Expand description
A high-level library to interact with the API of a Nitrokey NetHSM.
Provides high-level integration with a Nitrokey NetHSM and the official container.
As this crate is a wrapper around [nethsm_sdk_rs] it covers all available actions from
provisioning, over key and user management to backup and restore.
The NetHSM provides dedicated user management based on a role system (see UserRole)
which can be used to separate concerns.
Each user has exactly one role.
With the help of a namespace concept, it is possible to segregate users and their keys into
secluded groups.
Notably, this introduces R-Administrators (system-wide users in the
Administrator role), which have access to all system-wide
actions, but can not modify users and keys in a namespace and N-Administrators
(namespace users in the Administrator role), which have
access only to actions towards users and keys in their own namespace.
Namespace users in the Operator role only have access to keys in
their own namespace, while system-wide users only have access to system-wide keys.
The cryptographic key material on the NetHSM can be assigned to one or several tags.
Users in the Operator role can be assigned to the same tags
to gain access to the respective keys.
Using the central NetHsm struct it is possible to establish a TLS connection for multiple
users and all available operations.
TLS validation can be configured based on a variant of the ConnectionSecurity enum:
ConnectionSecurity::Unsafe: The host certificate is not validated.ConnectionSecurity::Fingerprints: The host certificate is validated based on configurable fingerprints.ConnectionSecurity::Native: The host certificate is validated using the native Operating System trust store.
Apart from the crate specific documentation it is very recommended to read the canonical upstream documentation as well: https://docs.nitrokey.com/nethsm/
§Reexports
This crate re-exports the following [nethsm_sdk_rs] types, so that the crate does not have to
be relied upon directly:
nethsm_sdk_rs::models::DistinguishedNamenethsm_sdk_rs::models::InfoDatanethsm_sdk_rs::models::LoggingConfignethsm_sdk_rs::models::NetworkConfignethsm_sdk_rs::models::PublicKeynethsm_sdk_rs::models::SystemInfonethsm_sdk_rs::models::SystemStatenethsm_sdk_rs::models::SystemUpdateDatanethsm_sdk_rs::models::UserData
§Examples
use nethsm::{Connection, ConnectionSecurity, Credentials, NetHsm, Passphrase};
// Create a new connection to a NetHSM at "https://example.org" using admin credentials
let nethsm = NetHsm::new(
Connection::new(
"https://example.org/api/v1".try_into()?,
ConnectionSecurity::Unsafe,
),
Some(Credentials::new("admin".parse()?, Some(Passphrase::new("passphrase".to_string())))),
None,
None,
)?;
// Connections can be initialized without any credentials and more than one can be provided later on
let nethsm = NetHsm::new(
Connection::new(
"https://example.org/api/v1".try_into()?,
ConnectionSecurity::Unsafe,
),
None,
None,
None,
)?;
nethsm.add_credentials(Credentials::new("admin".parse()?, Some(Passphrase::new("passphrase".to_string()))));
nethsm.add_credentials(Credentials::new("user1".parse()?, Some(Passphrase::new("other_passphrase".to_string()))));
// A set of credentials must be used before establishing a connection with the configured NetHSM
nethsm.use_credentials(&"user1".parse()?)?;Re-exports§
pub use connection::Connection;pub use connection::Url;
Modules§
- connection
- Components for NetHSM connection handling.
- key 🔒
- nethsm_
sdk 🔒 - openpgp 🔒
- OpenPGP-related functions.
- tls 🔒
- user 🔒
- Module for credentials, user IDs and passphrases.
Structs§
- Credentials
- Credentials for a
NetHsm - Distinguished
Name - Full
Credentials - Credentials for a
NetHsm. - Host
Certificate Fingerprints - Certificate fingerprints to use for matching against a host’s TLS certificate
- Info
Data - KeyId
- A unique key identifier for a private key on a NetHSM.
- Logging
Config - Namespace
Id - The ID of a
NetHsmnamespace - NetHsm
- A network connection to a NetHSM.
- Network
Config - Open
PgpKey Usage Flags - Key usage flags that can be set on the generated certificate.
- Open
PgpUser Id - A basic representation of a User ID for OpenPGP
- Open
PgpUser IdList - A list of
OpenPgpUserId - Passphrase
- A secret passphrase
- Private
KeyImport - The key data required when importing a secret key
- Public
Key - Signing
KeySetup - The validated setup for a cryptographic signing key
- System
Info - System
Update Data - User
Data
Enums§
- Boot
Mode - The NetHSM boot mode
- Connection
Security - The security model chosen for a
crate::NetHsm’s TLS connection - Cryptographic
KeyContext - The cryptographic context in which a key is used
- Decrypt
Mode - A mode for decrypting a message
- Encrypt
Mode - A mode for encrypting a message
- Error
- An error that may occur when using a NetHSM.
- KeyFormat
- The format of a key
- KeyMechanism
- A mechanism which can be used with a key
- KeyType
- The algorithm type of a key
- LogLevel
- A device log level
- Open
PgpVersion - The OpenPGP version
- Signature
Type - The type of a signature
- System
State - TlsKey
Type - The algorithm type of a key used for TLS
- User
Error - An error that may occur when operating on users.
- UserId
- The ID for a
NetHsmuser - User
Role - The role of a user on a NetHSM device
Constants§
- MIN_
RSA_ BIT_ LENGTH - The minimum bit length for an RSA key
Functions§
- extract_
openpgp_ certificate - Extracts certificate (public key) from an OpenPGP TSK.
- key_
type_ and_ mechanisms_ match_ signature_ type - Ensures that a
KeyTypeand a list ofKeyMechanisms is compatible with aSignatureType - key_
type_ matches_ length - Ensures that a
KeyTypeis compatible with an optional key length - key_
type_ matches_ mechanisms - Ensures that a
KeyTypeis compatible with a list ofKeyMechanisms - tls_
key_ type_ matches_ length - Ensures that a
TlsKeyTypeis compatible with an optional key length - tsk_
to_ private_ key_ import - Converts an OpenPGP Transferable Secret Key into
PrivateKeyImportobject. - validate_
backup - Validates a backup.