Enum trust_dns::rr::dnssec::KeyPair
[−]
[src]
pub enum KeyPair { RSA(PKey), EC(PKey), }
A public and private key pair, the private portion is not required.
This supports all the various public/private keys which TRust-DNS is capable of using. Given
differing features, some key types may not be available. The openssl
feature will enable RSA and EC
(P256 and P384). The ring
feature enables ED25519, in the future, Ring will also be used for other keys.
Variants
RSA(PKey)
RSA keypair, supported by OpenSSL
EC(PKey)
Ellyptic curve keypair, supported by OpenSSL
Methods
impl KeyPair
[src]
fn from_rsa(rsa: OpenSslRsa) -> DnsSecResult<Self>
Creates an RSA type keypair.
fn from_rsa_pkey(pkey: PKey) -> Self
Given a know pkey of an RSA key, return the wrapped keypair
fn from_ec_key(ec_key: EcKey) -> DnsSecResult<Self>
Creates an EC, elliptic curve, type keypair, only P256 or P384 are supported.
fn from_ec_pkey(pkey: PKey) -> Self
Given a know pkey of an EC key, return the wrapped keypair
fn to_public_bytes(&self) -> DnsSecResult<Vec<u8>>
Converts this keypair to the DNS binary form of the public_key.
If there is a private key associated with this keypair, it will not be included in this format. Only the public key material will be included.
fn key_tag(&self) -> DnsSecResult<u16>
The key tag is calculated as a hash to more quickly lookup a DNSKEY.
RFC 1035, DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION, November 1987
RFC 2535 DNS Security Extensions March 1999
4.1.6 Key Tag Field
The "key Tag" is a two octet quantity that is used to efficiently
select between multiple keys which may be applicable and thus check
that a public key about to be used for the computationally expensive
effort to check the signature is possibly valid. For algorithm 1
(MD5/RSA) as defined in [RFC 2537], it is the next to the bottom two
octets of the public key modulus needed to decode the signature
field. That is to say, the most significant 16 of the least
significant 24 bits of the modulus in network (big endian) order. For
all other algorithms, including private algorithms, it is calculated
as a simple checksum of the KEY RR as described in Appendix C.
Appendix C: Key Tag Calculation
The key tag field in the SIG RR is just a means of more efficiently
selecting the correct KEY RR to use when there is more than one KEY
RR candidate available, for example, in verifying a signature. It is
possible for more than one candidate key to have the same tag, in
which case each must be tried until one works or all fail. The
following reference implementation of how to calculate the Key Tag,
for all algorithms other than algorithm 1, is in ANSI C. It is coded
for clarity, not efficiency. (See section 4.1.6 for how to determine
the Key Tag of an algorithm 1 key.)
/* assumes int is at least 16 bits
first byte of the key tag is the most significant byte of return
value
second byte of the key tag is the least significant byte of
return value
*/
int keytag (
unsigned char key[], /* the RDATA part of the KEY RR */
unsigned int keysize, /* the RDLENGTH */
)
{
long int ac; /* assumed to be 32 bits or larger */
for ( ac = 0, i = 0; i < keysize; ++i )
ac += (i&1) ? key[i] : key[i]<<8;
ac += (ac>>16) & 0xFFFF;
return ac & 0xFFFF;
}
fn to_dnskey(&self, algorithm: Algorithm) -> DnsSecResult<DNSKEY>
Creates a Record that represents the public key for this Signer
Arguments
algorithm
- algorithm of the DNSKEY
Return
the DNSKEY record data
fn to_sig0key(&self, algorithm: Algorithm) -> DnsSecResult<KEY>
Convert this keypair into a KEY record type for usage with SIG0
with key type entity (KeyUsage::Entity
).
Arguments
algorithm
- algorithm of the KEY
Return
the KEY record data
fn to_sig0key_with_usage(
&self,
algorithm: Algorithm,
usage: KeyUsage
) -> DnsSecResult<KEY>
&self,
algorithm: Algorithm,
usage: KeyUsage
) -> DnsSecResult<KEY>
Convert this keypair into a KEY record type for usage with SIG0 with a given key (usage) type.
Arguments
algorithm
- algorithm of the KEYusage
- the key type
Return
the KEY record data
fn to_ds(
&self,
name: &Name,
algorithm: Algorithm,
digest_type: DigestType
) -> DnsSecResult<DS>
&self,
name: &Name,
algorithm: Algorithm,
digest_type: DigestType
) -> DnsSecResult<DS>
Creates a DS record for this KeyPair associated to the given name
Arguments
name
- name of the DNSKEY record covered by the new DS recordalgorithm
- the algorithm of the DNSKEYdigest_type
- the digest_type used to
fn sign(&self, algorithm: Algorithm, message: &[u8]) -> DnsSecResult<Vec<u8>>
Signs a hash.
This will panic if the key
is not a private key and can be used for signing.
Arguments
message
- the message bytes to be signed, seehash_rrset
.
Return value
The signature, ready to be stored in an RData::RRSIG
.
fn generate(algorithm: Algorithm) -> DnsSecResult<Self>
Generates a new private and public key pair for the specified algorithm.
RSA keys are hardcoded to 2048bits at the moment. Other keys have predefined sizes.
Trait Implementations
impl PublicKey for KeyPair
[src]
fn public_bytes(&self) -> &[u8]
Returns the public bytes of the public key, in DNS format
fn verify(
&self,
algorithm: Algorithm,
message: &[u8],
signature: &[u8]
) -> DnsSecResult<()>
&self,
algorithm: Algorithm,
message: &[u8],
signature: &[u8]
) -> DnsSecResult<()>
Verifies the hash matches the signature with the current key
. Read more
fn key_tag(&self) -> DnsSecResult<u16>
The key tag is calculated as a hash to more quickly lookup a DNSKEY. Read more