frankhinek
commented
2 months ago Alternative Proposal
Follow an approach similar to what has been implemented in JS, Kotlin, Dart, and Go:
-
Remove the
export_private_keysandimport_private_keysmethods from the RustKeyManagertrait. -
Add two additional traits:
KeyImporterKeyExporter
These can optionally be implemented by concrete implementations of KeyManager when this functionality is desirable.
Background
Not all KeyManager implementations can support exporting keys. For example, this typically isn't possible with both mobile device and cloud-based HSMs.
Additionally, some key management systems can support importing of externally created key material, but this can be rather involved (e.g., see docs on AWS KMS and Google CloudKMS key import).
By maintaining separate traits, concrete implementations can choose to implement KeyImporter and KeyExporter when it is possible / makes sense.
KendallWeihe
Currently the
export_private_keys()andimport_private_keys()are a part of theKeyManagertrait, but this is undesirable for two reasons. First, we want to promote the exclusion of the implementation of these methods because moving keys out of the given key store poses security risks. Second, we want to avoid implementations which return an error for "unsupported" or "not implemented" and instead shift-left such that the implementation is determinable at build time (throwing an error isn't discovered until runtime whereas the implementation of a rust trait is determinable at build time).Instead, let's introduce a new trait, appropriately named
UnsafeKeyManagerwhich resolves both of these issues; it's named as such as to promote the exclusion of it (b/c what developer wants to use something "unsafe"? I suppose there is an assumption in there but I'm okay making it) & also the implementation of such a trait will be determinable at build time.