pub trait KeyStorage: Send + Sync {
// Required methods
fn store_key(
&self,
alias: &KeyAlias,
identity_did: &IdentityDID,
role: KeyRole,
encrypted_key_data: &[u8],
) -> Result<(), AgentError>;
fn load_key(
&self,
alias: &KeyAlias,
) -> Result<(IdentityDID, KeyRole, Vec<u8>), AgentError>;
fn delete_key(&self, alias: &KeyAlias) -> Result<(), AgentError>;
fn list_aliases(&self) -> Result<Vec<KeyAlias>, AgentError>;
fn list_aliases_for_identity(
&self,
identity_did: &IdentityDID,
) -> Result<Vec<KeyAlias>, AgentError>;
fn get_identity_for_alias(
&self,
alias: &KeyAlias,
) -> Result<IdentityDID, AgentError>;
fn backend_name(&self) -> &'static str;
// Provided methods
fn list_aliases_for_identity_with_role(
&self,
identity_did: &IdentityDID,
role: KeyRole,
) -> Result<Vec<KeyAlias>, AgentError> { ... }
fn is_hardware_backend(&self) -> bool { ... }
fn rebind_identity(
&self,
alias: &KeyAlias,
identity_did: &IdentityDID,
) -> Result<(), AgentError> { ... }
fn export_public_key(&self, alias: &KeyAlias) -> Result<Vec<u8>, AgentError> { ... }
fn sign_raw(
&self,
alias: &KeyAlias,
message: &[u8],
) -> Result<Vec<u8>, AgentError> { ... }
}Expand description
Platform-agnostic interface for storing and loading private keys securely.
All implementors must be Send + Sync for thread-safe access.
Required Methods§
Sourcefn store_key(
&self,
alias: &KeyAlias,
identity_did: &IdentityDID,
role: KeyRole,
encrypted_key_data: &[u8],
) -> Result<(), AgentError>
fn store_key( &self, alias: &KeyAlias, identity_did: &IdentityDID, role: KeyRole, encrypted_key_data: &[u8], ) -> Result<(), AgentError>
Stores encrypted key data associated with an alias AND an identity DID.
Sourcefn load_key(
&self,
alias: &KeyAlias,
) -> Result<(IdentityDID, KeyRole, Vec<u8>), AgentError>
fn load_key( &self, alias: &KeyAlias, ) -> Result<(IdentityDID, KeyRole, Vec<u8>), AgentError>
Loads the encrypted key data AND the associated identity DID for a given alias.
Sourcefn delete_key(&self, alias: &KeyAlias) -> Result<(), AgentError>
fn delete_key(&self, alias: &KeyAlias) -> Result<(), AgentError>
Deletes a key by its alias.
Sourcefn list_aliases(&self) -> Result<Vec<KeyAlias>, AgentError>
fn list_aliases(&self) -> Result<Vec<KeyAlias>, AgentError>
Lists all aliases stored by this backend for the specific service.
Sourcefn list_aliases_for_identity(
&self,
identity_did: &IdentityDID,
) -> Result<Vec<KeyAlias>, AgentError>
fn list_aliases_for_identity( &self, identity_did: &IdentityDID, ) -> Result<Vec<KeyAlias>, AgentError>
Lists aliases associated ONLY with the given identity DID.
Sourcefn get_identity_for_alias(
&self,
alias: &KeyAlias,
) -> Result<IdentityDID, AgentError>
fn get_identity_for_alias( &self, alias: &KeyAlias, ) -> Result<IdentityDID, AgentError>
Retrieves the identity DID associated with a given alias.
Sourcefn backend_name(&self) -> &'static str
fn backend_name(&self) -> &'static str
Returns the name of the storage backend.
Provided Methods§
Sourcefn list_aliases_for_identity_with_role(
&self,
identity_did: &IdentityDID,
role: KeyRole,
) -> Result<Vec<KeyAlias>, AgentError>
fn list_aliases_for_identity_with_role( &self, identity_did: &IdentityDID, role: KeyRole, ) -> Result<Vec<KeyAlias>, AgentError>
List aliases for an identity filtered by role.
Sourcefn is_hardware_backend(&self) -> bool
fn is_hardware_backend(&self) -> bool
Returns true if this backend manages keys in hardware (SE, HSM).
Hardware backends generate keys internally, don’t need passphrases, and store opaque handles instead of encrypted PKCS8.
