Struct KeyPair

pub struct KeyPair<PublicKey: ByteArray<CRYPTO_BOX_PUBLICKEYBYTES> + Zeroize, SecretKey: ByteArray<CRYPTO_BOX_SECRETKEYBYTES> + Zeroize> {
    pub public_key: PublicKey,
    pub secret_key: SecretKey,
}

Public/private keypair for use with crate::dryocbox::DryocBox, aka libsodium box

Fields

public_key: PublicKey

Public key

secret_key: SecretKey

Secret key

Implementations

impl KeyPair<Locked<HeapByteArray<CRYPTO_BOX_PUBLICKEYBYTES>>, Locked<HeapByteArray<CRYPTO_BOX_SECRETKEYBYTES>>>

pub fn new_locked_keypair() -> Result<Self, Error>

Available on crate feature nightly only.

Returns a new locked keypair.

pub fn gen_locked_keypair() -> Result<Self, Error>

Available on crate feature nightly only.

Returns a new randomly generated locked keypair.

pub fn precalculate_locked<OtherPublicKey: ByteArray<CRYPTO_BOX_PUBLICKEYBYTES>>( &self, third_party_public_key: &OtherPublicKey, ) -> Result<PrecalcSecretKey<Locked<HeapByteArray<CRYPTO_BOX_BEFORENMBYTES>>>, Error>

Available on crate feature nightly only.

Computes a heap-allocated, page-aligned, locked shared secret key using a secret key from this keypair and third_party_public_key.

Compatible with libsodium’s crypto_box_beforenm.

impl KeyPair<LockedRO<HeapByteArray<CRYPTO_BOX_PUBLICKEYBYTES>>, LockedRO<HeapByteArray<CRYPTO_BOX_SECRETKEYBYTES>>>

pub fn gen_readonly_locked_keypair() -> Result<Self, Error>

Available on crate feature nightly only.

Returns a new randomly generated locked, read-only keypair.

pub fn precalculate_readonly_locked<OtherPublicKey: ByteArray<CRYPTO_BOX_PUBLICKEYBYTES>>( &self, third_party_public_key: &OtherPublicKey, ) -> Result<PrecalcSecretKey<LockedRO<HeapByteArray<CRYPTO_BOX_BEFORENMBYTES>>>, Error>

Available on crate feature nightly only.

Computes a heap-allocated, page-aligned, locked, read-only shared secret key using a secret key from this keypair and third_party_public_key.

Compatible with libsodium’s crypto_box_beforenm.

impl<PublicKey: NewByteArray<CRYPTO_BOX_PUBLICKEYBYTES> + Zeroize, SecretKey: NewByteArray<CRYPTO_BOX_SECRETKEYBYTES> + Zeroize> KeyPair<PublicKey, SecretKey>

pub fn new() -> Self

Creates a new, empty keypair.

pub fn gen() -> Self

Generates a random keypair.

pub fn from_secret_key(secret_key: SecretKey) -> Self

Derives a keypair from secret_key, and consumes it, and returns a new keypair.

pub fn from_seed<Seed: Bytes>(seed: &Seed) -> Self

Derives a keypair from seed, returning a new keypair.

impl KeyPair<StackByteArray<CRYPTO_BOX_PUBLICKEYBYTES>, StackByteArray<CRYPTO_BOX_SECRETKEYBYTES>>

pub fn gen_with_defaults() -> Self

Randomly generates a new keypair, using default types (stack-allocated byte arrays). Provided for convenience.

impl<'a, PublicKey: ByteArray<CRYPTO_BOX_PUBLICKEYBYTES> + TryFrom<&'a [u8]> + Zeroize, SecretKey: ByteArray<CRYPTO_BOX_SECRETKEYBYTES> + TryFrom<&'a [u8]> + Zeroize> KeyPair<PublicKey, SecretKey>

pub fn from_slices( public_key: &'a [u8], secret_key: &'a [u8], ) -> Result<Self, Error>

Constructs a new keypair from key slices, consuming them. Does not check validity or authenticity of keypair.

impl<PublicKey: ByteArray<CRYPTO_BOX_PUBLICKEYBYTES> + Zeroize, SecretKey: ByteArray<CRYPTO_BOX_SECRETKEYBYTES> + Zeroize> KeyPair<PublicKey, SecretKey>

pub fn is_valid_public_key<PK: ByteArray<CRYPTO_BOX_PUBLICKEYBYTES>>( key: &PK, ) -> bool

Checks if the given public key is valid according to X25519 rules.

For X25519 (crypto_box, DryocBox), a public key is considered valid if:

• It is not the all-zero point [0, ..., 0].
• The high bit of the last byte is 0.

This function verifies these conditions.

Note: This validation is specific to X25519 keys used in Diffie-Hellman key exchange (crypto_box). It primarily aims to exclude degenerate keys and does not explicitly verify that the point lies on the underlying curve, unlike stricter Ed25519 point validation (see crypto_core_ed25519_is_valid_point).

