The great rename plus cleanup.

Cargo.toml

@@ -36,7 +36,7 @@ parking_lot    = { version = "0.12", optional = true }
 moka           = { version = "0.12.3", optional = true, features = ["future"] }
 openssl        = { version = "0.10.57", optional = true } # 0.10.57 upgrades to 'bitflags' 2.x
 proc-macro2    = { version = "1.0.69", optional = true } # Force proc-macro2 to at least 1.0.69 for minimal-version build
-ring           = { version = "0.17", optional = true }
+ring           = { version = "0.17.2", optional = true }
 rustversion    = { version = "1", optional = true }
 secrecy        = { version = "0.10", optional = true }
 serde          = { version = "1.0.130", optional = true, features = ["derive"] }
@@ -72,11 +72,12 @@ zonefile    = ["bytes", "serde", "std"]
 
 # Unstable features
 unstable-client-transport = ["moka", "net", "tracing"]
+unstable-crypto = ["bytes"]
+unstable-crypto-sign = ["dep:secrecy", "unstable-crypto"]
 unstable-server-transport = ["arc-swap", "chrono/clock", "libc", "net", "siphasher", "tracing"]
-unstable-sign = ["std", "dep:secrecy", "dep:smallvec", "dep:serde", "time/formatting", "tracing", "unstable-validate"]
+unstable-sign = ["std", "dep:secrecy", "dep:smallvec", "dep:serde", "time/formatting", "tracing", "unstable-crypto-sign"]
 unstable-stelline = ["tokio/test-util", "tracing", "tracing-subscriber", "tsig", "unstable-client-transport", "unstable-server-transport", "zonefile"]
-unstable-validate = ["bytes", "std", "ring"]
-unstable-validator = ["unstable-validate", "zonefile", "unstable-client-transport"]
+unstable-validator = ["zonefile", "unstable-client-transport", "unstable-crypto"]
 unstable-xfr = ["net"]
 unstable-zonetree = ["futures-util", "parking_lot", "rustversion", "serde", "std", "tokio", "tracing", "unstable-xfr", "zonefile"]
 
@@ -155,7 +156,9 @@ required-features = ["net", "unstable-client-transport", "unstable-server-transp
 
 [[example]]
 name = "keyset"
-required-features = ["serde", "unstable-sign"]
+# Note that we have to pick a crypto backend eventhough the example doesn't
+# need one.
+required-features = ["serde", "unstable-sign", "ring"]
 
 # This example is commented out because it is difficult, if not impossible,
 # when including the sqlx dependency, to make the dependency tree compatible

examples/client-transports.rs

@@ -331,13 +331,15 @@ where
 {
     // Create a validating transport
     let anchor_file = std::fs::File::open("examples/root.key").unwrap();
-    let ta =
-        domain::validator::anchor::TrustAnchors::from_reader(anchor_file)
-            .unwrap();
-    let vc = Arc::new(domain::validator::context::ValidationContext::new(
-        ta,
-        conn.clone(),
-    ));
+    let ta = domain::dnssec::validator::anchor::TrustAnchors::from_reader(
+        anchor_file,
+    )
+    .unwrap();
+    let vc =
+        Arc::new(domain::dnssec::validator::context::ValidationContext::new(
+            ta,
+            conn.clone(),
+        ));
     let val_conn = domain::net::client::validator::Connection::new(conn, vc);
 
     // Send a query message.

examples/keyset.rs

@@ -1,6 +1,6 @@
 //! Demonstrate the use of key sets.
 use domain::base::Name;
-use domain::sign::keys::keyset::{
+use domain::dnssec::sign::keys::keyset::{
     Action, Error, KeySet, KeyType, RollType, UnixTime,
 };
 use itertools::{Either, Itertools};

