starred/hickory-dns
1
0
Fork 0
mirror of https://github.com/hickory-dns/hickory-dns.git synced 2026-04-25 19:25:56 +03:00
Code Issues 373 Projects Releases 6 Packages Wiki Activity

[GH-ISSUE #127] Combine KeyPair::generate() and KeyPair::encode_key() into one operation #61

New issue
Closed
opened 2026-03-07 22:18:28 +03:00 by kerem · 6 comments
kerem commented 2026-03-07 22:18:28 +03:00
Owner
Copy link

Originally created by @briansmith on GitHub (May 8, 2017).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/127

Originally assigned to: @bluejekyll on GitHub.

In the code there is this:

        let key = try!(KeyPair::generate(algorithm)
            .map_err(|e| format!("could not generate key: {}", e)));
        let key_bytes: Vec<u8> =
            try!(format
                     .encode_key(&key, key_config.password())
                     .map_err(|e| format!("could not get key bytes: {}", e)));

I was looking at the code to see how to update it for the new version of ring. ring is designed intentionally to make an encode_key() operation impossible without subverting memory safety. The idea is that once you have a private key object, e.g. Ed25519KeyPair, you can use the key, but you can't extract the private key from it. In the current version of Trust-DNS this is worked around by using ``Ed25519KeyPairBytes`, which was intended to help with serialization. But that's been replaced in ring by its PKCS#8 support. And that wouldn't work with the upcoming ECDSA support in ring either, nor with its RSA support.

Instead, ring supports a generate_pkcs8() function that returns the encoded bytes: i.e. it combines generation and serialization together. I think this is what Trust-DNS's KeyPair should do too, because other than generating a key, there's no reason (AFAICT) to need to encode a private key in Trust-DNS.

WDYT?

Originally created by @briansmith on GitHub (May 8, 2017). Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/127 Originally assigned to: @bluejekyll on GitHub. In the code there is this: ```rust let key = try!(KeyPair::generate(algorithm) .map_err(|e| format!("could not generate key: {}", e))); let key_bytes: Vec<u8> = try!(format .encode_key(&key, key_config.password()) .map_err(|e| format!("could not get key bytes: {}", e))); ``` I was looking at the code to see how to update it for the new version of *ring*. *ring* is designed intentionally to make an `encode_key()` operation impossible without subverting memory safety. The idea is that once you have a private key object, e.g. `Ed25519KeyPair`, you can *use* the key, but you can't extract the private key from it. In the current version of Trust-DNS this is worked around by using ``Ed25519KeyPairBytes`, which was intended to help with serialization. But that's been replaced in *ring* by its PKCS#8 support. And that wouldn't work with the upcoming ECDSA support in *ring* either, nor with its RSA support. Instead, ring supports a `generate_pkcs8()` function that returns the encoded bytes: i.e. it combines generation and serialization together. I think this is what Trust-DNS's `KeyPair` should do too, because other than generating a key, there's no reason (AFAICT) to need to encode a private key in Trust-DNS. WDYT?
kerem closed this issue 2026-03-07 22:18:28 +03:00
kerem commented 2026-03-07 22:18:29 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (May 9, 2017):

That sounds like a great plan. I'd love to have a better story around this. I really like the idea of moving to a common pkcs8 storage.

<!-- gh-comment-id:300056377 --> @bluejekyll commented on GitHub (May 9, 2017): That sounds like a great plan. I'd love to have a better story around this. I really like the idea of moving to a common pkcs8 storage.
kerem commented 2026-03-07 22:18:29 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (May 11, 2017):

I'll have a patch for this as soon as possible. Did I understand that you want to pull previous versions, is this accurate?

<!-- gh-comment-id:300695625 --> @bluejekyll commented on GitHub (May 11, 2017): I'll have a patch for this as soon as possible. Did I understand that you want to pull previous versions, is this accurate?
kerem commented 2026-03-07 22:18:29 +03:00
Author
Owner
Copy link

@briansmith commented on GitHub (May 11, 2017):

Yes, that's true, but IIUC your cargo.lock should make it so you're not affected by that if/when I do it. Also I know it's an inconvenience so I won't do it this week.

