Skeleton for full support of all key types

src/main/java/io/kamax/mxisd/storage/crypto/Ed2219RegularKeyIdentifier.java

@@ -0,0 +1,29 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+public class Ed2219RegularKeyIdentifier extends RegularKeyIdentifier {
+
+    public Ed2219RegularKeyIdentifier(String serial) {
+        super(KeyAlgorithm.Ed25519, serial);
+    }
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/Ed25519Key.java

@@ -0,0 +1,53 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+public class Ed25519Key implements Key {
+
+    private KeyIdentifier id;
+    private String privKey;
+
+    public Ed25519Key(KeyIdentifier id, String privKey) {
+        if (!KeyAlgorithm.Ed25519.equals(id.getAlgorithm())) {
+            throw new IllegalArgumentException();
+        }
+
+        this.id = new GenericKeyIdentifier(id);
+        this.privKey = privKey;
+    }
+
+
+    @Override
+    public KeyIdentifier getId() {
+        return id;
+    }
+
+    @Override
+    public boolean isValid() {
+        return true;
+    }
+
+    @Override
+    public String getPrivateKeyBase64() {
+        return privKey;
+    }
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/Ed25519KeyManager.java

@@ -0,0 +1,140 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+import io.kamax.matrix.codec.MxBase64;
+import net.i2p.crypto.eddsa.EdDSAPrivateKey;
+import net.i2p.crypto.eddsa.EdDSAPublicKey;
+import net.i2p.crypto.eddsa.KeyPairGenerator;
+import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
+import net.i2p.crypto.eddsa.spec.EdDSAParameterSpec;
+import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
+import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang3.RandomStringUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.nio.ByteBuffer;
+import java.security.KeyPair;
+import java.time.Instant;
+import java.util.List;
+
+public class Ed25519KeyManager implements KeyManager {
+
+    private static final Logger log = LoggerFactory.getLogger(Ed25519KeyManager.class);
+
+    private final EdDSAParameterSpec keySpecs;
+    private final KeyStore store;
+
+    public Ed25519KeyManager(KeyStore store) {
+        this.keySpecs = EdDSANamedCurveTable.getByName(EdDSANamedCurveTable.ED_25519);
+        this.store = store;
+
+        if (!store.getCurrentKey().isPresent()) {
+            List<KeyIdentifier> keys = store.list(KeyType.Regular);
+            if (keys.isEmpty()) {
+                keys.add(generateKey(KeyType.Regular));
+            }
+
+            store.setCurrentKey(keys.get(0));
+        }
+    }
+
+    protected String generateId() {
+        ByteBuffer buffer = ByteBuffer.allocate(Long.BYTES);
+        buffer.putLong(Instant.now().toEpochMilli() - 1546297200000L); // TS since 2019-01-01T00:00:00Z to keep IDs short
+        return Base64.encodeBase64URLSafeString(buffer.array()) + RandomStringUtils.randomAlphanumeric(1);
+    }
+
+    protected String getPrivateKeyBase64(EdDSAPrivateKey key) {
+        return MxBase64.encode(key.getSeed());
+    }
+
+    public EdDSAParameterSpec getKeySpecs() {
+        return keySpecs;
+    }
+
+    @Override
+    public KeyIdentifier generateKey(KeyType type) {
+        KeyIdentifier id;
+        do {
+            id = new GenericKeyIdentifier(type, KeyAlgorithm.Ed25519, generateId());
+        } while (store.has(id));
+
+        KeyPair pair = (new KeyPairGenerator()).generateKeyPair();
+        String keyEncoded = getPrivateKeyBase64((EdDSAPrivateKey) pair.getPrivate());
+
+        Key key = new GenericKey(id, true, keyEncoded);
+        store.add(key);
+
+        return id;
+    }
+
+    @Override
+    public List<KeyIdentifier> getKeys(KeyType type) {
+        return store.list(type);
+    }
+
+    @Override
+    public Key getServerSigningKey() {
+        return store.get(store.getCurrentKey().orElseThrow(IllegalStateException::new));
+    }
+
+    @Override
+    public Key getKey(KeyIdentifier id) {
+        return store.get(id);
+    }
+
+    public EdDSAPrivateKeySpec getPrivateKeySpecs(KeyIdentifier id) {
+        return new EdDSAPrivateKeySpec(java.util.Base64.getDecoder().decode(getKey(id).getPrivateKeyBase64()), keySpecs);
+    }
+
+    public EdDSAPrivateKey getPrivateKey(KeyIdentifier id) {
+        return new EdDSAPrivateKey(getPrivateKeySpecs(id));
+    }
+
+    public EdDSAPublicKey getPublicKey(KeyIdentifier id) {
+        EdDSAPrivateKeySpec privKeySpec = getPrivateKeySpecs(id);
+        EdDSAPublicKeySpec pubKeySpec = new EdDSAPublicKeySpec(privKeySpec.getA(), keySpecs);
+        return new EdDSAPublicKey(pubKeySpec);
+    }
+
+    @Override
+    public void disableKey(KeyIdentifier id) {
+        Key key = store.get(id);
+        key = new GenericKey(id, false, key.getPrivateKeyBase64());
+        store.update(key);
+    }
+
+    @Override
+    public String getPublicKeyBase64(KeyIdentifier id) {
+        return MxBase64.encode(getPublicKey(id).getAbyte());
+    }
+
+    @Override
+    public boolean isValid(KeyType type, String publicKeyBase64) {
+        // TODO caching?
+        return getKeys(type).stream().anyMatch(id -> StringUtils.equals(getPublicKeyBase64(id), publicKeyBase64));
+    }
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/Ed25519SignatureManager.java

