authorJustus Winter <justus@sequoia-pgp.org>2023-11-22 14:41:07 +0100
committerJustus Winter <justus@sequoia-pgp.org>2023-11-22 14:55:38 +0100
commit0c2acb9be58f87c2455aa59bd926a1da40c74e5f (patch)
tree84b94f0057b7b472feb3a07c03da8c88b6dd5fa2
parent4e997895072f58524300f438423a114d390d3146 (diff)
net: Fix dane::get to return cert canonicalization errors.
- We may not be able to parse all of the returned certs, and that is okay. Change the return type to reflect that, so callers see a per-record result instead of losing every cert when one fails.
- Also, a single resource record may only contain one cert. Adapt accordingly.
-rw-r--r--net/src/dane.rs12
1 files changed, 10 insertions, 2 deletions
diff --git a/net/src/dane.rs b/net/src/dane.rs
index ca400724..592407c8 100644
--- a/net/src/dane.rs
+++ b/net/src/dane.rs
@@ -96,11 +96,19 @@ async fn get_raw(email_address: impl AsRef<str>) -> Result<Vec<Vec<u8>>> {
/// # Ok(())
/// # }
/// ```
-pub async fn get(email_address: impl AsRef<str>) -> Result<Vec<Cert>> {
+pub async fn get(email_address: impl AsRef<str>) -> Result<Vec<Result<Cert>>> {
let mut certs = vec![];
for bytes in get_raw(email_address).await?.iter() {
- certs.extend(CertParser::from_bytes(bytes)?.flatten());
+ // Section 2 of RFC7929 says that a record may only contain a
+ // single cert, but there may be more than one record:
+ //
+ // A user that wishes to specify more than one OpenPGP key,
+ // for example, because they are transitioning to a newer
+ // stronger key, can do so by adding multiple OPENPGPKEY
+ // records. A single OPENPGPKEY DNS record MUST only
+ // contain one OpenPGP key.
+ certs.push(Cert::from_bytes(bytes));
}
Ok(certs)