Trait SigningBackend 

pub trait SigningBackend:
    Send
    + Sync
    + Debug {
    // Required methods
    fn name(&self) -> &'static str;
    fn is_hardware_backed(&self) -> bool;
    fn active_key_id<'life0, 'async_trait>(
        &'life0 self,
    ) -> Pin<Box<dyn Future<Output = Result<String, SecretsError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait;
    fn public_key_b64<'life0, 'life1, 'async_trait>(
        &'life0 self,
        kid: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Result<Option<String>, SecretsError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait,
             'life1: 'async_trait;
    fn list_valid_pubkeys<'life0, 'async_trait>(
        &'life0 self,
    ) -> Pin<Box<dyn Future<Output = Result<Vec<PubkeyInfo>, SecretsError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait;
    fn sign<'life0, 'life1, 'life2, 'async_trait>(
        &'life0 self,
        kid: &'life1 str,
        msg: &'life2 [u8],
    ) -> Pin<Box<dyn Future<Output = Result<[u8; 64], SecretsError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait,
             'life1: 'async_trait,
             'life2: 'async_trait;
    fn rotate<'life0, 'async_trait>(
        &'life0 self,
        grace: Duration,
    ) -> Pin<Box<dyn Future<Output = Result<KeystoreRotationResult, SecretsError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait;
    fn prune_expired_grace<'life0, 'async_trait>(
        &'life0 self,
    ) -> Pin<Box<dyn Future<Output = Result<usize, SecretsError>> + Send + 'async_trait>>
       where Self: 'async_trait,
             'life0: 'async_trait;
}

Abstract interface over a cluster-signing-key store.

Implementations may live on local disk (FileBackend), in a TPM, in an HSM, or in a cloud KMS — the trait keeps the call sites agnostic. The default and only shipped implementation today is FileBackend.

All methods are async because hardware backends inevitably involve IO (TPM sessions, network round-trips to KMS, etc.). The file backend’s IO is the existing tokio-fs path.

Required Methods

fn name(&self) -> &'static str

Returns a human-readable name ("file", "tpm", …) for log lines and --key-store-backend debug output.

fn is_hardware_backed(&self) -> bool

Returns true if private key material lives in tamper-resistant hardware. Pure-software backends return false. Used for startup logging and the “key-store-backend: tpm (hw-backed)” banner.

fn active_key_id<'life0, 'async_trait>( &'life0 self, ) -> Pin<Box<dyn Future<Output = Result<String, SecretsError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait,

Returns the kid of the currently active key: the first 8 characters of the lowercase hex SHA-256 of the currently active verifying key. Stable across processes for the same key.

fn public_key_b64<'life0, 'life1, 'async_trait>( &'life0 self, kid: &'life1 str, ) -> Pin<Box<dyn Future<Output = Result<Option<String>, SecretsError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait,

URL-safe no-pad base64 of the verifying key bytes for the given kid. Returns Ok(None) if the kid is unknown or its grace window has expired.

fn list_valid_pubkeys<'life0, 'async_trait>( &'life0 self, ) -> Pin<Box<dyn Future<Output = Result<Vec<PubkeyInfo>, SecretsError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait,

All currently-valid (active OR not-yet-expired grace) keys in the store with their statuses.

fn sign<'life0, 'life1, 'life2, 'async_trait>( &'life0 self, kid: &'life1 str, msg: &'life2 [u8], ) -> Pin<Box<dyn Future<Output = Result<[u8; 64], SecretsError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait,

Sign msg with the key identified by kid. Fails with SecretsError::Provider if the kid is unknown or expired. Note that signing with a grace-window key is unusual (callers typically only sign with the active key) but supported for recovery scenarios.

fn rotate<'life0, 'async_trait>( &'life0 self, grace: Duration, ) -> Pin<Box<dyn Future<Output = Result<KeystoreRotationResult, SecretsError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait,

Rotate the keystore: generate a new active key, move the previous active key into the grace window for the duration grace, and return the new active kid and public key. This call is not idempotent: calling it twice produces two rotations.

fn prune_expired_grace<'life0, 'async_trait>( &'life0 self, ) -> Pin<Box<dyn Future<Output = Result<usize, SecretsError>> + Send + 'async_trait>>
where Self: 'async_trait, 'life0: 'async_trait,

Prune any grace-window entries whose retention has elapsed. Returns the count of pruned entries. Called periodically by the daemon’s keystore sweep task.
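
The rotation and grace-window rules described for rotate, public_key_b64, sign and prune_expired_grace, as an added example that is not code from this crate. It is a synchronous, std-only model: ModelStore, Status, the counter-style kids and the explicit now clock are hypothetical, and it assumes expiry is checked at lookup time with an exclusive boundary.

```rust
use std::collections::HashMap;
use std::time::Duration;

// Hypothetical model, not the crate's FileBackend: kids are counters rather
// than SHA-256 prefixes, no key material is held, and "now" is passed in as
// a Duration since start so the behaviour is deterministic.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Status { Active, Grace }

struct ModelStore {
    active: String,
    grace: HashMap<String, Duration>, // kid -> time at which grace ends
    next: u32,
}

impl ModelStore {
    fn new() -> Self {
        ModelStore { active: "kid-0".to_string(), grace: HashMap::new(), next: 1 }
    }

    // rotate: mint a new active kid; the previous one stays valid until now + grace.
    fn rotate(&mut self, now: Duration, grace: Duration) -> String {
        let new_kid = format!("kid-{}", self.next);
        self.next += 1;
        let old = std::mem::replace(&mut self.active, new_kid.clone());
        self.grace.insert(old, now + grace);
        new_kid
    }

    // Mirrors the public_key_b64 / sign rule: an unknown or expired kid is
    // unusable (None), even if prune_expired_grace has not swept it yet.
    fn status(&self, kid: &str, now: Duration) -> Option<Status> {
        if kid == self.active { return Some(Status::Active); }
        match self.grace.get(kid) {
            Some(expiry) if now < *expiry => Some(Status::Grace), // assumed exclusive
            _ => None,
        }
    }

    // prune_expired_grace: drop elapsed entries and return how many were removed.
    fn prune_expired_grace(&mut self, now: Duration) -> usize {
        let before = self.grace.len();
        self.grace.retain(|_, expiry| now < *expiry);
        before - self.grace.len()
    }
}

fn main() {
    let mut s = ModelStore::new();
    let k1 = s.rotate(Duration::from_secs(0), Duration::from_secs(60));
    println!("{} {:?}", k1, s.status("kid-0", Duration::from_secs(30)));
}
```

A verifier built on this contract should treat a None lookup as a hard rejection rather than falling back to the active key.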

Dyn Compatibility

This trait is dyn compatible.

In older versions of Rust, dyn compatibility was called "object safety".

Implementors