Crate tor_keymgr


tor-keymgr

Code to fetch, store, and update keys.

Overview

This crate is part of Arti, a project to implement Tor in Rust.

Likely to change

The APIs exposed by this crate (even without the keymgr feature) are new and are likely to change rapidly. We’ll therefore often be making semver-breaking changes (and will update the crate version accordingly).

Key stores

The KeyMgr is an interface to one or more key stores. A key store is a type that implements the Keystore trait.

The following key store implementations are provided:

  • ArtiNativeKeystore: an on-disk store that stores keys in OpenSSH format. It does not currently support keys that have a passphrase. Passphrase support will be added in the future (see #902).
  • (not yet implemented) C Tor key store: an on-disk store that is backwards-compatible with C Tor (new keys are stored in the format used by C Tor, and any existing keys are expected to be in this format too).

In the future we plan to also support HSM-based key stores.

Key specifiers and key types

The Keystore APIs identify a particular instance of a key using a KeySpecifier and a KeyType. This enables key stores to have multiple keys with the same role (i.e. the same KeySpecifier::arti_path), but different key types (i.e. different KeyType::arti_extensions).

A KeySpecifier identifies a group of equivalent keys, each of a different type (algorithm). In the ArtiNativeKeystore, it is used to determine the path of the key within the key store, minus the extension (the extension of the key is derived from its KeyType). KeySpecifier implementers must specify:

  • the ArtiPath of the specifier: this serves as a unique identifier for a particular instance of a key, and is used by ArtiNativeKeystore to determine the path of a key on disk
  • the CTorPath of the key: the location of the key in the C Tor key store (optional).

KeyType represents the type (“keypair”, “public key”) and algorithm (“ed25519”, “x25519”) of a key. KeyType::arti_extension specifies what file extension keys of that type are expected to have when stored in an ArtiNativeKeystore: ArtiNativeKeystores join the KeySpecifier::arti_path and KeyType::arti_extension to form the path of the key on disk (relative to the root directory of the key store).
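The path derivation described above, as an added stand-alone model rather than code from the crate: a simplified ArtiPath with assumed validation rules, a KeyType with illustrative extension strings, a hypothetical HsIdKeySpecifier built from a user-chosen nickname, and the join that yields the on-disk path. It also shows why ArtiPath validation matters: a nickname containing a `..` component is rejected instead of steering the key outside the keystore root.

```rust
use std::path::{Path, PathBuf};

/// Modelled on the crate's ArtiPathSyntaxError.
#[derive(Debug, PartialEq)]
pub enum ArtiPathSyntaxError { Empty, BadComponent(String) }

/// Keystore-relative path. Assumed rule (simplified from the crate's real grammar):
/// slash-separated components of `[A-Za-z0-9_+-.]`, never empty, "." or "..".
pub struct ArtiPath(String);

impl ArtiPath {
    pub fn new(s: &str) -> Result<Self, ArtiPathSyntaxError> {
        if s.is_empty() { return Err(ArtiPathSyntaxError::Empty); }
        for comp in s.split('/') {
            let chars_ok = comp.chars().all(|c| c.is_ascii_alphanumeric() || "_+-.".contains(c));
            if comp.is_empty() || comp == "." || comp == ".." || !chars_ok {
                return Err(ArtiPathSyntaxError::BadComponent(comp.to_string()));
            }
        }
        Ok(ArtiPath(s.to_string()))
    }
}

/// Type and algorithm of a key; `arti_extension` is its on-disk file extension
/// (the extension strings are illustrative, not necessarily the crate's own).
pub enum KeyType { Ed25519Keypair, Ed25519PublicKey, X25519StaticKeypair }
impl KeyType {
    pub fn arti_extension(&self) -> &'static str {
        match self {
            KeyType::Ed25519Keypair => "ed25519_private",
            KeyType::Ed25519PublicKey => "ed25519_public",
            KeyType::X25519StaticKeypair => "x25519_private",
        }
    }
}

/// Identifies a group of equivalent keys, each of a different KeyType.
pub trait KeySpecifier {
    fn arti_path(&self) -> Result<ArtiPath, ArtiPathSyntaxError>;
}

/// Hypothetical specifier for an onion service identity key, keyed by a user-chosen nickname.
pub struct HsIdKeySpecifier { pub nickname: String }
impl KeySpecifier for HsIdKeySpecifier {
    fn arti_path(&self) -> Result<ArtiPath, ArtiPathSyntaxError> {
        // The nickname is untrusted input, so it is validated as a path component here.
        ArtiPath::new(&format!("hss/{}/ks_hs_id", self.nickname))
    }
}

/// Join keystore root, arti_path and arti_extension into the on-disk path of one key.
pub fn key_path(root: &Path, spec: &dyn KeySpecifier, kt: &KeyType) -> Result<PathBuf, ArtiPathSyntaxError> {
    let ArtiPath(rel) = spec.arti_path()?;
    Ok(root.join(format!("{rel}.{}", kt.arti_extension())))
}
```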

Feature flags

Additive features

  • keymgr – build with full key manager support. Disabling this feature causes tor-keymgr to export a no-op, placeholder implementation.

Experimental and unstable features

Note that the APIs enabled by these features are NOT covered by semantic versioning[1] guarantees: we might break them or remove them between patch versions.

  • (None at present)

  [1] Remember, semantic versioning is what makes various cargo features work reliably. To be explicit: if you want cargo update to only make safe changes, then you cannot enable these features.

Re-exports

pub use ssh_key; (feature: keymgr)

Modules

config
Configuration options for types implementing Keystore
test_utils (feature: testing)
Test helpers.

Macros

derive_deftly_template_KeySpecifier
A helper for implementing KeySpecifiers.
register_key_info_extractor
Register a KeyPathInfoExtractor for use with KeyMgr.

Structs

ArtiEphemeralKeystore (features: keymgr and ephemeral-keystore)
The Ephemeral Arti key store
ArtiNativeKeystore (feature: keymgr)
The Arti key store.
ArtiPath
A unique identifier for a particular instance of a key.
ArtiPathRange
A range specifying a substring of a KeyPath.
CTorClientKeystore (features: keymgr and ctor-keystore)
A read-only C Tor client keystore.
CTorServiceKeystore (features: keymgr and ctor-keystore)
A read-only C Tor service keystore.
KeyMgr (feature: keymgr)
A key manager that acts as a frontend to a primary Keystore and any number of secondary Keystores.
KeyMgrBuilder (feature: keymgr)
Builder for KeyMgr.
KeyPathInfo
Information about a KeyPath.
KeyPathInfoBuilder
Builder for KeyPathInfo.
KeystoreEntry (feature: keymgr)
A keystore entry descriptor.
KeystoreId
An identifier for a particular Keystore instance.
SshKeyData
A public key or a keypair.
UnknownKeyTypeError
An error that happens when we encounter an unknown key type.

Enums

ArtiPathSyntaxError
An error caused by a syntactically invalid ArtiPath.
ArtiPathUnavailableError
An error returned by a KeySpecifier.
CTorPath
The path of a key in the C Tor key store.
CTorServicePath
The relative path in a C Tor key store.
Error
An Error type for this crate.
InvalidKeyPathComponentValue
Error to be returned by KeySpecifierComponent::from_slug implementations
KeyMgrBuilderError (feature: keymgr)
Error type for KeyMgrBuilder
KeyPath
The identifier of a key.
KeyPathError
An error while attempting to extract information about a key given its path
KeyPathPattern
A pattern that can be used to match ArtiPaths or CTorPaths.
KeyType
A type of key stored in the key store.
KeystoreCorruptionError
An error caused by keystore corruption.
KeystoreSelector
Specifies which keystores a KeyMgr operation should apply to.
SshKeyAlgorithm
SSH key algorithms.

Constants

DENOTATOR_SEP
A separator that marks the beginning of the key's denotators within an ArtiPath.

Traits

EncodableItem
A key that can be serialized to, and deserialized from.
KeyCertificateSpecifier
The “specifier” of a key certificate, which identifies an instance of a cert, as well as its signing and subject keys.
KeyPathInfoExtractor
A trait for extracting info out of KeyPaths.
KeySpecifier
The “specifier” of a key, which identifies an instance of a key.
KeySpecifierComponent
A trait for serializing and deserializing specific types of Slugs.
KeySpecifierComponentViaDisplayFromStr
Implement KeySpecifierComponent in terms of Display and FromStr (helper trait)
KeySpecifierPattern
A pattern specifying some or all of a kind of key
Keygen
A trait for generating fresh keys.
KeygenRng
A random number generator for generating EncodableItems.
Keystore (feature: keymgr)
A generic key store.
KeystoreError
An error returned by a Keystore.
ToEncodableKey
A key that can be converted to an EncodableItem.

Type Aliases

ErasedKey
A type-erased key. Used by tor-keymgr.
Result
A Result type for this crate.