// Copyright © StellaOps. All rights reserved. // SPDX-License-Identifier: AGPL-3.0-or-later // Sprint: SPRINT_20260112_018_CRYPTO_key_escrow_shamir // Tasks: ESCROW-003, ESCROW-005 namespace StellaOps.Cryptography.KeyEscrow; ///

/// A key share for escrow storage. /// Contains encrypted share data and metadata for recovery. ///

public sealed record KeyShare { ///

/// Unique identifier for this share. ///

public required Guid ShareId { get; init; } ///

/// Share index (1..N from Shamir splitting). ///

public required int Index { get; init; } ///

/// Encrypted share data (encrypted with escrow agent's public key or shared key). ///

public required byte[] EncryptedData { get; init; } ///

/// ID of the key that was split (for correlation during recovery). ///

public required string KeyId { get; init; } ///

/// Minimum number of shares needed to reconstruct (M in M-of-N). ///

public required int Threshold { get; init; } ///

/// Total number of shares created (N in M-of-N). ///

public required int TotalShares { get; init; } ///

/// When this share was created. ///

public required DateTimeOffset CreatedAt { get; init; } ///

/// When this share expires and should be deleted. ///

public required DateTimeOffset ExpiresAt { get; init; } ///

/// ID of the custodian (escrow agent) holding this share. ///

public required string CustodianId { get; init; } ///

/// SHA-256 checksum of the unencrypted share data (hex encoded). /// Used to verify share integrity after decryption. ///

public required string ChecksumHex { get; init; } ///

/// Schema version for forward compatibility. ///

public string SchemaVersion { get; init; } = "1.0.0"; ///

/// Key derivation info (salt, algorithm) if share is encrypted with derived key. ///

public ShareEncryptionInfo? EncryptionInfo { get; init; } } ///

/// Encryption metadata for a key share. ///

public sealed record ShareEncryptionInfo { ///

/// Encryption algorithm used (e.g., "AES-256-GCM"). ///

public required string Algorithm { get; init; } ///

/// Key derivation function if applicable (e.g., "PBKDF2-SHA256", "HKDF-SHA256"). ///

public string? KeyDerivationFunction { get; init; } ///

/// Salt for key derivation (base64 encoded). ///

public string? SaltBase64 { get; init; } ///

/// Iteration count for PBKDF2 (if applicable). ///

public int? Iterations { get; init; } ///

/// Nonce/IV for the encryption (base64 encoded). ///

public required string NonceBase64 { get; init; } ///

/// Authentication tag for AEAD (base64 encoded, if applicable). ///

public string? AuthTagBase64 { get; init; } } ///

/// Result of a key escrow operation. ///

public sealed record KeyEscrowResult { ///

/// Whether the escrow operation succeeded. ///

public required bool Success { get; init; } ///

/// ID of the escrowed key. ///

public required string KeyId { get; init; } ///

/// IDs of all created shares. ///

public required IReadOnlyList ShareIds { get; init; } ///

/// Threshold required for recovery. ///

public required int Threshold { get; init; } ///

/// Total shares created. ///

public required int TotalShares { get; init; } ///

/// When the shares expire. ///

public required DateTimeOffset ExpiresAt { get; init; } ///

/// Error message if operation failed. ///

public string? Error { get; init; } } ///

/// Request to recover a key from escrow. ///

public sealed record KeyRecoveryRequest { ///

/// ID of the key to recover. ///

public required string KeyId { get; init; } ///

/// Reason for the recovery (audit requirement). ///

public required string Reason { get; init; } ///

/// ID of the user initiating recovery. ///

public required string InitiatorId { get; init; } ///

/// IDs of custodians who have authorized recovery. ///

public required IReadOnlyList AuthorizingCustodians { get; init; } ///

/// Reference to dual-control ceremony if required. ///

public string? CeremonyId { get; init; } } ///

/// Result of a key recovery operation. ///

public sealed record KeyRecoveryResult { ///

/// Whether recovery succeeded. ///

public required bool Success { get; init; } ///

/// ID of the recovered key. ///

public required string KeyId { get; init; } ///

/// Recovered key material (cleared after use). ///

public byte[]? KeyMaterial { get; init; } ///

/// Number of shares used in recovery. ///

public int SharesUsed { get; init; } ///

/// Error message if recovery failed. ///

public string? Error { get; init; } ///

/// Recovery audit event ID for tracking. ///

public Guid? AuditEventId { get; init; } } ///

/// An escrow agent (custodian) who holds key shares. ///

public sealed record EscrowAgent { ///

/// Unique agent identifier. ///

public required string AgentId { get; init; } ///

/// Display name of the agent. ///

public required string Name { get; init; } ///

/// Contact email for recovery notifications. ///

public required string Email { get; init; } ///

/// Public key for encrypting shares to this agent (PEM encoded). ///

public required string PublicKeyPem { get; init; } ///

/// Whether this agent is currently active. ///

public bool IsActive { get; init; } = true; ///

/// When this agent was registered. ///

public required DateTimeOffset RegisteredAt { get; init; } }