YubiHsm2UserMapping

signstar_config::yubihsm2

Enum YubiHsm2UserMapping 

Source 
pub enum YubiHsm2UserMapping {
    Admin {
        authentication_key_id: Id,
    },
    AuditLog {
        authentication_key_id: Id,
        ssh_authorized_key: AuthorizedKeyEntry,
        system_user: SystemUserId,
    },
    Backup {
        authentication_key_id: Id,
        wrapping_key_id: Id,
        ssh_authorized_key: AuthorizedKeyEntry,
        system_user: SystemUserId,
    },
    HermeticAuditLog {
        authentication_key_id: Id,
        system_user: SystemUserId,
    },
    Signing {
        authentication_key_id: Id,
        key_setup: SigningKeySetup,
        domain: Domain,
        signing_key_id: Id,
        ssh_authorized_key: AuthorizedKeyEntry,
        system_user: SystemUserId,
    },
}
Expand description

User and data mapping between system users and YubiHSM2 users.

Variants§

§

Admin

A YubiHSM2 user in the administrator role, without a system user mapped to it.

Tracks an authentication key object with a specific authentication_key_id.

§Note

This variant implies, that the created authentication key object has all relevant capabilities necessary for the creation of users and keys and to restore from backup, i.e.:

  • delete-asymmetric-key
  • generate-asymmetric-key
  • put-asymmetric-key
  • delete-authentication-key
  • put-authentication-key
  • change-authentication-key
  • get-option
  • set-option
  • delete-hmac-key
  • generate-hmac-key
  • put-mac-key
  • sign-hmac
  • verify-hmac
  • delete-opaque
  • generate-opaque
  • get-opaque
  • put-opaque
  • reset-device
  • delete-template
  • get-template
  • put-template
  • delete-wrap-key
  • exportable-under-wrap
  • generate-wrap-key
  • import-wrapped
  • put-wrap-key
  • unwrap-data
  • wrap-data
  • put-public-wrap-key
  • delete-public-wrap-key
  • generate-symmetric-key
  • put-symmetric-key
  • delete-symmetric-key

Further, it is assumed that the authentication key object is added to all domains.

Fields

§authentication_key_id: Id

The identifier of the authentication key used to create a session with the YubiHSM2.

§

AuditLog

A system user, with SSH access, mapped to a YubiHSM2 authentication key.

This variant tracks

  • an authentication key object with a specific authentication_key_id
  • an SSH authorized key with a specific ssh_authorized_key
  • a system user ID using system_user

Its data is used to create relevant system and backend users for the retrieval of audit logs over the network, made available by the YubiHSM2.

§Note

This variant implies, that the created authentication key object has all relevant capabilities for audit log retrieval (i.e. get-log-entries).

Fields

§authentication_key_id: Id

The identifier of the authentication key used to create a session with the YubiHSM2.

§ssh_authorized_key: AuthorizedKeyEntry

The SSH public key used for connecting to the system_user.

§system_user: SystemUserId

The name of the system user.

§

Backup

A mapping used for the creation of YubiHSM2 backups.

This variant tracks

  • an [authentication key object] with a specific authentication_key_id
  • a wrap key object with a specific wrapping_key_id
  • an SSH authorized key with a specific ssh_authorized_key
  • a system user ID using system_user

Its data is used to create relevant system and backend users for the creation of backups of all keys (including [authentication key object]s) and non-key material (e.g. OpenPGP certificates) of a YubiHSM2.

§Note

This variant implies, that the created [authentication key object] has all relevant capabilities for backup related actions (i.e. export-wrapped, wrap-data).

Further, it is assumed that both the [authentication key object] and wrap key object are added to all domains.

Fields

§authentication_key_id: Id

The identifier of the authentication key used to create a session with the YubiHSM2.

This represents an authentication key object.

§wrapping_key_id: Id

The identifier of the wrapping key in the YubiHSM2 backend.

This identifies the encryption key used for wrapping backups of all keys of the YubiHSM2.

§Note

The wrapping key is automatically added to all domains.

§ssh_authorized_key: AuthorizedKeyEntry

The SSH public key used for connecting to the system_user.

§system_user: SystemUserId

The name of the system user.

§

HermeticAuditLog

A system user, without SSH access, mapped to a YubiHSM2 authentication key for collecting audit logs.

This variant tracks

Its data is used to create relevant system and backend users for the retrieval of audit logs made available by the YubiHSM2.

§Note

This variant implies, that the created authentication key object has all relevant capabilities for audit log retrieval (i.e. get-log-entries).

Fields

§authentication_key_id: Id

The identifier of the authentication key used to create a session with the YubiHSM2.

§system_user: SystemUserId

The name of the system user.

§

Signing

A system user, with SSH access, mapped to a YubiHSM2 user in the Operator role with access to a single signing key.

