pub enum KeyPair<K> {
RSA(PKey<K>),
EC(PKey<K>),
ECDSA(EcdsaKeyPair),
ED25519(Ed25519KeyPair),
}dnssec only.Expand description
A public and private key pair, the private portion is not required.
This supports all the various public/private keys which Trust-DNS is capable of using. Given
differing features, some key types may not be available. The openssl feature will enable RSA and EC
(P256 and P384). The ring feature enables ED25519, in the future, Ring will also be used for other keys.
Variants
RSA(PKey<K>)
openssl only.RSA keypair, supported by OpenSSL
EC(PKey<K>)
openssl only.Elliptic curve keypair, supported by OpenSSL
ECDSA(EcdsaKeyPair)
ring only.ring ECDSA keypair
ED25519(Ed25519KeyPair)
ring only.ED25519 encryption and hash defined keypair
Implementations
sourceimpl<K> KeyPair<K>
impl<K> KeyPair<K>
sourcepub fn from_rsa(rsa: OpenSslRsa<K>) -> DnsSecResult<Self>
This is supported on crate feature openssl only.
pub fn from_rsa(rsa: OpenSslRsa<K>) -> DnsSecResult<Self>
openssl only.Creates an RSA type keypair.
sourcepub fn from_rsa_pkey(pkey: PKey<K>) -> Self
This is supported on crate feature openssl only.
pub fn from_rsa_pkey(pkey: PKey<K>) -> Self
openssl only.Given a known pkey of an RSA key, return the wrapped keypair
sourcepub fn from_ec_key(ec_key: EcKey<K>) -> DnsSecResult<Self>
This is supported on crate feature openssl only.
pub fn from_ec_key(ec_key: EcKey<K>) -> DnsSecResult<Self>
openssl only.Creates an EC, elliptic curve, type keypair, only P256 or P384 are supported.
sourcepub fn from_ec_pkey(pkey: PKey<K>) -> Self
This is supported on crate feature openssl only.
pub fn from_ec_pkey(pkey: PKey<K>) -> Self
openssl only.Given a known pkey of an EC key, return the wrapped keypair
sourcepub fn from_ecdsa(ec_key: EcdsaKeyPair) -> Self
This is supported on crate feature ring only.
pub fn from_ecdsa(ec_key: EcdsaKeyPair) -> Self
ring only.Creates an ECDSA keypair with ring.
sourcepub fn from_ed25519(ed_key: Ed25519KeyPair) -> Self
This is supported on crate feature ring only.
pub fn from_ed25519(ed_key: Ed25519KeyPair) -> Self
ring only.Creates an ED25519 keypair.
sourceimpl<K: HasPublic> KeyPair<K>
impl<K: HasPublic> KeyPair<K>
sourcepub fn to_public_bytes(&self) -> DnsSecResult<Vec<u8>>
pub fn to_public_bytes(&self) -> DnsSecResult<Vec<u8>>
Converts this keypair to the DNS binary form of the public_key.
If there is a private key associated with this keypair, it will not be included in this format. Only the public key material will be included.
sourcepub fn to_public_key(&self) -> DnsSecResult<PublicKeyBuf>
pub fn to_public_key(&self) -> DnsSecResult<PublicKeyBuf>
Returns a PublicKeyBuf of the KeyPair
sourcepub fn key_tag(&self) -> DnsSecResult<u16>
pub fn key_tag(&self) -> DnsSecResult<u16>
The key tag is calculated as a hash to more quickly lookup a DNSKEY.
RFC 1035, DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION, November 1987
RFC 2535 DNS Security Extensions March 1999
4.1.6 Key Tag Field
The "key Tag" is a two octet quantity that is used to efficiently
select between multiple keys which may be applicable and thus check
that a public key about to be used for the computationally expensive
effort to check the signature is possibly valid. For algorithm 1
(MD5/RSA) as defined in [RFC 2537], it is the next to the bottom two
octets of the public key modulus needed to decode the signature
field. That is to say, the most significant 16 of the least
significant 24 bits of the modulus in network (big endian) order. For
all other algorithms, including private algorithms, it is calculated
as a simple checksum of the KEY RR as described in Appendix C.
Appendix C: Key Tag Calculation
The key tag field in the SIG RR is just a means of more efficiently
selecting the correct KEY RR to use when there is more than one KEY
RR candidate available, for example, in verifying a signature. It is
possible for more than one candidate key to have the same tag, in
which case each must be tried until one works or all fail. The
following reference implementation of how to calculate the Key Tag,
for all algorithms other than algorithm 1, is in ANSI C. It is coded
for clarity, not efficiency. (See section 4.1.6 for how to determine
the Key Tag of an algorithm 1 key.)
