Skip to content

tor-keymgr: Add support for storing certificates

gabi-250 requested to merge gabi-250/arti:keymgr-certmgr into main

This MR implements the new APIs described in doc/dev/notes/keymgr-certificates.md:

  • the first half of the MR (all the commits up to, and including, aba84fa1 tor-keymgr: Replace as_ssh_key_data with as_keystore_item (fmt).) is a refactoring that enables us to store non-SshKeyData items in the keystore (the motivation behind the refactoring is described in doc/dev/notes/keymgr-certificates.md)
  • the second half (commit range 125d79ea - de2ecc4b) implements #1617 (closed)

Important: I left a handful of TODOs in the code, two of which are significant and will need to be addressed in the near future:

  1. We need to flesh out the InvalidCertError error type (see TODO in commit 90361e22 tor-key-forge: Add a ToEncodableCert trait.)
  2. In 615418db, I added a constructor for building EncodedEd25519Certs out of byte slices. However, this constructor doesn't validate the cert at all, which isn't great. Before we mark it as non-experimental, we'll need to make it actually parse the cert, rejecting it if it's invalid. But I think it's alright to address this one as a follow up (EncodedEd25519Cert::from_bytes is gated behind experimental-api)

Closes #1617 (closed)

Edited by gabi-250

Merge request reports

Loading