src/crypto/common.rs

@@ -0,0 +1,256 @@
+//! DNSSEC message digests and signature verification using built-in backends.
+//!
+//! This backend supports all the algorithms supported by Ring and OpenSSL,
+//! depending on whether the respective crate features are enabled.  See the
+//! documentation for each backend for more information.
+
+#![cfg(any(feature = "ring", feature = "openssl"))]
+#![cfg_attr(docsrs, doc(cfg(any(feature = "ring", feature = "openssl"))))]
+
+use core::fmt;
+use std::error;
+use std::vec::Vec;
+
+use crate::rdata::Dnskey;
+
+#[cfg(feature = "openssl")]
+use super::openssl;
+
+#[cfg(feature = "ring")]
+use super::ring;
+
+//----------- DigestType -----------------------------------------------------
+
+/// Type of message digest to compute.
+pub enum DigestType {
+    /// [FIPS Secure Hash Standard] Section 6.1.
+    ///
+    /// [FIPS Secure Hash Standard]: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
+    Sha1,
+
+    /// [FIPS Secure Hash Standard] Section 6.2.
+    ///
+    /// [FIPS Secure Hash Standard]: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
+    Sha256,
+
+    /// [FIPS Secure Hash Standard] Section 6.5.
+    ///
+    /// [FIPS Secure Hash Standard]: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
+    Sha384,
+}
+
+//----------- DigestContext --------------------------------------------------
+
+/// Context for computing a message digest.
+pub enum DigestContext {
+    #[cfg(feature = "ring")]
+    /// Use ring to compute the message digest.
+    Ring(ring::DigestContext),
+    #[cfg(feature = "openssl")]
+    /// Use openssl to compute the message digest.
+    Openssl(openssl::DigestContext),
+}
+
+impl DigestContext {
+    #[allow(unreachable_code)]
+    /// Create a new context for a specified digest type.
+    pub fn new(digest_type: DigestType) -> Self {
+        #[cfg(feature = "ring")]
+        return Self::Ring(ring::DigestContext::new(digest_type));
+
+        #[cfg(feature = "openssl")]
+        return Self::Openssl(openssl::DigestContext::new(digest_type));
+
+        #[cfg(not(any(feature = "ring", feature = "openssl")))]
+        compile_error!("Either feature \"ring\" or \"openssl\" must be enabled for this crate.");
+    }
+
+    /// Add input to the digest computation.
+    pub fn update(&mut self, data: &[u8]) {
+        match self {
+            #[cfg(feature = "ring")]
+            DigestContext::Ring(digest_context) => {
+                digest_context.update(data)
+            }
+            #[cfg(feature = "openssl")]
+            DigestContext::Openssl(digest_context) => {
+                digest_context.update(data)
+            }
+        }
+    }
+
+    /// Finish computing the digest.
+    pub fn finish(self) -> Digest {
+        match self {
+            #[cfg(feature = "ring")]
+            DigestContext::Ring(digest_context) => {
+                Digest::Ring(digest_context.finish())
+            }
+            #[cfg(feature = "openssl")]
+            DigestContext::Openssl(digest_context) => {
+                Digest::Openssl(digest_context.finish())
+            }
+        }
+    }
+}
+
+//----------- Digest ---------------------------------------------------------
+
+/// A message digest.
+pub enum Digest {
+    #[cfg(feature = "ring")]
+    /// A message digest computed using ring.
+    Ring(ring::Digest),
+    #[cfg(feature = "openssl")]
+    /// A message digest computed using openssl.
+    Openssl(openssl::Digest),
+}
+
+impl AsRef<[u8]> for Digest {
+    fn as_ref(&self) -> &[u8] {
+        match self {
+            #[cfg(feature = "ring")]
+            Digest::Ring(digest) => digest.as_ref(),
+            #[cfg(feature = "openssl")]
+            Digest::Openssl(digest) => digest.as_ref(),
+        }
+    }
+}
+
+//----------- PublicKey ------------------------------------------------------
+
+/// A public key for verifying a signature.
