kms_stateless/
sealing_keys.rs

1// Copyright 2025 The Fuchsia Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5use fidl_fuchsia_security_keymint::{CreateError, SealError, UnsealError};
6use fuchsia_component::client;
7
8#[derive(Debug, thiserror::Error)]
9pub enum SealingKeysError {
10    #[error("Failed to connect to protocol: {0:?}")]
11    ConnectToProtocol(#[from] anyhow::Error),
12    #[error(transparent)]
13    Fidl(#[from] fidl::Error),
14    #[error("Failed to create {0:?}")]
15    Create(CreateError),
16    #[error("Failed to seal {0:?}")]
17    Seal(SealError),
18    #[error("Failed to unseal {0:?}")]
19    Unseal(UnsealError),
20}
21
22impl From<CreateError> for SealingKeysError {
23    fn from(e: CreateError) -> Self {
24        Self::Create(e)
25    }
26}
27
28impl From<SealError> for SealingKeysError {
29    fn from(e: SealError) -> Self {
30        Self::Seal(e)
31    }
32}
33
34impl From<UnsealError> for SealingKeysError {
35    fn from(e: UnsealError) -> Self {
36        Self::Unseal(e)
37    }
38}
39
40/// Convenience wrapper around fuchsia.security.keymint/SealingKeys::CreateSealingKey()
41///
42/// See //sdk/fidl/fuchsia.security.keymint/sealing_keys.fidl for more details.
43///
44/// Requires the caller to have the capability fuchsia.security.keymint.SealingKeys
45pub async fn create_sealing_key(key_info: &[u8]) -> Result<Vec<u8>, SealingKeysError> {
46    client::connect_to_protocol::<fidl_fuchsia_security_keymint::SealingKeysMarker>()?
47        .create_sealing_key(key_info)
48        .await?
49        .map_err(Into::into)
50}
51
52/// Convenience wrapper around fuchsia.security.keymint/SealingKeys:Seal()
53///
54/// See //sdk/fidl/fuchsia.security.keymint/sealing_keys.fidl for more details.
55///
56/// Requires the caller to have the capability fuchsia.security.keymint.SealingKeys
57pub async fn seal(
58    key_info: &[u8],
59    key_blob: &[u8],
60    secret: &[u8],
61) -> Result<Vec<u8>, SealingKeysError> {
62    client::connect_to_protocol::<fidl_fuchsia_security_keymint::SealingKeysMarker>()?
63        .seal(key_info, key_blob, secret)
64        .await?
65        .map_err(Into::into)
66}
67
68/// Convenience wrapper around fuchsia.security.keymint/SealingKeys::Unseal()
69///
70/// See //sdk/fidl/fuchsia.security.keymint/sealing_keys.fidl for more details.
71///
72/// Requires the caller to have the capability fuchsia.security.keymint.SealingKeys
73pub async fn unseal(
74    key_info: &[u8],
75    key_blob: &[u8],
76    sealed_secret: &[u8],
77) -> Result<Vec<u8>, SealingKeysError> {
78    client::connect_to_protocol::<fidl_fuchsia_security_keymint::SealingKeysMarker>()?
79        .unseal(key_info, key_blob, sealed_secret)
80        .await?
81        .map_err(Into::into)
82}