<!-- gh-comment-id:300696475 --> @briansmith commented on GitHub (May 11, 2017): Yes, that's true, but IIUC your cargo.lock should make it so you're not affected by that if/when I do it. Also I know it's an inconvenience so I won't do it this week.
kerem commented 2026-03-07 22:18:29 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (May 11, 2017):

It's not a huge inconvenience, I think these are minor changes. But I believe if you yank previous version off crates.io, it will break any software that builds against those versions. Cargo.lock only binds the build to a particular version as I understand it, meaning it still needs to be available in crates.io for any builds at that version. I don't know of anyone depending on ring with TRust-DNS, and it's currently not a default dependency so I'm not worried about it.

But, for other users of ring and their downstream libraries, won't it be a cascading effect on every downstream dependency?

<!-- gh-comment-id:300698332 --> @bluejekyll commented on GitHub (May 11, 2017): It's not a huge inconvenience, I think these are minor changes. But I believe if you yank previous version off crates.io, it will break any software that builds against those versions. Cargo.lock only binds the build to a particular version as I understand it, meaning it still needs to be available in crates.io for any builds at that version. I don't know of anyone depending on *ring* with TRust-DNS, and it's currently not a default dependency so I'm not worried about it. But, for other users of *ring* and their downstream libraries, won't it be a cascading effect on every downstream dependency?
kerem commented 2026-03-07 22:18:29 +03:00
Author
Owner
Copy link

@briansmith commented on GitHub (May 11, 2017):

I don't know of anyone depending on ring with TRust-DNS, and it's currently not a default dependency so I'm not worried about it.

OK, that's good. I think moving the Ed25519 stuff to PKCS#8 is better done as a clean break without ugly migration logic anyway.

But, for other users of ring and their downstream libraries, won't it be a cascading effect on every downstream dependency?

The important thing here is how the change affects TRust-DNS.

<!-- gh-comment-id:300718477 --> @briansmith commented on GitHub (May 11, 2017): > I don't know of anyone depending on ring with TRust-DNS, and it's currently not a default dependency so I'm not worried about it. OK, that's good. I think moving the Ed25519 stuff to PKCS#8 is better done as a clean break without ugly migration logic anyway. > But, for other users of ring and their downstream libraries, won't it be a cascading effect on every downstream dependency? The important thing here is how the change affects TRust-DNS.
kerem commented 2026-03-07 22:18:29 +03:00
Author
Owner
Copy link

@bluejekyll commented on GitHub (May 17, 2017):

