Signet Forge 0.1.0
C++20 Parquet library with AI-native extensions
signet::forge::crypto::HsmClientStub Class Reference

Test stub implementing IKmsClient using software AES Key Wrap.

#include <hsm_client_stub.hpp>

Inheritance diagram for signet::forge::crypto::HsmClientStub:
signet::forge::crypto::IKmsClient

Public Member Functions

 HsmClientStub ()=default
 
expected< void > register_kek (const std::string &key_id, const std::vector< uint8_t > &kek)
 Register a KEK by ID. The key must be exactly 32 bytes (AES-256).
 
void register_kek (const std::string &key_id, const std::array< uint8_t, 32 > &kek)
 Register a KEK from a raw 32-byte array.
 
bool has_kek (const std::string &key_id) const
 Check if a KEK is registered.
 
size_t kek_count () const
 Number of registered KEKs.
 
expected< std::vector< uint8_t > > wrap_key (const std::vector< uint8_t > &dek, const std::string &master_key_id) const override
 Wrap (encrypt) a DEK under the KEK identified by master_key_id.
 
expected< std::vector< uint8_t > > unwrap_key (const std::vector< uint8_t > &wrapped_dek, const std::string &master_key_id) const override
 Unwrap (decrypt) a wrapped DEK using the KEK identified by master_key_id.
 
Public Member Functions inherited from signet::forge::crypto::IKmsClient
virtual ~IKmsClient ()=default
 

Detailed Description

Test stub implementing IKmsClient using software AES Key Wrap.

Simulates an HSM-backed KMS for integration testing. Keys are stored in process memory — NOT for production use.

Usage:

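// kek_bytes holds the 32-byte AES-256 KEK; config and encryptor are set up elsewhere.
auto hsm = std::make_shared<HsmClientStub>();
// The std::vector overload returns expected<void> and requires exactly 32 bytes.
hsm->register_kek("master-key-1", kek_bytes);
// Install the stub as the IKmsClient used for key wrapping.
config.kms_client = hsm;
auto wrapped = encryptor.wrap_keys();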

Definition at line 190 of file hsm_client_stub.hpp.

Constructor & Destructor Documentation

◆ HsmClientStub()

signet::forge::crypto::HsmClientStub::HsmClientStub ( )
default

Member Function Documentation

◆ has_kek()

bool signet::forge::crypto::HsmClientStub::has_kek ( const std::string &  key_id) const
inline

Check if a KEK is registered.

Definition at line 216 of file hsm_client_stub.hpp.

◆ kek_count()

size_t signet::forge::crypto::HsmClientStub::kek_count ( ) const
inline

Number of registered KEKs.

Definition at line 221 of file hsm_client_stub.hpp.

◆ register_kek() [1/2]

void signet::forge::crypto::HsmClientStub::register_kek ( const std::string &  key_id,
const std::array< uint8_t, 32 > &  kek 
)
inline

Register a KEK from a raw 32-byte array.

Definition at line 210 of file hsm_client_stub.hpp.

◆ register_kek() [2/2]

expected< void > signet::forge::crypto::HsmClientStub::register_kek ( const std::string &  key_id,
const std::vector< uint8_t > &  kek 
)
inline

Register a KEK by ID. The key must be exactly 32 bytes (AES-256).

Definition at line 195 of file hsm_client_stub.hpp.

◆ unwrap_key()

expected< std::vector< uint8_t > > signet::forge::crypto::HsmClientStub::unwrap_key ( const std::vector< uint8_t > &  wrapped_dek,
const std::string &  master_key_id 
) const
inline override virtual

Unwrap (decrypt) a wrapped DEK using the KEK identified by master_key_id.

Parameters
wrapped_dek: Wrapped DEK bytes (as returned by wrap_key).
master_key_id: KMS identifier for the Key Encryption Key (KEK).
Returns
Unwrapped (plaintext) DEK bytes, or error on KMS failure / auth failure.

Implements signet::forge::crypto::IKmsClient.

Definition at line 245 of file hsm_client_stub.hpp.

◆ wrap_key()

expected< std::vector< uint8_t > > signet::forge::crypto::HsmClientStub::wrap_key ( const std::vector< uint8_t > &  dek,
const std::string &  master_key_id 
) const
inline override virtual

Wrap (encrypt) a DEK under the KEK identified by master_key_id.

Parameters
dek: Raw Data Encryption Key bytes (typically 32 bytes for AES-256).
master_key_id: KMS identifier for the Key Encryption Key (KEK).
Returns
Wrapped (encrypted) DEK bytes, or error on KMS failure.

Implements signet::forge::crypto::IKmsClient.

Definition at line 225 of file hsm_client_stub.hpp.


The documentation for this class was generated from the following file: