pub enum SshKeyType {
Ed25519,
Rsa,
}Expand description
Supported SSH key types for vault unlock.
Only key types that produce deterministic signatures are supported, because the KEK is derived from the raw signature bytes — a different signature on each unlock would produce a different KEK and fail to unwrap the enrollment blob.
- Ed25519: deterministic by specification (RFC 8032).
- RSA (PKCS#1 v1.5): deterministic — the padding scheme uses no randomness. The ssh-agent-client-rs crate hard-codes RSA sign requests to SHA-512, which is stable.
Excluded:
- ECDSA: non-deterministic — uses a random
kvalue per signature. - RSA-PSS: non-deterministic — uses a random salt per signature.
Variants§
Implementations§
Source§impl SshKeyType
impl SshKeyType
Sourcepub fn from_wire_name(name: &str) -> Result<Self, AuthError>
pub fn from_wire_name(name: &str) -> Result<Self, AuthError>
Parse from the SSH wire format key type string.
§Errors
Returns AuthError::UnsupportedKeyType for key types with
non-deterministic signatures (ECDSA, RSA-PSS) or unrecognized
type strings.
Sourcepub fn from_algorithm(algo: &Algorithm) -> Result<Self, AuthError>
pub fn from_algorithm(algo: &Algorithm) -> Result<Self, AuthError>
Convert from ssh_key::Algorithm, accepting only deterministic types.
Only Ed25519 (RFC 8032, deterministic) and RSA PKCS#1 v1.5 (deterministic padding) are accepted. ECDSA (random k) and RSA-PSS (random salt) are rejected because their non-deterministic signatures would produce different KEKs on each unlock attempt.
§Errors
Returns AuthError::UnsupportedKeyType for non-deterministic key types.
Trait Implementations§
Source§impl Clone for SshKeyType
impl Clone for SshKeyType
Source§fn clone(&self) -> SshKeyType
fn clone(&self) -> SshKeyType
1.0.0 · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more