Struct KeyState

pub struct KeyState { /* private fields */ }

Key state for HMAC key rotation support.

Corresponds to Lean: structure KeyState

Design rationale:

  • current: The active key used for sealing new capabilities
  • epoch: Monotonically increasing counter identifying the current key
  • previous: Optional previous key for validating in-flight capabilities
  • previous_epoch: Epoch of the previous key

The grace period (keeping the previous key) allows capabilities that were sealed just before rotation to still be verified.

SECURITY INVARIANT: epoch is monotonically increasing (never wraps in practice).

Implementations

impl KeyState

pub fn initial(key: Key) -> Self

Create initial key state with no previous key

Corresponds to Lean: def KeyState.initial

pub fn empty() -> Self

Create empty key state (for default/placeholder purposes)

Corresponds to Lean: def KeyState.empty

pub fn rotate(&mut self, new_key: Key)

Rotate to a new key

Corresponds to Lean: def KeyState.rotate

The current key becomes the previous key for grace period verification. The epoch is incremented.

SECURITY: Only the kernel can trigger rotation (not plugins). Uses checked arithmetic; epoch overflow is a critical error, never a silent wrap.

pub fn rotated(&self, new_key: Key) -> Self

Rotate to a new key (immutable version)

Returns a new KeyState with the rotated key.

pub fn current(&self) -> &Key

Get the current key

pub fn epoch(&self) -> u64

Get the current epoch

pub fn previous(&self) -> Option<&Key>

Get the previous key (if available)

pub fn previous_epoch(&self) -> Option<u64>

Get the previous epoch (if available)

pub fn epoch_valid(&self, cap_epoch: u64) -> bool

Check if epoch is current or within grace period

Corresponds to Lean: def KeyState.epochValid

pub fn verify_seal(&self, payload: &CapPayload, tag: &SealedTag) -> bool

Verify a capability’s seal against the key state

Corresponds to Lean: def KeyState.verify

Strategy:

  1. Try current key first
  2. Fall back to previous key for in-flight capabilities (grace period)

Returns true if the capability verifies against either key.

pub fn verify_with_epoch(&self, payload: &CapPayload, tag: &SealedTag, cap_epoch: u64) -> bool

Combined verification: seal AND epoch valid

Corresponds to Lean: def KeyState.verifyWithEpoch

pub fn clear_previous(&mut self)

Clear the previous key (end grace period)

Call this after sufficient time has passed since rotation to clear the previous key from memory.
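An added example (not the crate's own code) that reconstructs the rotation, grace-period and epoch logic described above in std-only Rust. Key and SealedTag are constructed stand-ins, the seal function substitutes a keyed DefaultHasher for the real HMAC so the example runs offline, and the rule that a capability epoch is valid when it equals the current epoch or the retained previous epoch is an assumption about epochValid:

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
// Constructed stand-ins for the crate's Key and SealedTag types (assumptions).
type Key = [u8; 16];
type SealedTag = u64;
// Stand-in for the HMAC seal: a keyed DefaultHasher. NOT a MAC; here only so the
// example runs offline. Real code must use HMAC and compare tags in constant time.
fn seal(key: &Key, payload: &[u8]) -> SealedTag {
    let mut h = DefaultHasher::new();
    key.hash(&mut h);
    payload.hash(&mut h);
    h.finish()
}
pub struct KeyState {
    current: Key,
    epoch: u64,
    previous: Option<Key>,
    previous_epoch: Option<u64>,
}
impl KeyState {
    // Initial state (epoch 0 is an assumption): no previous key.
    pub fn initial(key: Key) -> Self {
        KeyState { current: key, epoch: 0, previous: None, previous_epoch: None }
    }
    // Current key becomes previous (grace period); epoch uses checked arithmetic.
    pub fn rotate(&mut self, new_key: Key) {
        let next = self.epoch.checked_add(1).expect("epoch overflow: critical error");
        self.previous = Some(std::mem::replace(&mut self.current, new_key));
        self.previous_epoch = Some(self.epoch);
        self.epoch = next;
    }
    // Assumed epochValid rule: current epoch, or the retained previous epoch.
    pub fn epoch_valid(&self, cap_epoch: u64) -> bool {
        cap_epoch == self.epoch || self.previous_epoch == Some(cap_epoch)
    }
    // Try the current key first, then fall back to the previous key if retained.
    pub fn verify_seal(&self, payload: &[u8], tag: SealedTag) -> bool {
        seal(&self.current, payload) == tag
            || self.previous.as_ref().map_or(false, |k| seal(k, payload) == tag)
    }
    pub fn verify_with_epoch(&self, payload: &[u8], tag: SealedTag, cap_epoch: u64) -> bool {
        self.verify_seal(payload, tag) && self.epoch_valid(cap_epoch)
    }
    // End the grace period: drop the previous key so stale seals stop verifying.
    pub fn clear_previous(&mut self) {
        self.previous = None;
        self.previous_epoch = None;
    }
}
```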

Trait Implementations

impl Clone for KeyState

fn clone(&self) -> KeyState

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for KeyState

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for KeyState

fn default() -> Self

Returns the "default value" for a type.
