hickory_proto/dnssec/
algorithm.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
// Copyright 2015-2022 Benjamin Fry <benjaminfry@me.com>
//
// Licensed under the Apache License, Version 2.0, <LICENSE-APACHE or
// https://apache.org/licenses/LICENSE-2.0> or the MIT license <LICENSE-MIT or
// https://opensource.org/licenses/MIT>, at your option. This file may not be
// copied, modified, or distributed except according to those terms.

// needed for the derive statements on algorithm
//   this issue in rustc would help narrow the statement: https://github.com/rust-lang/rust/issues/62398
#![allow(deprecated, clippy::use_self)]

use std::fmt;
use std::fmt::{Display, Formatter};

#[cfg(feature = "serde")]
use serde::{Deserialize, Serialize};

use crate::error::*;
use crate::serialize::binary::*;

/// DNSSEC signing and validation algorithms.
///
/// For [reference](https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml)
///  the iana documents have all the officially registered algorithms.
///
/// [RFC 6944](https://tools.ietf.org/html/rfc6944), DNSSEC DNSKEY Algorithm Status, April 2013
///
/// ```text
///
/// 2.2.  Algorithm Implementation Status Assignment Rationale
///
/// RSASHA1 has an implementation status of Must Implement, consistent
/// with [RFC4034].  RSAMD5 has an implementation status of Must Not
/// Implement because of known weaknesses in MD5.
///
/// The status of RSASHA1-NSEC3-SHA1 is set to Recommended to Implement
/// as many deployments use NSEC3.  The status of RSA/SHA-256 and RSA/
/// SHA-512 are also set to Recommended to Implement as major deployments
/// (such as the root zone) use these algorithms [ROOTDPS].  It is
/// believed that RSA/SHA-256 or RSA/SHA-512 algorithms will replace
/// older algorithms (e.g., RSA/SHA-1) that have a perceived weakness.
///
/// Likewise, ECDSA with the two identified curves (ECDSAP256SHA256 and
/// ECDSAP384SHA384) is an algorithm that may see widespread use due to
/// the perceived similar level of security offered with smaller key size
/// compared to the key sizes of algorithms such as RSA.  Therefore,
/// ECDSAP256SHA256 and ECDSAP384SHA384 are Recommended to Implement.
///
/// All other algorithms used in DNSSEC specified without an
/// implementation status are currently set to Optional.
///
/// 2.3.  DNSSEC Implementation Status Table
///
/// The DNSSEC algorithm implementation status table is listed below.
/// Only the algorithms already specified for use with DNSSEC at the time
/// of writing are listed.
///
///  +------------+------------+-------------------+-------------------+
///  |    Must    |  Must Not  |    Recommended    |      Optional     |
///  |  Implement | Implement  |   to Implement    |                   |
///  +------------+------------+-------------------+-------------------+
///  |            |            |                   |                   |
///  |   RSASHA1  |   RSAMD5   |   RSASHA256       |   Any             |
///  |            |            |   RSASHA1-NSEC3   |   registered      |
///  |            |            |    -SHA1          |   algorithm       |
///  |            |            |   RSASHA512       |   not listed in   |
///  |            |            |   ECDSAP256SHA256 |   this table      |
///  |            |            |   ECDSAP384SHA384 |                   |
///  +------------+------------+-------------------+-------------------+
///
///    This table does not list the Reserved values in the IANA registry
///    table or the values for INDIRECT (252), PRIVATE (253), and PRIVATEOID
///    (254).  These values may relate to more than one algorithm and are
///    therefore up to the implementer's discretion.  As noted, any
///    algorithm not listed in the table is Optional.  As of this writing,
///    the Optional algorithms are DSASHA1, DH, DSA-NSEC3-SHA1, and GOST-
///    ECC, but in general, anything not explicitly listed is Optional.
///
/// 2.4.  Specifying New Algorithms and Updating the Status of Existing
///       Entries
///
///    [RFC6014] establishes a parallel procedure for adding a registry
///    entry for a new algorithm other than a standards track document.
///    Because any algorithm not listed in the foregoing table is Optional,
///    algorithms entered into the registry using the [RFC6014] procedure
///    are automatically Optional.
///
///    It has turned out to be useful for implementations to refer to a
///    single document that specifies the implementation status of every
///    algorithm.  Accordingly, when a new algorithm is to be registered
///    with a status other than Optional, this document shall be made
///    obsolete by a new document that adds the new algorithm to the table
///    in Section 2.3.  Similarly, if the status of any algorithm in the
///    table in Section 2.3 changes, a new document shall make this document
///    obsolete; that document shall include a replacement of the table in
///    Section 2.3.  This way, the goal of having one authoritative document
///    to specify all the status values is achieved.
///
///    This document cannot be updated, only made obsolete and replaced by a
///    successor document.
/// ```
#[cfg_attr(feature = "serde", derive(Deserialize, Serialize))]
#[derive(Clone, Copy, PartialEq, Eq, Hash, PartialOrd, Ord, Debug)]
#[non_exhaustive]
pub enum Algorithm {
    /// DO NOT USE, MD5 is a compromised hashing function, it is here for backward compatibility
    #[deprecated(
        note = "this is a compromised hashing function, it is here for backward compatibility"
    )]
    RSAMD5,
    /// DO NOT USE, DSA is a compromised hashing function, it is here for backward compatibility
    #[deprecated(
        note = "this is a compromised hashing function, it is here for backward compatibility"
    )]
    DSA,
    /// DO NOT USE, SHA1 is a compromised hashing function, it is here for backward compatibility
    #[deprecated(
        note = "this is a compromised hashing function, it is here for backward compatibility"
    )]
    RSASHA1,
    /// DO NOT USE, SHA1 is a compromised hashing function, it is here for backward compatibility
    #[deprecated(
        note = "this is a compromised hashing function, it is here for backward compatibility"
    )]
    RSASHA1NSEC3SHA1,
    /// RSA public key with SHA256 hash
    RSASHA256,
    /// RSA public key with SHA512 hash
    RSASHA512,
    /// [rfc6605](https://tools.ietf.org/html/rfc6605)
    ECDSAP256SHA256,
    /// [rfc6605](https://tools.ietf.org/html/rfc6605)
    ECDSAP384SHA384,
    /// [draft-ietf-curdle-dnskey-eddsa-03](https://tools.ietf.org/html/draft-ietf-curdle-dnskey-eddsa-03)
    ED25519,
    /// An unknown algorithm identifier
    Unknown(u8),
}

