Crate ockam_vault
In order to support a variety of cryptographically capable hardware, we maintain loose coupling between our protocols and how a specific building block is invoked on a specific piece of hardware. This is achieved using an abstract Vault trait.
A concrete implementation of the Vault trait is called an Ockam Vault. Over time, and with help from the Ockam open source community, we plan to add vaults for several TEEs, TPMs, HSMs, and Secure Enclaves.
This crate provides a software-only Vault implementation that can be used when no cryptographic hardware is available. The primary Ockam crate uses this as the default Vault implementation.
The main Ockam crate has an optional dependency on this crate.
Modules
- Backwards compatibility storage formats
- Storage
Structs
- AEAD Secret.
- Handle to an AEAD Secret Key.
- Handle to an AES-256 Secret Key.
- Buffer with sensitive data, like HKDF output.
- A Curve P-256 Public Key that is only used for ECDSA SHA256 signatures.
- ECDSASHA256CurveP256 Secret Key.
- An ECDSA Signature using SHA256 and Curve P-256.
- A Curve25519 Public Key that is only used for EdDSA signatures.
- EdDSACurve25519 Secret Key.
- An EdDSA Signature using Curve25519.
- Implementation-specific arbitrary vector of bytes that allows a concrete Vault implementation to address a specific secret that it stores.
- Hash used for Noise handshake.
- HKDF Output.
- A handle to a secret Buffer (like an HKDF output).
- SHA-256 HKDF Output.
- SHA-256 Output.
- SecureChannelVault implementation using software.
- SigningVault implementation using software.
- VaultForSigning implementation using software.
- X25519 Public Key, used for ECDH.
- X25519 Secret Key.
- A handle to an X25519 Secret Key.
Enums
- Possible number of outputs of HKDF.
- A cryptographic signature.
- Key type for Signing. See super::signatures::Signature.
- Signing secret binary.
- A handle to a signing secret key inside a vault.
- Represents the failures that can occur in an Ockam vault.
- A public key for verifying signatures.
Constants
- AEAD Secret Length.
- AES-256 key length.
- AES-GCM nonce length.
- NIST P256 public key length.
- NIST P256 private key length.
- ECDSASHA256CurveP256 signature length.
- Ed25519 public key length.
- Ed25519 private key length.
- EdDSACurve25519 signature length.
- SHA-256 digest length.
- X25519 public key length.
- X25519 private key length.
Traits
- Vault for running a Secure Channel
- Vault for signing data.
- Vault for verifying signatures and computing SHA-256.