Second stab a DNSSEC validation
- still need: sorting, numOfLabels, wildcard handling
This commit is contained in:
parent
fc2373cd15
commit
0cea39ac49
29
dnssec.go
29
dnssec.go
|
@ -13,6 +13,8 @@ const (
|
|||
year68 = 2 << (32 - 1)
|
||||
)
|
||||
|
||||
type RRset []RR
|
||||
|
||||
// Convert an DNSKEY record to a DS record.
|
||||
func (k *RR_DNSKEY) ToDS(hash int) *RR_DS {
|
||||
ds := new(RR_DS)
|
||||
|
@ -106,21 +108,38 @@ func (k *RR_DNSKEY) KeyTag() uint16 {
|
|||
|
||||
// Validate an rrset with the signature and key. This is the
|
||||
// cryptographic test, the validity period most be check separately.
|
||||
func (s *RR_RRSIG) Secure(rrset []RR, k *RR_DNSKEY) bool {
|
||||
println(len(rrset))
|
||||
func (s *RR_RRSIG) Secure(rrset RRset, k *RR_DNSKEY) bool {
|
||||
// Frist the easy checks
|
||||
if s.KeyTag != k.KeyTag() {
|
||||
println(s.KeyTag)
|
||||
println(k.KeyTag())
|
||||
return false
|
||||
}
|
||||
if s.Hdr.Class != k.Hdr.Class {
|
||||
println("Class")
|
||||
return false
|
||||
}
|
||||
if s.Algorithm != k.Algorithm {
|
||||
println("Class")
|
||||
return false
|
||||
}
|
||||
if s.SignerName != k.Hdr.Name {
|
||||
println(s.SignerName)
|
||||
println(k.Hdr.Name)
|
||||
return false
|
||||
}
|
||||
for _, r := range rrset {
|
||||
if r.Header().Class != s.Hdr.Class {
|
||||
return false
|
||||
}
|
||||
if r.Header().Rrtype != s.TypeCovered {
|
||||
return false
|
||||
}
|
||||
// Number of labels. TODO(mg) add helper functions
|
||||
}
|
||||
// 5.3.2. Reconstructing the Signed Data
|
||||
// signed_data = RRSIG_RDATA | RR(1) | RR(2)...
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
|
@ -145,3 +164,9 @@ func timeToDate(t uint32) string {
|
|||
return ti.Format("20060102030405")
|
||||
}
|
||||
|
||||
// Sort an rrset
|
||||
func (RRset) Sort() []RR {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Nr of labels
|
||||
|
|
|
@ -29,7 +29,7 @@ func TestSecure(t *testing.T) {
|
|||
sig.Sig = "kLq/5oFy3Sh5ZxPGFMCyHq8MtN6E17R1Ln9+bJ2Q76YYAxFE8Xlie33A1GFctH2uhzRzJKuP/JSjUkrvGk2rjBm32z9zXtZsKx/4yV0da2nLRm44NOmX6gsP4Yia8mdqPUajjkyLzAzU2bevtesJm0Z65AcmPdq3tUZODdRAcng="
|
||||
|
||||
key := new(RR_DNSKEY)
|
||||
key.Hdr.Name = "miek.nl"
|
||||
key.Hdr.Name = "miek.nl."
|
||||
key.Hdr.Rrtype = TypeDNSKEY
|
||||
key.Hdr.Class = ClassINET
|
||||
key.Hdr.Ttl = 14400
|
||||
|
@ -38,6 +38,9 @@ func TestSecure(t *testing.T) {
|
|||
key.Algorithm = AlgRSASHA256
|
||||
key.PubKey = "AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5ECIoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXHPy7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz"
|
||||
|
||||
if sig.Secure([]RR{soa}, key) {
|
||||
// It should validate, at least this month dec 2010
|
||||
if ! sig.Secure([]RR{soa}, key) {
|
||||
t.Log("Failure to validate")
|
||||
t.Fail()
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue