Skip to main content

KeyStorage

Trait KeyStorage 

Source
pub trait KeyStorage: Send + Sync {
    // Required methods
    fn store_key(
        &self,
        alias: &KeyAlias,
        identity_did: &IdentityDID,
        role: KeyRole,
        encrypted_key_data: &[u8],
    ) -> Result<(), AgentError>;
    fn load_key(
        &self,
        alias: &KeyAlias,
    ) -> Result<(IdentityDID, KeyRole, Vec<u8>), AgentError>;
    fn delete_key(&self, alias: &KeyAlias) -> Result<(), AgentError>;
    fn list_aliases(&self) -> Result<Vec<KeyAlias>, AgentError>;
    fn list_aliases_for_identity(
        &self,
        identity_did: &IdentityDID,
    ) -> Result<Vec<KeyAlias>, AgentError>;
    fn get_identity_for_alias(
        &self,
        alias: &KeyAlias,
    ) -> Result<IdentityDID, AgentError>;
    fn backend_name(&self) -> &'static str;

    // Provided methods
    fn list_aliases_for_identity_with_role(
        &self,
        identity_did: &IdentityDID,
        role: KeyRole,
    ) -> Result<Vec<KeyAlias>, AgentError> { ... }
    fn is_hardware_backend(&self) -> bool { ... }
    fn rebind_identity(
        &self,
        alias: &KeyAlias,
        identity_did: &IdentityDID,
    ) -> Result<(), AgentError> { ... }
    fn export_public_key(&self, alias: &KeyAlias) -> Result<Vec<u8>, AgentError> { ... }
    fn sign_raw(
        &self,
        alias: &KeyAlias,
        message: &[u8],
    ) -> Result<Vec<u8>, AgentError> { ... }
}
Expand description

Platform-agnostic interface for storing and loading private keys securely.

All implementors must be Send + Sync for thread-safe access.

Required Methods§

Source

fn store_key( &self, alias: &KeyAlias, identity_did: &IdentityDID, role: KeyRole, encrypted_key_data: &[u8], ) -> Result<(), AgentError>

Stores encrypted key data associated with an alias AND an identity DID.

Source

fn load_key( &self, alias: &KeyAlias, ) -> Result<(IdentityDID, KeyRole, Vec<u8>), AgentError>

Loads the encrypted key data AND the associated identity DID for a given alias.

Source

fn delete_key(&self, alias: &KeyAlias) -> Result<(), AgentError>

Deletes a key by its alias.

Source

fn list_aliases(&self) -> Result<Vec<KeyAlias>, AgentError>

Lists all aliases stored by this backend for the specific service.

Source

fn list_aliases_for_identity( &self, identity_did: &IdentityDID, ) -> Result<Vec<KeyAlias>, AgentError>

Lists aliases associated ONLY with the given identity DID.

Source

fn get_identity_for_alias( &self, alias: &KeyAlias, ) -> Result<IdentityDID, AgentError>

Retrieves the identity DID associated with a given alias.

Source

fn backend_name(&self) -> &'static str

Returns the name of the storage backend.

Provided Methods§

Source

fn list_aliases_for_identity_with_role( &self, identity_did: &IdentityDID, role: KeyRole, ) -> Result<Vec<KeyAlias>, AgentError>

List aliases for an identity filtered by role.

Source

fn is_hardware_backend(&self) -> bool

Returns true if this backend manages keys in hardware (SE, HSM).

Hardware backends generate keys internally, don’t need passphrases, and store opaque handles instead of encrypted PKCS8.

Source

fn rebind_identity( &self, alias: &KeyAlias, identity_did: &IdentityDID, ) -> Result<(), AgentError>

Re-associates an existing stored key with a different identity DID without touching the key material.

Needed by KERI inception: the key must exist (so its public key can be read) before the identity prefix it belongs to can be derived. The default implementation round-trips the stored material through store_key, which is correct for software backends. Hardware backends MUST override this — their store_key generates a fresh key, which would orphan the original.

Args:

  • alias: Alias of the already-stored key.
  • identity_did: The identity to associate the key with.

Usage:

keychain.rebind_identity(&alias, &controller_did)?;
Source

fn export_public_key(&self, alias: &KeyAlias) -> Result<Vec<u8>, AgentError>

Returns the raw public key bytes of a stored key without a passphrase.

Hardware backends derive this from their opaque handle; software backends would need a passphrase to decrypt the stored PKCS8, so the default errors — use extract_public_key_bytes for those.

Source

fn sign_raw( &self, alias: &KeyAlias, message: &[u8], ) -> Result<Vec<u8>, AgentError>

Signs a message with a stored key without a passphrase.

Hardware backends sign inside the hardware (may trigger a biometric prompt); software backends need a passphrase, so the default errors — use SecureSigner::sign_with_alias for those.

Trait Implementations§

Source§

impl KeyStorage for Box<dyn KeyStorage + Send + Sync>

Source§

fn store_key( &self, alias: &KeyAlias, identity_did: &IdentityDID, role: KeyRole, encrypted_key_data: &[u8], ) -> Result<(), AgentError>

Stores encrypted key data associated with an alias AND an identity DID.
Source§

fn load_key( &self, alias: &KeyAlias, ) -> Result<(IdentityDID, KeyRole, Vec<u8>), AgentError>

Loads the encrypted key data AND the associated identity DID for a given alias.
Source§

fn delete_key(&self, alias: &KeyAlias) -> Result<(), AgentError>

Deletes a key by its alias.
Source§

fn list_aliases(&self) -> Result<Vec<KeyAlias>, AgentError>

Lists all aliases stored by this backend for the specific service.
Source§

fn list_aliases_for_identity( &self, identity_did: &IdentityDID, ) -> Result<Vec<KeyAlias>, AgentError>

Lists aliases associated ONLY with the given identity DID.
Source§

fn list_aliases_for_identity_with_role( &self, identity_did: &IdentityDID, role: KeyRole, ) -> Result<Vec<KeyAlias>, AgentError>

List aliases for an identity filtered by role.
Source§

fn get_identity_for_alias( &self, alias: &KeyAlias, ) -> Result<IdentityDID, AgentError>

Retrieves the identity DID associated with a given alias.
Source§

fn backend_name(&self) -> &'static str

Returns the name of the storage backend.
Source§

fn is_hardware_backend(&self) -> bool

Returns true if this backend manages keys in hardware (SE, HSM). Read more
Source§

fn rebind_identity( &self, alias: &KeyAlias, identity_did: &IdentityDID, ) -> Result<(), AgentError>

Re-associates an existing stored key with a different identity DID without touching the key material. Read more
Source§

fn export_public_key(&self, alias: &KeyAlias) -> Result<Vec<u8>, AgentError>

Returns the raw public key bytes of a stored key without a passphrase. Read more
Source§

fn sign_raw( &self, alias: &KeyAlias, message: &[u8], ) -> Result<Vec<u8>, AgentError>

Signs a message with a stored key without a passphrase. Read more

Dyn Compatibility§

This trait is dyn compatible.

In older versions of Rust, dyn compatibility was called "object safety".

Implementations on Foreign Types§

Source§

impl KeyStorage for Arc<dyn KeyStorage + Send + Sync>

Source§

impl KeyStorage for Box<dyn KeyStorage + Send + Sync>

Implementors§