// Copyright 2015-2023 Benjamin Fry <benjaminfry@me.com>
//
// Licensed under the Apache License, Version 2.0, <LICENSE-APACHE or
// https://apache.org/licenses/LICENSE-2.0> or the MIT license <LICENSE-MIT or
// https://opensource.org/licenses/MIT>, at your option. This file may not be
// copied, modified, or distributed except according to those terms.

//! `Verifier` is a trait for performing the signature verification steps of the DNSSEC specification

10use alloc::sync::Arc;
11
12use super::{Algorithm, PublicKey, rdata::RRSIG, tbs::TBS};
13use crate::{
14 error::ProtoResult,
15 rr::{DNSClass, Name, Record},
16};
17
18/// Types which are able to verify DNS based signatures
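/// Types which are able to verify DNS based signatures
///
/// Implementors supply an [`Algorithm`] and a [`PublicKey`]; the provided
/// methods then perform the cryptographic check of a signature over either a
/// precomputed to-be-signed buffer (`verify`) or a full RRset (`verify_rrsig`).
pub trait Verifier {
    /// Return the algorithm which this Verifier covers
    fn algorithm(&self) -> Algorithm;

    /// Return the public key associated with this verifier
    ///
    /// # Errors
    ///
    /// Returns an error if the key material cannot be turned into a usable
    /// [`PublicKey`].
    fn key(&self) -> ProtoResult<Arc<dyn PublicKey + '_>>;

    /// Verifies the hash matches the signature with the current `key`.
    ///
    /// # Arguments
    ///
    /// * `hash` - the hash to be validated, see `rrset_tbs`
    /// * `signature` - the signature to use to verify the hash, extracted from an `RData::RRSIG`
    ///   for example.
    ///
    /// # Errors
    ///
    /// Returns `Ok(())` when the signature verifies against `hash` under this
    /// verifier's key. Returns an error if the key could not be obtained (see
    /// [`Verifier::key`]) or if the signature does not verify; the two cases are
    /// not distinguished here beyond the error value itself.
    fn verify(&self, hash: &[u8], signature: &[u8]) -> ProtoResult<()> {
        // Key construction is itself fallible; surface that error rather than
        // folding it into the signature check.
        let key = self.key()?;
        key.verify(hash, signature)
    }

    /// Verifies an RRSig with the associated key, e.g. DNSKEY
    ///
    /// The records are canonicalized into the to-be-signed form ([`TBS`])
    /// described by the RRSIG's input fields and then checked against the
    /// RRSIG's signature bytes via [`Verifier::verify`].
    ///
    /// Only the cryptographic check is performed here. This method does not
    /// itself compare the RRSIG's algorithm with [`Verifier::algorithm`], does
    /// not confirm that the RRSIG was issued for this key (signer name, key
    /// tag), and does not check the signature's inception/expiration window.
    /// Callers must apply those checks before trusting an `Ok(())` result.
    ///
    /// # Arguments
    ///
    /// * `name` - name associated with the rrsig being validated
    /// * `dns_class` - DNSClass of the records, generally IN
    /// * `sig` - signature record being validated
    /// * `records` - Records covered by SIG
    ///
    /// # Errors
    ///
    /// Returns an error if the to-be-signed buffer cannot be built from the
    /// inputs, or if the signature fails to verify.
    fn verify_rrsig<'a>(
        &self,
        name: &Name,
        dns_class: DNSClass,
        sig: &RRSIG,
        records: impl Iterator<Item = &'a Record>,
    ) -> ProtoResult<()> {
        let rrset_tbs = TBS::from_input(name, dns_class, sig.input(), records)?;
        self.verify(rrset_tbs.as_ref(), sig.sig())
    }
}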
60}