Skip to main content

tor_checkable/
lib.rs

1#![cfg_attr(docsrs, feature(doc_cfg))]
2#![doc = include_str!("../README.md")]
3// @@ begin lint list maintained by maint/add_warning @@
4#![allow(renamed_and_removed_lints)] // @@REMOVE_WHEN(ci_arti_stable)
5#![allow(unknown_lints)] // @@REMOVE_WHEN(ci_arti_nightly)
6#![warn(missing_docs)]
7#![warn(noop_method_call)]
8#![warn(unreachable_pub)]
9#![warn(clippy::all)]
10#![deny(clippy::await_holding_lock)]
11#![deny(clippy::cargo_common_metadata)]
12#![deny(clippy::cast_lossless)]
13#![deny(clippy::checked_conversions)]
14#![warn(clippy::cognitive_complexity)]
15#![deny(clippy::debug_assert_with_mut_call)]
16#![deny(clippy::exhaustive_enums)]
17#![deny(clippy::exhaustive_structs)]
18#![deny(clippy::expl_impl_clone_on_copy)]
19#![deny(clippy::fallible_impl_from)]
20#![deny(clippy::implicit_clone)]
21#![deny(clippy::large_stack_arrays)]
22#![warn(clippy::manual_ok_or)]
23#![deny(clippy::missing_docs_in_private_items)]
24#![warn(clippy::needless_borrow)]
25#![warn(clippy::needless_pass_by_value)]
26#![warn(clippy::option_option)]
27#![deny(clippy::print_stderr)]
28#![deny(clippy::print_stdout)]
29#![warn(clippy::rc_buffer)]
30#![deny(clippy::ref_option_ref)]
31#![warn(clippy::semicolon_if_nothing_returned)]
32#![warn(clippy::trait_duplication_in_bounds)]
33#![deny(clippy::unchecked_time_subtraction)]
34#![deny(clippy::unnecessary_wraps)]
35#![warn(clippy::unseparated_literal_suffix)]
36#![deny(clippy::unwrap_used)]
37#![deny(clippy::mod_module_files)]
38#![allow(clippy::let_unit_value)] // This can reasonably be done for explicitness
39#![allow(clippy::uninlined_format_args)]
40#![allow(clippy::significant_drop_in_scrutinee)] // arti/-/merge_requests/588/#note_2812945
41#![allow(clippy::result_large_err)] // temporary workaround for arti#587
42#![allow(clippy::needless_raw_string_hashes)] // complained-about code is fine, often best
43#![allow(clippy::needless_lifetimes)] // See arti#1765
44#![allow(mismatched_lifetime_syntaxes)] // temporary workaround for arti#2060
45#![allow(clippy::collapsible_if)] // See arti#2342
46#![deny(clippy::unused_async)]
47//! <!-- @@ end lint list maintained by maint/add_warning @@ -->
48
49use std::time;
50use thiserror::Error;
51
52pub mod signed;
53pub mod timed;
54
55/// An error that can occur when checking whether a Timebound object is
56/// currently valid.
57#[derive(Debug, Clone, Error, PartialEq, Eq)]
58#[non_exhaustive]
59pub enum TimeValidityError {
60    /// The object is not yet valid
61    #[error("Object will not be valid for {}", humantime::format_duration(*.0))]
62    NotYetValid(time::Duration),
63    /// The object is expired
64    #[error("Object has been expired for {}", humantime::format_duration(*.0))]
65    Expired(time::Duration),
66    /// The object isn't timely, and we don't know why, or won't say.
67    #[error("Object is not currently valid")]
68    Unspecified,
69}
70
71/// A Timebound object is one that is only valid for a given range of time.
72///
73/// It's better to wrap things in a TimeBound than to give them an is_valid()
74/// valid method, so that you can make sure that nobody uses the object before
75/// checking it.
76pub trait Timebound<T>: Sized {
77    /// An error type that's returned when the object is _not_ timely.
78    type Error;
79
80    /// Check whether this object is valid at a given time.
81    ///
82    /// Return Ok if the object is valid, and an error if the object is not.
83    fn is_valid_at(&self, t: &time::SystemTime) -> Result<(), Self::Error>;
84
85    /// Return the underlying object without checking whether it's valid.
86    fn dangerously_assume_timely(self) -> T;
87
88    /// Unwrap this Timebound object if it is valid at a given time.
89    fn check_valid_at(self, t: &time::SystemTime) -> Result<T, Self::Error> {
90        self.is_valid_at(t)?;
91        Ok(self.dangerously_assume_timely())
92    }
93
94    /// Unwrap this Timebound object if it is valid now.
95    fn check_valid_now(self) -> Result<T, Self::Error> {
96        self.check_valid_at(&time::SystemTime::now())
97    }
98
99    /// Unwrap this object if it is valid at the provided time t.
100    /// If no time is provided, check the object at the current time.
101    fn check_valid_at_opt(self, t: Option<time::SystemTime>) -> Result<T, Self::Error> {
102        match t {
103            Some(when) => self.check_valid_at(&when),
104            None => self.check_valid_now(),
105        }
106    }
107}
108
109/// A cryptographically signed object that can be validated without
110/// additional public keys.
111///
112/// It's better to wrap things in a SelfSigned than to give them an is_valid()
113/// method, so that you can make sure that nobody uses the object before
114/// checking it.  It's better to wrap things in a SelfSigned than to check
115/// them immediately, since you might want to defer the signature checking
116/// operation to another thread.
117pub trait SelfSigned<T>: Sized {
118    /// An error type that's returned when the object is _not_ well-signed.
119    type Error;
120    /// Check the signature on this object
121    fn is_well_signed(&self) -> Result<(), Self::Error>;
122    /// Return the underlying object without checking its signature.
123    fn dangerously_assume_wellsigned(self) -> T;
124
125    /// Unwrap this object if the signature is valid
126    fn check_signature(self) -> Result<T, Self::Error> {
127        self.is_well_signed()?;
128        Ok(self.dangerously_assume_wellsigned())
129    }
130}
131
132/// A cryptographically signed object that needs an external public
133/// key to validate it.
134pub trait ExternallySigned<T>: Sized {
135    /// The type of the public key object.
136    ///
137    /// You can use a tuple or a vector here if the object is signed
138    /// with multiple keys.
139    type Key: ?Sized;
140
141    /// A type that describes what keys are missing for this object.
142    type KeyHint;
143
144    /// An error type that's returned when the object is _not_ well-signed.
145    type Error;
146
147    /// Check whether k is the right key for this object.  If not, return
148    /// an error describing what key would be right.
149    ///
150    /// This function is allowed to return 'true' for a bad key, but never
151    /// 'false' for a good key.
152    fn key_is_correct(&self, k: &Self::Key) -> Result<(), Self::KeyHint>;
153
154    /// Check the signature on this object
155    fn is_well_signed(&self, k: &Self::Key) -> Result<(), Self::Error>;
156
157    /// Unwrap this object without checking any signatures on it.
158    fn dangerously_assume_wellsigned(self) -> T;
159
160    /// Unwrap this object if it's correctly signed by a provided key.
161    fn check_signature(self, k: &Self::Key) -> Result<T, Self::Error> {
162        self.is_well_signed(k)?;
163        Ok(self.dangerously_assume_wellsigned())
164    }
165}