pub struct TrustAnchor {
pub min_tier: Option<SignatureTier>,
pub ed25519_verifying_key: Option<[u8; 32]>,
pub mldsa_verifying_key: Option<Vec<u8>>,
pub expected_manifest_digest: Option<[u8; 32]>,
pub expected_chain_tip: Option<[u8; 32]>,
}Expand description
Operator-supplied trust anchor for authenticated WAL verification
(Wal::verify_chain_anchored).
Wal::verify_chain derives its verification policy and keys from the
WAL header. Under the threat model where WAL bytes are attacker-
controlled (a tampered on-disk log or a malicious peer’s snapshot),
that lets an attacker downgrade the tier to None (skipping all
signature checks) or substitute their own keys and re-sign the whole
chain. A TrustAnchor closes that gap: the caller pins — out-of-band —
the minimum tier and the exact verifying key(s) it trusts. The kernel
provides the MECHANISM (compare the header against the anchor; reject
downgrade / substitution / truncation); the caller owns the POLICY
(which key and tier to require). Unset (None) fields impose no check.
Fields§
§min_tier: Option<SignatureTier>Minimum acceptable signature tier. A header weaker than this is
rejected with WalError::TierDowngrade.
ed25519_verifying_key: Option<[u8; 32]>Expected Ed25519 verifying-key bytes; the header’s pinned key must
equal this (else WalError::VerifyingKeyMismatch).
mldsa_verifying_key: Option<Vec<u8>>Expected ML-DSA 65 verifying-key bytes (Hybrid); the header’s pinned PQC key must equal this.
expected_manifest_digest: Option<[u8; 32]>Expected manifest_digest (A14); rejects a WAL written under a
different ModuleManifest.
expected_chain_tip: Option<[u8; 32]>Expected final chain tip; pins the record count so a tail truncation (a chain-consistent prefix) is detected.
Trait Implementations§
Source§impl Clone for TrustAnchor
impl Clone for TrustAnchor
Source§fn clone(&self) -> TrustAnchor
fn clone(&self) -> TrustAnchor
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more