pub struct KeyMgr { /* private fields */ }
keymgr
only.Expand description
A key manager that acts as a frontend to a primary Keystore
and
any number of secondary Keystore
s.
Note: KeyMgr
is a low-level utility and does not implement caching (the key stores are
accessed for every read/write).
The KeyMgr
accessors - currently just get()
-
search the configured key stores in order: first the primary key store,
and then the secondary stores, in order.
§Concurrent key store access
The key stores will allow concurrent modification by different processes. In order to implement this safely without locking, the key store operations (get, insert, remove) will need to be atomic.
Note: KeyMgr::generate
and KeyMgr::get_or_generate
should not be used
concurrently with any other KeyMgr
operation that mutates the same key
(i.e. a key with the same ArtiPath
), because
their outcome depends on whether the selected key store
contains
the specified key (and thus suffers from a TOCTOU race).
Implementations§
Source§impl KeyMgr
impl KeyMgr
Sourcepub fn get<K: ToEncodableKey>(
&self,
key_spec: &dyn KeySpecifier,
) -> Result<Option<K>>
pub fn get<K: ToEncodableKey>( &self, key_spec: &dyn KeySpecifier, ) -> Result<Option<K>>
Read a key from one of the key stores, and try to deserialize it as K::Key
.
The key returned is retrieved from the first key store that contains an entry for the given specifier.
Returns Ok(None)
if none of the key stores have the requested key.
Sourcepub fn get_entry<K: ToEncodableKey>(
&self,
entry: &KeystoreEntry<'_>,
) -> Result<Option<K>>
pub fn get_entry<K: ToEncodableKey>( &self, entry: &KeystoreEntry<'_>, ) -> Result<Option<K>>
Retrieve the specified keystore entry, and try to deserialize it as K::Key
.
The key returned is retrieved from the key store specified in the KeystoreEntry
.
Returns Ok(None)
if the key store does not contain the requested entry.
Returns an error if the specified key_type
does not match K::Key::item_type()
.
Sourcepub fn get_or_generate<K>(
&self,
key_spec: &dyn KeySpecifier,
selector: KeystoreSelector<'_>,
rng: &mut dyn KeygenRng,
) -> Result<K>
pub fn get_or_generate<K>( &self, key_spec: &dyn KeySpecifier, selector: KeystoreSelector<'_>, rng: &mut dyn KeygenRng, ) -> Result<K>
Read the key identified by key_spec
.
The key returned is retrieved from the first key store that contains an entry for the given specifier.
If the requested key does not exist in any of the key stores, this generates a new key of
type K
from the key created using using K::Key
’s Keygen
implementation, and inserts
it into the specified keystore, returning the newly inserted value.
This is a convenience wrapper around get()
and
generate()
.
Sourcepub fn generate<K>(
&self,
key_spec: &dyn KeySpecifier,
selector: KeystoreSelector<'_>,
rng: &mut dyn KeygenRng,
overwrite: bool,
) -> Result<K>
pub fn generate<K>( &self, key_spec: &dyn KeySpecifier, selector: KeystoreSelector<'_>, rng: &mut dyn KeygenRng, overwrite: bool, ) -> Result<K>
Generate a new key of type K
, and insert it into the key store specified by selector
.
If the key already exists in the specified key store, the overwrite
flag is used to
decide whether to overwrite it with a newly generated key.
On success, this function returns the newly generated key.
Returns Error::KeyAlreadyExists
if the key already exists in the specified key store and overwrite
is false
.
IMPORTANT: using this function concurrently with any other KeyMgr
operation that
mutates the key store state is not recommended, as it can yield surprising results! The
outcome of KeyMgr::generate
depends on whether the selected key store
contains
the specified key, and thus suffers from a TOCTOU race.
Sourcepub fn insert<K: ToEncodableKey>(
&self,
key: K,
key_spec: &dyn KeySpecifier,
selector: KeystoreSelector<'_>,
overwrite: bool,
) -> Result<Option<K>>
pub fn insert<K: ToEncodableKey>( &self, key: K, key_spec: &dyn KeySpecifier, selector: KeystoreSelector<'_>, overwrite: bool, ) -> Result<Option<K>>
Insert key
into the Keystore
specified by selector
.