impl Algorithm {
    /// <https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml>
    pub fn from_u8(value: u8) -> Self {
        #[allow(deprecated)]
        match value {
            1 => Self::RSAMD5,
            3 => Self::DSA,
            5 => Self::RSASHA1,
            7 => Self::RSASHA1NSEC3SHA1,
            8 => Self::RSASHA256,
            10 => Self::RSASHA512,
            13 => Self::ECDSAP256SHA256,
            14 => Self::ECDSAP384SHA384,
            15 => Self::ED25519,
            _ => Self::Unknown(value),
        }
    }

    /// Whether this algorithm is supported by hickory's build settings
    pub fn is_supported(&self) -> bool {
        match self {
            #[cfg(any(feature = "dnssec-openssl", feature = "dnssec-ring"))]
            Algorithm::ECDSAP256SHA256
            | Algorithm::ECDSAP384SHA384
            | Algorithm::RSASHA1
            | Algorithm::RSASHA1NSEC3SHA1
            | Algorithm::RSASHA256
            | Algorithm::RSASHA512 => true,
            #[cfg(feature = "dnssec-ring")]
            Algorithm::ED25519 => true,
            _ => false,
        }
    }

    /// length in bytes that the hash portion of this function will produce
    pub fn hash_len(self) -> Option<usize> {
        match self {
            Self::RSAMD5 => Some(16),                                       // 128 bits
            Self::DSA | Self::RSASHA1 | Self::RSASHA1NSEC3SHA1 => Some(20), // 160 bits
            Self::RSASHA256 | Self::ECDSAP256SHA256 | Self::ED25519 => Some(32), // 256 bits
            Self::ECDSAP384SHA384 => Some(48),
            Self::RSASHA512 => Some(64), // 512 bites
            Self::Unknown(_) => None,
        }
    }

