pub struct Claims {
pub issuer: Option<Subject>,
pub audience: Option<Subject>,
pub expires_at: Option<UnixTime>,
pub issued_at: UnixTime,
pub message_id: MessageId,
pub sender_key_id: Option<KeyId>,
pub response_key_id: Option<KeyId>,
pub response_subject: Option<ResponseSubject>,
pub in_reply_to: Option<MessageId>,
pub request_hash: Option<RequestHash>,
}Expand description
The claim set carried in a protected header (CWT map, header 15, plus the basil private labels).
One struct for every role; MessageRole validators enforce which fields
must / must not be present.
Fields§
§issuer: Option<Subject>CWT iss (1).
audience: Option<Subject>CWT aud (3).
expires_at: Option<UnixTime>CWT exp (4); when absent the effective expiry is
iat + default_ttl from ValidationParams.
issued_at: UnixTimeCWT iat (6). Required.
message_id: MessageIdCWT cti (7). Required; sender-unique inside the replay window.
sender_key_id: Option<KeyId>-70003: must equal the outer kid on signed/sealed messages.
response_key_id: Option<KeyId>-70004: the key a response must be sealed to (requests).
response_subject: Option<ResponseSubject>-70005: where to deliver the response (requests, optional).
in_reply_to: Option<MessageId>-70001: the request message id this message answers (responses).
request_hash: Option<RequestHash>-70002: SHA3-256 of the complete request bytes (responses).
Implementations§
Source§impl Claims
impl Claims
Sourcepub fn validate(&self, params: &ValidationParams) -> Result<(), ClaimsError>
pub fn validate(&self, params: &ValidationParams) -> Result<(), ClaimsError>
Validate this claim set against params: clock-skew on iat,
effective expiry (iat + default_ttl when exp is absent), the
max_ttl cap on an explicit span, the audience allow-list, and the
role shape.
§Errors
The first ClaimsError encountered, in the order above.
Sourcepub fn validate_role(&self, role: MessageRole) -> Result<(), ClaimsError>
pub fn validate_role(&self, role: MessageRole) -> Result<(), ClaimsError>
Validate only the role shape (which basil labels must / must not be present). Builders run this before sealing.
§Errors
ClaimsError::MissingClaim / ClaimsError::ForbiddenClaim with
the offending label.