pub fn sign(
nethsm: &NetHsm,
key_id: &KeyId,
message: &[u8],
) -> Result<Vec<u8>, Error>
Generates an OpenPGP signature using a given NetHSM key for the message.
Signs the message using the key identified by key_id and returns a binary (unarmored) OpenPGP data signature.
This call requires using a user in the Operator role, which carries a tag (see add_user_tag) matching one of the tags of the targeted key (see add_key_tag).
§Namespaces
- Operator users in a namespace only have access to keys in their own namespace.
- System-wide Operator users only have access to system-wide keys.
§Errors
Returns a crate::Error::Api if creating an OpenPGP signature for the message fails:
- the NetHSM is not in Operational state
- no key identified by key_id exists on the NetHSM
- the Operator user does not have access to the key (e.g. different namespace)
- the Operator user does not carry a tag matching one of the key tags
- the used Credentials are not correct
- the used Credentials are not those of a user in the Operator role
- the certificate for a given key has not been generated or is invalid
- subpacket lengths exceed maximum values
- hashing signed data fails
- signature creation using the NetHSM fails
- constructing the OpenPGP signature from its parts fails
- writing the signature to a vector fails
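As an added illustration (this is not code from the nethsm crate), the following Rust model encodes the preconditions documented above for the role, the namespace rule, the tag-match rule, the Operational state and the presence of a key certificate, so the access decisions from the Namespaces and Errors sections can be exercised offline. `Hsm`, `User`, `Key`, `Refusal`, `check_access` and the constructed sample data are assumptions made for the example; the real crate performs no such local check and reports all of these cases as a crate::Error::Api from the device.

```rust
// Illustrative model of the access rules documented for `sign`; added
// example code, not the nethsm crate's implementation. Type and function
// names are assumptions made for this example.
use std::collections::BTreeSet;

/// Roles a NetHSM user can hold; only `Operator` may sign.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role { Administrator, Operator, Metrics, Backup }

/// Coarse NetHSM states; signing is only possible in `Operational`.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum State { Unprovisioned, Locked, Operational }

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct User {
    pub name: String,
    pub role: Role,
    /// `None` for a system-wide user, `Some(ns)` for a user in namespace `ns`.
    pub namespace: Option<String>,
    /// Tags attached with add_user_tag.
    pub tags: BTreeSet<String>,
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Key {
    pub id: String,
    /// `None` for a system-wide key, `Some(ns)` for a key in namespace `ns`.
    pub namespace: Option<String>,
    /// Tags attached with add_key_tag.
    pub tags: BTreeSet<String>,
    /// Whether an OpenPGP certificate has been generated for the key.
    pub has_certificate: bool,
}

/// Stand-in for the device: its state and the keys it holds (hypothetical).
pub struct Hsm { pub state: State, pub keys: Vec<Key> }

/// One variant per documented reason the request is refused before any
/// signing happens (hypothetical names; the crate reports a single Error::Api).
#[derive(Debug, PartialEq, Eq)]
pub enum Refusal { NotOperational, NotOperator, NoSuchKey, WrongNamespace, NoMatchingTag, NoCertificate }

/// Applies the documented preconditions and returns the key that may be used.
pub fn check_access<'a>(hsm: &'a Hsm, user: &User, key_id: &str) -> Result<&'a Key, Refusal> {
    if hsm.state != State::Operational {
        return Err(Refusal::NotOperational);
    }
    if user.role != Role::Operator {
        return Err(Refusal::NotOperator);
    }
    let key = hsm.keys.iter().find(|k| k.id == key_id).ok_or(Refusal::NoSuchKey)?;
    // Namespaced Operators reach only keys of their own namespace and
    // system-wide Operators only system-wide keys: the namespaces must be
    // equal (both None, or both the same Some).
    if user.namespace != key.namespace {
        return Err(Refusal::WrongNamespace);
    }
    // At least one user tag must match one of the key's tags.
    if user.tags.is_disjoint(&key.tags) {
        return Err(Refusal::NoMatchingTag);
    }
    if !key.has_certificate {
        return Err(Refusal::NoCertificate);
    }
    Ok(key)
}

pub fn tags(list: &[&str]) -> BTreeSet<String> {
    list.iter().map(|t| t.to_string()).collect()
}

/// Constructed sample device: one system-wide key, one namespaced key and
/// one system-wide key without an OpenPGP certificate.
pub fn sample_hsm() -> Hsm {
    let key = |id: &str, ns: Option<&str>, cert: bool| Key {
        id: id.to_string(), namespace: ns.map(str::to_string), tags: tags(&["release"]), has_certificate: cert,
    };
    Hsm {
        state: State::Operational,
        keys: vec![key("signing1", None, true), key("ns-key", Some("team-a"), true), key("no-cert", None, false)],
    }
}

/// Constructed sample user.
pub fn sample_user(role: Role, namespace: Option<&str>, user_tags: &[&str]) -> User {
    User { name: "operator1".to_string(), role, namespace: namespace.map(str::to_string), tags: tags(user_tags) }
}

fn main() {
    let hsm = sample_hsm();
    let op = sample_user(Role::Operator, None, &["release"]);
    for id in ["signing1", "ns-key", "no-cert", "missing"] {
        println!("{}: {:?}", id, check_access(&hsm, &op, id).map(|k| k.id.clone()));
    }
}
```

The check is deliberately strict in both directions: a system-wide Operator is refused a namespaced key just as a namespaced Operator is refused a system-wide one, and a matching tag alone is not enough when the namespaces differ.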