Struct KeyRotationStore 

pub struct KeyRotationStore { /* private fields */ }

Zero-downtime key rotation store.

Holds up to max_keys Ed25519 key pairs simultaneously. The latest added key is used for signing; all retained keys can verify tokens. During rotation:

1. Call rotate(private_pem, public_pem) to add the new key.
2. New tokens are signed with the new key immediately.
3. Old tokens remain verifiable until their natural expiry.
4. Call prune() to remove the oldest key once all old tokens have expired.

Example

let mut store = KeyRotationStore::new(3);
store.add_key("v1", PRIVATE_PEM, PUBLIC_PEM)?;

// Later, on rotation:
store.rotate("v2", NEW_PRIVATE_PEM, NEW_PUBLIC_PEM)?;

Implementations

impl KeyRotationStore

pub fn new(max_keys: usize) -> Self

Create a new store. max_keys caps how many key versions are retained simultaneously (minimum 1, maximum 16).

pub fn add_key( &self, kid: impl Into<String>, private_pem: &[u8], public_pem: &[u8], ) -> Result<()>

Load the initial key pair. kid is a human-readable version tag.

pub fn rotate( &self, kid: impl Into<String>, private_pem: &[u8], public_pem: &[u8], ) -> Result<()>

Convenience alias — same as add_key but semantically signals rotation.

pub fn prune_oldest(&self)

Drop the oldest key version (call after old tokens have expired).

pub fn sign( &self, subject: Uuid, ttl_seconds: i64, extra: Value, ) -> Result<String>

Sign a JWT with the current (newest) key.

pub fn verify(&self, token: &str) -> Result<Claims>

Verify a JWT against all retained key versions (newest first).

pub fn key_count(&self) -> usize

Number of currently retained key versions.

Trait Implementations

impl Clone for KeyRotationStore

fn clone(&self) -> Self

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.