tor-keymgr: Add support for storing certificates
This MR implements the new APIs described in doc/dev/notes/keymgr-certificates.md
:
- the first half of the MR (all the commits up to, and including, aba84fa1
tor-keymgr: Replace as_ssh_key_data with as_keystore_item (fmt).
) is a refactoring that enables us to store non-SshKeyData
items in the keystore (the motivation behind the refactoring is described indoc/dev/notes/keymgr-certificates.md
) - the second half (commit range 125d79ea - de2ecc4b) implements #1617 (closed)
Important: I left a handful of TODOs in the code, two of which are significant and will need to be addressed in the near future:
- We need to flesh out the
InvalidCertError
error type (see TODO in commit 90361e22tor-key-forge: Add a ToEncodableCert trait.
) - In 615418db, I added a constructor for building
EncodedEd25519Cert
s out of byte slices. However, this constructor doesn't validate the cert at all, which isn't great. Before we mark it as non-experimental, we'll need to make it actually parse the cert, rejecting it if it's invalid. But I think it's alright to address this one as a follow up (EncodedEd25519Cert::from_bytes
is gated behindexperimental-api
)
Closes #1617 (closed)
Edited by gabi-250