Trait AuthenticationPlugin 

pub trait AuthenticationPlugin: Send + Sync {
    // Required methods
    fn validate_local_identity(
        &mut self,
        props: &PropertyList,
        participant_guid: [u8; 16],
    ) -> SecurityResult<IdentityHandle>;
    fn validate_remote_identity(
        &mut self,
        local: IdentityHandle,
        remote_participant_guid: [u8; 16],
        remote_auth_token: &[u8],
    ) -> SecurityResult<IdentityHandle>;
    fn begin_handshake_request(
        &mut self,
        initiator: IdentityHandle,
        replier: IdentityHandle,
    ) -> SecurityResult<(HandshakeHandle, HandshakeStepOutcome)>;
    fn begin_handshake_reply(
        &mut self,
        replier: IdentityHandle,
        initiator: IdentityHandle,
        request_token: &[u8],
    ) -> SecurityResult<(HandshakeHandle, HandshakeStepOutcome)>;
    fn process_handshake(
        &mut self,
        handshake: HandshakeHandle,
        token: &[u8],
    ) -> SecurityResult<HandshakeStepOutcome>;
    fn shared_secret(
        &self,
        handshake: HandshakeHandle,
    ) -> SecurityResult<SharedSecretHandle>;
    fn plugin_class_id(&self) -> &str;

    // Provided methods
    fn set_algo_nul_terminate(&mut self, _nul: bool) { ... }
    fn get_identity_token(
        &self,
        _local: IdentityHandle,
    ) -> SecurityResult<Vec<u8>> { ... }
    fn get_identity_status_token(
        &self,
        _local: IdentityHandle,
    ) -> SecurityResult<Vec<u8>> { ... }
    fn get_permissions_token(&self) -> Vec<u8>  { ... }
    fn set_local_participant_data(&mut self, _pdata: Vec<u8>) { ... }
    fn set_permissions_credential_and_token(
        &mut self,
        _local: IdentityHandle,
        _permissions_credential: &[u8],
        _permissions_token: &[u8],
    ) -> SecurityResult<()> { ... }
    fn get_authenticated_peer_credential_token(
        &self,
        _handshake: HandshakeHandle,
    ) -> SecurityResult<Vec<u8>> { ... }
}

Authentication plugin trait. Spec §8.3.2.7.

Required Methods

fn validate_local_identity( &mut self, props: &PropertyList, participant_guid: [u8; 16], ) -> SecurityResult<IdentityHandle>

Called once at participant start: validate the local identity (certificate, key, trust anchor) and return a handle.

Spec

§8.3.2.7.1 validate_local_identity.

fn validate_remote_identity( &mut self, local: IdentityHandle, remote_participant_guid: [u8; 16], remote_auth_token: &[u8], ) -> SecurityResult<IdentityHandle>

Called as soon as a remote participant has been discovered via SPDP. The plugin validates the remote cert (from remote_auth_token) against its trust store.

Spec

§8.3.2.7.2 validate_remote_identity.

fn begin_handshake_request( &mut self, initiator: IdentityHandle, replier: IdentityHandle, ) -> SecurityResult<(HandshakeHandle, HandshakeStepOutcome)>

Starts the handshake. Returns the first token that must be sent to the peer.

Spec

§8.3.2.7.3 begin_handshake_request.

fn begin_handshake_reply( &mut self, replier: IdentityHandle, initiator: IdentityHandle, request_token: &[u8], ) -> SecurityResult<(HandshakeHandle, HandshakeStepOutcome)>

Peer side of the handshake start. request_token is what the initiator sent via begin_handshake_request.

Spec

§8.3.2.7.4 begin_handshake_reply.

fn process_handshake( &mut self, handshake: HandshakeHandle, token: &[u8], ) -> SecurityResult<HandshakeStepOutcome>

Pass through follow-up handshake messages.

Spec

§8.3.2.7.5 process_handshake.

fn shared_secret( &self, handshake: HandshakeHandle, ) -> SecurityResult<SharedSecretHandle>

Ends the handshake and returns the final SharedSecret. Failure aborts. Called by the caller after a Complete outcome to pull the secret out of the plugin.

Alternatively: the Complete outcome already contains the handle — this method is only for polling integrations.

Spec

§8.3.2.7.8 get_shared_secret.

fn plugin_class_id(&self) -> &str

Identity plugin name (e.g. “DDS:Auth:PKI-DH:1.2”). Announced in SPDP as dds.sec.auth.plugin_class.

Provided Methods

fn set_algo_nul_terminate(&mut self, _nul: bool)

Cross-vendor quirk: determines whether the next handshake algorithm strings (c.dsign_algo/c.kagree_algo) are emitted + hashed NUL-terminated. OpenDDS compares them with sizeof (incl. \0) and needs the NUL form; FastDDS (#3803) needs them WITHOUT; cyclone is tolerant. Since the handshake runs per-peer, the discovery layer calls this based on the peer’s VendorId BEFORE begin_handshake_request or begin_handshake_reply. Default no-op (NUL-free = spec/FastDDS/ Cyclone-conformant).

fn get_identity_token(&self, _local: IdentityHandle) -> SecurityResult<Vec<u8>>

Returns the IdentityToken for a local identity (spec §9.3.2.4). Published in the SPDP announce as PID_IDENTITY_TOKEN (0x1001). Default: empty token (= the plugin does not support the feature).

Errors

Implementation-specific.

fn get_identity_status_token( &self, _local: IdentityHandle, ) -> SecurityResult<Vec<u8>>

Returns the IdentityStatusToken for a local identity (spec §9.3.2.5.1.2). Default: empty.

Errors

Implementation-specific.

fn get_permissions_token(&self) -> Vec<u8>

Returns the PermissionsToken (spec §7.2.4, PID_PERMISSIONS_TOKEN 0x1002) for the SPDP announce. Strictly per spec the AccessControlPlugin produces it; since ZeroDDS holds the permissions in the auth plugin (set_local_permissions, for the c.perm handshake), the getter lives here. Default: empty (no permissions configured ⇒ AccessControl inactive ⇒ token omitted). Cross-vendor requirement: secure vendors (cyclone/FastDDS) only validate a remote if SPDP carries both tokens (identity + permissions).

fn set_local_participant_data(&mut self, _pdata: Vec<u8>)

Sets the local ParticipantBuiltinTopicData as PL_CDR bytes that are sent along in the handshake as c.pdata (spec §9.3.2.5.2). The replier deserializes c.pdata as a ParameterList and binds the participant_guid to the authenticated identity. Default: no-op.

fn set_permissions_credential_and_token( &mut self, _local: IdentityHandle, _permissions_credential: &[u8], _permissions_token: &[u8], ) -> SecurityResult<()>

Sets the permissions credential and the permissions token on a local identity (spec §9.3.2.4 + §9.3.2.5.4). Fed by the caller layer with the output of the AccessControlPlugin.

Errors

Default: Unsupported (the plugin ignores the permissions bind).

fn get_authenticated_peer_credential_token( &self, _handshake: HandshakeHandle, ) -> SecurityResult<Vec<u8>>

Returns the AuthenticatedPeerCredentialToken (spec §9.3.2.5.6). Fetched by the AccessControl layer after a successful handshake to perform the caller subject match. Default: empty.

Errors

Implementation-specific.

Dyn Compatibility

This trait is dyn compatible.

In older versions of Rust, dyn compatibility was called "object safety".

Implementors

impl AuthenticationPlugin for MockAuthenticationPlugin