Add CERT resource record support (#203)

CERT resource record support (rfc4398)

Author: JoeShook

src/DnsClient/DnsRecordFactory.cs

@@ -135,6 +135,10 @@ public DnsResourceRecord GetRecord(ResourceRecordInfo info)
                     result = ResolveNaptrRecord(info);
                     break;
 
+                case ResourceRecordType.CERT: // 37
+                    result = ResolveCertRecord(info);
+                    break;
+
                 case ResourceRecordType.OPT: // 41
                     result = ResolveOptRecord(info);
                     break;
@@ -265,6 +269,17 @@ private DnsResourceRecord ResolveNaptrRecord(ResourceRecordInfo info)
             return new NAPtrRecord(info, order, preference, flags, services, regexp, replacement);
         }
 
+        private DnsResourceRecord ResolveCertRecord(ResourceRecordInfo info)
+        {
+            var startIndex = _reader.Index;
+            var certType = _reader.ReadUInt16NetworkOrder();
+            var keyTag = _reader.ReadUInt16NetworkOrder();
+            var algorithm = _reader.ReadByte();
+            var publicKey = _reader.ReadBytesToEnd(startIndex, info.RawDataLength).ToArray();
+
+            return new CertRecord(info, certType, keyTag, algorithm, publicKey);
+        }
+
         private DnsResourceRecord ResolveOptRecord(ResourceRecordInfo info)
         {
             // Consume bytes in case the OPT record has any.

src/DnsClient/Protocol/CertRecord.cs

@@ -0,0 +1,84 @@
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace DnsClient.Protocol;
+
+
+/// <summary>A representation of CERT RDATA format.
+/// <remarks>
+/// RFC 4398.
+///
+/// Record format:
+/// <code>
+///                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+/// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+/// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+/// |             type              |             key tag           |
+/// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+/// |   algorithm   |                                               /
+/// +---------------+            certificate or CRL                 /
+/// /                                                               /
+/// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+/// </code>
+/// </remarks>
+/// <see cref="https://datatracker.ietf.org/doc/html/rfc4398#section-2"/>
+/// </summary>
+public class CertRecord : DnsResourceRecord
+{
+    /// <summary>
+    /// Gets the <see cref="CertType"/> referred to by this record
+    /// </summary>
+    /// <value>The CERT RR type of this certificate</value>
+    public CertificateType CertType { get; }
+
+    /// <summary>
+    /// Gets the key tag value of the <see cref="DnsKeyRecord"/> referred to by this record.
+    /// </summary>
+    /// <seealso href="https://tools.ietf.org/html/rfc4034#appendix-B">Key Tag Calculation</seealso>
+    public int KeyTag { get; }
+
+    /// <summary>
+    /// Gets certificate algorithm (see RFC 4034, Appendix 1)
+    /// </summary>
+    public DnsSecurityAlgorithm Algorithm { get; }
+
+    /// <summary>
+    /// Gets the raw certificate RDATA.
+    /// </summary>
+    /// <summary>
+    /// Gets the public key material.
+    /// The format depends on the <see cref="Algorithm"/> of the key being stored.
+    /// </summary>
+    public IReadOnlyList<byte> PublicKey { get; }
+
+    /// <summary>
+    /// Gets the base64 string representation of the <see cref="PublicKey"/>.
+    /// </summary>
+    public string PublicKeyAsString { get; }
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="DnsKeyRecord"/> class
+    /// </summary>
+    /// <param name="info"></param>
+    /// <param name="flags"></param>
+    /// <param name="protocol"></param>
+    /// <param name="algorithm"></param>
+    /// <param name="publicKey"></param>
+    /// <exception cref="ArgumentNullException">If <paramref name="info"/> or <paramref name="publicKey"/> is null.</exception>
+    public CertRecord(ResourceRecordInfo info, int certType, int keyTag, byte algorithm, byte[] publicKey)
+        : base(info)
+    {
+        CertType = (CertificateType)certType;
+        KeyTag = keyTag;
+        Algorithm = (DnsSecurityAlgorithm)algorithm;
+        PublicKey = publicKey ?? throw new ArgumentNullException(nameof(publicKey));
+        PublicKeyAsString = Convert.ToBase64String(publicKey);
+    }
+
+    
+    private protected override string RecordToString()
+    {
+        return string.Format("{0} {1} {2} {3}", CertType, KeyTag, Algorithm, PublicKeyAsString);
+    }
+}

