
cdx_core/security/
mod.rs

1#![allow(clippy::doc_markdown)] // EdDSA is a proper algorithm name
2
3//! Digital signatures, encryption, and security features.
4//!
5//! This module provides cryptographic capabilities for Codex documents:
6//!
7//! - **Signatures**: ECDSA (ES256; ES384 with feature: `signatures-es384`), EdDSA (Ed25519, feature: `eddsa`), RSA-PSS (PS256, feature: `signatures-rsa`), ML-DSA-65 (post-quantum, feature: `ml-dsa`), and WebAuthn/FIDO2 digital signatures (feature: `webauthn`)
8//! - **Encryption**: AES-256-GCM (feature: `encryption`) and ChaCha20-Poly1305 (feature: `encryption-chacha`) authenticated encryption, plus key wrapping via ECDH-ES, RSA-OAEP, and PBES2 (features: `key-wrapping`, `key-wrapping-rsa`, `key-wrapping-pbes2`)
9//! - **Certificate Validation**: X.509 certificate chain validation
10//! - **Revocation Checking**: OCSP and CRL certificate revocation (feature: `ocsp`)
11//! - **Access Control**: Permission management for document operations
12//!
13//! # Signing Documents (ECDSA)
14//!
15//! ```rust,ignore
16//! use cdx_core::security::{EcdsaSigner, SignerInfo, Signer};
17//!
18//! let signer_info = SignerInfo::new("Alice");
19//! let (signer, public_key_pem) = EcdsaSigner::generate(signer_info)?;
20//! let signature = signer.sign(&document_id)?;
21//! ```
22//!
23//! # Signing Documents (EdDSA, feature: `eddsa`)
24//!
25//! ```rust,ignore
26//! use cdx_core::security::{EddsaSigner, SignerInfo, Signer};
27//!
28//! let signer_info = SignerInfo::new("Alice");
29//! let (signer, public_key_pem) = EddsaSigner::generate(signer_info)?;
30//! let signature = signer.sign(&document_id)?;
31//! ```
32//!
33//! # Encrypting Data (feature: `encryption`)
34//! The `nonce` returned by `encrypt` is not secret, but decryption needs it, so store or transmit it alongside the ciphertext.
35//! ```rust,ignore
36//! use cdx_core::security::Aes256GcmEncryptor;
37//!
38//! let key = Aes256GcmEncryptor::generate_key();
39//! let encryptor = Aes256GcmEncryptor::new(&key)?;
40//! let encrypted = encryptor.encrypt(b"secret data")?;
41//! let decrypted = encryptor.decrypt(&encrypted.ciphertext, &encrypted.nonce)?;
42//! ```
43
44mod access_control;
45mod annotations;
46mod certificate;
47#[cfg(feature = "eddsa")]
48mod eddsa;
49#[cfg(feature = "encryption")]
50mod encryption;
51#[cfg(feature = "signatures-es384")]
52mod es384;
53#[cfg(feature = "ml-dsa")]
54mod ml_dsa;
55#[cfg(feature = "ocsp")]
56mod revocation;
57#[cfg(feature = "signatures-rsa")]
58mod rsa_pss;
59mod signature;
60mod signer;
61#[cfg(test)]
62mod test_helpers;
63#[cfg(feature = "webauthn")]
64mod webauthn;
65
66pub use access_control::{AccessControl, Operation, PermissionGrant, Permissions, Principal};
67pub use annotations::{Annotation, AnnotationType, AnnotationsFile};
68pub use certificate::{eku, CertificateChain, CertificateInfo, CertificateValidation, KeyUsage};
69pub use signature::{
70    Signature, SignatureAlgorithm, SignatureFile, SignatureScope, SignatureVerification,
71    SignerInfo, TrustedTimestamp, WebAuthnSignature,
72};
73pub use signer::{EcdsaSigner, EcdsaVerifier, Signer, Verifier};
74
75#[cfg(feature = "eddsa")]
76pub use eddsa::{EddsaSigner, EddsaVerifier};
77
78#[cfg(feature = "signatures-es384")]
79#[cfg_attr(docsrs, doc(cfg(feature = "signatures-es384")))]
80pub use es384::{Es384Signer, Es384Verifier};
81
82#[cfg(feature = "signatures-rsa")]
83#[cfg_attr(docsrs, doc(cfg(feature = "signatures-rsa")))]
84pub use rsa_pss::{Ps256Signer, Ps256Verifier};
85
86#[cfg(feature = "ml-dsa")]
87#[cfg_attr(docsrs, doc(cfg(feature = "ml-dsa")))]
88pub use ml_dsa::{MlDsaSigner, MlDsaVerifier};
89
90#[cfg(feature = "encryption")]
91pub use encryption::{
92    Aes256GcmEncryptor, EncryptedData, EncryptionAlgorithm, EncryptionMetadata, KdfAlgorithm,
93    KeyDerivation, KeyManagementAlgorithm, Recipient,
94};
95
96#[cfg(feature = "encryption-chacha")]
97#[cfg_attr(docsrs, doc(cfg(feature = "encryption-chacha")))]
98pub use encryption::ChaCha20Poly1305Encryptor;
99
100#[cfg(feature = "key-wrapping")]
101#[cfg_attr(docsrs, doc(cfg(feature = "key-wrapping")))]
102pub use encryption::{EcdhEsKeyUnwrapper, EcdhEsKeyWrapper, WrappedKeyData};
103
104#[cfg(feature = "key-wrapping-rsa")]
105#[cfg_attr(docsrs, doc(cfg(feature = "key-wrapping-rsa")))]
106pub use encryption::{RsaOaepKeyUnwrapper, RsaOaepKeyWrapper, RsaWrappedKeyData};
107
108#[cfg(feature = "key-wrapping-pbes2")]
109#[cfg_attr(docsrs, doc(cfg(feature = "key-wrapping-pbes2")))]
110pub use encryption::{Pbes2KeyUnwrapper, Pbes2KeyWrapper, Pbes2WrappedKeyData};
111
112#[cfg(feature = "ocsp")]
113#[cfg_attr(docsrs, doc(cfg(feature = "ocsp")))]
114pub use revocation::{
115    RevocationChecker, RevocationConfig, RevocationMethod, RevocationReason, RevocationResult,
116    RevocationStatus,
117};
118
119#[cfg(feature = "webauthn")]
120#[cfg_attr(docsrs, doc(cfg(feature = "webauthn")))]
121pub use webauthn::WebAuthnVerifier;