pub struct LogCheckpoint {
pub checkpoint_version: String,
pub log_id: String,
pub tree_size: u64,
pub root_hash: String,
pub timestamp: DateTime<Utc>,
pub signature: Signature,
}Expand description
A registry-signed checkpoint (signed tree head): the registry’s
commitment that, as of timestamp, the log log_id has tree_size
leaves and Merkle root root_hash (RFC-ACDP-0012 §6).
CLOSED schema (acdp-log-checkpoint.schema.json,
additionalProperties: false): every field is signed, so an unknown
member would change the preimage. The signing construction is
RFC-ACDP-0010 §5 verbatim — same receipt signing key, same
"remove the signature member" preimage rule, same ASCII
"sha256:<hex>" signing input — with checkpoint_version as the
in-preimage domain separator.
Fields§
§checkpoint_version: StringMUST be exactly LOG_CHECKPOINT_VERSION ("acdp-log/1").
log_id: StringThe log instantiation identifier
"<registry_did>/log/<instance>" (§6). A new instance component
is an explicit, detectable history reset (§7.4).
tree_size: u64The number of leaves this checkpoint commits to (0 is a valid, empty log).
root_hash: String"sha256:" + lowercase_hex(MTH(D[tree_size])) per §5.2.
timestamp: DateTime<Utc>Registry-clock time at which this checkpoint was evaluated and
signed; canonical millisecond-precision RFC 3339 UTC. Registry-
asserted (§13) — consumers bound it with Self::check_timestamp_skew
and their own freshness policy (§7.2).
signature: SignatureThe registry’s signature over the checkpoint hash (§6 — the
RFC-ACDP-0010 §5 construction verbatim). signature.key_id MUST
be a DID URL under the registry_did embedded in log_id.
Implementations§
Source§impl LogCheckpoint
impl LogCheckpoint
Sourcepub fn from_value(value: &Value) -> Result<Self, AcdpError>
pub fn from_value(value: &Value) -> Result<Self, AcdpError>
§9.3 step 1 — schema-closed parse: exact checkpoint_version,
well-formed log_id and root_hash, canonical millisecond byte
form of the RAW timestamp (checked before parsing
normalization), and signature.key_id under the log_id’s
registry DID.
Sourcepub fn registry_did(&self) -> Result<&str, AcdpError>
pub fn registry_did(&self) -> Result<&str, AcdpError>
The registry DID embedded in log_id, after checking that
signature.key_id is a DID URL under it (RFC-ACDP-0012 §6).
Sourcepub fn preimage_hash_of_value(value: &Value) -> Result<ContentHash, AcdpError>
pub fn preimage_hash_of_value(value: &Value) -> Result<ContentHash, AcdpError>
Compute the §6 checkpoint hash from the RAW wire JSON of a
checkpoint (the value minus signature, JCS-canonicalized as
received, SHA-256’d). Verifiers MUST hash the checkpoint exactly
as received — the same raw-JSON rule as
crate::receipt::RegistryReceipt::preimage_hash_of_value.
Sourcepub fn preimage_hash(&self) -> Result<ContentHash, AcdpError>
pub fn preimage_hash(&self) -> Result<ContentHash, AcdpError>
Compute the checkpoint hash from the struct. Used at MINT time
(the struct’s serializer emits the canonical three-digit-
millisecond timestamp); verifiers should prefer
Self::preimage_hash_of_value over the raw wire JSON.
Sourcepub fn root_hash_bytes(&self) -> Result<[u8; 32], AcdpError>
pub fn root_hash_bytes(&self) -> Result<[u8; 32], AcdpError>
The raw 32-byte digest root_hash encodes.
Sourcepub fn verify_signature_with_key(
&self,
registry_pub_ed25519: Option<&[u8; 32]>,
registry_pub_p256_sec1: Option<&[u8]>,
) -> Result<(), AcdpError>
pub fn verify_signature_with_key( &self, registry_pub_ed25519: Option<&[u8; 32]>, registry_pub_p256_sec1: Option<&[u8]>, ) -> Result<(), AcdpError>
§9.3 step 2 — verify the checkpoint signature against a known
registry public key (pure — no DID resolution; the client
feature’s verify_log_checkpoint_value resolves the registry
DID and calls this).
Sourcepub fn verify_signature_against_hash(
&self,
hash: &ContentHash,
registry_pub_ed25519: Option<&[u8; 32]>,
registry_pub_p256_sec1: Option<&[u8]>,
) -> Result<(), AcdpError>
pub fn verify_signature_against_hash( &self, hash: &ContentHash, registry_pub_ed25519: Option<&[u8; 32]>, registry_pub_p256_sec1: Option<&[u8]>, ) -> Result<(), AcdpError>
Like Self::verify_signature_with_key but over an
already-computed checkpoint hash — pair with
Self::preimage_hash_of_value for raw-JSON verification.
Sourcepub fn cross_check_registry_binding(
&self,
serving_authority: &str,
capabilities_registry_did: &str,
) -> Result<(), AcdpError>
pub fn cross_check_registry_binding( &self, serving_authority: &str, capabilities_registry_did: &str, ) -> Result<(), AcdpError>
§9.3 step 3 — registry binding (pure): the registry_did prefix
of log_id MUST be did:web:<authority> where <authority> is
the authority the checkpoint was fetched from AND equal
capabilities.registry_did; the DID portion of
signature.key_id MUST equal that DID (already enforced by
Self::registry_did).
Sourcepub fn check_timestamp_skew(
&self,
now: DateTime<Utc>,
max_clock_skew: Duration,
) -> Result<(), AcdpError>
pub fn check_timestamp_skew( &self, now: DateTime<Utc>, max_clock_skew: Duration, ) -> Result<(), AcdpError>
§9.3 step 4 — form: timestamp millisecond-truncated and not in
the future beyond max_clock_skew (RECOMMENDED 120 s, the
RFC-ACDP-0011 §7 step 6 allowance). Staleness (an old but honest
timestamp) is consumer freshness policy (§7.2), evaluated
separately via Self::age_at.
Trait Implementations§
Source§impl Clone for LogCheckpoint
impl Clone for LogCheckpoint
Source§fn clone(&self) -> LogCheckpoint
fn clone(&self) -> LogCheckpoint
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more