If the key already exists in the specified key store, the overwrite
flag is used to
decide whether to overwrite it with the provided key.
If this key is not already in the keystore, None
is returned.
If this key already exists in the keystore, its value is updated and the old value is returned.
Returns an error if the selected keystore is not the primary keystore or one of the configured secondary stores.
Sourcepub fn remove<K: ToEncodableKey>(
&self,
key_spec: &dyn KeySpecifier,
selector: KeystoreSelector<'_>,
) -> Result<Option<K>>
pub fn remove<K: ToEncodableKey>( &self, key_spec: &dyn KeySpecifier, selector: KeystoreSelector<'_>, ) -> Result<Option<K>>
Remove the key identified by key_spec
from the Keystore
specified by selector
.
Returns an error if the selected keystore is not the primary keystore or one of the configured secondary stores.
Returns the value of the removed key,
or Ok(None)
if the key does not exist in the requested keystore.
Returns Err
if an error occurred while trying to remove the key.
Sourcepub fn remove_entry(&self, entry: &KeystoreEntry<'_>) -> Result<Option<()>>
pub fn remove_entry(&self, entry: &KeystoreEntry<'_>) -> Result<Option<()>>
Remove the specified keystore entry.
Like KeyMgr::remove
, except this function does not return the value of the removed key.
A return value of Ok(None)
indicates the key was not found in the specified key store,
whereas Ok(Some(())
means the key was successfully removed.
Sourcepub fn list_matching(
&self,
pat: &KeyPathPattern,
) -> Result<Vec<KeystoreEntry<'_>>>
pub fn list_matching( &self, pat: &KeyPathPattern, ) -> Result<Vec<KeystoreEntry<'_>>>
Return the keystore entry descriptors of the keys matching the specified KeyPathPattern
.
NOTE: This searches for matching keys in all keystores.
Sourcepub fn describe(&self, path: &KeyPath) -> StdResult<KeyPathInfo, KeyPathError>
pub fn describe(&self, path: &KeyPath) -> StdResult<KeyPathInfo, KeyPathError>
Describe the specified key.
Returns KeyPathError::Unrecognized
if none of the registered
KeyPathInfoExtractor
s is able to parse the specified KeyPath
.
This function uses the KeyPathInfoExtractor
s registered using
register_key_info_extractor
,
or by DefaultKeySpecifier
.
Sourcepub fn get_key_and_cert<K, C>(
&self,
spec: &dyn KeyCertificateSpecifier,
) -> Result<Option<(K, C)>>where
K: ToEncodableKey,
C: ToEncodableCert<K>,
Available on crate feature experimental-api
only.
pub fn get_key_and_cert<K, C>(
&self,
spec: &dyn KeyCertificateSpecifier,
) -> Result<Option<(K, C)>>where
K: ToEncodableKey,
C: ToEncodableCert<K>,
experimental-api
only.Read the specified key and certificate from one of the key stores,
deserializing the subject key as K::Key
, the cert as C::Cert
,
and the signing key as C::SigningKey
.
Returns Ok(None)
if none of the key stores have the requested key.
This function validates the certificate using ToEncodableCert::validate
,
returning an error if it is invalid or missing.
Sourcepub fn get_or_generate_key_and_cert<K, C>(
&self,
spec: &dyn KeyCertificateSpecifier,
make_certificate: impl FnOnce(&K, &<C as ToEncodableCert<K>>::SigningKey) -> C,
selector: KeystoreSelector<'_>,
rng: &mut dyn KeygenRng,
) -> Result<(K, C)>
Available on crate feature experimental-api
only.
pub fn get_or_generate_key_and_cert<K, C>( &self, spec: &dyn KeyCertificateSpecifier, make_certificate: impl FnOnce(&K, &<C as ToEncodableCert<K>>::SigningKey) -> C, selector: KeystoreSelector<'_>, rng: &mut dyn KeygenRng, ) -> Result<(K, C)>
experimental-api
only.Like KeyMgr::get_key_and_cert
, except this function also generates the subject key
and its corresponding certificate if they don’t already exist.