/* assumes int is at least 16 bits
first byte of the key tag is the most significant byte of return
value
second byte of the key tag is the least significant byte of
return value
*/
int keytag (
unsigned char key[], /* the RDATA part of the KEY RR */
unsigned int keysize, /* the RDLENGTH */
)
{
long int ac; /* assumed to be 32 bits or larger */
for ( ac = 0, i = 0; i < keysize; ++i )
ac += (i&1) ? key[i] : key[i]<<8;
ac += (ac>>16) & 0xFFFF;
return ac & 0xFFFF;
}sourcepub fn to_dnskey(&self, algorithm: Algorithm) -> DnsSecResult<DNSKEY>
pub fn to_dnskey(&self, algorithm: Algorithm) -> DnsSecResult<DNSKEY>
sourcepub fn to_sig0key(&self, algorithm: Algorithm) -> DnsSecResult<KEY>
pub fn to_sig0key(&self, algorithm: Algorithm) -> DnsSecResult<KEY>
sourcepub fn to_sig0key_with_usage(
&self,
algorithm: Algorithm,
usage: KeyUsage
) -> DnsSecResult<KEY>
pub fn to_sig0key_with_usage(
&self,
algorithm: Algorithm,
usage: KeyUsage
) -> DnsSecResult<KEY>
sourcepub fn to_ds(
&self,
name: &Name,
algorithm: Algorithm,
digest_type: DigestType
) -> DnsSecResult<DS>
This is supported on crate features openssl or ring only.
pub fn to_ds(
&self,
name: &Name,
algorithm: Algorithm,
digest_type: DigestType
) -> DnsSecResult<DS>
openssl or ring only.Creates a DS record for this KeyPair associated to the given name
Arguments
name- name of the DNSKEY record covered by the new DS recordalgorithm- the algorithm of the DNSKEYdigest_type- the digest_type used to
sourceimpl<K: HasPrivate> KeyPair<K>
impl<K: HasPrivate> KeyPair<K>
sourcepub fn sign(&self, algorithm: Algorithm, tbs: &TBS) -> DnsSecResult<Vec<u8>>
pub fn sign(&self, algorithm: Algorithm, tbs: &TBS) -> DnsSecResult<Vec<u8>>
Signs a hash.
This will panic if the key is not a private key and can be used for signing.
Arguments
message- the message bytes to be signed, seerrset_tbs.
Return value
The signature, ready to be stored in an RData::RRSIG.
sourceimpl KeyPair<Private>
impl KeyPair<Private>
sourcepub fn generate(algorithm: Algorithm) -> DnsSecResult<Self>
pub fn generate(algorithm: Algorithm) -> DnsSecResult<Self>
Generates a new private and public key pair for the specified algorithm.
RSA keys are hardcoded to 2048bits at the moment. Other keys have predefined sizes.
sourcepub fn generate_pkcs8(algorithm: Algorithm) -> DnsSecResult<Vec<u8>>
This is supported on crate feature ring only.
pub fn generate_pkcs8(algorithm: Algorithm) -> DnsSecResult<Vec<u8>>
ring only.Generates a key, securing it with pkcs8
Auto Trait Implementations
impl<K> RefUnwindSafe for KeyPair<K> where
K: RefUnwindSafe,
impl<K> Send for KeyPair<K>
impl<K> Sync for KeyPair<K>
impl<K> Unpin for KeyPair<K> where
K: Unpin,
impl<K> UnwindSafe for KeyPair<K> where
K: UnwindSafe,
Blanket Implementations
sourceimpl<T> BorrowMut<T> for T where
T: ?Sized,
impl<T> BorrowMut<T> for T where
T: ?Sized,
const: unstable · sourcepub fn borrow_mut(&mut self) -> &mut T
pub fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value. Read more
sourceimpl<T> Instrument for T
impl<T> Instrument for T
sourcefn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
sourcefn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
impl<V, T> VZip<V> for T where
V: MultiLane<T>,
impl<V, T> VZip<V> for T where
V: MultiLane<T>,
pub fn vzip(self) -> V
sourceimpl<T> WithSubscriber for T
impl<T> WithSubscriber for T
sourcefn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self> where
S: Into<Dispatch>,
fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self> where
S: Into<Dispatch>,
Attaches the provided Subscriber to this type, returning a
WithDispatch wrapper. Read more
sourcefn with_current_subscriber(self) -> WithDispatch<Self>
fn with_current_subscriber(self) -> WithDispatch<Self>
Attaches the current default Subscriber to this type, returning a
WithDispatch wrapper. Read more