@@ -0,0 +1,85 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+import com.google.gson.JsonObject;
+import io.kamax.matrix.codec.MxBase64;
+import io.kamax.matrix.json.MatrixJson;
+import net.i2p.crypto.eddsa.EdDSAEngine;
+
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.SignatureException;
+
+public class Ed25519SignatureManager implements SignatureManager {
+
+    private final Ed25519KeyManager keyMgr;
+
+    public Ed25519SignatureManager(Ed25519KeyManager keyMgr) {
+        this.keyMgr = keyMgr;
+    }
+
+    @Override
+    public JsonObject signMessageGson(String domain, String message) {
+        Signature sign = sign(message);
+
+        JsonObject keySignature = new JsonObject();
+        // FIXME should create a signing key object what would give this ed and index values
+        keySignature.addProperty(sign.getKey().getAlgorithm() + ":" + sign.getKey().getSerial(), sign.getSignature());
+        JsonObject signature = new JsonObject();
+        signature.add(domain, keySignature);
+
+        return signature;
+    }
+
+    @Override
+    public Signature sign(JsonObject obj) {
+
+        return sign(MatrixJson.encodeCanonical(obj));
+    }
+
+    @Override
+    public Signature sign(byte[] data) {
+        try {
+            KeyIdentifier signingKeyId = keyMgr.getServerSigningKey().getId();
+            EdDSAEngine signEngine = new EdDSAEngine(MessageDigest.getInstance(keyMgr.getKeySpecs().getHashAlgorithm()));
+            signEngine.initSign(keyMgr.getPrivateKey(signingKeyId));
+            byte[] signRaw = signEngine.signOneShot(data);
+            String sign = MxBase64.encode(signRaw);
+
+            return new Signature() {
+                @Override
+                public KeyIdentifier getKey() {
+                    return signingKeyId;
+                }
+
+                @Override
+                public String getSignature() {
+                    return sign;
+                }
+            };
+        } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/FileKeyStore.java