src/DnsClient/Protocol/CertificateType.cs

@@ -0,0 +1,55 @@
+namespace DnsClient.Protocol;
+
+/// <summary>
+/// Certificate type values
+/// </summary>
+/// <remarks>
+///  <seealso href="https://tools.ietf.org/html/rfc4398#section-2.1">RFC 4398 section 2.1</seealso>
+/// </remarks>
+public enum CertificateType
+{
+    /// <summary>
+    /// Reserved certificate type.
+    /// </summary>
+    Reserved = 0,
+    /// <summary>
+    /// X.509 as per PKIX
+    /// </summary>
+    PKIX = 1,
+    /// <summary>
+    /// SPKI certificate
+    /// </summary>
+    SPKI,
+    /// <summary>
+    /// OpenPGP packet
+    /// </summary>
+    PGP,
+    /// <summary>
+    /// URL to an X.509 data object 
+    /// </summary>
+    IPKIX,
+    /// <summary>
+    ///  Url of an SPKI certificate
+    /// </summary>
+    ISPKI,
+    /// <summary>
+    /// fingerprint + URL of an OpenPGP packet
+    /// </summary>
+    IPGP,
+    /// <summary>
+    /// Attribute Certificate
+    /// </summary>
+    ACPKIX,
+    /// <summary>
+    /// The URL of an Attribute Certificate
+    /// </summary>
+    IACPKIK,
+    /// <summary>
+    /// URI private
+    /// </summary>
+    URI = 253,
+    /// <summary>
+    /// OID private
+    /// </summary>
+    OID = 254
+}

src/DnsClient/Protocol/ResourceRecordType.cs

@@ -168,6 +168,16 @@ public enum ResourceRecordType
         /// <seealso cref="NAPtrRecord"/>
         NAPTR = 35,
 
+        /// <summary>
+        /// Cryptographic public keys are frequently published, and their
+        /// authenticity is demonstrated by certificates.  A CERT resource record
+        /// (RR) is defined so that such certificates and related certificate
+        /// revocation lists can be stored in the Domain Name System (DNS).
+        /// </summary>
+        /// <seealso href="https://tools.ietf.org/html/rfc4398">RFC 4398</seealso>
+        /// <seealso cref="CertRecord"/>
+        CERT = 37,
+
         /// <summary>
         /// Option record.
         /// </summary>

src/DnsClient/QueryType.cs

@@ -165,6 +165,16 @@ public enum QueryType
         /// <seealso cref="NAPtrRecord"/>
         NAPTR = ResourceRecordType.NAPTR,
 
+        /// <summary>
+        /// Cryptographic public keys are frequently published, and their
+        /// authenticity is demonstrated by certificates.  A CERT resource record
+        /// (RR) is defined so that such certificates and related certificate
+        /// revocation lists can be stored in the Domain Name System (DNS).
+        /// </summary>
+        /// <seealso href="https://tools.ietf.org/html/rfc4398">RFC 4398</seealso>
+        /// <seealso cref="CertRecord"/>
+        CERT = ResourceRecordType.CERT,
+
         /// <summary>
         /// DS rfc4034
         /// </summary>

src/DnsClient/ResourceRecordCollectionExtensions.cs

@@ -205,6 +205,17 @@ public static IEnumerable<NAPtrRecord> NAPtrRecords(this IEnumerable<DnsResource
             return records.OfType<NAPtrRecord>();
         }
 
