1) Refactoring of tlsa.go - moved routine to create the certificate rdata to its own go module as this is shared between TLSA and SMIMEA records 2) Added support for creating an SMIMEA domain name 3) Developed in accordance with draft-ietf-dane-smime-12 RFC Miek, Submitting for your review. Happy to make any recommended changes or address omissions. Lightly tested against our internal DNS service which hosts DANE SMIMEA records for our email certificates. Parse tests are added.
This commit is contained in:
parent
dfae8d8799
commit
46df8c9462
|
@ -0,0 +1,44 @@
|
|||
package dns
|
||||
|
||||
import (
|
||||
"crypto/sha256"
|
||||
"crypto/sha512"
|
||||
"crypto/x509"
|
||||
"encoding/hex"
|
||||
"errors"
|
||||
"io"
|
||||
)
|
||||
|
||||
// CertificateToDANE converts a certificate to a hex string as used in the TLSA or SMIMEA records.
|
||||
func CertificateToDANE(selector, matchingType uint8, cert *x509.Certificate) (string, error) {
|
||||
switch matchingType {
|
||||
case 0:
|
||||
switch selector {
|
||||
case 0:
|
||||
return hex.EncodeToString(cert.Raw), nil
|
||||
case 1:
|
||||
return hex.EncodeToString(cert.RawSubjectPublicKeyInfo), nil
|
||||
}
|
||||
case 1:
|
||||
h := sha256.New()
|
||||
switch selector {
|
||||
case 0:
|
||||
io.WriteString(h, string(cert.Raw))
|
||||
return hex.EncodeToString(h.Sum(nil)), nil
|
||||
case 1:
|
||||
io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
|
||||
return hex.EncodeToString(h.Sum(nil)), nil
|
||||
}
|
||||
case 2:
|
||||
h := sha512.New()
|
||||
switch selector {
|
||||
case 0:
|
||||
io.WriteString(h, string(cert.Raw))
|
||||
return hex.EncodeToString(h.Sum(nil)), nil
|
||||
case 1:
|
||||
io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
|
||||
return hex.EncodeToString(h.Sum(nil)), nil
|
||||
}
|
||||
}
|
||||
return "", errors.New("dns: bad MatchingType or Selector")
|
||||
}
|
|
@ -1375,6 +1375,27 @@ func TestParseTLSA(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestParseSMIMEA(t *testing.T) {
|
||||
lt := map[string]string{
|
||||
"2e85e1db3e62be6ea._smimecert.example.com.\t3600\tIN\tSMIMEA\t1 1 2 bd80f334566928fc18f58df7e4928c1886f48f71ca3fd41cd9b1854aca7c2180aaacad2819612ed68e7bd3701cc39be7f2529b017c0bc6a53e8fb3f0c7d48070": "2e85e1db3e62be6ea._smimecert.example.com.\t3600\tIN\tSMIMEA\t1 1 2 bd80f334566928fc18f58df7e4928c1886f48f71ca3fd41cd9b1854aca7c2180aaacad2819612ed68e7bd3701cc39be7f2529b017c0bc6a53e8fb3f0c7d48070",
|
||||
"2e85e1db3e62be6ea._smimecert.example.com.\t3600\tIN\tSMIMEA\t0 0 1 cdcf0fc66b182928c5217ddd42c826983f5a4b94160ee6c1c9be62d38199f710": "2e85e1db3e62be6ea._smimecert.example.com.\t3600\tIN\tSMIMEA\t0 0 1 cdcf0fc66b182928c5217ddd42c826983f5a4b94160ee6c1c9be62d38199f710",
|
||||
"2e85e1db3e62be6ea._smimecert.example.com.\t3600\tIN\tSMIMEA\t3 0 2 499a1eda2af8828b552cdb9d80c3744a25872fddd73f3898d8e4afa3549595d2dd4340126e759566fe8c26b251fa0c887ba4869f011a65f7e79967c2eb729f5b": "2e85e1db3e62be6ea._smimecert.example.com.\t3600\tIN\tSMIMEA\t3 0 2 499a1eda2af8828b552cdb9d80c3744a25872fddd73f3898d8e4afa3549595d2dd4340126e759566fe8c26b251fa0c887ba4869f011a65f7e79967c2eb729f5b",
|
||||
"2e85e1db3e62be6eb._smimecert.example.com.\t3600\tIN\tSMIMEA\t3 0 2 499a1eda2af8828b552cdb9d80c3744a25872fddd73f3898d8e4afa3549595d2dd4340126e759566fe8 c26b251fa0c887ba4869f01 1a65f7e79967c2eb729f5b": "2e85e1db3e62be6eb._smimecert.example.com.\t3600\tIN\tSMIMEA\t3 0 2 499a1eda2af8828b552cdb9d80c3744a25872fddd73f3898d8e4afa3549595d2dd4340126e759566fe8c26b251fa0c887ba4869f011a65f7e79967c2eb729f5b",
