Handshake Query is a cross-platform library to trustlessly resolve and verify Handshake names using a p2p light client

Handshake Query

⚠️ Usage of this library is not currently recommended in your application as the API will likely change.

Handshake Query is a cross-platform library to trustlessly resolve and verify Handshake names using an SPV node. Supports DNSSEC & DNS-Based Authentication of Named Entities (DANE). It wraps libhsk with a thread-safe API. It's currently being used by Impervious browser.

Supported Platforms

iOS, Android, macOS, Windows and Linux

Usage

Launching an SPV node

This example shows how to launch an SPV node, wait for it to sync and store block headers in a temp directory.

package main

import (
	hns "github.com/imperviousinc/hnsquery"
)

config := &hns.Config {
    // Used for storing cache data such as block headers 
    DataDir: os.TempDir(),
}


client, err := hns.NewClient(config)
if err != nil { ... }
defer client.Destroy()

ready := make(chan error)
client.Start(ready)

<-ready // blocks until SPV node is synced

// Get proofofconcept zone
zone, err := client.GetZone("proofofconcept")
for _, rr := range zone {
   fmt.Println(rr)
}

// Read info
fmt.Println("Height: ", client.Height())
fmt.Println("Sync progress: ", client.Progress())
fmt.Println("Peers: ", client.PeerCount())
fmt.Println("Active Peers:", client.ActivePeerCount())

Resolving names

// create a Proof of work trust anchor using the client
powTA := func(ctx context.Context, cut string) (*dnssec.Zone, bool, error) {
	// Follow example in mobile package
}

// initialize a resolver in forwarding mode with DoH
resolver, err := hns.NewResolver(&ResolverConfig{
        TrustAnchorFunc: powTA,
	Forward: "https://hs.dnssec.dev/dns-query"
})

// Securely resolve names with trustless DNSSEC validation
resolver.Query("_443._tcp.proofofconcept.", dns.TypeTLSA)

Verifying certificates

You can create custom cert verifiers but in most cases you may want to use the default:

cv := hns.NewDNSCertVerifier(resolver)
cv.Verify(ctx, &CertVerifyInfo{
    Host: "proofofconcept",
    Port: "443",
    Protocol: "tcp",
    RawCerts: certs
})

DNSSEC validation

Handshake Query provides a modern Handshake native DNSSEC validation package that doesn't rely on a root KSK. Although this is optional as it can be integrated with other libraries such as libunbound to support a recursive mode (TODO)

RFC8624 still considers weak crypto such as 256-bit RSA key size to be secure. The web has moved on. hnsq will downgrade algorithms it considers weak and they cannot be used for DANE. The following table shows which algorithms are accepted:

+--------+--------------------+----------------------------------+
| Number | Mnemonics          | Supported for DANE               |
+--------+--------------------+ ---------------------------------+
| 1      | RSAMD5             | NO                               |
| 3      | DSA                | NO                               |
| 5      | RSASHA1            | NO                               |
| 6      | DSA-NSEC3-SHA1     | NO                               |
| 7      | RSASHA1-NSEC3-SHA1 | NO                               |
| 8      | RSASHA256          | YES - Min key size 2048 bit      |
| 10     | RSASHA512          | YES - Min key size 2048 bit      |
| 12     | ECC-GOST           | NO                               |
| 13     | ECDSAP256SHA256    | YES                              |
| 14     | ECDSAP384SHA384    | YES                              |
| 15     | ED25519            | YES                              |
| 16     | ED448              | TODO                             |
+--------+--------------------+----------------------------------+

PoWDoH

PoWDoH requests the DNSSEC chain from a DoH server and verifies it by fetching the DS record from an SPV node which verifies Proof of Work.

DNS records & DNSSEC signatures can be transmitted over any channel. DoH transmits the signatures over HTTPS. The advantage is better censorship resistance compared to using port 53 since queries hide with other HTTPS traffic. Plain DNS traffic is unreliable due to middlebox inteference and they are easy to block by ISPs.

Using a forwarding resolver is faster than doing recursion since it benefits from a global cache. Currently, hnsq queries DNS records over DoH and re-uses tcp connections to reduce latency but performance can be improved with CHAIN queries (RFC7901).

PoWDoH may improve security if the DoH server uses cert pinning & also performs DNSSEC validation because an attacker needs to compromise the DoH server (which likely uses a full node) in addition to the SPV node.

TLS DNSSEC Chain Extension (RFC9102)

The DNSSEC chain extension is an experimental TLS extension that embeds the DNSSEC chain which obviates the need to perform separate, out-of-band DNS lookups. The complete chain can be validated directly with an SPV node. No need for an external forwarding or recursive resolver.

Not currently supported by either clients or servers.

TODO.