This variant tracks

  • an authentication key object identified by an authentication_key_id
  • a domain (domain) assigned to both objects identified by authentication_key_id and signing_key_id
  • a SigningKeySetup using key_setup
  • an asymmetric key object identified by a signing_key_id
  • an SSH authorized key (ssh_authorized_key) for a system_user
  • a system user ID (system_user)

Its data is used to create relevant system and backend users for the creation of backups of all keys (including authentication key objects) and non-key material (e.g. OpenPGP certificates) of a YubiHSM2.

§Note

This variant implies, that the created authentication key object has all relevant capabilities for signing with the asymmetric key object (i.e. sign-ecdsa, sign-eddsa, sign-pkcs and sign-pss).

Further, it is assumed that both the authentication key object and asymmetric key object are added to the single domain domain.

Fields

§authentication_key_id: Id

The identifier of the authentication key used to create a session with the YubiHSM2.

§key_setup: SigningKeySetup

The setup of a YubiHSM2 key.

§domain: Domain

The domain the signing and authentication key belong to.

§signing_key_id: Id

The identifier of the signing key in the YubiHSM2 backend.

§ssh_authorized_key: AuthorizedKeyEntry

The SSH public key used for connecting to the system_user.

§system_user: SystemUserId

The name of the system user.

Implementations§

Source§

impl YubiHsm2UserMapping

Source

pub fn domain(&self) -> Option<&Domain>

Returns the optional Domain of the YubiHsm2UserMapping.

Source

pub fn backend_user_id(&self) -> Id

Returns the authentication key ID of the YubiHsm2UserMapping.

Trait Implementations§

Source§

impl Clone for YubiHsm2UserMapping

Source§

fn clone(&self) -> YubiHsm2UserMapping

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for YubiHsm2UserMapping

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl<'de> Deserialize<'de> for YubiHsm2UserMapping

Source§

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer. Read more
Source§

impl Hash for YubiHsm2UserMapping

Source§

fn hash<__H: Hasher>(&self, state: &mut __H)

Feeds this value into the given Hasher. Read more
1.3.0 · Source§

fn hash_slice<H>(data: &[Self], state: &mut H)
where H: Hasher, Self: Sized,

Feeds a slice of this type into the given Hasher. Read more
Source§

impl MappingAuthorizedKeyEntry for YubiHsm2UserMapping

Source§

fn authorized_key_entry(&self) -> Option<&AuthorizedKeyEntry>

Returns an optional SSH authorized_keys entry. Read more
Source§

impl MappingBackendDomain<YubiHsm2DomainFilter> for YubiHsm2UserMapping

Source§

fn backend_domain( &self, _filter: Option<&YubiHsm2DomainFilter>, ) -> Option<String>

Returns a String representing a backend domain according to an optional filter.
Source§

impl MappingBackendKeyId<YubiHsm2BackendKeyIdFilter> for YubiHsm2UserMapping

Source§

fn backend_key_id(&self, filter: &YubiHsm2BackendKeyIdFilter) -> Option<String>

Returns an optional String representing a backend key ID according to a filter.
Source§

impl MappingBackendUserIds for YubiHsm2UserMapping

Source§

fn backend_user_ids(&self, filter: BackendUserIdFilter) -> Vec<String>

Returns a list of Strings representing backend User IDs according to a filter.
Source§

fn backend_user_with_passphrase( &self, name: &str, passphrase: Passphrase, ) -> Result<Box<dyn UserWithPassphrase>, Error>

Returns a specific UserWithPassphrase implementation for a backend user. Read more
Source§

fn backend_users_with_new_passphrase( &self, filter: BackendUserIdFilter, ) -> Vec<Box<dyn UserWithPassphrase>>

Returns a list of UserWithPassphrase implementations according to a filter. Read more
Source§

impl MappingBackendUserSecrets for YubiHsm2UserMapping

Source§

fn create_non_admin_backend_user_secrets( &self, secret_handling: NonAdministrativeSecretHandling, ) -> Result<Option<Vec<Box<dyn UserWithPassphrase>>>, Error>

Creates on-disk secrets for non-administrative backend users of the mapping. Read more
Source§

fn load_non_admin_backend_user_secrets( &self, secret_handling: NonAdministrativeSecretHandling, filter: NonAdminBackendUserIdFilter, ) -> Result<Option<Vec<Box<dyn UserWithPassphrase>>>, Error>