|
||||
}
|
||||
for i, o := range lt {
|
||||
rr, err := NewRR(i)
|
||||
if err != nil {
|
||||
t.Error("failed to parse RR: ", err)
|
||||
continue
|
||||
}
|
||||
if rr.String() != o {
|
||||
t.Errorf("`%s' should be equal to\n`%s', but is `%s'", o, o, rr.String())
|
||||
} else {
|
||||
t.Logf("RR is OK: `%s'", rr.String())
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestParseSSHFP(t *testing.T) {
|
||||
lt := []string{
|
||||
"test.example.org.\t300\tSSHFP\t1 2 (\n" +
|
||||
|
|
36
scan_rr.go
36
scan_rr.go
|
@ -1746,6 +1746,41 @@ func setTLSA(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
|
|||
return rr, nil, c1
|
||||
}
|
||||
|
||||
func setSMIMEA(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
|
||||
rr := new(SMIMEA)
|
||||
rr.Hdr = h
|
||||
l := <-c
|
||||
if l.length == 0 {
|
||||
return rr, nil, l.comment
|
||||
}
|
||||
i, e := strconv.Atoi(l.token)
|
||||
if e != nil || l.err {
|
||||
return nil, &ParseError{f, "bad SMIMEA Usage", l}, ""
|
||||
}
|
||||
rr.Usage = uint8(i)
|
||||
<-c // zBlank
|
||||
l = <-c
|
||||
i, e = strconv.Atoi(l.token)
|
||||
if e != nil || l.err {
|
||||
return nil, &ParseError{f, "bad SMIMEA Selector", l}, ""
|
||||
}
|
||||
rr.Selector = uint8(i)
|
||||
<-c // zBlank
|
||||
l = <-c
|
||||
i, e = strconv.Atoi(l.token)
|
||||
if e != nil || l.err {
|
||||
return nil, &ParseError{f, "bad SMIMEA MatchingType", l}, ""
|
||||
}
|
||||
rr.MatchingType = uint8(i)
|
||||
// So this needs be e2 (i.e. different than e), because...??t
|
||||
s, e2, c1 := endingToString(c, "bad SMIMEA Certificate", f)
|
||||
if e2 != nil {
|
||||
return nil, e2, c1
|
||||
}
|
||||
rr.Certificate = s
|
||||
return rr, nil, c1
|
||||
}
|
||||
|
||||
func setRFC3597(h RR_Header, c chan lex, o, f string) (RR, *ParseError, string) {
|
||||
rr := new(RFC3597)
|
||||
rr.Hdr = h
|
||||
|
@ -2128,6 +2163,7 @@ var typeToparserFunc = map[uint16]parserFunc{
|
|||
TypeRP: {setRP, false},
|
||||
TypeRRSIG: {setRRSIG, true},
|
||||
TypeRT: {setRT, false},
|
||||
TypeSMIMEA: {setSMIMEA, true},
|
||||
TypeSOA: {setSOA, false},
|
||||
TypeSPF: {setSPF, true},
|
||||
TypeSRV: {setSRV, false},
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
package dns
|
||||
|
||||
import (
|
||||
"crypto/sha256"
|
||||
"crypto/x509"
|
||||
"encoding/hex"
|
||||
)
|
||||
|
||||
// Sign creates a SMIMEA record from an SSL certificate.
|
||||
func (r *SMIMEA) Sign(usage, selector, matchingType int, cert *x509.Certificate) (err error) {
|
||||
r.Hdr.Rrtype = TypeSMIMEA
|
||||
r.Usage = uint8(usage)
|
||||
r.Selector = uint8(selector)
|
||||
r.MatchingType = uint8(matchingType)
|
||||
|
||||
r.Certificate, err = CertificateToDANE(r.Selector, r.MatchingType, cert)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Verify verifies a SMIMEA record against an SSL certificate. If it is OK
|
||||
// a nil error is returned.
|
||||
func (r *SMIMEA) Verify(cert *x509.Certificate) error {
|
||||
c, err := CertificateToDANE(r.Selector, r.MatchingType, cert)
|
||||
if err != nil {
|
||||
return err // Not also ErrSig?
|
||||
}
|
||||
if r.Certificate == c {
|
||||
return nil
|
||||
}
|
||||
return ErrSig // ErrSig, really?