+        /// <summary>
+        /// Filters the elements of an <see cref="IEnumerable{T}"/> to return <see cref="CertRecord"/>s only.
+        /// </summary>
+        /// <param name="records">The records.</param>
+        /// <returns>The list of <see cref="CertRecord"/>.</returns>
+        public static IEnumerable<CertRecord> CertRecords(this IEnumerable<DnsResourceRecord> records)
+        {
+            return records.OfType<CertRecord>();
+        }
+
+
         /// <summary>
         /// Filters the elements of an <see cref="IEnumerable{T}"/> to return <see cref="UriRecord"/>s only.
         /// </summary>

test/DnsClient.Tests/DnsRecordFactoryTest.cs

@@ -2,10 +2,13 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Net;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using DnsClient.Internal;
 using DnsClient.Protocol;
 using Xunit;
+using Xunit.Abstractions;
 
 namespace DnsClient.Tests
 {
@@ -301,6 +304,66 @@ public void DnsRecordFactory_NAPTRRecord()
             Assert.Equal("", result.RegularExpression);
         }
 
+        [Fact]
+        public void DnsRecordFactory_CertRecord()
+        {
+            var expectedPublicKey = @"-----BEGIN CERTIFICATE-----
+MIIEMzCCAxugAwIBAgIBAzANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBtkY2R0
+MzEuaGVhbHRoaXQuZ292X2NhX3Jvb3QwHhcNMjIwMjA0MTUzNzUxWhcNMzIwMjA1
+MDE0OTUxWjBBMS0wKwYJKoZIhvcNAQkBFh5kMUBkb21haW4xLmRjZHQzMS5oZWFs
+dGhpdC5nb3YxEDAOBgNVBAMMB0QxX3ZhbEEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDHPWJogAq6zCU1zU6ar4GAvRb6bjCTSzm19E98E3dCCG8ZSgWH
+yZh3w6M/btu7qMDStrpzMGD1H5TiqS/mEFNNcJP2r8C6T8RKV2xEqhsJlwOoguzJ
+4MyePoVYG84/gm5v03BCp91uoz4O1WFrppu439njipv8wUwsvf6ukidhAgP9mEoN
+w1sCB1U9zOtpPmbRczMrYyDBWqFaxiaDD9xYaYqal7Ph7adKohBDZA1P7H/Jkxdf
+uCwULVDn+bcHD3eW9NToeZ7gc0CV75kVnI/7WbJ6mfx72zOIzEm1AFed36yuEpal
+VjCzhJO4ZmmfJxfXr36UICKHQIM/xwSEXqJtAgMBAAGjggFPMIIBSzAfBgNVHSME
+GDAWgBSIM9vz74ArTwMFMk3q5ShNOYQhMjApBgNVHQ4EIgQg1WLu98WJoAtR1X7K
+ZiHWfIcONgrBBtzuLgNWkQklJugwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAw
+KQYDVR0RBCIwIIEeZDFAZG9tYWluMS5kY2R0MzEuaGVhbHRoaXQuZ292MFUGA1Ud
+HwROMEwwSqBIoEaGRGh0dHA6Ly9wa2kuZGNkdDMxLmhlYWx0aGl0LmdvdjoxMDA4
+MC9kY2R0MzEuaGVhbHRoaXQuZ292X2NhX3Jvb3QuY3JsMGAGCCsGAQUFBwEBBFQw
+UjBQBggrBgEFBQcwAoZEaHR0cDovL3BraS5kY2R0MzEuaGVhbHRoaXQuZ292OjEw
+MDgwL2RjZHQzMS5oZWFsdGhpdC5nb3ZfY2Ffcm9vdC5jZXIwDQYJKoZIhvcNAQEL
+BQADggEBAGqMC2kEA6acNgmUueCbPuLj7uePRGaRk6x0rSEY6mTGoBXci+s9EXbx
+a7d/glNFNgQC9KP35esriqSfUn2bsDmtlTs+A79+ldMRH5SWvEmI5f7s9SitLIYR
+uRBLE693R7/1DjyUrEFxpdL16O8Y2kIKO9S8lrscNBOg7hW0RKYb4VBnlsNw3jk2
+rXyGcFZ63D8VsdgUJTh2BKhpiY37gd/+ILUcylpmC5Uf3yWM2wYRMS6IVACllv+U
+PoPWSE2fsrMpfCtDFeUL71gn8g6TYIctVHTn4OeuhHQ6Yt21rgQnlpDFVt0p9sGl
+H+L10KwE7wqqmkxwfib5kwgNyrlXtx0=
+-----END CERTIFICATE-----";
+
+            var expectedBytes = Encoding.UTF8.GetBytes(expectedPublicKey);
+            var name = DnsString.Parse("example.com");
+            using var memory = new PooledBytes(expectedBytes.Length);
+
+            var writer = new DnsDatagramWriter(new ArraySegment<byte>(memory.Buffer));
+            writer.WriteInt16NetworkOrder((short)CertificateType.PKIX); // 2 bytes
+            writer.WriteInt16NetworkOrder((short)27891); // 2 bytes
+            writer.WriteByte((byte)DnsSecurityAlgorithm.RSASHA256);  // 1 byte
+            writer.WriteBytes(expectedBytes, expectedBytes.Length);
+
+            var factory = GetFactory(writer.Data);
+
+            var info = new ResourceRecordInfo(name, ResourceRecordType.CERT, QueryClass.IN, 0, writer.Data.Count);
+
+            var result = factory.GetRecord(info) as CertRecord;
+            Assert.NotNull(result);
+            Assert.Equal(27891, result.KeyTag);
+            Assert.Equal(CertificateType.PKIX, result.CertType);
+            Assert.Equal(DnsSecurityAlgorithm.RSASHA256, result.Algorithm);
+            Assert.Equal(expectedBytes, result.PublicKey);
+
+            var cert = new X509Certificate2(Convert.FromBase64String(result.PublicKeyAsString));
+            Assert.Equal("sha256RSA", cert.SignatureAlgorithm.FriendlyName);
+            Assert.Equal("CN=D1_valA, [email protected]", cert.Subject);
+
+            var x509Extension = cert.Extensions["2.5.29.17"];
+            Assert.NotNull(x509Extension);
+            var asnData = new AsnEncodedData(x509Extension.Oid, x509Extension.RawData);
+            Assert.Equal("RFC822 [email protected]", asnData.Format(false));
+        }
+
         [Fact]
         public void DnsRecordFactory_TXTRecordEmpty()
         {