Build

Note: these instructions are not yet complete but you should be able to build it if you're familar with cgo.

iOS

$ git clone https://github.com/buffrr/hnsd && cd hnsd
$ git checkout ios
$ ./build-ios.sh
$ gomobile bind -target ios/arm64 -o MobileHNS.xcframework github.com/imperviousinc/hnsquery/mobile

Android

You can build it with gomobile. You also need NDK to compile libhsk.

TODO

MacOS, Linux and Windows

build libhsk & hnsq

$ ./configure --without-daemon --prefix /path/to/build/dir
$ make -j 10
$ make install
$ go build
Owner
Impervious Inc
Cypherpunk development for Bitcoin and Handshake
Impervious Inc
Similar Resources

Send and receive files securely through Tor.

Send and receive files securely through Tor.

onionbox A basic implementation of OnionShare in Go. Mostly built as a fun project, onionbox is still a WIP so usage is not guaranteed secure, yet. Ke

Nov 22, 2022

proxyd proxies data between TCP, TLS, and unix sockets

proxyd proxyd proxies data between TCP, TLS, and unix sockets TLS termination: Connecting to a remote application's unix socket: +---------+

Nov 9, 2022

transfer.sh - Easy and fast file sharing from the command-line.

Easy and fast file sharing from the command-line. This code contains the server with everything you need to create your own instance.

Jan 2, 2023

Easy and fast file sharing from the command-line.

Easy and fast file sharing from the command-line. This code contains the server with everything you need to create your own instance.

Jan 2, 2023

Distributed File Store Application Consist of API Server to handle file operations and command line tool to do operations

Filestore Distributed File Store Application Consist of API Server to handle file operations and command line tool to do operations (store named binar

Nov 7, 2021

aqua is a simple file uploading and sharing server for personal use.

aqua is a simple file uploading and sharing server for personal use.

aqua is a simple file uploading and sharing server for personal use. It is built to be easy to set up and host on your own server, for example to use it in combination with uploading tools like ShareX.

Jul 7, 2022

Transfer - A simple go application for uploading, downloading and checksumming of files

Transfer This project holds a simple go application for uploading, downloading a

Aug 18, 2022

Simple temporary file upload and transfer web application coding with Go language.

Temp File Transfer Web Application Simple temporary file upload and transfer web application coding with Go language. Explore the Golang » Live Demo T

Dec 2, 2022

🖥 Securely transfer and send anything between computers with TUI.

🖥 Securely transfer and send anything between computers with TUI.

🖥️ Securely transfer and send anything between computers with TUI. Installation ways

Dec 21, 2022
Peerster refers to a gossip-based P2P system composed of multiple peers interacting with each other

Peerster design Peerster refers to a gossip-based P2P system composed of multiple peers interacting with each other. A peer refers to an autonomous en

Jan 22, 2022
oDrop, a fast efficient cross-platform file transfer software for server and home environments

oDrop is a cross-platform LAN file transfer software to efficiently transfer files between computers, oDrop is useful in environments where GUI is not available.

Jun 4, 2022
Wormhole-gui is a cross-platform application that lets you easily share files, folders and text between devices.
Wormhole-gui is a cross-platform application that lets you easily share files, folders and text between devices.

Cross-platform application for easy encrypted sharing of files, folders, and text between devices.

Dec 30, 2022
🌧 BitTorrent client and library in Go
🌧 BitTorrent client and library in Go

rain BitTorrent client and library in Go. Running in production at put.io. Features Core protocol Fast extension Magnet links Multiple trackers UDP tr

Jan 5, 2023
garlicshare is an open source tool that lets you securely and anonymously share files on a hosted onion service using the Tor network.
garlicshare is an open source tool that lets you securely and anonymously share files on a hosted onion service using the Tor network.

garlicshare is an open source tool that lets you securely and anonymously share files on a hosted onion service using the Tor network.

Dec 22, 2022
A(nother) Bittorrent client written in the go programming language

Taipei Torrent This is a simple command-line-interface BitTorrent client coded in the go programming language. Features: Supports multiple torrent fil

Dec 19, 2022
BitTorrent client in Go

wgo - Simple BitTorrent client in Go Roger Pau Monné (2010 - 2011) Introduction This project is based on the previous work of jackpal, Taipei-Torrent:

Jan 2, 2020
An experimental project to build a framework for naming and sharing files and other data securely
An experimental project to build a framework for naming and sharing files and other data securely

Upspin Documentation: upspin.io About the project Upspin is an experimental project to build a framework for naming and sharing files and other data s

Oct 20, 2021
JuiceFS is a distributed POSIX file system built on top of Redis and S3.
JuiceFS is a distributed POSIX file system built on top of Redis and S3.

JuiceFS is an open-source POSIX file system built on top of Redis and object storage

Jan 5, 2023
A web based drag and drop file transfer tool for sending files across the internet.

DnD A file transfer tool. Demo Usage Get go get github.com/0xcaff/dnd or download the latest release (you don't need go to run it) Run dnd Now navig

Dec 16, 2022