Crate tor_keymgr 

tor-keymgr

Code to fetch, store, and update keys.

Overview

This crate is part of Arti, a project to implement Tor in Rust.

Likely to change

The APIs exposed by this crate (even without the keymgr feature) are new and are likely to change rapidly. We’ll therefore often be making semver-breaking changes (and will update the crate version accordingly).

Key stores

The KeyMgr is an interface to one or more key stores. A key store is a type that implements the Keystore trait.

The following key store implementations are provided:

• ArtiNativeKeystore: an on-disk store that stores keys in OpenSSH format. It does not currently support keys that have a passphrase. Passphrase support will be added in the future (see #902).
• CTorServiceKeystore (experimental): an on-disk keystore providing read-only access to the hidden service keys rooted at a given HiddenServiceDirectory directory (see HiddenServiceDirectory in tor(1)).
• CTorClientKeystore (experimental): an on-disk keystore providing read-only access to the client restricted discovery keys rooted at a given ClientOnionAuthDir directory (see ClientOnionAuthDir in tor(1)).

In the future we plan to also support HSM-based key stores.

Key specifiers and key types

The Keystore APIs identify a particular instance of a key using a KeySpecifier and a KeyType. This enables key stores to have multiple keys with the same role (i.e. the same KeySpecifier::arti_path), but different key types (i.e. different KeyType::arti_extensions).

A KeySpecifier identifies a group of equivalent keys, each of a different type (algorithm). In the ArtiNativeKeystore, it is used to determine the path of the key within the key store, minus the extension (the extension of the key is derived from its KeyType). KeySpecifier implementers must specify:

• the ArtiPath of the specifier: this serves as a unique identifier for a particular instance of a key, and is used by ArtiNativeKeystore to determine the path of a key on disk
• the CTorPath of the key: the location of the key in the C Tor key store (optional).

KeyType represents the type (“keypair”, “public key”) and algorithm (“ed25519”, “x25519”) of a key KeyType::arti_extension specifies what file extension keys of that type are expected to have when stored in an ArtiNativeKeystore: ArtiNativeKeystores join the KeySpecifier::arti_path and KeyType::arti_extension to form the path of the key on disk (relative to the root directory of the key store).

Feature flags

Additive features

• keymgr – build with full key manager support. Disabling this feature causes tor-keymgr to export a no-op, placeholder implementation.

Experimental and unstable features

Note that the APIs enabled by these features are NOT covered by semantic versioning¹ guarantees: we might break them or remove them between patch versions.

• ctor-keystore – build with C Tor keystore support
• ephemeral-keystore – build with ephemeral keystore support
• onion-service-cli-extra – build with additional key and state management command line functionalities

---

1. Remember, semantic versioning is what makes various cargo features work reliably. To be explicit: if you want cargo update to only make safe changes, then you cannot enable these features. ↩

Re-exports

pub use ssh_key;keymgr

Modules

config

Configuration options for types implementing Keystore

test_utilstesting

Test helpers.

Macros

derive_deftly_template_KeySpecifier

A helper for implementing KeySpecifiers.

register_key_info_extractor

Register a KeyPathInfoExtractor for use with KeyMgr.

Structs

ArtiEphemeralKeystorekeymgr and ephemeral-keystore

The Ephemeral Arti key store

ArtiNativeKeystorekeymgr

The Arti key store.

ArtiPath

A unique identifier for a particular instance of a key.

ArtiPathRange

A range specifying a substring of a KeyPath.

CTorClientKeystorekeymgr and ctor-keystore

A read-only C Tor client keystore.

CTorServiceKeystorekeymgr and ctor-keystore

A read-only C Tor service keystore.

KeyMgrkeymgr

A key manager that acts as a frontend to a primary Keystore and any number of secondary Keystores.

KeyMgrBuilderkeymgr

Builder for KeyMgr.

KeyPathInfo

Information about a KeyPath.

KeyPathInfoBuilder

Builder for KeyPathInfo.

KeystoreEntrykeymgr

A keystore entry descriptor.

KeystoreId

An identifier for a particular Keystore instance.

RawKeystoreEntryonion-service-cli-extra

A raw keystore entry descriptor.

SshKeyData

A public key or a keypair.

UnknownKeyTypeError

An error that happens when we encounter an unknown key type.

UnrecognizedEntry

The opaque identifier of an unrecognized key inside a Keystore.

UnrecognizedEntryError

An unrecognized keystore entry.

Enums

ArtiPathSyntaxError

An error caused by a syntactically invalid ArtiPath.

ArtiPathUnavailableError

An error returned by a KeySpecifier.

CTorPath

The path of a key in the C Tor key store.

CTorServicePath

The relative path in a C Tor key store.

Error

An Error type for this crate.

InvalidKeyPathComponentValue

Error to be returned by KeySpecifierComponent::from_slug implementations

KeyMgrBuilderErrorkeymgr

Error type for KeyMgrBuilder

KeyPath

The identifier of a key.

KeyPathError

An error while attempting to extract information about a key given its path

KeyPathPattern

A pattern that can be used to match ArtiPaths or CTorPaths.

KeyType

A type of key stored in the key store.

KeystoreCorruptionError

An error caused by keystore corruption.

KeystoreSelector

Specifies which keystores a KeyMgr operation should apply to.

RawEntryIdonion-service-cli-extra

The raw identifier of a key inside a Keystore.

SshKeyAlgorithm

SSH key algorithms.

Constants

DENOTATOR_SEP

A separator for that marks the beginning of the keys denotators within an ArtiPath.

Traits

EncodableItem

A key that can be serialized to, and deserialized from.

KeyCertificateSpecifier

The “specifier” of a key certificate, which identifies an instance of a cert, as well as its signing and subject keys.

KeyPathInfoExtractor

A trait for extracting info out of a KeyPaths.

KeySpecifier

The “specifier” of a key, which identifies an instance of a key.

KeySpecifierComponent

A trait for serializing and deserializing specific types of Slugs.

KeySpecifierComponentViaDisplayFromStr

Implement KeySpecifierComponent in terms of Display and FromStr (helper trait)

KeySpecifierPattern

A pattern specifying some or all of a kind of key

Keygen

A trait for generating fresh keys.

KeygenRng

A random number generator for generating EncodableItems.

Keystorekeymgr

A generic key store.

KeystoreError

An error returned by a Keystore.

ToEncodableKey

A key that can be converted to an EncodableItem.

Type Aliases

ErasedKey

A type-erased key. Used by the tor-keymgr.

KeystoreEntryResultkeymgr

A type alias returned by Keystore::list.

Result

A Result type for this crate.