Loads secrets from on-disk files for each non-administrative backend user matching a filter. Read more
Source§

impl MappingSystemUserId for YubiHsm2UserMapping

Source§

fn system_user_id(&self) -> Option<&SystemUserId>

Returns a reference to the SystemUserId. Read more
Source§

fn system_user_id_as_existing_unix_user(&self) -> Result<Option<User>, Error>

Returns the tracked system user ID as [User] if it exists. Read more
Source§

fn system_user_id_as_current_unix_user(&self) -> Result<Option<User>, Error>

Returns the tracked system user ID as the current [User] if it exists. Read more
Source§

impl Ord for YubiHsm2UserMapping

Source§

fn cmp(&self, other: &YubiHsm2UserMapping) -> Ordering

This method returns an Ordering between self and other. Read more
1.21.0 · Source§

fn max(self, other: Self) -> Self
where Self: Sized,

Compares and returns the maximum of two values. Read more
1.21.0 · Source§

fn min(self, other: Self) -> Self
where Self: Sized,

Compares and returns the minimum of two values. Read more
1.50.0 · Source§

fn clamp(self, min: Self, max: Self) -> Self
where Self: Sized,

Restrict a value to a certain interval. Read more
Source§

impl PartialEq for YubiHsm2UserMapping

Source§

fn eq(&self, other: &YubiHsm2UserMapping) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl PartialOrd for YubiHsm2UserMapping

Source§

fn partial_cmp(&self, other: &YubiHsm2UserMapping) -> Option<Ordering>

This method returns an ordering between self and other values if one exists. Read more
1.0.0 · Source§

fn lt(&self, other: &Rhs) -> bool

Tests less than (for self and other) and is used by the < operator. Read more
1.0.0 · Source§

fn le(&self, other: &Rhs) -> bool

Tests less than or equal to (for self and other) and is used by the <= operator. Read more
1.0.0 · Source§

fn gt(&self, other: &Rhs) -> bool

Tests greater than (for self and other) and is used by the > operator. Read more
1.0.0 · Source§

fn ge(&self, other: &Rhs) -> bool

Tests greater than or equal to (for self and other) and is used by the >= operator. Read more
Source§

impl Serialize for YubiHsm2UserMapping

Source§

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer. Read more
Source§

impl Eq for YubiHsm2UserMapping

Source§

impl StructuralPartialEq for YubiHsm2UserMapping

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
§

impl<T> Conv for T

§

fn conv<T>(self) -> T
where Self: Into<T>,

Converts self into T using Into<T>. Read more
§

impl<T> FmtForward for T

§

fn fmt_binary(self) -> FmtBinary<Self>
where Self: Binary,

Causes self to use its Binary implementation when Debug-formatted.
§

fn fmt_display(self) -> FmtDisplay<Self>
where Self: Display,

Causes self to use its Display implementation when Debug-formatted.
§

fn fmt_lower_exp(self) -> FmtLowerExp<Self>
where Self: LowerExp,

Causes self to use its LowerExp implementation when Debug-formatted.
§

fn fmt_lower_hex(self) -> FmtLowerHex<Self>
where Self: LowerHex,

Causes self to use its LowerHex implementation when Debug-formatted.
§

fn fmt_octal(self) -> FmtOctal<Self>
where Self: Octal,

Causes self to use its Octal implementation when Debug-formatted.
§

fn fmt_pointer(self) -> FmtPointer<Self>
where Self: Pointer,

Causes self to use its Pointer implementation when Debug-formatted.
§

fn fmt_upper_exp(self) -> FmtUpperExp<Self>
where Self: UpperExp,

Causes self to use its UpperExp implementation when Debug-formatted.
§

fn fmt_upper_hex(self) -> FmtUpperHex<Self>
where Self: UpperHex,

Causes self to use its UpperHex implementation when Debug-formatted.
§

fn fmt_list(self) -> FmtList<Self>
where &'a Self: for<'a> IntoIterator,

Formats each item in a sequence. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T, O> Matches<O> for T
where T: PartialEq<O>,

§

fn validate_matches(&self, other: &O) -> bool

§

impl<T> Pipe for T
where T: ?Sized,

§

fn pipe<R>(self, func: impl FnOnce(Self) -> R) -> R
where Self: Sized,

Pipes by value. This is generally the method you want to use. Read more
§

fn pipe_ref<'a, R>(&'a self, func: impl FnOnce(&'a Self) -> R) -> R
where R: 'a,

Borrows self and passes that borrow into the pipe function. Read more
§

fn pipe_ref_mut<'a, R>(&'a mut self, func: impl FnOnce(&'a mut Self) -> R) -> R
where R: 'a,

Mutably borrows self and passes that borrow into the pipe function. Read more
§

fn pipe_borrow<'a, B, R>(&'a self, func: impl FnOnce(&'a B) -> R) -> R
where Self: Borrow<B>, B: 'a + ?Sized, R: 'a,

Borrows self, then passes self.borrow() into the pipe function. Read more
§

fn pipe_borrow_mut<'a, B, R>( &'a mut self, func: impl FnOnce(&'a mut B) -> R, ) -> R
where Self: BorrowMut<B>, B: 'a + ?Sized, R: 'a,

