Module crypto

Source
Expand description

Cryptographic backends, key generation and import.

This module is enabled by the unstable-crypto or unstable-crypto-sign feature flags. The unstable-crypto enables all features except for private key operations such as generation and signing. All features of this module are enabled with the unstable-crypto-sign feature flag.

This crate supports OpenSSL and Ring for performing cryptography. These cryptographic backends are gated on the openssl and ring features, respectively. They offer mostly equivalent functionality, but OpenSSL supports a larger set of signing algorithms (and, for RSA keys, supports weaker key sizes). A sign backend is provided for users that wish to use either or both backends at runtime.

Each backend module ( openssl::sign , ring::sign , and sign ) exposes a KeyPair type, representing a cryptographic key that can be used for signing, and a generate() function for creating new keys.

Users can choose to bring their own cryptography by providing their own KeyPair type that implements the sign::SignRaw trait.

While each cryptographic backend can support a limited number of signature algorithms, even the types independent of a cryptographic backend (e.g. sign::SecretKeyBytes and sign::GenerateParams ) support a limited number of algorithms. Even with custom cryptographic backends, this module can only support these algorithms.

In addition to private key operations, this module provides the common::PublicKey type for signature verification.

The module also support computing message digests using the common::DigestBuilder type.

§Message digests

Given some data compute a message digest.

use domain::crypto::common::{DigestBuilder, DigestType};

let input = "Hello World!";
let mut ctx = DigestBuilder::new(DigestType::Sha256);
ctx.update(input.as_bytes());
ctx.finish().as_ref();

§Signature verification

Given some data, a signature, and a DNSKEY, the signature can be verified.

use domain::rdata::Dnskey;
use domain::crypto::common::PublicKey;
use domain::base::iana::SecurityAlgorithm;

let keyraw = [0u8; 16];
let input = "Hello World!";
let bad_sig = [0u8; 16];
let dnskey = Dnskey::new(256, 3, SecurityAlgorithm::ED25519, keyraw).unwrap();
let public_key = PublicKey::from_dnskey(&dnskey).unwrap();
let res = public_key.verify(input.as_bytes(), &bad_sig);
println!("verify result: {res:?}");