pub struct ProtectedState {
pub secrets: BTreeMap<String, SecretValue>,
pub authenticators: AuthenticatorMap,
pub aux: Value,
}Expand description
M: the decrypted protected state, accessible only inside T’s trusted
boundary.
Fields§
§secrets: BTreeMap<String, SecretValue>M[target] = s_o. Keys are target identifiers, values are raw secret
bytes (e.g. an API key or signing key).
authenticators: AuthenticatorMap{cid → W_c}, used by Phase III.3 for multi-credential rewrap.
aux: ValueDeployment-specific auxiliary state (vault metadata, deployment hints, …). Out-of-scope of the protocol; the crate just preserves it.
Implementations§
Source§impl ProtectedState
impl ProtectedState
Sourcepub fn secret(&self, name: &str) -> Result<&[u8]>
pub fn secret(&self, name: &str) -> Result<&[u8]>
Look up s_o := M[target]. Returns an error if the
target is absent.
Sourcepub fn put_secret(&mut self, name: impl Into<String>, value: impl Into<Vec<u8>>)
pub fn put_secret(&mut self, name: impl Into<String>, value: impl Into<Vec<u8>>)
Insert or replace the secret for a target.
Sourcepub fn remove_secret(&mut self, name: &str) -> Option<SecretValue>
pub fn remove_secret(&mut self, name: &str) -> Option<SecretValue>
Remove the secret for a target.
Sourcepub fn to_canonical(&self) -> Result<Zeroizing<Vec<u8>>>
pub fn to_canonical(&self) -> Result<Zeroizing<Vec<u8>>>
Serialise to canonical JCS-style JSON bytes for sealing under K.
Returns a Zeroizing<Vec<u8>> so the canonical bytes (which contain
base64-encoded secret plaintexts and authenticator wrapping keys) are
wiped on drop. The encoder writes directly into the zeroizing buffer
without constructing an intermediate serde_json::Value tree — this
avoids the prior leak path where secret bytes’ base64 form lived in a
non-zeroizing String inside Value.
The structurally fixed shape is
{"authenticators":{…},"aux":…?,"secrets":{…}} (keys sorted
lexicographically per JCS: authenticators < aux < secrets). The
optional aux field goes through crate::canonical::canonicalize
which still uses serde_json::Value; deployments that put sensitive
data in aux trade some zeroize guarantees and should
encrypt-before-stuffing.
Sourcepub fn from_canonical(bytes: &[u8]) -> Result<Self>
pub fn from_canonical(bytes: &[u8]) -> Result<Self>
Parse from canonical bytes (after Phase III.0 decryption of C).
Goes directly from bytes to ProtectedState via the serde visitor
pattern (no intermediate serde_json::Value). Secret plaintexts and
wrapping keys land in [SecretValue] / WrappingKey which both
Zeroize on drop, so the deserialize path is already leak-free.
Trait Implementations§
Source§impl Clone for ProtectedState
impl Clone for ProtectedState
Source§fn clone(&self) -> ProtectedState
fn clone(&self) -> ProtectedState
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more