pub struct TSigner(/* private fields */);
Available on crate feature dnssec only.
Struct to pass to a client for it to authenticate requests using TSIG.
Implementations
impl TSigner
pub fn new(key: Vec<u8>, algorithm: TsigAlgorithm, signer_name: Name, fudge: u16) -> ProtoResult<Self>
Create a new TSigner from its parts.
Arguments
- key - cryptographic key used to authenticate exchanges
- algorithm - algorithm used to authenticate exchanges
- signer_name - name of the key. Must match the name known to the server
- fudge - maximum difference between client and server time, in seconds; see fudge for details
pub fn algorithm(&self) -> &TsigAlgorithm
Return the algorithm used for message authentication
pub fn signer_name(&self) -> &Name
Name of the key used by this signer
pub fn fudge(&self) -> u16
Maximum time difference, in seconds, between the client time when issuing a message and the server time when receiving it. If the difference exceeds this value, the server will consider the request invalid. Longer values mean more room for replay by an attacker. A few minutes is usually a good value.
pub fn sign_message(&self, message: &Message, pre_tsig: &TSIG) -> ProtoResult<Vec<u8>>
Compute authentication tag for a message
pub fn verify(&self, tbv: &[u8], tag: &[u8]) -> ProtoResult<()>
Verify the HMAC in constant time to prevent timing attacks.
pub fn verify_message_byte(&self, previous_hash: Option<&[u8]>, message: &[u8], first_message: bool) -> ProtoResult<(Vec<u8>, Range<u64>, u64)>
Verify that the message is correctly signed. This does not perform time verification on its own; instead, the caller should verify that the current time lies in the returned Range.
Arguments
- previous_hash - hash of the last message received before this one, or of the query for the first message
- message - byte buffer containing the current message
- first_message - whether this is the first response message
Returns
Returns Ok(_) on a valid signature. The inner tuple contains the following values, in order:
- a byte buffer containing the hash of this message. It needs to be passed back as previous_hash when authenticating the next message
- a Range of time during which the message is acceptable
- the time the signature was emitted. It must be greater than or equal to the time of previous messages, if any
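The fudge documentation and the verify_message_byte return value both leave the time checks to the caller: the library verifies the HMAC, but whether the current time lies in the returned Range, and whether time_signed moves forward across a multi-message response, is the client's responsibility. The following is an added example, not code from hickory-proto / trust-dns, written against std only. It models the returned (hash, Range, time_signed) tuple as a struct and performs exactly those two checks over a chain of messages. The acceptable_window function is an assumption about how the Range is built, following the RFC 8945 rule that |time_signed - now| must not exceed fudge; the struct and function names are hypothetical, and the timestamps are constructed.

```rust
// Added example (not hickory-proto / trust-dns code): the caller-side time
// checks that TSigner::verify_message_byte leaves to the client.
use std::ops::Range;

/// Modelled after the `(Vec<u8>, Range<u64>, u64)` tuple verify_message_byte returns.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Verified {
    /// Hash of this message; fed back as `previous_hash` for the next one.
    pub hash: Vec<u8>,
    /// Wall-clock window (Unix seconds) in which the message is acceptable.
    pub window: Range<u64>,
    /// `time_signed` from the TSIG record, Unix seconds.
    pub time_signed: u64,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum TimeError {
    /// `now` lies outside the fudge window: clock skew or a replayed message.
    OutsideWindow { now: u64, window: Range<u64> },
    /// A later message in the chain carries an earlier `time_signed`.
    NotMonotonic { previous: u64, current: u64 },
}

/// Assumed window construction (RFC 8945 semantics): `now` is acceptable when
/// |time_signed - now| <= fudge. Expressed as a half-open Rust `Range`, so the
/// end is `time_signed + fudge + 1`; saturating arithmetic avoids under/overflow.
pub fn acceptable_window(time_signed: u64, fudge: u16) -> Range<u64> {
    let fudge = u64::from(fudge);
    let start = time_signed.saturating_sub(fudge);
    let end = time_signed.saturating_add(fudge).saturating_add(1);
    start..end
}

/// The two checks the documentation leaves to the caller: the current time
/// must lie in the window, and `time_signed` must not go backwards.
pub fn check_time(v: &Verified, previous_time_signed: Option<u64>, now: u64) -> Result<(), TimeError> {
    if !v.window.contains(&now) {
        return Err(TimeError::OutsideWindow { now, window: v.window.clone() });
    }
    if let Some(previous) = previous_time_signed {
        if v.time_signed < previous {
            return Err(TimeError::NotMonotonic { previous, current: v.time_signed });
        }
    }
    Ok(())
}

/// Walks a multi-message response (for example an AXFR) the way a client would:
/// check each message against `now` and against the previous `time_signed`,
/// stopping at the first failure. On success returns the last message's hash,
/// which is what would be passed as `previous_hash` for any further message.
pub fn check_chain(messages: &[Verified], now: u64) -> Result<Vec<u8>, (usize, TimeError)> {
    let mut previous_time: Option<u64> = None;
    let mut last_hash: Vec<u8> = Vec::new();
    for (index, v) in messages.iter().enumerate() {
        check_time(v, previous_time, now).map_err(|e| (index, e))?;
        previous_time = Some(v.time_signed);
        last_hash = v.hash.clone();
    }
    Ok(last_hash)
}

fn main() {
    // Constructed timestamps: "now" and a five-minute fudge as the docs suggest.
    let now: u64 = 1_700_000_000;
    let fudge: u16 = 300;

    let fresh = Verified {
        hash: vec![0xAA; 32],
        window: acceptable_window(now - 10, fudge),
        time_signed: now - 10,
    };
    // Signed an hour ago: a valid HMAC, but replayed outside the window.
    let replayed = Verified {
        hash: vec![0xBB; 32],
        window: acceptable_window(now - 3600, fudge),
        time_signed: now - 3600,
    };

    println!("fresh:    {:?}", check_time(&fresh, None, now));
    println!("replayed: {:?}", check_time(&replayed, None, now));
    println!("chain:    {:?}", check_chain(&[fresh, replayed], now));
}
```

The replayed message fails on the window check even though its signature would verify, which is why the fudge value directly bounds the replay window; the monotonic check catches a valid, in-window message being reinserted earlier in a multi-message stream.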