fn add_namespaced_keys(
    nethsm: &NetHsm,
    admin_credentials: &AdminCredentials,
    users: &[UserMapping],
) -> Result<(), Error>
Sets up all namespaced keys and tags them.
Creates any missing keys and adds the configured tags for all of them. If keys exist already, deletes all tags and adds the configured ones for them.
§Note
It is assumed that N-Administrators have already been set up before calling this function (see add_namespace_admins).
This function uses the nethsm with the default R-Administrator, but may switch to a namespace-specific N-Administrator for individual operations.
If this function succeeds, the nethsm is guaranteed to use the default R-Administrator again.
If this function fails, the nethsm may still use a namespace-specific N-Administrator.
This function does not fail on mismatching keys, as it is assumed that keys are added intentionally and should not be deleted or altered. However, a warning is emitted if the key type or key mechanisms of an existing key differ from what is configured in the Signstar configuration file.
Unlike add_system_wide_keys, this function does not delete any tags from keys.
This is due to a bug in the NetHSM firmware, which leads to a crash when adding a tag to a key, removing it, and then adding it again.
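The following is an added example, not Signstar or nethsm code: a self-contained model of the add-only tag behaviour described in this note, plus an audit check for tags that remain on a key after they have been dropped from the configuration. All types and function names (KeySpec, Keys, spec, reconcile, stale_tags) and the sample data are assumptions made for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Hypothetical stand-in types for this example; not the nethsm or Signstar API.
#[derive(Clone, Debug, PartialEq)]
struct KeySpec {
    key_type: &'static str,
    tags: BTreeSet<&'static str>,
}
type Keys = BTreeMap<&'static str, KeySpec>;

fn spec(key_type: &'static str, tags: &[&'static str]) -> KeySpec {
    KeySpec { key_type, tags: tags.iter().copied().collect() }
}

/// Add-only reconciliation: create missing keys, add missing tags, never
/// delete tags or alter existing keys. Returns one warning per type mismatch.
fn reconcile(backend: &mut Keys, configured: &Keys) -> Vec<String> {
    let mut warnings = Vec::new();
    for (id, want) in configured {
        match backend.get_mut(id) {
            None => { backend.insert(*id, want.clone()); }
            Some(have) => {
                if have.key_type != want.key_type {
                    warnings.push(format!("{id}: backend has {}, configuration has {}", have.key_type, want.key_type));
                }
                have.tags.extend(want.tags.iter().copied());
            }
        }
    }
    warnings
}

/// Audit check: tags still on a backend key that the configuration no longer lists.
fn stale_tags(backend: &Keys, configured: &Keys) -> Vec<(&'static str, &'static str)> {
    let mut out = Vec::new();
    for (id, have) in backend {
        if let Some(want) = configured.get(id) {
            out.extend(have.tags.difference(&want.tags).map(|t| (*id, *t)));
        }
    }
    out
}

fn main() {
    // Constructed sample state: "key1" pre-exists with an old tag and a different type.
    let mut backend = Keys::from([("key1", spec("Curve25519", &["old"]))]);
    let configured = Keys::from([("key1", spec("EcP256", &["new"])), ("key2", spec("Curve25519", &["t2"]))]);
    for w in reconcile(&mut backend, &configured) { println!("warning: {w}"); }
    println!("stale tags: {:?}", stale_tags(&backend, &configured));
}
```

Because tags are only ever added, a tag dropped from the configuration stays on the key until it is removed by other means, which is what the audit function surfaces.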
§Errors
Returns an error if
- the default system-wide R-Administrator cannot be retrieved or used for authentication,
- retrieving the list of available users from the NetHSM backend fails,
- a namespaced user mapped to a key is not in a namespace,
- no usable N-Administrator for a namespace is known,
- the available keys in the namespace cannot be retrieved,
- information about a specific key in the namespace cannot be retrieved,
- a tag cannot be added to an already existing key,
- a new key cannot be generated,
- or using the default system-wide administrator again fails.