hickory-proto 0.26.0

hickory-proto is a safe and secure low-level DNS library. This is the foundational DNS protocol library used by the other higher-level Hickory DNS crates.
// Copyright 2015-2023 Benjamin Fry <benjaminfry@me.com>
//
// Licensed under the Apache License, Version 2.0, <LICENSE-APACHE or
// https://apache.org/licenses/LICENSE-2.0> or the MIT license <LICENSE-MIT or
// https://opensource.org/licenses/MIT>, at your option. This file may not be
// copied, modified, or distributed except according to those terms.

//! `Verifier` is a trait for performing many of the signature-verification processes of the DNSSEC specification

use alloc::sync::Arc;

use super::{Algorithm, PublicKey, rdata::RRSIG, tbs::TBS};
use crate::{
    error::ProtoResult,
    rr::{DNSClass, Name, Record},
};

/// Implemented by types that can check DNS signatures against a public key.
pub trait Verifier {
    /// Returns the algorithm that this verifier handles.
    fn algorithm(&self) -> Algorithm;

    /// Returns the public key that signatures are checked against.
    ///
    /// # Errors
    ///
    /// Fallible: implementations report an error when no key can be produced.
    fn key(&self) -> ProtoResult<Arc<dyn PublicKey + '_>>;

    /// Checks `signature` over `hash` using the key returned by [`Verifier::key`].
    ///
    /// # Arguments
    ///
    /// * `hash` - the signed data to check; `verify_rrsig` passes the bytes of the `TBS` it
    ///   builds for the RRset
    /// * `signature` - the signature bytes, for example extracted from an `RData::RRSIG`
    ///
    /// # Return value
    ///
    /// `Ok(())` when the key accepts the signature for the given data. There is no boolean
    /// result: any `Err`, whether it comes from fetching the key or from the key's own
    /// `verify`, means the data was not validated and callers should fail closed on it.
    fn verify(&self, hash: &[u8], signature: &[u8]) -> ProtoResult<()> {
        // Fetching the key is fallible; bail out before any signature check if it fails.
        let public_key = self.key()?;
        public_key.verify(hash, signature)
    }

    /// Verifies an RRSIG over a set of records with the associated key, e.g. a DNSKEY.
    ///
    /// # Arguments
    ///
    /// * `name` - name associated with the RRSIG being validated
    /// * `dns_class` - `DNSClass` of the records, generally IN
    /// * `sig` - signature record being validated
    /// * `records` - records covered by `sig`
    ///
    /// # Return value
    ///
    /// `Ok(())` when the signature in `sig` verifies over the to-be-signed data built from
    /// the arguments; an `Err` if building that data fails or the signature is rejected.
    ///
    /// NOTE(review): this default body only builds the `TBS` and checks the signature bytes.
    /// It does not itself compare the RRSIG validity period, key tag or signer name against
    /// the key; presumably `TBS::from_input` or the caller covers those checks. Confirm before
    /// treating `Ok(())` as full DNSSEC validation.
    fn verify_rrsig<'a>(
        &self,
        name: &Name,
        dns_class: DNSClass,
        sig: &RRSIG,
        records: impl Iterator<Item = &'a Record>,
    ) -> ProtoResult<()> {
        // Assemble the to-be-signed data from the RRSIG's input fields and the covered records.
        let to_be_signed = TBS::from_input(name, dns_class, sig.input(), records)?;
        let message: &[u8] = to_be_signed.as_ref();
        self.verify(message, sig.sig())
    }
}