@@ -0,0 +1,78 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+import io.kamax.mxisd.exception.ObjectNotFoundException;
+
+import java.util.List;
+import java.util.Optional;
+
+public class FileKeyStore implements KeyStore {
+
+    public FileKeyStore(String path) {
+    }
+
+    @Override
+    public boolean has(KeyIdentifier id) {
+        return false;
+    }
+
+    @Override
+    public List<KeyIdentifier> list() {
+        return null;
+    }
+
+    @Override
+    public List<KeyIdentifier> list(KeyType type) {
+        return null;
+    }
+
+    @Override
+    public Key get(KeyIdentifier id) throws ObjectNotFoundException {
+        return null;
+    }
+
+    @Override
+    public void add(Key key) throws IllegalStateException {
+
+    }
+
+    @Override
+    public void update(Key key) throws ObjectNotFoundException {
+
+    }
+
+    @Override
+    public void delete(KeyIdentifier id) throws ObjectNotFoundException {
+
+    }
+
+    @Override
+    public void setCurrentKey(KeyIdentifier id) throws IllegalArgumentException {
+
+    }
+
+    @Override
+    public Optional<KeyIdentifier> getCurrentKey() {
+        return Optional.empty();
+    }
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/GenericKey.java

@@ -0,0 +1,51 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+public class GenericKey implements Key {
+
+    private final KeyIdentifier id;
+    private final boolean isValid;
+    private final String privKey;
+
+    public GenericKey(KeyIdentifier id, boolean isValid, String privKey) {
+        this.id = new GenericKeyIdentifier(id);
+        this.isValid = isValid;
+        this.privKey = privKey;
+    }
+
+
+    @Override
+    public KeyIdentifier getId() {
+        return id;
+    }
+
+    @Override
+    public boolean isValid() {
+        return isValid;
+    }
+
+    @Override
+    public String getPrivateKeyBase64() {
+        return privKey;
+    }
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/GenericKeyIdentifier.java

@@ -0,0 +1,54 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+public class GenericKeyIdentifier implements KeyIdentifier {
+
+    private final KeyType type;
+    private final String algo;
+    private final String serial;
+
+    public GenericKeyIdentifier(KeyIdentifier id) {
+        this(id.getType(), id.getAlgorithm(), id.getSerial());
+    }
+
+    public GenericKeyIdentifier(KeyType type, String algo, String serial) {
+        this.type = type;
+        this.algo = algo;
+        this.serial = serial;
+    }
+
+    @Override
+    public KeyType getType() {
+        return type;
+    }
+
+    @Override
+    public String getAlgorithm() {
+        return algo;
+    }
+
+    @Override
+    public String getSerial() {
+        return serial;
+    }
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/Key.java

@@ -0,0 +1,44 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+/**
+ * A signing key
+ */
+public interface Key {
+
+    KeyIdentifier getId();
+
+    /**
+     * If the key is currently valid
+     *
+     * @return true if the key is valid, false if not
+     */
+    boolean isValid();
+
+    /**
+     * Get the private key
+     *
+     * @return the private key encoded as Base64
+     */
+    String getPrivateKeyBase64();
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/KeyAlgorithm.java

@@ -0,0 +1,27 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+public interface KeyAlgorithm {
+
+    String Ed25519 = "ed25519";
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/KeyIdentifier.java

@@ -0,0 +1,50 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+/**
+ * Identifying data for a given Key.
+ */
+public interface KeyIdentifier {
+
+    /**
+     * Type of key.
+     *
+     * @return The type of the key
+     */
+    KeyType getType();
+
+    /**
+     * Algorithm of the key. Typically <code>ed25519</code>.
+     *
+     * @return The algorithm of the key
+     */
+    String getAlgorithm();
+
+    /**
+     * Serial of the key, unique for the algorithm.
+     * It is typically made of random alphanumerical characters.
+     *
+     * @return The serial of the key
+     */
+    String getSerial();
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/KeyManager.java

@@ -0,0 +1,41 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+import java.util.List;
+
+public interface KeyManager {
+
+    KeyIdentifier generateKey(KeyType type);
+
+    List<KeyIdentifier> getKeys(KeyType type);
+
+    Key getServerSigningKey();
+
+    Key getKey(KeyIdentifier id);
+
+    void disableKey(KeyIdentifier id);
+
+    String getPublicKeyBase64(KeyIdentifier id);
+
+    boolean isValid(KeyType type, String publicKeyBase64);
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/KeyStore.java