+pub enum PublicKey {
+    #[cfg(feature = "ring")]
+    /// A public key implemented using ring.
+    Ring(ring::PublicKey),
+
+    #[cfg(feature = "openssl")]
+    /// A public key implemented using openssl.
+    Openssl(openssl::PublicKey),
+}
+
+impl PublicKey {
+    #[allow(unreachable_code)]
+    /// Create a public key from a [`Dnskey`].
+    pub fn from_dnskey(
+        dnskey: &Dnskey<impl AsRef<[u8]>>,
+    ) -> Result<Self, AlgorithmError> {
+        #[cfg(feature = "ring")]
+        return Ok(Self::Ring(ring::PublicKey::from_dnskey(dnskey)?));
+
+        #[cfg(feature = "openssl")]
+        return Ok(Self::Openssl(openssl::PublicKey::from_dnskey(dnskey)?));
+
+        #[cfg(not(any(feature = "ring", feature = "openssl")))]
+        compile_error!("Either feature \"ring\" or \"openssl\" must be enabled for this crate.");
+    }
+
+    /// Verify a signature.
+    pub fn verify(
+        &self,
+        signed_data: &[u8],
+        signature: &[u8],
+    ) -> Result<(), AlgorithmError> {
+        match self {
+            #[cfg(feature = "ring")]
+            PublicKey::Ring(public_key) => {
+                public_key.verify(signed_data, signature)
+            }
+            #[cfg(feature = "openssl")]
+            PublicKey::Openssl(public_key) => {
+                public_key.verify(signed_data, signature)
+            }
+        }
+    }
+}
+
+/// Return the RSA exponent and modulus components from DNSKEY record data.
+pub fn rsa_exponent_modulus(
+    dnskey: &Dnskey<impl AsRef<[u8]>>,
+    min_len: usize,
+) -> Result<(Vec<u8>, Vec<u8>), AlgorithmError> {
+    let public_key = dnskey.public_key().as_ref();
+    if public_key.len() <= 3 {
+        return Err(AlgorithmError::InvalidData);
+    }
+
+    let (pos, exp_len) = match public_key[0] {
+        0 => (
+            3,
+            (usize::from(public_key[1]) << 8) | usize::from(public_key[2]),
+        ),
+        len => (1, usize::from(len)),
+    };
+
+    // Check if there's enough space for exponent and modulus.
+    if public_key[pos..].len() < pos + exp_len {
+        return Err(AlgorithmError::InvalidData);
+    };
+
+    // Check for minimum supported key size
+    if public_key[pos..].len() < min_len {
+        return Err(AlgorithmError::Unsupported);
+    }
+
+    let (e, n) = public_key[pos..].split_at(exp_len);
+    Ok((e.to_vec(), n.to_vec()))
+}
+
+//------------ AlgorithmError ------------------------------------------------
+
+/// An algorithm error during verification.
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+pub enum AlgorithmError {
+    /// Unsupported algorithm.
+    Unsupported,
+
+    /// Bad signature.
+    BadSig,
+
+    /// Invalid data.
+    InvalidData,
+}
+
+//--- Display, Error
+
+impl fmt::Display for AlgorithmError {
+    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        f.write_str(match self {
+            AlgorithmError::Unsupported => "unsupported algorithm",
+            AlgorithmError::BadSig => "bad signature",
+            AlgorithmError::InvalidData => "invalid data",
+        })
+    }
+}
+
+impl error::Error for AlgorithmError {}
+
+//----------- FromDnskeyError ------------------------------------------------
+
+/// An error in reading a DNSKEY record.
+#[derive(Clone, Debug)]
+pub enum FromDnskeyError {
+    /// The key's algorithm is not supported.
+    UnsupportedAlgorithm,
+
+    /// The key's protocol is not supported.
+    UnsupportedProtocol,
+
+    /// The key is not valid.
+    InvalidKey,
+}
+
+//--- Display, Error
+
+impl fmt::Display for FromDnskeyError {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.write_str(match self {
+            Self::UnsupportedAlgorithm => "unsupported algorithm",
+            Self::UnsupportedProtocol => "unsupported protocol",
+            Self::InvalidKey => "malformed key",
+        })
+    }
+}
+
+impl error::Error for FromDnskeyError {}