pub trait KeyStore: Send + Sync {
    // Required methods
    fn sign(&self, data: &[u8]) -> Result<Vec<u8>>;
    fn verify(&self, data: &[u8], signature: &[u8]) -> Result<()>;
    fn public_key_bytes(&self) -> Vec<u8>;
    // Provided method
    fn identifier(&self) -> String { ... }
}
Trait for cryptographic key storage backends
This abstraction allows Hope Genome to support multiple key storage mechanisms without changing the core logic:
- SoftwareKeyStore: Keys stored in memory (testing, dev)
- HsmKeyStore: Keys stored in Hardware Security Module (production)
- TeeKeyStore: Keys stored in Trusted Execution Environment (production)
- Future: YubiKey, TPM, AWS CloudHSM, Azure Key Vault, etc.
§Security Requirements
Implementations MUST:
- Use constant-time operations to prevent timing attacks
- Protect private keys from unauthorized access
- Support Ed25519 signature scheme (or compatible)
- Be thread-safe (Send + Sync)
§Example
use _hope_core::crypto::{KeyStore, SoftwareKeyStore};

fn sign_decision(store: &dyn KeyStore, decision: &[u8]) -> Vec<u8> {
    store.sign(decision).expect("Signing failed")
}
Required Methods§
Provided Methods§
fn identifier(&self) -> String
Get a human-readable identifier for this key store
Examples: “SoftwareKeyStore”, “HSM:YubiKey-5C”, “AWS-KMS:key-123”
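Added example, not code from the Hope Genome crate: a test double for code that takes `&dyn KeyStore`, showing a signature comparison with no early exit, a caller that fails closed, and one backend shared across threads. The trait is copied locally from the signature above; the `Result` alias, `TestDoubleKeyStore`, `accept_decision` and `sign_in_parallel` are assumptions, and the keyed hash stands in for Ed25519 only so the block runs without dependencies.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::Hasher;
use std::sync::Arc;
use std::thread;

// Assumption: the crate's `Result` alias is not shown on the page; String stands in for its error.
type Result<T> = std::result::Result<T, String>;
// Local copy of the page's trait so the block compiles on its own.
pub trait KeyStore: Send + Sync {
    fn sign(&self, data: &[u8]) -> Result<Vec<u8>>;
    fn verify(&self, data: &[u8], signature: &[u8]) -> Result<()>;
    fn public_key_bytes(&self) -> Vec<u8>;
    fn identifier(&self) -> String { "KeyStore".to_string() }
}

// Hypothetical test double: the keyed hash below is NOT Ed25519 and NOT secure.
pub struct TestDoubleKeyStore { secret: [u8; 16] }
impl TestDoubleKeyStore {
    fn tag(&self, data: &[u8]) -> Vec<u8> {
        let mut h = DefaultHasher::new();
        h.write(&self.secret);
        h.write(data);
        h.finish().to_be_bytes().to_vec()
    }
}

impl KeyStore for TestDoubleKeyStore {
    fn sign(&self, data: &[u8]) -> Result<Vec<u8>> { Ok(self.tag(data)) }
    fn verify(&self, data: &[u8], signature: &[u8]) -> Result<()> {
        let expected = self.tag(data);
        if signature.len() != expected.len() { return Err("bad signature length".into()); }
        // OR every byte difference together: no early exit on the first mismatch.
        let diff = expected.iter().zip(signature).fold(0u8, |acc, (a, b)| acc | (a ^ b));
        if diff == 0 { Ok(()) } else { Err("signature mismatch".into()) }
    }
    fn public_key_bytes(&self) -> Vec<u8> { Vec::new() } // the double has no public key
}

// Fail closed: a decision is accepted only when verify() returns Ok.
pub fn accept_decision(store: &dyn KeyStore, decision: &[u8], sig: &[u8]) -> bool {
    store.verify(decision, sig).is_ok()
}

// Send + Sync lets worker threads share one backend behind an Arc.
pub fn sign_in_parallel(store: Arc<dyn KeyStore>, inputs: Vec<Vec<u8>>) -> Vec<Vec<u8>> {
    let spawn = |d: Vec<u8>| { let s = Arc::clone(&store); thread::spawn(move || s.sign(&d)) };
    let handles: Vec<_> = inputs.into_iter().map(spawn).collect();
    handles.into_iter().map(|h| h.join().unwrap().expect("signing failed")).collect()
}
```

The fold removes the early exit but the compiler gives no constant-time guarantee for it; a production backend would rely on a vetted primitive such as the `subtle` crate's `ConstantTimeEq`.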