@@ -0,0 +1,98 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+import io.kamax.mxisd.exception.ObjectNotFoundException;
+
+import java.util.List;
+import java.util.Optional;
+
+/**
+ * Store to persist signing keys and the identifier for the current long-term signing key
+ */
+public interface KeyStore {
+
+    /**
+     * If a given key is currently stored
+     *
+     * @param id The Identifier elements for the key
+     * @return true if the key is stored, false if not
+     */
+    boolean has(KeyIdentifier id);
+
+    /**
+     * List all keys within the store
+     *
+     * @return The list of key identifiers
+     */
+    List<KeyIdentifier> list();
+
+    /**
+     * List all keys of a given type within the store
+     *
+     * @param type The type to filter on
+     * @return The list of keys identifiers matching the given type
+     */
+    List<KeyIdentifier> list(KeyType type);
+
+    /**
+     * Get the key that relates to the given identifier
+     *
+     * @param id The identifier of the key to get
+     * @return The key
+     * @throws ObjectNotFoundException If no key is found for that identifier
+     */
+    Key get(KeyIdentifier id) throws ObjectNotFoundException;
+
+    /**
+     * Add a key to the store
+     *
+     * @param key The key to store
+     * @throws IllegalStateException If a key already exist for the given identifier data
+     */
+    void add(Key key) throws IllegalStateException;
+
+    void update(Key key) throws ObjectNotFoundException;
+
+    /**
+     * Delete a key from the store
+     *
+     * @param id The key identifier of the key to delete
+     * @throws ObjectNotFoundException If no key is found for that identifier
+     */
+    void delete(KeyIdentifier id) throws ObjectNotFoundException;
+
+    /**
+     * Store the information of which key is the current signing key
+     *
+     * @param id The key identifier
+     * @throws ObjectNotFoundException If the key is not known to the store
+     */
+    void setCurrentKey(KeyIdentifier id) throws ObjectNotFoundException;
+
+    /**
+     * Retrieve the previously stored information of which key is the current signing key, if any
+     *
+     * @return The optional key identifier that was previously stored
+     */
+    Optional<KeyIdentifier> getCurrentKey();
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/KeyType.java

@@ -0,0 +1,39 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+/**
+ * Types of keys used by an Identity server.
+ * See https://matrix.org/docs/spec/identity_service/r0.1.0.html#key-management
+ */
+public enum KeyType {
+
+    /**
+     * Ephemeral keys are related to 3PID invites and are only valid while the invite is pending.
+     */
+    Ephemeral,
+
+    /**
+     * Regular keys are used by the Identity Server itself to sign requests/responses
+     */
+    Regular
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/MemoryKeyStore.java

