands
 
 - [x] [change](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#change)
-- [x] [xpub](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#xpub)
+- [ ] [xpub](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#xpub)
 - [x] [backup](https://github.com/coinkite/coinkite-tap-proto/blob/master/docs/protocol.md#backup)
 
-### Automated Testing with Emulator
+### Automated and CLI Testing with Emulator
+
+#### Prerequisites
 
 1. Install dependencies for [cktap emulator](https://github.com/coinkite/coinkite-tap-proto/blob/master/emulator/README.md)
-2. run tests with emulator: `just test`
+
+#### Run tests with emulator
+
+```
+just test
+```
+
+#### Run CLI with emulated card reader
+
+```
+just start # for SATSCARD emulator
+just start -t # for TAPSIGNER emulator
+just run_emu --help
+just run_emu certs
+just run_emu read
+just stop # stop emulator
+```
 
 ### Manual Testing with real cards
 
 #### Prerequisites
 
-1. USB PCSC NFC card reader, for example:
+1. Get USB PCSC NFC card reader, for example:
    - [OMNIKEY 5022 CL](https://www.hidglobal.com/products/omnikey-5022-reader)
-2. Coinkite SATSCARD, TAPSIGNER, or SATSCHIP cards
-   Install vendor PCSC driver
-3. Connect NFC reader to desktop system
-4. Place SATSCARD, TAPSIGNER, or SATSCHIP on reader
+2. Get Coinkite SATSCARD, TAPSIGNER, or SATSCHIP cards
+3. Install card reader PCSC driver
+4. Connect USB PCSC NFC reader to desktop system
+5. Place SATSCARD, TAPSIGNER, or SATSCHIP on reader
 
-#### Run CLI
+#### Run CLI with desktop USB PCSC NFC card reader
 
 ```
-cargo run -p cktap-cli -- --help
-cargo run -p cktap-cli -- certs
-cargo run -p cktap-cli -- read
+just run --help
+just run certs
+just run read
 ```
 
 ## Minimum Supported Rust Version (MSRV)
diff --git a/cktap-ffi/src/lib.rs b/cktap-ffi/src/lib.rs
@@ -16,7 +16,7 @@ use crate::sats_chip::SatsChip;
 use crate::tap_signer::TapSigner;
 use futures::lock::Mutex;
 use rust_cktap::Network;
-use rust_cktap::factory_root_key::FactoryRootKey;
+use rust_cktap::shared::FactoryRootKey;
 use rust_cktap::shared::{Certificate, Read};
 use std::fmt::Debug;
 use std::str::FromStr;
diff --git a/lib/src/factory_root_key.rs b/lib/src/factory_root_key.rs
diff --git a/lib/src/lib.rs b/lib/src/lib.rs
@@ -20,7 +20,6 @@ use bitcoin::key::rand::Rng as _;
 
 pub(crate) mod apdu;
 pub mod error;
-pub mod factory_root_key;
 pub mod sats_card;
 pub mod sats_chip;
 pub mod shared;
diff --git a/lib/src/shared.rs b/lib/src/shared.rs
@@ -1,7 +1,6 @@
 // Copyright (c) 2025 rust-cktap contributors
 // SPDX-License-Identifier: MIT OR Apache-2.0
 
-use crate::factory_root_key::FactoryRootKey;
 use crate::{CardError, CkTapCard, CkTapError, SatsCard, TapSigner};
 use crate::{apdu::*, rand_nonce};
 
@@ -12,14 +11,63 @@ use bitcoin::secp256k1::ecdsa::{RecoverableSignature, RecoveryId, Signature};
 use bitcoin::secp256k1::{All, Message, Secp256k1};
 use bitcoin_hashes::sha256;
 
-use std::convert::TryFrom;
-
 use crate::error::{CertsError, ReadError, StatusError};
 use crate::sats_chip::SatsChip;
 use async_trait::async_trait;
+use bitcoin_hashes::hex::DisplayHex;
+use std::convert::TryFrom;
+use std::fmt;
 use std::fmt::Debug;
 use std::sync::Arc;
 
+/// Published Coinkite factory root keys.
+const PUB_FACTORY_ROOT_KEY: &str =
+    "03028a0e89e70d0ec0d932053a89ab1da7d9182bdc6d2f03e706ee99517d05d9e1";
+/// Obsolete dev value, but keeping for a little while longer.
+const DEV_FACTORY_ROOT_KEY: &str =
+    "027722ef208e681bac05f1b4b3cc478d6bf353ac9a09ff0c843430138f65c27bab";
+
+pub enum FactoryRootKey {
+    Pub(secp256k1::PublicKey),
+    Dev(secp256k1::PublicKey),
+}
+
+impl TryFrom<secp256k1::PublicKey> for FactoryRootKey {
+    type Error = CertsError;
+
+    fn try_from(pubkey: secp256k1::PublicKey) -> Result<Self, CertsError> {
+        match pubkey.serialize().to_lower_hex_string().as_str() {
+            PUB_FACTORY_ROOT_KEY => Ok(FactoryRootKey::Pub(pubkey)),
+            DEV_FACTORY_ROOT_KEY => Ok(FactoryRootKey::Dev(pubkey)),
+            _ => Err(CertsError::InvalidRootCert(
+                pubkey.serialize().to_lower_hex_string(),
+            )),
+        }
+    }
+}
+
+impl FactoryRootKey {
+    pub fn name(&self) -> String {
+        match &self {
+            FactoryRootKey::Pub(_) => "Root Factory Certificate".to_string(),
+            FactoryRootKey::Dev(_) => "Root Factory Certificate (TESTING ONLY)".to_string(),
+        }
+    }
+}
+
+impl Debug for FactoryRootKey {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match &self {
+            FactoryRootKey::Pub(pk) => {
+                write!(f, "FactoryRootKey::Pub({pk:?})")
+            }
+            FactoryRootKey::Dev(pk) => {
+                write!(f, "FactoryRootKey::Dev({pk:?})")
+            }
+        }
+    }
+}
+
 /// Helper functions for authenticated commands.
 pub trait Authentication {
     fn secp(&self) -> &Secp256k1<All>;