Mutably borrows self, then passes self.borrow_mut() into the pipe function. Read more
§

fn pipe_as_ref<'a, U, R>(&'a self, func: impl FnOnce(&'a U) -> R) -> R
where Self: AsRef<U>, U: 'a + ?Sized, R: 'a,

Borrows self, then passes self.as_ref() into the pipe function.
§

fn pipe_as_mut<'a, U, R>(&'a mut self, func: impl FnOnce(&'a mut U) -> R) -> R
where Self: AsMut<U>, U: 'a + ?Sized, R: 'a,

Mutably borrows self, then passes self.as_mut() into the pipe function.
§

fn pipe_deref<'a, T, R>(&'a self, func: impl FnOnce(&'a T) -> R) -> R
where Self: Deref<Target = T>, T: 'a + ?Sized, R: 'a,

Borrows self, then passes self.deref() into the pipe function.
§

fn pipe_deref_mut<'a, T, R>( &'a mut self, func: impl FnOnce(&'a mut T) -> R, ) -> R
where Self: DerefMut<Target = T> + Deref, T: 'a + ?Sized, R: 'a,

Mutably borrows self, then passes self.deref_mut() into the pipe function.
Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
§

impl<T> Tap for T

§

fn tap(self, func: impl FnOnce(&Self)) -> Self

Immutable access to a value. Read more
§

fn tap_mut(self, func: impl FnOnce(&mut Self)) -> Self

Mutable access to a value. Read more
§

fn tap_borrow<B>(self, func: impl FnOnce(&B)) -> Self
where Self: Borrow<B>, B: ?Sized,

Immutable access to the Borrow<B> of a value. Read more
§

fn tap_borrow_mut<B>(self, func: impl FnOnce(&mut B)) -> Self
where Self: BorrowMut<B>, B: ?Sized,

Mutable access to the BorrowMut<B> of a value. Read more
§

fn tap_ref<R>(self, func: impl FnOnce(&R)) -> Self
where Self: AsRef<R>, R: ?Sized,

Immutable access to the AsRef<R> view of a value. Read more
§

fn tap_ref_mut<R>(self, func: impl FnOnce(&mut R)) -> Self
where Self: AsMut<R>, R: ?Sized,

Mutable access to the AsMut<R> view of a value. Read more
§

fn tap_deref<T>(self, func: impl FnOnce(&T)) -> Self
where Self: Deref<Target = T>, T: ?Sized,

Immutable access to the Deref::Target of a value. Read more
§

fn tap_deref_mut<T>(self, func: impl FnOnce(&mut T)) -> Self
where Self: DerefMut<Target = T> + Deref, T: ?Sized,

Mutable access to the Deref::Target of a value. Read more
§

fn tap_dbg(self, func: impl FnOnce(&Self)) -> Self

Calls .tap() only in debug builds, and is erased in release builds.
§

fn tap_mut_dbg(self, func: impl FnOnce(&mut Self)) -> Self

Calls .tap_mut() only in debug builds, and is erased in release builds.
§

fn tap_borrow_dbg<B>(self, func: impl FnOnce(&B)) -> Self
where Self: Borrow<B>, B: ?Sized,

Calls .tap_borrow() only in debug builds, and is erased in release builds.
§

fn tap_borrow_mut_dbg<B>(self, func: impl FnOnce(&mut B)) -> Self
where Self: BorrowMut<B>, B: ?Sized,

Calls .tap_borrow_mut() only in debug builds, and is erased in release builds.
§

fn tap_ref_dbg<R>(self, func: impl FnOnce(&R)) -> Self
where Self: AsRef<R>, R: ?Sized,

Calls .tap_ref() only in debug builds, and is erased in release builds.
§

fn tap_ref_mut_dbg<R>(self, func: impl FnOnce(&mut R)) -> Self
where Self: AsMut<R>, R: ?Sized,

Calls .tap_ref_mut() only in debug builds, and is erased in release builds.
§

fn tap_deref_dbg<T>(self, func: impl FnOnce(&T)) -> Self
where Self: Deref<Target = T>, T: ?Sized,

Calls .tap_deref() only in debug builds, and is erased in release builds.
§

fn tap_deref_mut_dbg<T>(self, func: impl FnOnce(&mut T)) -> Self
where Self: DerefMut<Target = T> + Deref, T: ?Sized,

Calls .tap_deref_mut() only in debug builds, and is erased in release builds.
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
§

impl<T> TryConv for T

§

fn try_conv<T>(self) -> Result<T, Self::Error>
where Self: TryInto<T>,

Attempts to convert self into T using TryInto<T>. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

§

fn vzip(self) -> V

Source§

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,