Validating Protected Keys

You can validate keys stored in protected memory directly, as the validation functions operate on references.

use dryoc::constants::{CRYPTO_BOX_PUBLICKEYBYTES, CRYPTO_BOX_SECRETKEYBYTES};
use dryoc::keypair::protected::{HeapByteArray, LockedRO};
use dryoc::keypair::{KeyPair, PublicKey, SecretKey};

// Generate a keypair stored in locked, read-only memory
let protected_kp: KeyPair<
    LockedRO<HeapByteArray<CRYPTO_BOX_PUBLICKEYBYTES>>,
    LockedRO<HeapByteArray<CRYPTO_BOX_SECRETKEYBYTES>>,
> = KeyPair::gen_readonly_locked_keypair().expect("Failed to generate locked keypair");

// Validate the Ed25519 public key using the relaxed rules appropriate for
// keys generated by crypto_sign_keypair (even though this is an X25519 keypair,
// the validation function itself can be called).
// Note: For an actual Ed25519 keypair from crypto_sign, you'd use the
// crypto_core_ed25519_is_valid_point_relaxed function directly.
// Here we demonstrate calling the KeyPair method.
let is_valid = KeyPair::<
    LockedRO<HeapByteArray<CRYPTO_BOX_PUBLICKEYBYTES>>,
    LockedRO<HeapByteArray<CRYPTO_BOX_SECRETKEYBYTES>>,
>::is_valid_ed25519_key(&protected_kp.public_key);

// For keys generated by crypto_sign_keypair, relaxed validation should pass.
// (This assertion might depend on the specific key generation details,
// but illustrates the call)
// assert!(is_valid, "Protected key should be valid (relaxed check)");

// Similarly, validate the X25519 public key
let is_x25519_valid = KeyPair::<
    LockedRO<HeapByteArray<CRYPTO_BOX_PUBLICKEYBYTES>>,
    LockedRO<HeapByteArray<CRYPTO_BOX_SECRETKEYBYTES>>,
>::is_valid_public_key(&protected_kp.public_key);

assert!(is_x25519_valid, "Protected X25519 key should be valid");

pub fn is_valid_ed25519_key<PK: ByteArray<CRYPTO_BOX_PUBLICKEYBYTES>>( key: &PK, ) -> bool

Checks if the given key is a valid Ed25519 public key, using relaxed validation rules that allow the high bit to be set.

For Ed25519 public keys, generated by crypto_sign_keypair(), we need to use more permissive validation since these keys can have the high bit set.

This method should be used for validating Ed25519 keys (used in signatures), while is_valid_public_key should be used for X25519 keys (used in crypto_box).

pub fn kx_new_client_session<SessionKey: NewByteArray<CRYPTO_KX_SESSIONKEYBYTES> + Zeroize>( &self, server_public_key: &PublicKey, ) -> Result<Session<SessionKey>, Error>

Creates new client session keys using this keypair and server_public_key, assuming this keypair is for the client.

pub fn kx_new_server_session<SessionKey: NewByteArray<CRYPTO_KX_SESSIONKEYBYTES> + Zeroize>( &self, client_public_key: &PublicKey, ) -> Result<Session<SessionKey>, Error>

Creates new server session keys using this keypair and client_public_key, assuming this keypair is for the server.

pub fn precalculate( &self, third_party_public_key: &PublicKey, ) -> PrecalcSecretKey<StackByteArray<CRYPTO_BOX_BEFORENMBYTES>>

Computes a stack-allocated shared secret key using a secret key from this keypair and third_party_public_key.

Compatible with libsodium’s crypto_box_beforenm.

Trait Implementations

impl<PublicKey: Clone + ByteArray<CRYPTO_BOX_PUBLICKEYBYTES> + Zeroize, SecretKey: Clone + ByteArray<CRYPTO_BOX_SECRETKEYBYTES> + Zeroize> Clone for KeyPair<PublicKey, SecretKey>

fn clone(&self) -> KeyPair<PublicKey, SecretKey>

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl<PublicKey: Debug + ByteArray<CRYPTO_BOX_PUBLICKEYBYTES> + Zeroize, SecretKey: Debug + ByteArray<CRYPTO_BOX_SECRETKEYBYTES> + Zeroize> Debug for KeyPair<PublicKey, SecretKey>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<PublicKey: NewByteArray<CRYPTO_BOX_PUBLICKEYBYTES> + Zeroize, SecretKey: NewByteArray<CRYPTO_BOX_SECRETKEYBYTES> + Zeroize> Default for KeyPair<PublicKey, SecretKey>

fn default() -> Self

Returns the “default value” for a type.

impl<'de, PublicKey, SecretKey> Deserialize<'de> for KeyPair<PublicKey, SecretKey>

where PublicKey: Deserialize<'de> + ByteArray<CRYPTO_BOX_PUBLICKEYBYTES> + Zeroize, SecretKey: Deserialize<'de> + ByteArray<CRYPTO_BOX_SECRETKEYBYTES> + Zeroize,

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl<PublicKey: ByteArray<CRYPTO_BOX_PUBLICKEYBYTES> + Zeroize, SecretKey: ByteArray<CRYPTO_BOX_SECRETKEYBYTES> + Zeroize> Drop for KeyPair<PublicKey, SecretKey>

fn drop(&mut self)

Executes the destructor for this type.

impl<PublicKey: ByteArray<CRYPTO_BOX_PUBLICKEYBYTES> + Zeroize, SecretKey: ByteArray<CRYPTO_BOX_SECRETKEYBYTES> + Zeroize> PartialEq for KeyPair<PublicKey, SecretKey>

fn eq(&self, other: &Self) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl<PublicKey, SecretKey> Serialize for KeyPair<PublicKey, SecretKey>

where PublicKey: Serialize + ByteArray<CRYPTO_BOX_PUBLICKEYBYTES> + Zeroize, SecretKey: Serialize + ByteArray<CRYPTO_BOX_SECRETKEYBYTES> + Zeroize,

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl<PublicKey, SecretKey> Zeroize for KeyPair<PublicKey, SecretKey>

where PublicKey: Zeroize + ByteArray<CRYPTO_BOX_PUBLICKEYBYTES>, SecretKey: Zeroize + ByteArray<CRYPTO_BOX_SECRETKEYBYTES>,

fn zeroize(&mut self)

Zero out this object from memory using Rust intrinsics which ensure the zeroization operation is not “optimized away” by the compiler.