Skip to main content

EntityKeypair

net::adapter::net::identity

Struct EntityKeypair 

Source 
pub struct EntityKeypair { /* private fields */ }
Expand description

Entity keypair — ed25519 signing key + public identity.

This is the root of trust for a node. The signing key must be kept secret. The EntityId (public key) is freely shareable.

§Full vs. public-only

Most keypairs carry both halves: a SigningKey (32-byte secret seed) plus the derived EntityId. The migration-target path may instead receive a public-only keypair — same entity_id and origin_hash, but with the signing half absent. Public-only keypairs satisfy every entity_id / origin_hash / node_id query the mesh does routinely, but refuse to sign. This exists because a daemon that migrated under “transport_identity = false” (see DAEMON_IDENTITY_MIGRATION_PLAN.md) reaches the target with its public identity intact but no private material — the plan’s deliberate trade-off for workloads that don’t need post-migration signing capability.

Callers that may receive a public-only keypair should use Self::try_sign / Self::is_read_only; Self::sign panics on a public-only keypair because most call sites own a freshly generated keypair and a silent “signed with zeros” fallback would be worse than a panic.

Implementations§

Source§

impl EntityKeypair

Source

pub fn generate() -> Self

Generate a new random keypair.

getrandom::fill failure is a fatal condition for an identity layer that issues secret keys (predictable bytes produce a forgeable ed25519 secret), so the safe response is to terminate the process rather than unwind. We use std::process::abort() instead of expect/panic! because abort does not unwind and is extern "C"-safe — these helpers are reachable from the FFI bindings under ffi/mesh.rs, where unwinding through an extern "C" frame is undefined behaviour.

Source

pub fn from_signing_key(signing_key: SigningKey) -> Self

Create from an existing ed25519 signing key.

Source

pub fn from_bytes(secret: [u8; 32]) -> Self

Create from raw secret key bytes (32 bytes).

Source

pub fn public_only(entity_id: EntityId) -> Self

Create a public-only keypair — an EntityId without its signing half. Sign attempts return EntityError::ReadOnly (via Self::try_sign) or panic (via Self::sign).

Used by the migration-target path when a caller opts out of private-key transport; the daemon keeps its public identity (so origin_hash stays stable and the causal chain continues) but cannot sign new capability announcements or mint new permission tokens from the target.

Source

pub fn entity_id(&self) -> &EntityId

Get the entity identity (public key).

Source

pub fn origin_hash(&self) -> u64

Get the cached origin hash. The per-packet NetHeader::origin_hash callers downcast via as u32.

Source

pub fn node_id(&self) -> u64

Get the cached node ID for swarm/routing.

Source

pub fn is_read_only(&self) -> bool

true iff this keypair has no signing half. Public-only keypairs survive every entity_id / origin_hash query but return EntityError::ReadOnly from Self::try_sign and Self::try_secret_bytes.

Source

pub fn sign(&self, message: &[u8]) -> Signature

Sign a message. Panics on a public-only keypair; callers that might hold one must use Self::try_sign instead.

§Panics

If this keypair is public-only (see Self::is_read_only).

Source

pub fn try_sign(&self, message: &[u8]) -> Result<Signature, EntityError>

Fallible sign. Returns EntityError::ReadOnly when this keypair is public-only; otherwise delegates to the ed25519 signing path.

Source

pub fn secret_bytes(&self) -> &[u8; 32]

Get the raw secret key bytes. Panics on a public-only keypair; callers that might hold one must use Self::try_secret_bytes.

Handle with care — this is the root secret.

§Panics

If this keypair is public-only (see Self::is_read_only).

Source

pub fn try_secret_bytes(&self) -> Result<&[u8; 32], EntityError>

Fallible secret_bytes. Returns EntityError::ReadOnly for public-only keypairs.

Source

pub fn zeroize(&mut self)

Zeroize the signing half in place, converting this keypair into public-only. The entity_id / origin_hash / node_id remain available; further sign / secret_bytes calls go down the try_* / read-only path.

Called by the migration-source handler after ActivateAck arrives from the target — the source no longer needs to sign on behalf of this daemon, and holding the key longer than necessary widens the dual-custody window beyond the plan’s invariant. Idempotent; second call is a no-op.

Trait Implementations§

Source§

impl Clone for EntityKeypair

Source§

fn clone(&self) -> Self

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for EntityKeypair

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more