1 //! WASM-compatible verification wrappers
3 use dnssec_prover::ser::parse_rr_stream;
4 use dnssec_prover::validation::{verify_rr_stream, ValidationError};
5 use dnssec_prover::rr::Name;
6 use dnssec_prover::query::{ProofBuilder, QueryBuf};
8 use wasm_bindgen::prelude::wasm_bindgen;
11 use alloc::collections::VecDeque;
16 static ALLOC: wee_alloc::WeeAlloc = wee_alloc::WeeAlloc::INIT;
19 pub struct WASMProofBuilder(ProofBuilder, VecDeque<QueryBuf>);
22 /// Builds a proof builder which can generate a proof for records of the given `ty`pe at the given
25 /// After calling this [`get_next_query`] should be called to fetch the initial query.
26 pub fn init_proof_builder(mut name: String, ty: u16) -> Option<WASMProofBuilder> {
27 if !name.ends_with('.') { name.push('.'); }
28 if let Ok(qname) = name.try_into() {
29 let (builder, initial_query) = ProofBuilder::new(&qname, ty);
30 let mut queries = VecDeque::with_capacity(4);
31 queries.push_back(initial_query);
32 Some(WASMProofBuilder(builder, queries))
39 /// Processes a response to a query previously fetched from [`get_next_query`].
41 /// After calling this, [`get_next_query`] should be called until pending queries are exhausted and
42 /// no more pending queries exist, at which point [`get_unverified_proof`] should be called.
43 pub fn process_query_response(proof_builder: &mut WASMProofBuilder, response: Vec<u8>) {
44 if response.len() < u16::MAX as usize {
45 let mut answer = QueryBuf::new_zeroed(response.len() as u16);
46 answer.copy_from_slice(&response);
47 if let Ok(queries) = proof_builder.0.process_response(&answer) {
48 for query in queries {
49 proof_builder.1.push_back(query);
57 /// Gets the next query (if any) that should be sent to the resolver for the given proof builder.
59 /// Once the resolver responds [`process_query_response`] should be called with the response.
60 pub fn get_next_query(proof_builder: &mut WASMProofBuilder) -> Option<Vec<u8>> {
61 if let Some(query) = proof_builder.1.pop_front() {
62 Some(query.into_vec())
69 /// Gets the final, unverified, proof once all queries fetched via [`get_next_query`] have
70 /// completed and their responses passed to [`process_query_response`].
71 pub fn get_unverified_proof(proof_builder: WASMProofBuilder) -> Option<Vec<u8>> {
72 proof_builder.0.finish_proof().ok().map(|(proof, _ttl)| proof)
76 /// Verifies an RFC 9102-formatted proof and returns verified records matching the given name
77 /// (resolving any C/DNAMEs as required).
78 pub fn verify_byte_stream(stream: Vec<u8>, name_to_resolve: String) -> String {
79 let name = match Name::try_from(name_to_resolve) {
81 Err(()) => return "{\"error\":\"Bad name to resolve\"}".to_string(),
83 match do_verify_byte_stream(stream, name) {
85 Err(e) => format!("{{\"error\":\"{:?}\"}}", e),
89 fn do_verify_byte_stream(stream: Vec<u8>, name_to_resolve: Name) -> Result<String, ValidationError> {
90 let rrs = parse_rr_stream(&stream).map_err(|()| ValidationError::Invalid)?;
91 let verified_rrs = verify_rr_stream(&rrs)?;
92 let resolved_rrs = verified_rrs.resolve_name(&name_to_resolve);
93 let mut resp = String::new();
94 write!(&mut resp, "{}",
95 format_args!("{{\"valid_from\": {}, \"expires\": {}, \"max_cache_ttl\": {}, \"verified_rrs\": [",
96 verified_rrs.valid_from, verified_rrs.expires, verified_rrs.max_cache_ttl)
97 ).expect("Write to a String shouldn't fail");
98 for (idx, rr) in resolved_rrs.iter().enumerate() {
99 write!(&mut resp, "{}{}", if idx != 0 { ", " } else { "" }, rr.json())
100 .expect("Write to a String shouldn't fail");