validate: ensure scan canonicalizes SecAlg and validation as well (#127)

The SecAlg variant must be canonicalized to be used in a match, otherwise it's not going match the same algorithm numbers correctly using PartialEq.
NLnetLabs · Apr 25, 2022 · 7a8c591 · 7a8c591
1 parent 9d93707
commit 7a8c591
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 6 deletions.
diff --git a/src/base/iana/macros.rs b/src/base/iana/macros.rs
@@ -360,9 +360,11 @@ macro_rules! int_enum_str_with_decimal {
                 scanner: &mut $crate::master::scan::Scanner<C>,
             ) -> Result<Self, $crate::master::scan::ScanError> {
                 scanner.scan_string_word(|word| {
-                    core::str::FromStr::from_str(&word).map_err(|_| {
-                        $crate::master::scan::SyntaxError::UnknownMnemonic
-                    })
+                    core::str::FromStr::from_str(&word)
+                        .map_err(|_| {
+                            $crate::master::scan::SyntaxError::UnknownMnemonic
+                        })
+                        .map($ianatype::from_int)
                 })
             }
         }

diff --git a/src/validate.rs b/src/validate.rs
@@ -209,12 +209,19 @@ impl<Octets: AsRef<[u8]>, Name: Compose> RrsigExt for Rrsig<Octets, Name> {
         let signature = self.signature().as_ref();
         let signed_data = signed_data.as_ref();
 
-        match self.algorithm() {
+        // Caller needs to ensure that the signature matches the key, but enforce the algorithm match
+        if self.algorithm() != dnskey.algorithm() {
+            return Err(AlgorithmError::InvalidData);
+        }
+
+        // Note: Canonicalize the algorithm, otherwise matching named variants against Int(_) is not going to work
+        let sec_alg = SecAlg::from_int(self.algorithm().to_int());
+        match sec_alg {
             SecAlg::RsaSha1
             | SecAlg::RsaSha1Nsec3Sha1
             | SecAlg::RsaSha256
             | SecAlg::RsaSha512 => {
-                let (algorithm, min_bytes) = match self.algorithm() {
+                let (algorithm, min_bytes) = match sec_alg {
                     SecAlg::RsaSha1 | SecAlg::RsaSha1Nsec3Sha1 => (
                         &signature::RSA_PKCS1_1024_8192_SHA1_FOR_LEGACY_USE_ONLY,
                         1024 / 8,
@@ -240,7 +247,7 @@ impl<Octets: AsRef<[u8]>, Name: Compose> RrsigExt for Rrsig<Octets, Name> {
                     .map_err(|_| AlgorithmError::BadSig)
             }
             SecAlg::EcdsaP256Sha256 | SecAlg::EcdsaP384Sha384 => {
-                let algorithm = match self.algorithm() {
+                let algorithm = match sec_alg {
                     SecAlg::EcdsaP256Sha256 => {
                         &signature::ECDSA_P256_SHA256_FIXED
                     }