Sourcefn rebind_identity(
&self,
alias: &KeyAlias,
identity_did: &IdentityDID,
) -> Result<(), AgentError>
fn rebind_identity( &self, alias: &KeyAlias, identity_did: &IdentityDID, ) -> Result<(), AgentError>
Re-associates an existing stored key with a different identity DID without touching the key material.
Needed by KERI inception: the key must exist (so its public key can be
read) before the identity prefix it belongs to can be derived. The
default implementation round-trips the stored material through
store_key, which is correct for software backends. Hardware backends
MUST override this — their store_key generates a fresh key, which
would orphan the original.
Args:
alias: Alias of the already-stored key.identity_did: The identity to associate the key with.
Usage:
keychain.rebind_identity(&alias, &controller_did)?;Sourcefn export_public_key(&self, alias: &KeyAlias) -> Result<Vec<u8>, AgentError>
fn export_public_key(&self, alias: &KeyAlias) -> Result<Vec<u8>, AgentError>
Returns the raw public key bytes of a stored key without a passphrase.
Hardware backends derive this from their opaque handle; software
backends would need a passphrase to decrypt the stored PKCS8, so the
default errors — use extract_public_key_bytes for those.
Sourcefn sign_raw(
&self,
alias: &KeyAlias,
message: &[u8],
) -> Result<Vec<u8>, AgentError>
fn sign_raw( &self, alias: &KeyAlias, message: &[u8], ) -> Result<Vec<u8>, AgentError>
Signs a message with a stored key without a passphrase.
Hardware backends sign inside the hardware (may trigger a biometric
prompt); software backends need a passphrase, so the default errors —
use SecureSigner::sign_with_alias for those.
Trait Implementations§
Source§impl KeyStorage for Box<dyn KeyStorage + Send + Sync>
impl KeyStorage for Box<dyn KeyStorage + Send + Sync>
Source§fn store_key(
&self,
alias: &KeyAlias,
identity_did: &IdentityDID,
role: KeyRole,
encrypted_key_data: &[u8],
) -> Result<(), AgentError>
fn store_key( &self, alias: &KeyAlias, identity_did: &IdentityDID, role: KeyRole, encrypted_key_data: &[u8], ) -> Result<(), AgentError>
Source§fn load_key(
&self,
alias: &KeyAlias,
) -> Result<(IdentityDID, KeyRole, Vec<u8>), AgentError>
fn load_key( &self, alias: &KeyAlias, ) -> Result<(IdentityDID, KeyRole, Vec<u8>), AgentError>
Source§fn delete_key(&self, alias: &KeyAlias) -> Result<(), AgentError>
fn delete_key(&self, alias: &KeyAlias) -> Result<(), AgentError>
Source§fn list_aliases(&self) -> Result<Vec<KeyAlias>, AgentError>
fn list_aliases(&self) -> Result<Vec<KeyAlias>, AgentError>
Source§fn list_aliases_for_identity(
&self,
identity_did: &IdentityDID,
) -> Result<Vec<KeyAlias>, AgentError>
fn list_aliases_for_identity( &self, identity_did: &IdentityDID, ) -> Result<Vec<KeyAlias>, AgentError>
Source§fn list_aliases_for_identity_with_role(
&self,
identity_did: &IdentityDID,
role: KeyRole,
) -> Result<Vec<KeyAlias>, AgentError>
fn list_aliases_for_identity_with_role( &self, identity_did: &IdentityDID, role: KeyRole, ) -> Result<Vec<KeyAlias>, AgentError>
Source§fn get_identity_for_alias(
&self,
alias: &KeyAlias,
) -> Result<IdentityDID, AgentError>
fn get_identity_for_alias( &self, alias: &KeyAlias, ) -> Result<IdentityDID, AgentError>
Source§fn backend_name(&self) -> &'static str
fn backend_name(&self) -> &'static str
Source§fn is_hardware_backend(&self) -> bool
fn is_hardware_backend(&self) -> bool
Source§fn rebind_identity(
&self,
alias: &KeyAlias,
identity_did: &IdentityDID,
) -> Result<(), AgentError>
fn rebind_identity( &self, alias: &KeyAlias, identity_did: &IdentityDID, ) -> Result<(), AgentError>
Source§fn export_public_key(&self, alias: &KeyAlias) -> Result<Vec<u8>, AgentError>
fn export_public_key(&self, alias: &KeyAlias) -> Result<Vec<u8>, AgentError>
Dyn Compatibility§
This trait is dyn compatible.
In older versions of Rust, dyn compatibility was called "object safety".