Struct PskProvider

pub struct PskProvider { /* private fields */ }

The PskProvider is used along with the [PskReceiver] to perform TLS 1.3 out-of-band PSK authentication, using PSK’s generated from KMS.

This struct can be enabled on a config with s2n_tls::config::Builder::set_connection_initializer.

The datakey is automatically rotated every 24 hours. Any errors in this rotation are reported through the configured failure_notification callback.

Note that the “rotation check” only happens when a new connection is created. So if a new connection is only created every 2 hours, rotation might not be attempted until 26 hours have elapsed.

Implementations

impl PskProvider

pub async fn initialize( psk_version: PskVersion, kms_client: Client, key: KeyArn, obfuscation_key: ObfuscationKey, failure_notification: impl Fn(Error) + Send + Sync + 'static, ) -> Result<Self>

Initialize a PskProvider.

• psk_version: The PSK version that the PSK provider will use. Versions are backwards compatible but will not necessarily be forwards compatible. For further information see the “Versioning” section in the main module documentation.
• kms_client: The KMS client that will be used to make generateDataKey calls.
• key: The KeyArn which will be used in the API calls
• obfuscation_key: The key used to obfuscate any ciphertext details over the wire.
• failure_notification: A callback invoked if there is ever a failure when rotating the key.

This method will call the KMS generate-data-key API to create the initial PSK that will be used for TLS connections.

Customers should emit metrics and alarm if there is a failure to rotate the key. If the key fails to rotate, then the PskProvider will continue using the existing key, and attempt rotation again after [KEY_ROTATION_PERIOD] has elapsed.

The failure_notification implementation will depend on a customer’s specific metrics/alarming configuration. As an example, if a customer is already alarming on tracing error events then the following might be sufficient:

PskProvider::initialize(client, key, obfuscation_key, |error| {
    tracing::error!("failed to rotate key: {error}");
});

Trait Implementations

impl Clone for PskProvider

fn clone(&self) -> PskProvider

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl ConnectionInitializer for PskProvider

fn initialize_connection( &self, connection: &mut Connection, ) -> Result<Option<Pin<Box<dyn ConnectionFuture>>>, Error>

The application can return an Ok(None) to resolve the callback synchronously or return an Ok(Some(ConnectionFuture)) if it wants to run some asynchronous task before resolving the callback.

impl Debug for PskProvider

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.