pub struct SecurityProfile {
    pub gate: Arc<SharedSecurityGate>,
    pub pki: Arc<Mutex<PkiAuthenticationPlugin>>,
    pub identity_handle: IdentityHandle,
    pub adjusted_participant_guid: [u8; 16],
    pub governance: Governance,
    pub permissions: Permissions,
}
Fully built security profile. The caller typically needs only
gate (attached to RuntimeConfig.security); pki and identity_handle
are needed only for driving the handshake programmatically later
(e.g. in tests that run without SEDP).
Fields

gate: Arc<SharedSecurityGate>
    Ready-to-consume SharedSecurityGate in Arc form, as RuntimeConfig.security expects it.

pki: Arc<Mutex<PkiAuthenticationPlugin>>
    PKI plugin with a registered local identity. Arc<Mutex>, because it is
    shared by both the handshake driver (which needs &mut for
    begin/process_handshake) and the crypto plugin (which uses it through
    SharedSecretProvider, i.e. &self).

identity_handle: IdentityHandle
    Handle of the local participant in the PKI plugin.

adjusted_participant_guid: [u8; 16]
    The DDS-Security §9.3.3-adjusted 16-byte participant GUID (its prefix is
    cryptographically bound to the identity). The caller MUST use this GUID
    (or its prefix) for the runtime/SPDP participant, so that the SPDP
    beacon, the handshake c.pdata and all entity GUIDs are consistent. Using
    the unadjusted GUID instead is not a cosmetic mismatch: a conformant peer
    checks the GUID carried in c.pdata against the identity-derived value and
    rejects the handshake when they differ.

governance: Governance
    Parsed governance.

permissions: Permissions
    Parsed permissions.
Implementations

impl SecurityProfile

pub fn from_files(
    cfg: &SecurityProfileConfig,
    participant_guid: [u8; 16],
) -> Result<Self, SecurityProfileError>
Reads all files, verifies the CMS signatures on governance and
permissions, and builds the PKI plugin and the gate.
participant_guid is the 16-byte DDS GUID of the local participant.
The PKI plugin derives adjusted_participant_guid from it and embeds
the adjusted value in the handshake token (c.pdata), which is why the
caller must then advertise the adjusted GUID rather than the one it
passed in.

Errors
SecurityProfileError in the variants Io / Pki / Permissions
/ GovernanceUtf8.
pub fn from_enclave_dir(
    enclave_dir: impl AsRef<Path>,
    domain_id: u32,
    participant_guid: [u8; 16],
) -> Result<Self, SecurityProfileError>
C7 — loads a profile from an SROS2 enclave directory in one call.
An SROS2 keystore lays each participant's material out under
enclaves/<name>/ and symlinks the standard file names into it:

| enclave file | role |
|---|---|
| cert.pem | identity certificate |
| key.pem | identity private key (PKCS#8) |
| identity_ca.cert.pem | identity CA bundle |
| permissions_ca.cert.pem | permissions CA bundle |
| governance.p7s | CMS-signed governance XML |
| permissions.p7s | CMS-signed permissions XML |

This replaces the six-path SecurityProfileConfig ceremony with a
single directory, mirroring how ros2 security enclaves are consumed.

Errors
SecurityProfileError::Io when a standard file is absent, plus the
Pki/Permissions/Governance variants from Self::from_files.
pub fn from_env(
    participant_guid: [u8; 16],
) -> Result<Option<Self>, SecurityProfileError>
C7 — "secure by default" env entry point. Loads an enclave from
ZERODDS_SECURITY_DIR; the domain comes from ROS_DOMAIN_ID
(default 0). Returns Ok(None) when ZERODDS_SECURITY_DIR is unset,
so a launch path can opt into security with a single env var:

export ZERODDS_SECURITY_DIR=$ROS_SECURITY_KEYSTORE/enclaves/talker
export ROS_DOMAIN_ID=42

Note the asymmetry: an unset variable means "no security" (Ok(None)),
while a set variable with missing or invalid material is a hard error,
never a silent fallback to plaintext. A deployment that requires
security must therefore treat Ok(None) as fatal itself, since this
function cannot distinguish "intentionally unsecured" from "forgot to
export ZERODDS_SECURITY_DIR".

Errors
Propagates Self::from_enclave_dir errors when the dir is set but
the material is missing or invalid.
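As an added illustration, not code from this crate, the following std-only Rust reproduces the two behaviours documented above: the file resolution from_enclave_dir performs over the six standard enclave names, and the opt-in logic of from_env (unset variable means disabled, set-but-broken means error, ROS_DOMAIN_ID defaulting to 0). EnclavePaths, EnvSecurity, resolve_enclave, parse_domain_id, security_from_env_values and security_from_env are hypothetical names; EnclavePaths stands in for the crate's SecurityProfileConfig, and no CMS verification or PKI setup is attempted. Whether the real from_env rejects a non-numeric ROS_DOMAIN_ID is not stated on this page; rejecting it is an assumption made here.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// The six standard file names an SROS2 enclave directory exposes
/// (usually as symlinks into the keystore).
pub const ENCLAVE_FILES: [&str; 6] = [
    "cert.pem",
    "key.pem",
    "identity_ca.cert.pem",
    "permissions_ca.cert.pem",
    "governance.p7s",
    "permissions.p7s",
];

/// Resolved paths of one enclave. Hypothetical type standing in for the
/// crate's own six-path SecurityProfileConfig.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct EnclavePaths {
    pub cert: PathBuf,
    pub key: PathBuf,
    pub identity_ca: PathBuf,
    pub permissions_ca: PathBuf,
    pub governance: PathBuf,
    pub permissions: PathBuf,
}

/// Map an enclave directory to its six files, failing closed on the first
/// problem. fs::metadata follows symlinks, so a dangling link into a
/// keystore that was moved surfaces here as NotFound instead of as a
/// confusing parse error later.
pub fn resolve_enclave(enclave_dir: impl AsRef<Path>) -> io::Result<EnclavePaths> {
    let dir = enclave_dir.as_ref();
    let mut resolved: Vec<PathBuf> = Vec::with_capacity(ENCLAVE_FILES.len());
    for &name in ENCLAVE_FILES.iter() {
        let path = dir.join(name);
        // Keep the original error kind (NotFound, PermissionDenied, ...)
        // but name the offending file in the message.
        let meta = fs::metadata(&path)
            .map_err(|e| io::Error::new(e.kind(), format!("{}: {}", path.display(), e)))?;
        if !meta.is_file() {
            return Err(io::Error::new(
                io::ErrorKind::InvalidData,
                format!("{} is not a regular file", path.display()),
            ));
        }
        resolved.push(path);
    }
    let mut it = resolved.into_iter();
    Ok(EnclavePaths {
        cert: it.next().unwrap(),
        key: it.next().unwrap(),
        identity_ca: it.next().unwrap(),
        permissions_ca: it.next().unwrap(),
        governance: it.next().unwrap(),
        permissions: it.next().unwrap(),
    })
}

/// Outcome of the env-driven opt-in: the Ok(None) / Ok(Some(..)) split of
/// from_env made explicit.
#[derive(Debug, PartialEq, Eq)]
pub enum EnvSecurity {
    /// ZERODDS_SECURITY_DIR unset: the caller runs without security.
    Disabled,
    /// Enclave material found; the caller would build the profile from it.
    Enabled { paths: EnclavePaths, domain_id: u32 },
}

/// ROS_DOMAIN_ID: unset means 0. A value that is set but not a u32 is
/// rejected (assumption of this example) rather than silently becoming 0,
/// which could drop the participant into a domain its permissions never
/// granted.
pub fn parse_domain_id(raw: Option<&str>) -> io::Result<u32> {
    match raw {
        None => Ok(0),
        Some(s) => s.trim().parse::<u32>().map_err(|e| {
            io::Error::new(
                io::ErrorKind::InvalidInput,
                format!("ROS_DOMAIN_ID={:?}: {}", s, e),
            )
        }),
    }
}

/// Pure core of the entry point: takes the two env values as arguments so
/// it can be exercised without mutating the process environment.
pub fn security_from_env_values(
    security_dir: Option<&str>,
    domain_id: Option<&str>,
) -> io::Result<EnvSecurity> {
    let dir = match security_dir {
        None => return Ok(EnvSecurity::Disabled),
        // Set (even to an empty string) means the operator asked for
        // security: it must resolve, or we fail closed.
        Some(d) => d,
    };
    let domain_id = parse_domain_id(domain_id)?;
    let paths = resolve_enclave(dir)?;
    Ok(EnvSecurity::Enabled { paths, domain_id })
}

/// Thin wrapper over the real environment, the shape a launch path calls.
pub fn security_from_env() -> io::Result<EnvSecurity> {
    let dir = std::env::var("ZERODDS_SECURITY_DIR").ok();
    let dom = std::env::var("ROS_DOMAIN_ID").ok();
    security_from_env_values(dir.as_deref(), dom.as_deref())
}

fn main() {
    match security_from_env() {
        Ok(EnvSecurity::Disabled) => println!("ZERODDS_SECURITY_DIR unset: running without security"),
        Ok(EnvSecurity::Enabled { paths, domain_id }) => {
            println!("domain {}: governance at {}", domain_id, paths.governance.display())
        }
        Err(e) => {
            eprintln!("security requested but unusable: {}", e);
            std::process::exit(1);
        }
    }
}
```

The split into a pure function plus a thin env wrapper is deliberate: it lets the fail-closed rules (unset is Disabled, set-but-missing is an error, never a plaintext fallback) be tested without touching the process environment, and it keeps the only side-effecting code to two `std::env::var` calls that are easy to audit.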