yubihsm 0.42.1

Pure Rust client for YubiHSM2 devices with support for HTTP and USB-based access to the device. Supports most HSM functionality including ECDSA, Ed25519, HMAC, and RSA.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

//! Roles for interacting with the YubiHSM 2

use super::{Error, ErrorKind};
use crate::Client;
pub use crate::{object, Capability, Credentials, Domain};

/// Roles represent accounts on the device with specific permissions
#[derive(Clone, Debug)]
pub struct Role {
    /// Label to place on the authentication key for this role
    pub(super) authentication_key_label: object::Label,

    /// Credentials (auth key and ID) used to authenticate with this role
    pub(super) credentials: Credentials,

    /// Permissions for this role
    pub(super) capabilities: Capability,

    /// Set of permissions allowed to be set by objects created by this role
    pub(super) delegated_capabilities: Capability,

    /// Domains (logical partitions in the YubiHSM 2) this role has access to
    pub(super) domains: Domain,
}

impl Role {
    /// Create a new role object
    pub fn new(credentials: Credentials) -> Self {
        Self {
            authentication_key_label: Default::default(),
            credentials,
            capabilities: Capability::empty(),
            delegated_capabilities: Capability::empty(),
            domains: Domain::empty(),
        }
    }

    /// Set the label for this role's authentication key
    pub fn authentication_key_label<L>(mut self, label: L) -> Self
    where
        L: Into<object::Label>,
    {
        self.authentication_key_label = label.into();
        self
    }

    /// Set the capabilities (i.e. permission) for this role
    pub fn capabilities(mut self, capabilities: Capability) -> Self {
        self.capabilities = capabilities;
        self
    }

    /// Set the delegated capabilities for this role
    pub fn delegated_capabilities(mut self, capabilities: Capability) -> Self {
        self.delegated_capabilities = capabilities;
        self
    }

    /// Set the domains this role is allowed to access
    pub fn domains(mut self, domains: Domain) -> Self {
        self.domains = domains;
        self
    }

    /// Create this role within the YubiHSM 2 device
    pub fn create(&self, client: &Client) -> Result<(), Error> {
        client
            .put_authentication_key(
                self.credentials.authentication_key_id,
                self.authentication_key_label.clone(),
                self.domains,
                self.capabilities,
                self.delegated_capabilities,
                Default::default(),
                self.credentials.authentication_key.clone(),
            )
            .map_err(|e| format_err!(ErrorKind::SetupFailed, "error creating role: {}", e))?;

        Ok(())
    }
}