If the key certificate is missing, it will be generated
from the subject key and signing key using the provided make_certificate
callback.
Generates the missing key and/or certificate as follows:
| Subject Key exists | Signing Key exists | Cert exists | Action |
|--------------------|--------------------|-------------|----------------------------------------|
| Y | Y | Y | Validate cert, return key and cert |
| | | | if valid, error otherwise |
|--------------------|--------------------|-------------|----------------------------------------|
| N | Y | N | Generate subject key and |
| | | | a new cert signed with signing key |
|--------------------|--------------------|-------------|----------------------------------------|
| Y | Y | N | Generate cert signed with signing key |
|--------------------|--------------------|-------------|----------------------------------------|
| Y | N | N | Error - cannot validate cert |
| | | | if signing key is not available |
|--------------------|--------------------|-------------|----------------------------------------|
| Y/N | N | N | Error - cannot generate cert |
| | | | if signing key is not available |
|--------------------|--------------------|-------------|----------------------------------------|
| N | Y/N | Y | Error - subject key was removed? |
| | | | (we found the cert, |
| | | | but the subject key is missing) |
Auto Trait Implementations§
impl Freeze for KeyMgr
impl !RefUnwindSafe for KeyMgr
impl Send for KeyMgr
impl Sync for KeyMgr
impl Unpin for KeyMgr
impl !UnwindSafe for KeyMgr
Blanket Implementations§
§impl<'a, T, E> AsTaggedExplicit<'a, E> for Twhere
T: 'a,
impl<'a, T, E> AsTaggedExplicit<'a, E> for Twhere
T: 'a,
§impl<'a, T, E> AsTaggedImplicit<'a, E> for Twhere
T: 'a,
impl<'a, T, E> AsTaggedImplicit<'a, E> for Twhere
T: 'a,
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
§impl<T> Downcast for Twhere
T: Any,
impl<T> Downcast for Twhere
T: Any,
§fn into_any(self: Box<T>) -> Box<dyn Any>
fn into_any(self: Box<T>) -> Box<dyn Any>
Box<dyn Trait>
(where Trait: Downcast
) to Box<dyn Any>
. Box<dyn Any>
can
then be further downcast
into Box<ConcreteType>
where ConcreteType
implements Trait
.§fn into_any_rc(self: Rc<T>) -> Rc<dyn Any>
fn into_any_rc(self: Rc<T>) -> Rc<dyn Any>
Rc<Trait>
(where Trait: Downcast
) to Rc<Any>
. Rc<Any>
can then be
further downcast
into Rc<ConcreteType>
where ConcreteType
implements Trait
.§fn as_any(&self) -> &(dyn Any + 'static)
fn as_any(&self) -> &(dyn Any + 'static)
&Trait
(where Trait: Downcast
) to &Any
. This is needed since Rust cannot
generate &Any
’s vtable from &Trait
’s.§fn as_any_mut(&mut self) -> &mut (dyn Any + 'static)
fn as_any_mut(&mut self) -> &mut (dyn Any + 'static)
&mut Trait
(where Trait: Downcast
) to &Any
. This is needed since Rust cannot
generate &mut Any
’s vtable from &mut Trait
’s.§impl<T> DowncastSync for T
impl<T> DowncastSync for T
§impl<T> Instrument for T
impl<T> Instrument for T
§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
Source§impl<T> IntoEither for T
impl<T> IntoEither for T
Source§fn into_either(self, into_left: bool) -> Either<Self, Self>
fn into_either(self, into_left: bool) -> Either<Self, Self>
self
into a Left
variant of Either<Self, Self>
if into_left
is true
.
Converts self
into a Right
variant of Either<Self, Self>
otherwise. Read moreSource§fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
self
into a Left
variant of Either<Self, Self>
if into_left(&self)
returns true
.
Converts self
into a Right
variant of Either<Self, Self>
otherwise. Read more