|
||||
}
|
||||
|
||||
// SIMEAName returns the ownername of a SMIMEA resource record as per the
|
||||
// format specified in RFC 'draft-ietf-dane-smime-12' Section 2 and 3
|
||||
func SMIMEAName(email_address string, domain_name string) (string, error) {
|
||||
hasher := sha256.New()
|
||||
hasher.Write([]byte(email_address))
|
||||
|
||||
// RFC Section 3: "The local-part is hashed using the SHA2-256
|
||||
// algorithm with the hash truncated to 28 octets and
|
||||
// represented in its hexadecimal representation to become the
|
||||
// left-most label in the prepared domain name"
|
||||
return hex.EncodeToString(hasher.Sum(nil)[:28]) + "." + "_smimecert." + domain_name, nil
|
||||
}
|
39
tlsa.go
39
tlsa.go
|
@ -1,50 +1,11 @@
|
|||
package dns
|
||||
|
||||
import (
|
||||
"crypto/sha256"
|
||||
"crypto/sha512"
|
||||
"crypto/x509"
|
||||
"encoding/hex"
|
||||
"errors"
|
||||
"io"
|
||||
"net"
|
||||
"strconv"
|
||||
)
|
||||
|
||||
// CertificateToDANE converts a certificate to a hex string as used in the TLSA record.
|
||||
func CertificateToDANE(selector, matchingType uint8, cert *x509.Certificate) (string, error) {
|
||||
switch matchingType {
|
||||
case 0:
|
||||
switch selector {
|
||||
case 0:
|
||||
return hex.EncodeToString(cert.Raw), nil
|
||||
case 1:
|
||||
return hex.EncodeToString(cert.RawSubjectPublicKeyInfo), nil
|
||||
}
|
||||
case 1:
|
||||
h := sha256.New()
|
||||
switch selector {
|
||||
case 0:
|
||||
io.WriteString(h, string(cert.Raw))
|
||||
return hex.EncodeToString(h.Sum(nil)), nil
|
||||
case 1:
|
||||
io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
|
||||
return hex.EncodeToString(h.Sum(nil)), nil
|
||||
}
|
||||
case 2:
|
||||
h := sha512.New()
|
||||
switch selector {
|
||||
case 0:
|
||||
io.WriteString(h, string(cert.Raw))
|
||||
return hex.EncodeToString(h.Sum(nil)), nil
|
||||
case 1:
|
||||
io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
|
||||
return hex.EncodeToString(h.Sum(nil)), nil
|
||||
}
|
||||
}
|
||||
return "", errors.New("dns: bad TLSA MatchingType or TLSA Selector")
|
||||
}
|
||||
|
||||
// Sign creates a TLSA record from an SSL certificate.
|
||||
func (r *TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) (err error) {
|
||||
r.Hdr.Rrtype = TypeTLSA
|
||||
|
|
45
types.go
45
types.go
|
@ -70,6 +70,7 @@ const (
|
|||
TypeNSEC3 uint16 = 50
|
||||
TypeNSEC3PARAM uint16 = 51
|
||||
TypeTLSA uint16 = 52
|
||||
TypeSMIMEA uint16 = 53
|
||||
TypeHIP uint16 = 55
|
||||
TypeNINFO uint16 = 56
|
||||
TypeRKEY uint16 = 57
|
||||
|
@ -1047,6 +1048,28 @@ func (rr *TLSA) String() string {
|
|||
" " + rr.Certificate
|
||||
}
|
||||
|
||||
type SMIMEA struct {
|
||||
Hdr RR_Header
|
||||
Usage uint8
|
||||
Selector uint8
|
||||
MatchingType uint8
|
||||
Certificate string `dns:"hex"`
|
||||
}
|
||||
|
||||
func (rr *SMIMEA) String() string {
|
||||
s := rr.Hdr.String() +
|
||||
strconv.Itoa(int(rr.Usage)) +
|
||||
" " + strconv.Itoa(int(rr.Selector)) +
|
||||
" " + strconv.Itoa(int(rr.MatchingType))
|
||||
|
||||
// Every Nth char needs a space on this output. If we output
|
||||
// this as one giant line, we can't read it can in because in some cases
|
||||
// the cert length overflows scan.maxTok (2048).
|
||||
sx := splitN(rr.Certificate, 1024) // conservative value here
|
||||
s += " " + strings.Join(sx, " ")
|
||||
return s
|
||||
}
|
||||
|
||||
type HIP struct {
|
||||
Hdr RR_Header
|
||||
HitLength uint8
|
||||
|
@ -1247,3 +1270,25 @@ func copyIP(ip net.IP) net.IP {
|
|||
copy(p, ip)
|
||||
return p
|
||||
}
|
||||
|
||||
// SplitN splits a string into N sized string chunks.
