Skip to main content

MobileKeyManager

runar_keys::mobile

Struct MobileKeyManager 

Source 
pub struct MobileKeyManager { /* private fields */ }
Expand description

Mobile Key Manager that acts as a Certificate Authority

Implementations§

Source§

impl MobileKeyManager

Source

pub fn new(logger: Arc<Logger>) -> Result<Self>

Create a new Mobile Key Manager

Source

pub fn install_network_public_key( &mut self, network_public_key: &[u8], ) -> Result<()>

Source

pub fn initialize_user_root_key(&mut self) -> Result<Vec<u8>>

Initialize user root key - Master key that never leaves the mobile device

Source

pub fn get_user_root_public_key(&self) -> Result<Vec<u8>>

Get the user root public key

Source

pub fn derive_user_profile_key(&mut self, label: &str) -> Result<Vec<u8>>

Derive a user profile agreement key from the root key using HKDF-SHA-256.

  • IKM: raw 32-byte scalar of the user root signing key
  • info: “runar-v1:profile:agreement:{label}[:{counter}]”
  • output: 32-byte scalar interpreted as P-256 SecretKey (with rejection sampling)
Source

pub fn get_network_public_key(&self, network_id: &str) -> Result<Vec<u8>>

Source

pub fn generate_network_data_key(&mut self) -> Result<String>

Generate a network data key for envelope encryption and return the network ID (compact Base64 public key)

Source

pub fn create_envelope_key(&self) -> Result<Vec<u8>>

Create an envelope key for per-object encryption Envelope keys are ephemeral - generated fresh for each object

Source

pub fn encrypt_with_envelope( &self, data: &[u8], network_id: Option<&str>, profile_public_keys: Vec<Vec<u8>>, ) -> Result<EnvelopeEncryptedData>

Encrypt data with envelope encryption This implements the envelope encryption pattern:

  1. Generate ephemeral envelope key
  2. Encrypt data with envelope key
  3. Encrypt envelope key with network/profile keys
Source

pub fn decrypt_with_profile( &self, envelope_data: &EnvelopeEncryptedData, profile_id: &str, ) -> Result<Vec<u8>>

Decrypt envelope-encrypted data using profile key

Source

pub fn decrypt_with_network( &self, envelope_data: &EnvelopeEncryptedData, ) -> Result<Vec<u8>>

Decrypt envelope-encrypted data using network key

Source

pub fn initialize_user_identity(&mut self) -> Result<Vec<u8>>

Initialize user identity and generate root keys

Source

pub fn get_ca_certificate(&self) -> &X509Certificate

Get the user CA certificate

Source

pub fn get_ca_public_key(&self) -> Vec<u8>

Get the CA public key bytes

Source

pub fn process_setup_token( &mut self, setup_token: &SetupToken, ) -> Result<NodeCertificateMessage>

Process a setup token from a node and issue a certificate

Source

pub fn get_statistics(&self) -> MobileKeyManagerStatistics

Get statistics about the mobile key manager

Source

pub fn create_network_key_message( &self, network_id: &str, node_agreement_public_key: &[u8], ) -> Result<NetworkKeyMessage>

Create a network key message for a node with proper encryption

Source

pub fn validate_certificate(&self, certificate: &X509Certificate) -> Result<()>

Validate a certificate issued by this CA

Source

pub fn get_issued_certificate(&self, node_id: &str) -> Option<&X509Certificate>

Get issued certificate by node ID

Source

pub fn list_issued_certificates(&self) -> Vec<(String, &X509Certificate)>

List all issued certificates

Source

pub fn encrypt_for_profile( &self, data: &[u8], profile_id: &str, ) -> Result<Vec<u8>>

Encrypt data for a specific profile (legacy method for compatibility)

Source

pub fn encrypt_for_network( &self, data: &[u8], network_id: &str, ) -> Result<Vec<u8>>

Encrypt data for a network (legacy method for compatibility)

Source

pub fn generate_user_profile_key(&mut self, profile_id: &str) -> Result<Vec<u8>>

Generate a user profile key (legacy method name for compatibility)

Source

pub fn encrypt_message_for_node( &self, message: &[u8], node_agreement_public_key: &[u8], ) -> Result<Vec<u8>>

Encrypt a message for a node using its public key (ECIES)

Source

pub fn decrypt_message_from_node( &self, encrypted_message: &[u8], ) -> Result<Vec<u8>>

Decrypt a message from a node using the user’s root key (ECIES)

Source

pub fn export_state(&self) -> MobileKeyManagerState

Export all cryptographic material for persistence.

Source

pub fn from_state( state: MobileKeyManagerState, logger: Arc<Logger>, ) -> Result<Self>

Restore a MobileKeyManager from a previously exported state.

Trait Implementations§

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<'a, T, E> AsTaggedExplicit<'a, E> for T
where T: 'a,

Source§

fn explicit(self, class: Class, tag: u32) -> TaggedParser<'a, Explicit, Self, E>

Source§

impl<'a, T, E> AsTaggedImplicit<'a, E> for T
where T: 'a,

Source§

fn implicit( self, class: Class, constructed: bool, tag: u32, ) -> TaggedParser<'a, Implicit, Self, E>

Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V