third_party/rust_crates/vendor/rustls/src/manual/howto.rs - fuchsia - Git at Google

 /*! # Customising private key usage

 By default rustls supports PKCS#8-format[^1] RSA or ECDSA keys, plus PKCS#1-format RSA keys.

 However, if your private key resides in a HSM, or in another process, or perhaps
 another machine, rustls has some extension points to support this:

 The main trait you must implement is [`sign::SigningKey`][signing_key]. The primary method here
 is [`choose_scheme`][choose_scheme] where you are given a set of [`SignatureScheme`s][sig_scheme] the client says
 it supports: you must choose one (or return `None` -- this aborts the handshake). Having
 done that, you return an implementation of the [`sign::Signer`][signer] trait.
 The [`sign()`][sign_method] performs the signature and returns it.

 (Unfortunately this is currently designed for keys with low latency access, like in a
 PKCS#11 provider, Microsoft CryptoAPI, etc. so is blocking rather than asynchronous.
 It's a TODO to make these and other extension points async.)

 Once you have these two pieces, configuring a server to use them involves, briefly:

 - packaging your `sign::SigningKey` with the matching certificate chain into a [`sign::CertifiedKey`][certified_key]
 - making a [`ResolvesServerCertUsingSNI`][cert_using_sni] and feeding in your `sign::CertifiedKey` for all SNI hostnames you want to use it for,
 - setting that as your `ServerConfig`'s [`cert_resolver`][cert_resolver]

 [signing_key]: ../../sign/trait.SigningKey.html
 [choose_scheme]: ../../sign/trait.SigningKey.html#tymethod.choose_scheme
 [sig_scheme]: ../../enum.SignatureScheme.html
 [signer]: ../../sign/trait.Signer.html
 [sign_method]: ../../sign/trait.Signer.html#tymethod.sign
 [certified_key]: ../../sign/struct.CertifiedKey.html
 [cert_using_sni]: ../../struct.ResolvesServerCertUsingSNI.html
 [cert_resolver]: ../../struct.ServerConfig.html#structfield.cert_resolver

 [^1]: For PKCS#8 it does not support password encryption -- there's not a meaningful threat
       model addressed by this, and the encryption supported is typically extremely poor.

 */
	/*! # Customising private key usage

	By default rustls supports PKCS#8-format[^1] RSA or ECDSA keys, plus PKCS#1-format RSA keys.

	However, if your private key resides in a HSM, or in another process, or perhaps
	another machine, rustls has some extension points to support this:

	The main trait you must implement is [`sign::SigningKey`][signing_key]. The primary method here
	is [`choose_scheme`][choose_scheme] where you are given a set of [`SignatureScheme`s][sig_scheme] the client says
	it supports: you must choose one (or return `None` -- this aborts the handshake). Having
	done that, you return an implementation of the [`sign::Signer`][signer] trait.
	The [`sign()`][sign_method] performs the signature and returns it.

	(Unfortunately this is currently designed for keys with low latency access, like in a
	PKCS#11 provider, Microsoft CryptoAPI, etc. so is blocking rather than asynchronous.
	It's a TODO to make these and other extension points async.)

	Once you have these two pieces, configuring a server to use them involves, briefly:

	- packaging your `sign::SigningKey` with the matching certificate chain into a [`sign::CertifiedKey`][certified_key]
	- making a [`ResolvesServerCertUsingSNI`][cert_using_sni] and feeding in your `sign::CertifiedKey` for all SNI hostnames you want to use it for,
	- setting that as your `ServerConfig`'s [`cert_resolver`][cert_resolver]

	[signing_key]: ../../sign/trait.SigningKey.html
	[choose_scheme]: ../../sign/trait.SigningKey.html#tymethod.choose_scheme
	[sig_scheme]: ../../enum.SignatureScheme.html
	[signer]: ../../sign/trait.Signer.html
	[sign_method]: ../../sign/trait.Signer.html#tymethod.sign
	[certified_key]: ../../sign/struct.CertifiedKey.html
	[cert_using_sni]: ../../struct.ResolvesServerCertUsingSNI.html
	[cert_resolver]: ../../struct.ServerConfig.html#structfield.cert_resolver

	[^1]: For PKCS#8 it does not support password encryption -- there's not a meaningful threat
	model addressed by this, and the encryption supported is typically extremely poor.

	*/