author | Justus Winter <justus@sequoia-pgp.org> | 2023-11-22 14:41:07 +0100 |
committer | Justus Winter <justus@sequoia-pgp.org> | 2023-11-22 14:55:38 +0100 |
commit | 0c2acb9be58f87c2455aa59bd926a1da40c74e5f (patch) | |
tree | 84b94f0057b7b472feb3a07c03da8c88b6dd5fa2 | |
parent | 4e997895072f58524300f438423a114d390d3146 (diff) |
net: Fix dane::get to return cert canonicalization errors.
- We may not understand all of the returned certs, and that is
okay. Change the return type to reflect that.
- Also, one resource record may only contain one cert. Adapt
accordingly.
-rw-r--r-- | net/src/dane.rs | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/net/src/dane.rs b/net/src/dane.rs
index ca400724..592407c8 100644
--- a/net/src/dane.rs
+++ b/net/src/dane.rs
@@ -96,11 +96,19 @@ async fn get_raw(email_address: impl AsRef<str>) -> Result<Vec<Vec<u8>>> {
 /// # Ok(())
 /// # }
 /// ```
-pub async fn get(email_address: impl AsRef<str>) -> Result<Vec<Cert>> {
+pub async fn get(email_address: impl AsRef<str>) -> Result<Vec<Result<Cert>>> {
 let mut certs = vec![];
 for bytes in get_raw(email_address).await?.iter() {
- certs.extend(CertParser::from_bytes(bytes)?.flatten());
+ // Section 2 of RFC7929 says that a record may only contain a
+ // single cert, but there may be more than one record:
+ //
+ // A user that wishes to specify more than one OpenPGP key,
+ // for example, because they are transitioning to a newer
+ // stronger key, can do so by adding multiple OPENPGPKEY
+ // records. A single OPENPGPKEY DNS record MUST only
+ // contain one OpenPGP key.
+ certs.push(Cert::from_bytes(bytes));
 }
 Ok(certs) |