|
||||
// This might become an exported function once.
|
||||
func splitN(s string, n int) []string {
|
||||
if len(s) < n {
|
||||
return []string{s}
|
||||
}
|
||||
sx := []string{}
|
||||
p, i := 0, n
|
||||
for {
|
||||
if i <= len(s) {
|
||||
sx = append(sx, s[p:i])
|
||||
} else {
|
||||
sx = append(sx, s[p:])
|
||||
break
|
||||
|
||||
}
|
||||
p, i = p+n, i+n
|
||||
}
|
||||
|
||||
return sx
|
||||
}
|
||||
|
|
|
@ -40,3 +40,35 @@ func TestCmToM(t *testing.T) {
|
|||
t.Error("9, 9")
|
||||
}
|
||||
}
|
||||
|
||||
func TestSplitN(t *testing.T) {
|
||||
xs := splitN("abc", 5)
|
||||
if len(xs) != 1 && xs[0] != "abc" {
|
||||
t.Errorf("Failure to split abc")
|
||||
}
|
||||
|
||||
s := ""
|
||||
for i := 0; i < 255; i++ {
|
||||
s += "a"
|
||||
}
|
||||
|
||||
xs = splitN(s, 255)
|
||||
if len(xs) != 1 && xs[0] != s {
|
||||
t.Errorf("failure to split 255 char long string")
|
||||
}
|
||||
|
||||
s += "b"
|
||||
xs = splitN(s, 255)
|
||||
if len(xs) != 2 || xs[1] != "b" {
|
||||
t.Errorf("failure to split 256 char long string: %d", len(xs))
|
||||
}
|
||||
|
||||
// Make s longer
|
||||
for i := 0; i < 255; i++ {
|
||||
s += "a"
|
||||
}
|
||||
xs = splitN(s, 255)
|
||||
if len(xs) != 3 || xs[2] != "a" {
|
||||
t.Errorf("failure to split 510 char long string: %d", len(xs))
|
||||
}
|
||||
}
|
||||
|
|
65
zmsg.go
65
zmsg.go
|
@ -1085,6 +1085,32 @@ func (rr *SIG) pack(msg []byte, off int, compression map[string]int, compress bo
|
|||
return off, nil
|
||||
}
|
||||
|
||||
func (rr *SMIMEA) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
|
||||
off, err := rr.Hdr.pack(msg, off, compression, compress)
|
||||
if err != nil {
|
||||
return off, err
|
||||
}
|
||||
headerEnd := off
|
||||
off, err = packUint8(rr.Usage, msg, off)
|
||||
if err != nil {
|
||||
return off, err
|
||||
}
|
||||
off, err = packUint8(rr.Selector, msg, off)
|
||||
if err != nil {
|
||||
return off, err
|
||||
}
|
||||
off, err = packUint8(rr.MatchingType, msg, off)
|
||||
if err != nil {
|
||||
return off, err
|
||||
}
|
||||
off, err = packStringHex(rr.Certificate, msg, off)
|
||||
if err != nil {
|
||||
return off, err
|
||||
}
|
||||
rr.Header().Rdlength = uint16(off - headerEnd)
|
||||
return off, nil
|
||||
}
|
||||
|
||||
func (rr *SOA) pack(msg []byte, off int, compression map[string]int, compress bool) (int, error) {
|
||||
off, err := rr.Hdr.pack(msg, off, compression, compress)
|
||||
if err != nil {
|
||||
|
@ -2907,6 +2933,44 @@ func unpackSIG(h RR_Header, msg []byte, off int) (RR, int, error) {
|
|||
return rr, off, err
|
||||
}
|
||||
|
||||
func unpackSMIMEA(h RR_Header, msg []byte, off int) (RR, int, error) {
|
||||
rr := new(SMIMEA)
|
||||
rr.Hdr = h
|
||||
if noRdata(h) {
|
||||
return rr, off, nil
|
||||
}
|
||||
var err error
|
||||
rdStart := off
|
||||
_ = rdStart
|
||||
|
||||
rr.Usage, off, err = unpackUint8(msg, off)
|
||||
if err != nil {
|
||||
return rr, off, err
|
||||
}
|
||||
if off == len(msg) {
|
||||
return rr, off, nil
|
||||
}
|
||||
