Transport trust module (TOFU, rotations, channel binding surfaces)
Structs
- EventCollector - A test utility that collects and records trust-related events for verification. Useful in tests to assert that expected events were triggered.
- FsPinStore - A filesystem-based implementation of PinStore that persists pin records as JSON files. Each peer’s record is stored in a separate file named after the peer’s hex-encoded ID.
- GlobalTrustRuntime - Global trust runtime used by integration glue to perform automatic channel binding and event emission. This is intentionally simple and primarily for tests and early integration; production deployments should provide explicit wiring.
- PinRecord - A record of pinned fingerprints for a peer, supporting key rotation with continuity. Contains the current fingerprint and optionally the previous one for continuity validation.
- TransportPolicy - Configuration policy for trust operations including TOFU, continuity, and channel binding. Provides a builder pattern for configuring trust behavior.
Enums
- TrustError - Errors that can occur during trust operations such as pinning, rotation, and channel binding.
Traits
- EventSink - A trait for receiving notifications about trust-related events. Implementations can be used to monitor pinning, rotation, and channel binding operations. All methods have default empty implementations for optional overriding.
- PinStore - A trait for storing and retrieving pinned peer fingerprints. Implementations must be thread-safe (Send + Sync) for concurrent access.
Functions
- derive_exporter - Derive a fixed-size exporter key from the TLS session for binding.
- global_runtime - Get the global trust runtime, if one was installed.
- perform_channel_binding - Perform a simple exporter-based channel binding. Minimal stub that derives the exporter and marks success via the event sink. Future work will add signature exchange and pin check.
- perform_channel_binding_from_exporter - Test-only helper: perform channel binding from provided exporter bytes.
- recv_verify_binding_ed25519 - Receive and verify a binding message over a unidirectional stream using Ed25519.
- register_first_seen - Register a peer for the first time, performing TOFU pinning if allowed by policy. Computes the peer ID from the SPKI fingerprint and either loads the existing pin or creates a new one. Returns the peer ID regardless of whether pinning occurred.
- register_rotation - Register a key rotation for a peer, validating continuity if required by policy. Updates the pin record with the new fingerprint and triggers rotation events. Validates that the old fingerprint matches the current pin and checks the continuity signature if required.
- send_binding_ed25519 - Send a binding message over a unidirectional stream using Ed25519.
- set_global_runtime - Install a global trust runtime used by automatic binding integration.
- sign_continuity - Sign a new fingerprint with the old private key to prove continuity during key rotation. Returns the Ed25519 signature as bytes, which can be verified with the old public key.
- sign_exporter_ed25519 - Sign the exporter with an Ed25519 private key.
- verify_binding_ed25519 - Verify a binding signature against a pinned SubjectPublicKeyInfo (SPKI).