Module attestor


Actor attestation primitives — Attestor trait, Attestation value type, verify, and identity-rotation envelope (T-3.D.0, ADR 0010 + ADR 0014).

This crate owns only the trait and the canonical-bytes verifier. OS-keychain backends (macOS Keychain / Linux Secret Service / Windows DPAPI) are scaffolded behind #[cfg(target_os = "...")] modules with unimplemented!() bodies that compile on every platform but panic at runtime; v0 of cortex uses InMemoryAttestor in tests and the CLI init flow (lane T-3.D.5/6 will wire up the real backends).

Verify-side fail-closed contract (ADR 0010 §1b)

verify MUST reject any preimage whose schema_version differs from crate::canonical::SCHEMA_VERSION_ATTESTATION. There is no “best effort” decode and no partial verification: an unknown version is a hard error.

Future flag: --require-presence

ADR 0010 §5 specifies a --require-presence flag that asks the OS for user-presence (Touch ID, etc.) before signing. That flag is plumbed in the CLI lane (T-3.D.5 / T-3.D.6) — this trait deliberately does not take a require_presence: bool parameter in v0 because the in-memory attestor cannot honor it. When the keychain backends land, add a method sign_with_presence(&self, signing_input: &[u8]) -> Result<Signature, _> on the trait (default-impl returning the same bytes) so existing callers keep compiling.
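The two design points above, the fail-closed schema check in verify and a forward-compatible sign_with_presence default, as an added std-only example that is not the attestor crate's own code. Ed25519 is abstracted behind a hypothetical SigCheck trait, and TagSigner is a constructed placeholder (a keyed FNV-1a tag) that exists only so the control flow can be exercised offline; it is not a signature scheme.

```rust
use std::cell::Cell;

pub const SCHEMA_VERSION_ATTESTATION: u16 = 1;

#[derive(Debug, PartialEq)]
pub enum VerifyError { UnknownSchemaVersion(u16), Malformed, BadSignature }

pub struct Attestation { pub preimage: Vec<u8>, pub signature: Vec<u8> }

/// Canonical preimage (assumed layout): 2-byte big-endian schema version, then payload.
pub fn encode_preimage(schema_version: u16, payload: &[u8]) -> Vec<u8> {
    let mut out = schema_version.to_be_bytes().to_vec();
    out.extend_from_slice(payload);
    out
}

pub trait Attestor {
    fn sign(&self, signing_input: &[u8]) -> Vec<u8>;
    /// Planned presence-gated variant (ADR 0010 §5); the default returns the
    /// same bytes, so callers written against `sign` keep compiling.
    fn sign_with_presence(&self, signing_input: &[u8]) -> Vec<u8> { self.sign(signing_input) }
}

/// Stand-in for Ed25519 verification so the example needs no external crate.
pub trait SigCheck { fn check(&self, signing_input: &[u8], signature: &[u8]) -> bool; }

/// Fail-closed verify: an unknown schema version is rejected before any signature
/// work, so `checker` is never consulted for it (no partial verification).
pub fn verify(att: &Attestation, checker: &dyn SigCheck) -> Result<(), VerifyError> {
    if att.preimage.len() < 2 { return Err(VerifyError::Malformed); }
    let version = u16::from_be_bytes([att.preimage[0], att.preimage[1]]);
    if version != SCHEMA_VERSION_ATTESTATION {
        return Err(VerifyError::UnknownSchemaVersion(version));
    }
    if checker.check(&att.preimage, &att.signature) { Ok(()) } else { Err(VerifyError::BadSignature) }
}

/// CONSTRUCTED placeholder: keyed FNV-1a tag, NOT a signature scheme. `checks`
/// counts how often the verifier actually reached the signature step.
pub struct TagSigner { key: Vec<u8>, pub checks: Cell<u32> }
impl TagSigner {
    pub fn new(key: &[u8]) -> Self { TagSigner { key: key.to_vec(), checks: Cell::new(0) } }
    fn tag(&self, input: &[u8]) -> Vec<u8> {
        let mut h: u64 = 0xcbf2_9ce4_8422_2325;
        for b in self.key.iter().chain(input) { h ^= *b as u64; h = h.wrapping_mul(0x0100_0000_01b3); }
        h.to_be_bytes().to_vec()
    }
}
impl Attestor for TagSigner { fn sign(&self, s: &[u8]) -> Vec<u8> { self.tag(s) } }
impl SigCheck for TagSigner {
    fn check(&self, s: &[u8], sig: &[u8]) -> bool { self.checks.set(self.checks.get() + 1); self.tag(s) == sig }
}

/// Sign a payload under the current schema version and bundle it as an Attestation.
pub fn attest(a: &dyn Attestor, payload: &[u8]) -> Attestation {
    let preimage = encode_preimage(SCHEMA_VERSION_ATTESTATION, payload);
    let signature = a.sign(&preimage);
    Attestation { preimage, signature }
}
```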

Structs

Attestation
Cryptographic proof that an event originated from the named principal.
InMemoryAttestor
In-memory Ed25519 attestor. Used in tests, fixtures, and the bootstrap path before the OS keychain is wired up.
KeychainAttestor
Linux Secret Service backend skeleton. Unimplemented in v0.
RotationEnvelope
Identity-rotation envelope — proves the holder of old_pubkey (or the recovery key) authorizes new_pubkey to take over (ADR 0010 §6).

Enums

VerifyError
Errors raised by verify and the rotation-envelope verifier.

Traits

Attestor
Generates Ed25519 attestations over a canonical signing input.
IdentityRotation
Marker trait for “this attestor records a future identity-rotation commitment in addition to signing payloads.” Implementors emit a rotation envelope when a new key is provisioned. Implementations land alongside the keychain backends.

Functions

attest
Sign an AttestationPreimage and produce a verifiable Attestation.
sign_rotation
Sign an identity-rotation envelope using the old key (or recovery key) — ADR 0010 §6.
verify
Verify an Attestation against the canonical preimage and a verifying public key.
verify_rotation
Verify an identity-rotation envelope against the old verifying key. Fails closed on unknown schema version.