Expand description
Cryptographic backends, key generation and import.
This module is enabled by the unstable-crypto
or unstable-crypto-sign
feature flags. The unstable-crypto
enables all features except for
private key operations such as generation and signing. All features of
this module are enabled with the unstable-crypto-sign
feature flag.
This crate supports OpenSSL and Ring for performing cryptography. These
cryptographic backends are gated on the openssl
and ring
features,
respectively. They offer mostly equivalent functionality, but OpenSSL
supports a larger set of signing algorithms (and, for RSA keys, supports
weaker key sizes). A
sign
backend is provided for users that wish
to use either or both backends at runtime.
Each backend module (
openssl::sign
,
ring::sign
, and
sign
)
exposes a
KeyPair
type, representing a cryptographic key that can be used for
signing, and a generate()
function for creating new keys.
Users can choose to bring their own cryptography by providing their own
KeyPair
type that implements the
sign::SignRaw
trait.
While each cryptographic backend can support a limited number of signature
algorithms, even the types independent of a cryptographic backend (e.g.
sign::SecretKeyBytes
and
sign::GenerateParams
) support a limited
number of algorithms. Even with custom cryptographic backends,
this module can only
support these algorithms.
In addition to private key operations, this module provides the
common::PublicKey
type for signature verification.
The module also support computing message digests using the
common::DigestBuilder
type.
§Message digests
Given some data compute a message digest.
use domain::crypto::common::{DigestBuilder, DigestType};
let input = "Hello World!";
let mut ctx = DigestBuilder::new(DigestType::Sha256);
ctx.update(input.as_bytes());
ctx.finish().as_ref();
§Signature verification
Given some data, a signature, and a DNSKEY, the signature can be verified.
use domain::rdata::Dnskey;
use domain::crypto::common::PublicKey;
use domain::base::iana::SecurityAlgorithm;
let keyraw = [0u8; 16];
let input = "Hello World!";
let bad_sig = [0u8; 16];
let dnskey = Dnskey::new(256, 3, SecurityAlgorithm::ED25519, keyraw).unwrap();
let public_key = PublicKey::from_dnskey(&dnskey).unwrap();
let res = public_key.verify(input.as_bytes(), &bad_sig);
println!("verify result: {res:?}");