Module safe_bag


SafeBag — ndn-cxx interop wrapper for transferring an identity (a certificate plus its password-encrypted private key) between machines.

§Wire format

Pinned to ndn-cxx tag ndn-cxx-0.9.0, files ndn-cxx/encoding/tlv-security.hpp:34-35 and ndn-cxx/security/safe-bag.{hpp,cpp}. Spec link inside ndn-cxx: ../specs/safe-bag.html. The wire layout is two nested TLVs inside a SafeBag outer TLV:

SafeBag (TLV 128 = 0x80) {
  Data         (TLV 6 = 0x06) -- the full certificate Data packet
  EncryptedKey (TLV 129 = 0x81) -- PKCS#8 EncryptedPrivateKeyInfo DER
}

The certificate is stored as the complete Data packet wire encoding, including its own outer 0x06 header. The EncryptedKey body is the raw DER of an EncryptedPrivateKeyInfo produced by the RustCrypto pkcs8 crate’s encryption feature, which in turn uses PBES2 with PBKDF2-HMAC-SHA256 for key derivation and AES-256-CBC for content encryption — exactly the defaults that OpenSSL’s i2d_PKCS8PrivateKey_bio produces on modern releases, which is what ndn-cxx’s BackEndFile::doExportKey calls.
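
The layout above, as an added std-only example that is not this module's API: it splits a SafeBag into the certificate Data wire (outer 0x06 header kept) and the EncryptedKey DER, rejecting truncated, misordered or trailing input. The function names are hypothetical and the sample bytes are constructed placeholders; decrypting the PKCS#8 blob is out of scope here.

```rust
// Added illustration: std-only SafeBag splitter; names are hypothetical, not the ndn-rs API.
const TLV_SAFE_BAG: u64 = 0x80;
const TLV_DATA: u64 = 0x06;
const TLV_ENCRYPTED_KEY: u64 = 0x81;

/// Read one NDN variable-length number (a TLV type or length); returns (value, bytes consumed).
fn read_varnum(buf: &[u8]) -> Option<(u64, usize)> {
    let n = match *buf.first()? {
        b @ 0..=252 => return Some((b as u64, 1)), // value fits in the first octet
        253 => 2, // next 2 octets, big-endian
        254 => 4, // next 4 octets
        255 => 8, // next 8 octets
    };
    let bytes = buf.get(1..1 + n)?;
    Some((bytes.iter().fold(0u64, |acc, &b| (acc << 8) | b as u64), 1 + n))
}

/// Read one TLV element; returns (type, value, element length including its header).
fn read_tlv(buf: &[u8]) -> Option<(u64, &[u8], usize)> {
    let (typ, t_len) = read_varnum(buf)?;
    let (len, l_len) = read_varnum(&buf[t_len..])?;
    let start = t_len + l_len;
    // Bounds-check the declared length before trusting it.
    if len > (buf.len() - start) as u64 { return None; }
    let end = start + len as usize;
    Some((typ, &buf[start..end], end))
}

/// Split a SafeBag into (certificate Data wire incl. 0x06 header, EncryptedKey DER).
fn decode_safe_bag(wire: &[u8]) -> Result<(&[u8], &[u8]), &'static str> {
    let (typ, body, used) = read_tlv(wire).ok_or("truncated SafeBag")?;
    if typ != TLV_SAFE_BAG || used != wire.len() { return Err("not a single SafeBag TLV"); }
    let (typ, _, cert_len) = read_tlv(body).ok_or("truncated Data")?;
    if typ != TLV_DATA { return Err("expected Data (0x06) first"); }
    let (typ, key, key_len) = read_tlv(&body[cert_len..]).ok_or("truncated EncryptedKey")?;
    if typ != TLV_ENCRYPTED_KEY { return Err("expected EncryptedKey (0x81)"); }
    if cert_len + key_len != body.len() { return Err("trailing bytes in SafeBag"); }
    Ok((&body[..cert_len], key))
}

fn main() {
    // Constructed sample: placeholder bytes, not a real certificate or key.
    let wire = [0x80, 0x09, 0x06, 0x02, 0xAA, 0xBB, 0x81, 0x03, 0x30, 0x01, 0x00];
    let (cert, key) = decode_safe_bag(&wire).unwrap();
    println!("cert wire = {:02x?}, encrypted key DER = {:02x?}", cert, key);
}
```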

§Algorithm support (path C of the FileTpm design discussion)

  • RSA — convert PKCS#1 RSAPrivateKey (FileTpm on-disk form) to PKCS#8 PrivateKeyInfo, then encrypt. Roundtrips with ndnsec export / ndnsec import.
  • ECDSA-P256 — convert SEC1 ECPrivateKey to PKCS#8, then encrypt. Roundtrips with ndnsec.
  • Ed25519 — already PKCS#8 on disk (sentinel suffix); encrypt directly. ndn-rs ↔ ndn-rs interop only — ndn-cxx tpm-file does not handle Ed25519 keys regardless of how they’re transferred.

Structs§

SafeBag
A decoded SafeBag — the certificate Data wire bytes and the password-encrypted PKCS#8 private key DER.

Enums§

SafeBagError
Errors specific to SafeBag encode/decode and PKCS#8 encryption.