From 7667f1b9e3c15b4c1181f0986dbf9385fa253f35 Mon Sep 17 00:00:00 2001 From: Matt Corallo Date: Sun, 14 Apr 2024 16:41:54 +0000 Subject: [PATCH] Filter using `VerifiedRRStream::resolve_name` in wasm When resolving a name in WASM we should let `resolve_name` handle C/DNAMEs, which we do here. --- wasmpack/doh_lookup.js | 2 +- wasmpack/src/lib.rs | 17 ++++++++++++----- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/wasmpack/doh_lookup.js b/wasmpack/doh_lookup.js index 17c5bbf..fec246c 100644 --- a/wasmpack/doh_lookup.js +++ b/wasmpack/doh_lookup.js @@ -46,7 +46,7 @@ export async function lookup_doh(domain, ty, doh_endpoint) { } else if (queries_pending == 0) { var proof = wasm.get_unverified_proof(builder); if (proof != null) { - var result = wasm.verify_byte_stream(proof); + var result = wasm.verify_byte_stream(proof, domain); return JSON.stringify(JSON.parse(result), null, 1); } else { return "{\"error\":\"Failed to build proof\"}"; diff --git a/wasmpack/src/lib.rs b/wasmpack/src/lib.rs index 57fe0a0..75ca16c 100644 --- a/wasmpack/src/lib.rs +++ b/wasmpack/src/lib.rs @@ -2,6 +2,7 @@ use dnssec_prover::ser::parse_rr_stream; use dnssec_prover::validation::{verify_rr_stream, ValidationError}; +use dnssec_prover::rr::Name; use dnssec_prover::query::{ProofBuilder, QueryBuf}; use wasm_bindgen::prelude::wasm_bindgen; @@ -72,23 +73,29 @@ pub fn get_unverified_proof(proof_builder: WASMProofBuilder) -> Option> } #[wasm_bindgen] -/// Verifies an RFC 9102-formatted proof and returns the [`VerifiedRRStream`] in JSON form. -pub fn verify_byte_stream(stream: Vec) -> String { - match do_verify_byte_stream(stream) { +/// Verifies an RFC 9102-formatted proof and returns verified records matching the given name +/// (resolving any C/DNAMEs as required). +pub fn verify_byte_stream(stream: Vec, name_to_resolve: String) -> String { + let name = match Name::try_from(name_to_resolve) { + Ok(name) => name, + Err(()) => return "{\"error\":\"Bad name to resolve\"}".to_string(), + }; + match do_verify_byte_stream(stream, name) { Ok(r) => r, Err(e) => format!("{{\"error\":\"{:?}\"}}", e), } } -fn do_verify_byte_stream(stream: Vec) -> Result { +fn do_verify_byte_stream(stream: Vec, name_to_resolve: Name) -> Result { let rrs = parse_rr_stream(&stream).map_err(|()| ValidationError::Invalid)?; let verified_rrs = verify_rr_stream(&rrs)?; + let resolved_rrs = verified_rrs.resolve_name(&name_to_resolve); let mut resp = String::new(); write!(&mut resp, "{}", format_args!("{{\"valid_from\": {}, \"expires\": {}, \"max_cache_ttl\": {}, \"verified_rrs\": [", verified_rrs.valid_from, verified_rrs.expires, verified_rrs.max_cache_ttl) ).expect("Write to a String shouldn't fail"); - for (idx, rr) in verified_rrs.verified_rrs.iter().enumerate() { + for (idx, rr) in resolved_rrs.iter().enumerate() { write!(&mut resp, "{}{}", if idx != 0 { ", " } else { "" }, rr.json()) .expect("Write to a String shouldn't fail"); } -- 2.39.5