@@ -0,0 +1,109 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+import io.kamax.mxisd.exception.ObjectNotFoundException;
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.*;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class MemoryKeyStore implements KeyStore {
+
+    private Map<KeyType, Map<String, Map<String, String>>> keys = new ConcurrentHashMap<>();
+    private KeyIdentifier current;
+
+    private Map<String, String> getMap(KeyType type, String algo) {
+        return keys.computeIfAbsent(type, k -> new ConcurrentHashMap<>()).computeIfAbsent(algo, k -> new ConcurrentHashMap<>());
+    }
+
+    @Override
+    public boolean has(KeyIdentifier id) {
+        return getMap(id.getType(), id.getAlgorithm()).containsKey(id.getSerial());
+    }
+
+    @Override
+    public List<KeyIdentifier> list() {
+        List<KeyIdentifier> keyIds = new ArrayList<>();
+        keys.forEach((key, value) -> value.forEach((key1, value1) -> value1.forEach((key2, value2) -> keyIds.add(new GenericKeyIdentifier(key, key1, key2)))));
+        return keyIds;
+    }
+
+    @Override
+    public List<KeyIdentifier> list(KeyType type) {
+        List<KeyIdentifier> keyIds = new ArrayList<>();
+        keys.computeIfAbsent(type, t -> new ConcurrentHashMap<>()).forEach((key, value) -> value.forEach((key1, value1) -> keyIds.add(new GenericKeyIdentifier(type, key, key1))));
+        return keyIds;
+    }
+
+    @Override
+    public Key get(KeyIdentifier id) throws ObjectNotFoundException {
+        String data = getMap(id.getType(), id.getAlgorithm()).get(id.getSerial());
+        if (Objects.isNull(data)) {
+            throw new ObjectNotFoundException("Key", id.getType() + ":" + id.getAlgorithm() + ":" + id.getSerial());
+        }
+
+        return new GenericKey(new GenericKeyIdentifier(id), StringUtils.isEmpty(data), data);
+    }
+
+    private void set(Key key) {
+        String data = key.isValid() ? key.getPrivateKeyBase64() : "";
+        getMap(key.getId().getType(), key.getId().getAlgorithm()).put(key.getId().getSerial(), data);
+    }
+
+    @Override
+    public void add(Key key) throws IllegalStateException {
+        if (has(key.getId())) {
+            throw new IllegalStateException();
+        }
+
+        set(key);
+    }
+
+    @Override
+    public void update(Key key) throws ObjectNotFoundException {
+        if (!has(key.getId())) {
+            throw new ObjectNotFoundException("Key", key.getId().getType() + ":" + key.getId().getAlgorithm() + ":" + key.getId().getSerial());
+        }
+
+        set(key);
+    }
+
+    @Override
+    public void delete(KeyIdentifier id) throws ObjectNotFoundException {
+        keys.computeIfAbsent(id.getType(), k -> new ConcurrentHashMap<>()).computeIfAbsent(id.getAlgorithm(), k -> new ConcurrentHashMap<>()).remove(id.getSerial());
+    }
+
+    @Override
+    public void setCurrentKey(KeyIdentifier id) throws ObjectNotFoundException {
+        if (!has(id)) {
+            throw new ObjectNotFoundException("Key", id.getType() + ":" + id.getAlgorithm() + ":" + id.getSerial());
+        }
+
+        current = id;
+    }
+
+    @Override
+    public Optional<KeyIdentifier> getCurrentKey() {
+        return Optional.ofNullable(current);
+    }
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/RegularKeyIdentifier.java

@@ -0,0 +1,29 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+public class RegularKeyIdentifier extends GenericKeyIdentifier {
+
+    public RegularKeyIdentifier(String algo, String serial) {
+        super(KeyType.Regular, algo, serial);
+    }
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/Signature.java

@@ -0,0 +1,29 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+public interface Signature {
+
+    KeyIdentifier getKey();
+
+    String getSignature();
+
+}

src/main/java/io/kamax/mxisd/storage/crypto/SignatureManager.java

@@ -0,0 +1,57 @@
+/*
+ * mxisd - Matrix Identity Server Daemon
+ * Copyright (C) 2019 Kamax Sàrl
+ *
+ * https://www.kamax.io/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package io.kamax.mxisd.storage.crypto;
+
+import com.google.gson.JsonObject;
+
+import java.nio.charset.StandardCharsets;
+
+public interface SignatureManager {
+
+    JsonObject signMessageGson(String domain, String message);
+
+    /**
+     * Sign the canonical form of a JSON object
+     *
+     * @param obj The JSON object to canonicalize and sign
+     * @return The signature
+     */
+    Signature sign(JsonObject obj);
+
+    /**
+     * Sign the message, using UTF-8 as decoding character set
+     *
+     * @param message The UTF-8 encoded message
+     * @return
+     */
+    default Signature sign(String message) {
+        return sign(message.getBytes(StandardCharsets.UTF_8));
+    }
+
+    /**
+     * Sign the data
+     *
+     * @param data The data to sign
+     * @return The signature
+     */
+    Signature sign(byte[] data);
+
+}