Enum SignatureClass 

#[non_exhaustive]
pub enum SignatureClass {
    None,
    Ed25519 {
        signing_key: SigningKey,
        verifying_key: VerifyingKey,
    },
    Hybrid {
        ed25519_signing_key: SigningKey,
        ed25519_verifying_key: VerifyingKey,
        pqc_signer: Box<dyn PqcSigner>,
    },
}

Signature tier configuration for a WalWriter. Default: None (Tier 1 — chain integrity only).

Adds Hybrid for PQC dual-sign per CNSA 2.0.

Variants (Non-exhaustive)

Non-exhaustive enums could have additional variants added in future. Therefore, when matching against variants of non-exhaustive enums, an extra wildcard arm must be added to account for any future variants.

None

No signature path (chain integrity only).

Ed25519

RFC 8032 Ed25519 — deterministic per-record signatures.

Fields

signing_key: SigningKey

Private signing key. Never serialized; redacted in Debug.

verifying_key: VerifyingKey

Verifying key derived from the signing key. Pinned in the WAL header so post-hoc verification is self-contained.

Hybrid

Hybrid — Ed25519 + ML-DSA 65 dual-sign. Both signatures emitted per record. Verify path is AND-mode (both must pass).

Fields

ed25519_signing_key: SigningKey

Ed25519 private signing key.

ed25519_verifying_key: VerifyingKey

Ed25519 verifying key (pinned in WAL header verifying_key).

pqc_signer: Box<dyn PqcSigner>

PQC signer (trait object — currently SoftwareMlDsa65Signer; HSM/KMS providers land via PqcSigner impl, deferred).

Implementations

impl SignatureClass

pub fn new_ed25519_from_secret(secret: [u8; 32]) -> Self

Construct an Ed25519 class from a 32-byte secret seed. The verifying key is derived deterministically.

pub fn new_hybrid_from_secrets( ed25519_secret: [u8; 32], ml_dsa_seed: [u8; 32], ) -> Self

Construct a Hybrid class from independent Ed25519 and ML-DSA 65 secret seeds. Both keys derived deterministically from their respective 32-byte seeds. Use independent seeds (do not reuse the same seed for both schemes).

pub fn verifying_key_bytes(&self) -> Option<[u8; 32]>

Bytes of the Ed25519 verifying (public) key, if Ed25519/Hybrid. Returned bytes are the [u8; 32] form pinned in the WAL header verifying_key field.

pub fn verifying_key_pqc_bytes(&self) -> Option<Vec<u8>>

Bytes of the PQC verifying (public) key, if Hybrid (else None). Returned bytes are the Vec<u8> form (1952 bytes for ML-DSA 65) pinned in the WAL header verifying_key_pqc field.

Trait Implementations

impl Debug for SignatureClass

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for SignatureClass

fn default() -> SignatureClass

Returns the “default value” for a type.