rr.Selector, off, err = unpackUint8(msg, off)
|
||||
if err != nil {
|
||||
return rr, off, err
|
||||
}
|
||||
if off == len(msg) {
|
||||
return rr, off, nil
|
||||
}
|
||||
rr.MatchingType, off, err = unpackUint8(msg, off)
|
||||
if err != nil {
|
||||
return rr, off, err
|
||||
}
|
||||
if off == len(msg) {
|
||||
return rr, off, nil
|
||||
}
|
||||
rr.Certificate, off, err = unpackStringHex(msg, off, rdStart+int(rr.Hdr.Rdlength))
|
||||
if err != nil {
|
||||
return rr, off, err
|
||||
}
|
||||
return rr, off, err
|
||||
}
|
||||
|
||||
func unpackSOA(h RR_Header, msg []byte, off int) (RR, int, error) {
|
||||
rr := new(SOA)
|
||||
rr.Hdr = h
|
||||
|
@ -3447,6 +3511,7 @@ var typeToUnpack = map[uint16]func(RR_Header, []byte, int) (RR, int, error){
|
|||
TypeRRSIG: unpackRRSIG,
|
||||
TypeRT: unpackRT,
|
||||
TypeSIG: unpackSIG,
|
||||
TypeSMIMEA: unpackSMIMEA,
|
||||
TypeSOA: unpackSOA,
|
||||
TypeSPF: unpackSPF,
|
||||
TypeSRV: unpackSRV,
|
||||
|
|
14
ztypes.go
14
ztypes.go
|
@ -62,6 +62,7 @@ var TypeToRR = map[uint16]func() RR{
|
|||
TypeRRSIG: func() RR { return new(RRSIG) },
|
||||
TypeRT: func() RR { return new(RT) },
|
||||
TypeSIG: func() RR { return new(SIG) },
|
||||
TypeSMIMEA: func() RR { return new(SMIMEA) },
|
||||
TypeSOA: func() RR { return new(SOA) },
|
||||
TypeSPF: func() RR { return new(SPF) },
|
||||
TypeSRV: func() RR { return new(SRV) },
|
||||
|
@ -141,6 +142,7 @@ var TypeToString = map[uint16]string{
|
|||
TypeRT: "RT",
|
||||
TypeReserved: "Reserved",
|
||||
TypeSIG: "SIG",
|
||||
TypeSMIMEA: "SMIMEA",
|
||||
TypeSOA: "SOA",
|
||||
TypeSPF: "SPF",
|
||||
TypeSRV: "SRV",
|
||||
|
@ -213,6 +215,7 @@ func (rr *RP) Header() *RR_Header { return &rr.Hdr }
|
|||
func (rr *RRSIG) Header() *RR_Header { return &rr.Hdr }
|
||||
func (rr *RT) Header() *RR_Header { return &rr.Hdr }
|
||||
func (rr *SIG) Header() *RR_Header { return &rr.Hdr }
|
||||
func (rr *SMIMEA) Header() *RR_Header { return &rr.Hdr }
|
||||
func (rr *SOA) Header() *RR_Header { return &rr.Hdr }
|
||||
func (rr *SPF) Header() *RR_Header { return &rr.Hdr }
|
||||
func (rr *SRV) Header() *RR_Header { return &rr.Hdr }
|
||||
|
@ -514,6 +517,14 @@ func (rr *RT) len() int {
|
|||
l += len(rr.Host) + 1
|
||||
return l
|
||||
}
|
||||
func (rr *SMIMEA) len() int {
|
||||
l := rr.Hdr.len()
|
||||
l += 1 // Usage
|
||||
l += 1 // Selector
|
||||
l += 1 // MatchingType
|
||||
l += len(rr.Certificate)/2 + 1
|
||||
return l
|
||||
}
|
||||
func (rr *SOA) len() int {
|
||||
l := rr.Hdr.len()
|
||||
l += len(rr.Ns) + 1
|
||||
|
@ -780,6 +791,9 @@ func (rr *RRSIG) copy() RR {
|
|||
func (rr *RT) copy() RR {
|
||||
return &RT{*rr.Hdr.copyHeader(), rr.Preference, rr.Host}
|
||||
}
|
||||
func (rr *SMIMEA) copy() RR {
|
||||
return &SMIMEA{*rr.Hdr.copyHeader(), rr.Usage, rr.Selector, rr.MatchingType, rr.Certificate}
|
||||
}
|
||||
func (rr *SOA) copy() RR {
|
||||
return &SOA{*rr.Hdr.copyHeader(), rr.Ns, rr.Mbox, rr.Serial, rr.Refresh, rr.Retry, rr.Expire, rr.Minttl}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue