[PR #2558] [MERGED] proto: replace KeyPair with SigningKey trait #3139

Closed
opened 2026-03-16 11:27:22 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/2558
Author: @djc
Created: 11/6/2024
Status: Merged
Merged: 11/8/2024
Merged by: @djc

Base: main ← Head: signing-key


📝 Commits (10+)

  • f9df2ef proto: remove deprecated KeyFormat::encode_key() method
  • f826fd0 proto: detach decode_key() from KeyFormat
  • d4b2767 proto: define SigningKey trait
  • b3bb37c proto: take reference to keys in PublicKeyBuf constructors
  • 163238a proto: yield trait object from decode_key()
  • f788619 proto: rework DNSSEC tests to avoid generic encoding
  • a6f3ef7 proto: replace KeyPair:ED25519 variant with Ed25519SigningKey
  • a464bad proto: replace KeyPair::ECDSA variant with EcdsaSigningKey
  • 1d22036 proto: replace KeyPair::EC variant with EcSigningKey
  • 1b9b1a3 proto: replace remaining KeyPair usage with RsaSigningKey

📊 Changes

12 files changed (+568 additions, -683 deletions)

View changed files

📝 bin/src/dnssec.rs (+2 -3)
📝 bin/tests/integration/named_test_rsa_dnssec.rs (+3 -4)
📝 crates/proto/src/rr/dnssec/key_format.rs (+28 -326)
📝 crates/proto/src/rr/dnssec/keypair.rs (+485 -296)
📝 crates/proto/src/rr/dnssec/mod.rs (+6 -4)
📝 crates/proto/src/rr/dnssec/public_key.rs (+2 -2)
📝 crates/proto/src/rr/dnssec/signer.rs (+21 -27)
📝 tests/compatibility-tests/tests/integration/sig0_tests.rs (+10 -5)
📝 tests/integration-tests/src/example_authority.rs (+3 -4)
📝 tests/integration-tests/tests/integration/client_future_tests.rs (+3 -5)
📝 tests/integration-tests/tests/integration/client_tests.rs (+3 -5)
📝 util/src/bin/pem-to-public-dnskey.rs (+2 -2)

📄 Description

The KeyPair type was a mess of special cases trying to abstract over very different OpenSSL and ring APIs. Instead, use a small trait to abstract over the common core API and leave the remainder of the API to backend-specific types.

Next steps:

  • Make SigningKeys (and PublicKeys) aware of their own Algorithm
  • Add RSA support for the ring backend (so DNSSEC tests no longer require OpenSSL)
  • Add aws-lc-rs support as an alternative

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
