Skip to main content

ProtectedState

Struct ProtectedState

pub struct ProtectedState {
    pub targets: BTreeMap<String, TargetValue>,
    pub peers: PeerMap,
    pub aux: Value,
}

Expand description

M: the decrypted protected state, accessible only inside T’s trusted boundary.

Fields§

§targets: BTreeMap<String, TargetValue>

M[target] = s_o. Keys are target identifiers, values are raw secret bytes (e.g. an API key or signing key).

§peers: PeerMap

Peer = {cid → W_c}, used by Phase III.3 for multi-credential rewrap.

§aux: Value

Deployment-specific auxiliary state (vault metadata, deployment hints, …). Out-of-scope of the protocol; the crate just preserves it.

Implementations§

impl ProtectedState

pub fn new() -> Self

New empty state. Used at Phase I.2 setup before any targets are added.

pub fn target(&self, name: &str) -> Result<&[u8]>

Look up s_o := M[target]. Returns an error if the target is absent.

pub fn put_target(&mut self, name: impl Into<String>, value: impl Into<Vec<u8>>)

Insert or replace a target value.

pub fn remove_target(&mut self, name: &str) -> Option<TargetValue>

Remove a target.

pub fn to_canonical(&self) -> Result<Zeroizing<Vec<u8>>>

Serialise to canonical JCS-style JSON bytes for sealing under K.

Returns a Zeroizing<Vec<u8>> so the canonical bytes (which contain base64-encoded target plaintexts and peer wrapping keys) are wiped on drop. The encoder writes directly into the zeroizing buffer without constructing an intermediate serde_json::Value tree — this avoids the prior leak path where target bytes’ base64 form lived in a non-zeroizing String inside Value.

The structurally fixed shape is {"aux":…?,"peers":{…},"targets":{…}} (keys sorted lexicographically per JCS). The optional aux field goes through crate::canonical::canonicalize which still uses serde_json::Value; deployments that put sensitive data in aux trade some zeroize guarantees and should encrypt-before-stuffing.

pub fn from_canonical(bytes: &[u8]) -> Result<Self>

Parse from canonical bytes (after Phase III.0 decryption of C).

Goes directly from bytes to ProtectedState via the serde visitor pattern (no intermediate serde_json::Value). Target plaintexts and wrapping keys land in [TargetValue] / WrappingKey which both Zeroize on drop, so the deserialize path is already leak-free.

Trait Implementations§

impl Clone for ProtectedState

fn clone(&self) -> ProtectedState

Returns a duplicate of the value. Read more

1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more

impl Debug for ProtectedState

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

impl Default for ProtectedState

fn default() -> ProtectedState

Returns the “default value” for a type. Read more

impl<'de> Deserialize<'de> for ProtectedState

fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer. Read more

impl Serialize for ProtectedState

fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
where S: Serializer,

Serialize this value into the given Serde serializer. Read more

Auto Trait Implementations§

impl Freeze for ProtectedState

impl RefUnwindSafe for ProtectedState

impl Send for ProtectedState

impl Sync for ProtectedState

impl Unpin for ProtectedState

impl UnsafeUnpin for ProtectedState

impl UnwindSafe for ProtectedState

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)

Performs copy-assignment from self to dest. Read more

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same for T

type Output = T

Should always be Self

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,