fixed in #133

<!-- gh-comment-id:302206389 --> @bluejekyll commented on GitHub (May 17, 2017): fixed in #133
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
release/0.26
david/conformance-dnssec-negative-tests
query-api
opt-types
cname-nsec
no-cname-recursion
conformance-min-ttl
dname-base
drop-message-request
no-error-queries
cpu-sig0-rm-message-sig_dev
cpu-tsig-test-update_dev
windows-config
dnssec-net
release/0.25
opp-enc-persist
integration-test
cpu-tidying-recursor-opts_dev
happy-eyeballs
david/authoritative-zone-storage-trait
dnssec-ad
no-authority
release/0.24
pvdrz/remove-top-file
pvdrz/h3-handshake-timeout
pvdrz/quic-handshake-timeout
nxdomain-for-recursor
ja-test-merque-queue
ja-fix-ci-again
sz-add-ede-tests
sz-test-tc-bit-with-large-response
sz-fix-tokio-dependency
gh-2275-test-rrsig-signature
refactor-sign-zone-file
fix-1.79-cleanliness
update-nightly-hash
release/0.23
gh-pages
use-just-for-server-toml
release/0.22
revert-1874-cpu-zone-parse-default-class
disable-bind-compatibility-tests
disable-test_tls_client_stream_ipv4
update-native-tls-0.2.11
recursor-tests
fix-clippy-self
release/0.20
saethlin-fix-rdata-zero
release/0.19
flat_name
drop_unused_futures
release/0.18
release-r0.12-cs0.17
release/r0.12-cs0.17
trust-dns-book
r0.10
test-connections-not-dropped
fix_exec_status_on_rs_files
release-0.9
add-mutex-to-integration-tests
0.8_release
bfry/dns-crypt
v0.26.0
v0.26.0-beta.4
v0.26.0-beta.3
v0.26.0-beta.2
v0.26.0-beta.1
v0.26.0-alpha.1
v0.25.2
v0.25.1
v0.25.0
v0.24.4
v0.24.3
v0.25.0-alpha.5
v0.24.2
v0.25.0-alpha.4
v0.25.0-alpha.3
v0.25.0-alpha.2
v0.25.0-alpha.1
v0.24.1
v0.23.2
v0.24.0
v0.23.1
v0.23.0
v0.23.0-alpha.5
v0.23.0-alpha.4
v0.23.0-alpha.3
v0.22.1
v0.23.0-alpha.2
v0.23.0-alpha.1
v0.22.0
v0.21.2
v0.21.1
v0.21.0
v0.21.0-alpha.5
v0.20.4
v0.21.0-alpha.4
v0.21.0-alpha.3
v0.21.0-alpha.2
v0.21.0-alpha.1
v0.20.3
v0.20.2
v0.20.1
v0.19.7
v0.20.0
0.19.6
v0.20.0-alpha.3
v0.20.0-alpha.2
v0.20.0-alpha.1
0.19.5
0.19.4
0.19.3
0.19.0
0.18.1
0.18
0.18.0.alpha.2
r0.12_cs0.17
r0.11.1
cs0.16.1
r0.11
cs0.16
r0.10.1
r0.10.0
cs0.15.0
r0.9.1
v0.14.0
r0.9.0
r0.8.1
r0.8.0
v0.13.0
r0.7.0
c0.12.0
r0.6.0
r0.5.0
resolver.0.4.0
0.11.0
0.10.5
0.10.4
0.10.3
0.10.2
0.10.1
0.10.0
0.9.3
0.9.2
0.9.1
0.9.0
0.8.1
0.8.0
0.7.3
0.7.2
0.7.1
0.7.0
0.6.0
0.5.3
0.5.1
0.5.0
0.4.0
0.3.1
0.3.0
0.2.1
0.2.0
0.1.0
Labels
Clear labels   
blocked

   
breaking-change

   
bug

   
bug:critical

   
bug:tests

   
cleanup

   
compliance

   
compliance

   
compliance

   
crate:all

   
crate:client

   
crate:native-tls

   
crate:proto

   
crate:recursor

   
crate:resolver

   
crate:resolver

   
crate:rustls

   
crate:server

   
crate:util

   
dependencies

   
docs

   
duplicate

   
easy

   
easy

   
enhance

   
enhance

   
enhance

   
feature:dns-over-https

   
feature:dns-over-quic

   
feature:dns-over-tls

   
feature:dnsssec

   
feature:global_lb

   
feature:mdns

   
feature:tsig

   
features:edns

   
has workaround

   
ops

   
perf

   
platform:WASM

   
platform:android

   
platform:fuchsia

   
platform:linux

   
platform:macos

   
platform:windows

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
test

   
tools

   
tools

   
trust

   
unclear

   
wontfix
No labels
blocked
breaking-change
bug
bug:critical
bug:tests
cleanup
compliance
compliance
compliance
crate:all
crate:client
crate:native-tls
crate:proto
crate:recursor
crate:resolver
crate:resolver
crate:rustls
crate:server
crate:util
dependencies
docs
duplicate
easy
easy
enhance
enhance
enhance
feature:dns-over-https
feature:dns-over-quic
feature:dns-over-tls
feature:dnsssec
feature:global_lb
feature:mdns
feature:tsig
features:edns
has workaround
ops
perf
platform:WASM
platform:android
platform:fuchsia
platform:linux
platform:macos
platform:windows
pull-request
question
test
tools
tools
trust
unclear
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/hickory-dns#61
No description provided.