    /// Convert to string form
    #[deprecated(note = "use as_str instead")]
    pub fn to_str(self) -> &'static str {
        self.as_str()
    }

    /// Convert to string form
    pub fn as_str(self) -> &'static str {
        match self {
            Self::RSAMD5 => "RSAMD5",
            Self::DSA => "DSA",
            Self::RSASHA1 => "RSASHA1",
            Self::RSASHA256 => "RSASHA256",
            Self::RSASHA1NSEC3SHA1 => "RSASHA1-NSEC3-SHA1",
            Self::RSASHA512 => "RSASHA512",
            Self::ECDSAP256SHA256 => "ECDSAP256SHA256",
            Self::ECDSAP384SHA384 => "ECDSAP384SHA384",
            Self::ED25519 => "ED25519",
            Self::Unknown(_) => "Unknown",
        }
    }
}

impl BinEncodable for Algorithm {
    fn emit(&self, encoder: &mut BinEncoder<'_>) -> ProtoResult<()> {
        encoder.emit(u8::from(*self))
    }
}

impl<'r> BinDecodable<'r> for Algorithm {
    // https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
    fn read(decoder: &mut BinDecoder<'r>) -> ProtoResult<Self> {
        let algorithm_id =
            decoder.read_u8()?.unverified(/*Algorithm is verified as safe in processing this*/);
        Ok(Self::from_u8(algorithm_id))
    }
}

impl From<Algorithm> for &'static str {
    fn from(a: Algorithm) -> &'static str {
        a.as_str()
    }
}

impl From<Algorithm> for u8 {
    fn from(a: Algorithm) -> Self {
        match a {
            Algorithm::RSAMD5 => 1,
            Algorithm::DSA => 3,
            Algorithm::RSASHA1 => 5,
            Algorithm::RSASHA1NSEC3SHA1 => 7,
            Algorithm::RSASHA256 => 8,
            Algorithm::RSASHA512 => 10,
            Algorithm::ECDSAP256SHA256 => 13,
            Algorithm::ECDSAP384SHA384 => 14,
            Algorithm::ED25519 => 15,
            Algorithm::Unknown(v) => v,
        }
    }
}

impl Display for Algorithm {
    fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), fmt::Error> {
        f.write_str(self.as_str())
    }
}

#[test]
fn test_into() {
    for algorithm in &[
        Algorithm::RSAMD5,
        Algorithm::DSA,
        Algorithm::RSASHA1,
        Algorithm::RSASHA256,
        Algorithm::RSASHA1NSEC3SHA1,
        Algorithm::RSASHA512,
        Algorithm::ECDSAP256SHA256,
        Algorithm::ECDSAP384SHA384,
        Algorithm::ED25519,
    ] {
        assert_eq!(*algorithm, Algorithm::from_u8(Into::<u8>::into(*algorithm)))
    }
}

#[test]
fn test_order() {
    let mut algorithms = [
        Algorithm::RSAMD5,
        Algorithm::DSA,
        Algorithm::RSASHA1,
        Algorithm::RSASHA256,
        Algorithm::RSASHA1NSEC3SHA1,
        Algorithm::RSASHA512,
        Algorithm::ECDSAP256SHA256,
        Algorithm::ECDSAP384SHA384,
        Algorithm::ED25519,
    ];

    algorithms.sort();

    for (got, expect) in algorithms.iter().zip(
        [
            Algorithm::RSAMD5,
            Algorithm::DSA,
            Algorithm::RSASHA1,
            Algorithm::RSASHA1NSEC3SHA1,
            Algorithm::RSASHA256,
            Algorithm::RSASHA512,
            Algorithm::ECDSAP256SHA256,
            Algorithm::ECDSAP384SHA384,
            Algorithm::ED25519,
        ]
        .iter(),
    ) {
        assert_eq!(got, expect);
    }
}