hickory_proto::rr::dnssec::public_key

Trait PublicKey

Source 
pub trait PublicKey {
    // Required methods
    fn public_bytes(&self) -> &[u8] ;
    fn verify(
        &self,
        algorithm: Algorithm,
        message: &[u8],
        signature: &[u8],
    ) -> Result<(), ProtoError>;

    // Provided methods
    fn to_sig0key(&self, algorithm: Algorithm) -> KEY { ... }
    fn to_sig0key_with_usage(
        &self,
        algorithm: Algorithm,
        usage: KeyUsage,
    ) -> KEY { ... }
    fn to_ds(
        &self,
        name: &Name,
        algorithm: Algorithm,
        digest_type: DigestType,
    ) -> DnsSecResult<DS> { ... }
    fn to_dnskey(&self, algorithm: Algorithm) -> DNSKEY { ... }
    fn key_tag(&self) -> u16 { ... }
}
Available on crate feature dnssec only.
Expand description

PublicKeys implement the ability to ideally be zero copy abstractions over public keys for verifying signed content.

In DNS the KEY and DNSKEY types are generally the RData types which store public key material.

Required Methods§

Source

fn public_bytes(&self) -> &[u8]

Returns the public bytes of the public key, in DNS format

Source

fn verify( &self, algorithm: Algorithm, message: &[u8], signature: &[u8], ) -> Result<(), ProtoError>

Verifies the hash matches the signature with the current key.

§Arguments
  • message - the message to be validated, see hash_rrset
  • signature - the signature to use to verify the hash, extracted from an RData::RRSIG for example.
§Return value

True if and only if the signature is valid for the hash. This will always return false if the key.

Provided Methods§

Source

fn to_sig0key(&self, algorithm: Algorithm) -> KEY

Convert this keypair into a KEY record type for usage with SIG0 with key type entity (KeyUsage::Entity).

§Arguments
  • algorithm - algorithm of the KEY
§Return

the KEY record data

Source

fn to_sig0key_with_usage(&self, algorithm: Algorithm, usage: KeyUsage) -> KEY

Convert this keypair into a KEY record type for usage with SIG0 with a given key (usage) type.

§Arguments
  • algorithm - algorithm of the KEY
  • usage - the key type
§Return

the KEY record data

Source

fn to_ds( &self, name: &Name, algorithm: Algorithm, digest_type: DigestType, ) -> DnsSecResult<DS>

Creates a DS record for this KeyPair associated to the given name

§Arguments
  • name - name of the DNSKEY record covered by the new DS record
  • algorithm - the algorithm of the DNSKEY
  • digest_type - the digest_type used to
Source

fn to_dnskey(&self, algorithm: Algorithm) -> DNSKEY

Creates a Record that represents the public key for this Signer

§Arguments
  • algorithm - algorithm of the DNSKEY
§Return

the DNSKEY record data

Source

fn key_tag(&self) -> u16

The key tag is calculated as a hash to more quickly lookup a DNSKEY.

RFC 1035, DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION, November 1987

RFC 2535                DNS Security Extensions               March 1999

4.1.6 Key Tag Field

 The "key Tag" is a two octet quantity that is used to efficiently
 select between multiple keys which may be applicable and thus check
 that a public key about to be used for the computationally expensive
 effort to check the signature is possibly valid.  For algorithm 1
 (MD5/RSA) as defined in [RFC 2537], it is the next to the bottom two
 octets of the public key modulus needed to decode the signature
 field.  That is to say, the most significant 16 of the least
 significant 24 bits of the modulus in network (big endian) order. For
 all other algorithms, including private algorithms, it is calculated
 as a simple checksum of the KEY RR as described in Appendix C.

Appendix C: Key Tag Calculation

 The key tag field in the SIG RR is just a means of more efficiently
 selecting the correct KEY RR to use when there is more than one KEY
 RR candidate available, for example, in verifying a signature.  It is
 possible for more than one candidate key to have the same tag, in
 which case each must be tried until one works or all fail.  The
 following reference implementation of how to calculate the Key Tag,
 for all algorithms other than algorithm 1, is in ANSI C.  It is coded
 for clarity, not efficiency.  (See section 4.1.6 for how to determine
 the Key Tag of an algorithm 1 key.)

 /* assumes int is at least 16 bits
    first byte of the key tag is the most significant byte of return
    value
    second byte of the key tag is the least significant byte of
    return value
    */

 int keytag (

         unsigned char key[],  /* the RDATA part of the KEY RR */
         unsigned int keysize, /* the RDLENGTH */
         )
 {
 long int    ac;    /* assumed to be 32 bits or larger */

 for ( ac = 0, i = 0; i < keysize; ++i )
     ac += (i&1) ? key[i] : key[i]<<8;
 ac += (ac>>16) & 0xFFFF;
 return ac & 0xFFFF;
 }

Implementors§

Source§

impl PublicKey for PublicKeyBuf

Source§

impl PublicKey for Ec

Available on crate feature dnssec-ring only.
Source§

impl<'k> PublicKey for PublicKeyEnum<'k>

Source§

impl<'k> PublicKey for Ed25519<'k>

Available on crate feature dnssec-ring only.
Source§

impl<'k> PublicKey for Rsa<'k>

Available on crate features dnssec-openssl or dnssec-ring only.