test/DnsClient.Tests/DnsResponseParsingTest.cs

@@ -45,7 +45,8 @@ public void DnsRecordFactory_McnetValidateSupport()
                 ResourceRecordType.NSEC3PARAM,
                 ResourceRecordType.SPF,
                 ResourceRecordType.DNSKEY,
-                ResourceRecordType.DS
+                ResourceRecordType.DS,
+                ResourceRecordType.CERT
             };
 
             foreach (var t in types)

test/DnsClient.Tests/LookupTest.cs

@@ -1,6 +1,8 @@
 using System;
 using System.Linq;
 using System.Net;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
 using DnsClient.Protocol;
@@ -816,6 +818,29 @@ public async Task Lookup_Query_NaPtr()
             Assert.NotNull(host.HostName);
         }
 
+        [Fact]
+        public async Task Lookup_Query_CERT()
+        {
+            var client = new LookupClient(NameServer.Cloudflare);
+            var result = await client.QueryAsync("d1.domain1.dcdt31.healthit.gov", QueryType.CERT).ConfigureAwait(false);
+
+            Assert.NotEmpty(result.Answers.CertRecords());
+            var certRecord = result.Answers.CertRecords().First();
+            Assert.NotNull(certRecord);
+            Assert.Equal("d1.domain1.dcdt31.healthit.gov.", certRecord.DomainName);
+            Assert.Equal(CertificateType.PKIX, certRecord.CertType);
+
+            var cert = new X509Certificate2(Convert.FromBase64String(certRecord.PublicKeyAsString));
+            Assert.Equal("sha256RSA", cert.SignatureAlgorithm.FriendlyName);
+            Assert.Equal("CN=D1_valA, [email protected]", cert.Subject);
+
+            var x509Extension = cert.Extensions["2.5.29.17"];
+            Assert.NotNull(x509Extension);
+            var asnData = new AsnEncodedData(x509Extension.Oid, x509Extension.RawData);
+            Assert.Equal("RFC822 [email protected]", asnData.Format(false));
+            
+        }
+
         [Fact]
         public async Task GetHostEntry_ExampleSub()
         {