pub trait KeyProvider: Send + Sync + 'static {
    // Required method
    fn resolve_signing_key<'life0, 'life1, 'async_trait>(
        &'life0 self,
        kid: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CoolError>> + Send + 'async_trait>>
    where
        'life0: 'async_trait,
        'life1: 'async_trait,
        Self: 'async_trait;
}
Resolves signing keys by kid (key id). Banks running multi-tenant or rotating keysets implement this so the envelope code never has to know the storage mechanism. Implementations must be constant-time for not-found vs wrong-tenant errors — never use the error message to leak whether a key id exists.
Required Methods
fn resolve_signing_key<'life0, 'life1, 'async_trait>(
    &'life0 self,
    kid: &'life1 str,
) -> Pin<Box<dyn Future<Output = Result<Vec<u8>, CoolError>> + Send + 'async_trait>>
where
    'life0: 'async_trait,
    'life1: 'async_trait,
    Self: 'async_trait,
Returns the raw key bytes for the given kid. For HMAC this is the symmetric secret. Returns an error if the key is unknown.
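An added example, not code from this crate: an in-memory provider that treats an unknown kid and a kid owned by another tenant identically (same scan, same error value). `TenantKeys`, `ct_eq`, `block_on`, `sample`, the `KeyUnavailable` variant and the local copies of `KeyProvider` and `CoolError` are assumptions made so the block compiles on its own with only the standard library.

```rust
use std::{future::Future, pin::Pin, sync::Arc, task::{Context, Poll, Wake, Waker}};
// Stand-in for the crate's error type, which the page does not show (assumption).
#[derive(Debug, PartialEq)]
pub enum CoolError { KeyUnavailable }
type KeyFuture<'a> = Pin<Box<dyn Future<Output = Result<Vec<u8>, CoolError>> + Send + 'a>>;
// Local copy of the trait in desugared form, with the lifetimes merged into one.
pub trait KeyProvider: Send + Sync + 'static {
    fn resolve_signing_key<'a>(&'a self, kid: &'a str) -> KeyFuture<'a>;
}
// Hypothetical provider bound to one tenant; entries are (tenant, kid, key bytes).
pub struct TenantKeys { pub tenant: String, pub entries: Vec<(String, String, Vec<u8>)> }
// Compare without stopping at the first differing byte (length is not hidden).
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl KeyProvider for TenantKeys {
    fn resolve_signing_key<'a>(&'a self, kid: &'a str) -> KeyFuture<'a> {
        let mut found = None;
        // Scan every entry, so an unknown kid and another tenant's kid do the same work.
        for (tenant, id, key) in &self.entries {
            let hit = ct_eq(id.as_bytes(), kid.as_bytes())
                & ct_eq(tenant.as_bytes(), self.tenant.as_bytes());
            if hit { found = Some(key.clone()); }
        }
        // One error value for both failures, carrying neither kid nor tenant.
        // The lookup is in memory, so the result is wrapped in an already-ready future.
        Box::pin(std::future::ready(found.ok_or(CoolError::KeyUnavailable)))
    }
}

// Minimal executor so the example runs without an async runtime.
struct Noop;
impl Wake for Noop { fn wake(self: Arc<Self>) {} }
pub fn block_on<T>(mut fut: Pin<Box<dyn Future<Output = T> + Send + '_>>) -> T {
    let waker = Waker::from(Arc::new(Noop));
    let mut cx = Context::from_waker(&waker);
    loop { if let Poll::Ready(v) = fut.as_mut().poll(&mut cx) { return v; } }
}

// Constructed sample keyset: "k1" belongs to tenant-a, "k2" to tenant-b.
pub fn sample() -> TenantKeys {
    let e = |t: &str, k: &str, s: &str| (t.to_string(), k.to_string(), s.as_bytes().to_vec());
    TenantKeys { tenant: "tenant-a".into(), entries: vec![e("tenant-a", "k1", "sa"), e("tenant-b", "k2", "sb")] }
}
fn main() {
    let p = sample();
    for kid in ["k1", "k2", "nope"] { println!("{}: {:?}", kid, block_on(p.resolve_signing_key(kid))); }
}
```

The hand-written comparison shows the shape of the check only; the compiler gives no timing guarantee for it, so a production provider should rely on a vetted constant-time comparison.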