Struct trust_dns::rr::dnssec::Signer
[−]
[src]
pub struct Signer { /* fields omitted */ }
Use for performing signing and validation of DNSSec based components.
Methods
impl Signer
[src]
fn new_verifier(algorithm: Algorithm, rsa: RSA, signer_name: Name) -> Self
Version of Signer for verifying RRSIGs and SIG0 records.
fn new(algorithm: Algorithm,
rsa: RSA,
signer_name: Name,
sig_duration: Duration)
-> Self
rsa: RSA,
signer_name: Name,
sig_duration: Duration)
-> Self
Version of Signer for signing RRSIGs and SIG0 records.
fn get_algorithm(&self) -> Algorithm
fn get_sig_duration(&self) -> Duration
fn get_signer_name(&self) -> &Name
fn get_rsa(&self) -> &RSA
fn get_public_key(&self) -> Vec<u8>
fn to_dnskey(&self, name: Name, ttl: u32) -> Record
Creates a Record that represents the public key for this Signer
fn calculate_key_tag(&self) -> u16
The key tag is calculated as a hash to more quickly lookup a DNSKEY.
RFC 1035, DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION, November 1987
RFC 2535 DNS Security Extensions March 1999
4.1.6 Key Tag Field
The "key Tag" is a two octet quantity that is used to efficiently
select between multiple keys which may be applicable and thus check
that a public key about to be used for the computationally expensive
effort to check the signature is possibly valid. For algorithm 1
(MD5/RSA) as defined in [RFC 2537], it is the next to the bottom two
octets of the public key modulus needed to decode the signature
field. That is to say, the most significant 16 of the least
significant 24 bits of the modulus in network (big endian) order. For
all other algorithms, including private algorithms, it is calculated
as a simple checksum of the KEY RR as described in Appendix C.
Appendix C: Key Tag Calculation
The key tag field in the SIG RR is just a means of more efficiently
selecting the correct KEY RR to use when there is more than one KEY
RR candidate available, for example, in verifying a signature. It is
possible for more than one candidate key to have the same tag, in
which case each must be tried until one works or all fail. The
following reference implementation of how to calculate the Key Tag,
for all algorithms other than algorithm 1, is in ANSI C. It is coded
for clarity, not efficiency. (See section 4.1.6 for how to determine
the Key Tag of an algorithm 1 key.)
/* assumes int is at least 16 bits
first byte of the key tag is the most significant byte of return
value
second byte of the key tag is the least significant byte of
return value
*/
int keytag (
unsigned char key[], /* the RDATA part of the KEY RR */
unsigned int keysize, /* the RDLENGTH */
)
{
long int ac; /* assumed to be 32 bits or larger */
for ( ac = 0, i = 0; i < keysize; ++i )
ac += (i&1) ? key[i] : key[i]<<8;
ac += (ac>>16) & 0xFFFF;
return ac & 0xFFFF;
}
fn sign_message(&self, message: &Message) -> DnsSecResult<Vec<u8>>
Signs the given message, returning the signature bytes.
Arguments
message
- the message to sign
4.1.8.1 Calculating Transaction and Request SIGs
A response message from a security aware server may optionally
contain a special SIG at the end of the additional information
section to authenticate the transaction.
This SIG has a "type covered" field of zero, which is not a valid RR
type. It is calculated by using a "data" (see Section 4.1.8) of the
entire preceding DNS reply message, including DNS header but not the
IP header and before the reply RR counts have been adjusted for the
inclusion of any transaction SIG, concatenated with the entire DNS
query message that produced this response, including the query's DNS
header and any request SIGs but not its IP header. That is
data = full response (less transaction SIG) | full query
Verification of the transaction SIG (which is signed by the server
host key, not the zone key) by the requesting resolver shows that the
query and response were not tampered with in transit, that the
response corresponds to the intended query, and that the response
comes from the queried server.
A DNS request may be optionally signed by including one or more SIGs
at the end of the query. Such SIGs are identified by having a "type
covered" field of zero. They sign the preceding DNS request message
including DNS header but not including the IP header or any request
SIGs at the end and before the request RR counts have been adjusted
for the inclusions of any request SIG(s).
WARNING: Request SIGs are unnecessary for any currently defined
request other than update [RFC 2136, 2137] and will cause some old
DNS servers to give an error return or ignore a query. However, such
SIGs may in the future be needed for other requests.
Except where needed to authenticate an update or similar privileged
request, servers are not required to check request SIGs.
NOTE: In classic RFC style, this is unclear, it implies that each SIG record is not included in the Additional record count, but this makes it more difficult to process and calculate more than one SIG0 record. Annoyingly, it means that the Header is signed with different material (i.e. additional record count - #SIG0 records), so the exact header sent is NOT the header being verified.
fn verify_message(&self,
message: &Message,
signature: &[u8])
-> DnsSecResult<()>
message: &Message,
signature: &[u8])
-> DnsSecResult<()>
Verifies a message with the against the given signature
Arguments
message
- the message to verify
signature
- the signature to use for validation
Return value
true
if the message could be validated against the signature, false
otherwise
fn hash_rrset(&self,
name: &Name,
dns_class: DNSClass,
num_labels: u8,
type_covered: RecordType,
algorithm: Algorithm,
original_ttl: u32,
sig_expiration: u32,
sig_inception: u32,
key_tag: u16,
signer_name: &Name,
records: &[Record])
-> DnsSecResult<Vec<u8>>
name: &Name,
dns_class: DNSClass,
num_labels: u8,
type_covered: RecordType,
algorithm: Algorithm,
original_ttl: u32,
sig_expiration: u32,
sig_inception: u32,
key_tag: u16,
signer_name: &Name,
records: &[Record])
-> DnsSecResult<Vec<u8>>
name is the the name of the records in the rrset
fn hash_rrset_with_rrsig(&self,
rrsig: &Record,
records: &[Record])
-> DnsSecResult<Vec<u8>>
rrsig: &Record,
records: &[Record])
-> DnsSecResult<Vec<u8>>
fn hash_rrset_with_sig(&self,
name: &Name,
dns_class: DNSClass,
sig: &SIG,
records: &[Record])
-> DnsSecResult<Vec<u8>>
name: &Name,
dns_class: DNSClass,
sig: &SIG,
records: &[Record])
-> DnsSecResult<Vec<u8>>
fn sign(&self, hash: &[u8]) -> DnsSecResult<Vec<u8>>
Signs a hash.
This will panic if the key
is not a private key and can be used for signing.
Arguments
hash
- the hashed resource record set, seehash_rrset
.
Return value
The signature, ready to be stored in an RData::RRSIG
.
fn verify(&self, hash: &[u8], signature: &[u8]) -> DnsSecResult<()>
Verifies the hash matches the signature with the current key
.
Arguments
hash
- the hash to be validated, seehash_rrset
signature
- the signature to use to verify the hash, extracted from anRData::RRSIG
for example.
Return value
True if and only if the signature is valid for the hash. This will always return
false if the key
.