almost ready for DNSSEC validation

only need call the crypto/rsa func

dnssec.go

@@ -3,9 +3,15 @@ package dns
 import (
 	"crypto/sha1"
 	"crypto/sha256"
+//        "crypto/rsa"
 	"encoding/hex"
+        "encoding/base64"
 	"time"
 	"io"
+	"sort"
+	"strings"
+	"fmt" //tmp
+	"os"  //tmp
 )
 
 const (
@@ -13,8 +19,13 @@ const (
 	year68 = 2 << (32 - 1)
 )
 
+// An RRset is just a bunch a RRs. No restrictions
 type RRset []RR
 
+func (r RRset) Len() int           { return len(r) }
+func (r RRset) Less(i, j int) bool { return r[i].Header().Name < r[j].Header().Name }
+func (r RRset) Swap(i, j int)      { r[i], r[j] = r[j], r[i] }
+
 // Convert an DNSKEY record to a DS record.
 func (k *RR_DNSKEY) ToDS(hash int) *RR_DS {
 	ds := new(RR_DS)
@@ -39,22 +50,20 @@ func (k *RR_DNSKEY) ToDS(hash int) *RR_DS {
 	end := start + int(k.Header().Rdlength)
 	// buf[start:end] is the rdata of the key
 	buf = buf[start:end]
-	// Now the owner name
 	owner := make([]byte, 255)
 	off1, ok = packDomainName(k.Hdr.Name, owner, 0)
 	if !ok {
 		return nil
 	}
-	owner = owner[:off1]
-	// digest buffer
-	digest := append(owner, buf...)
-
 	/* 
 	 * from RFC4034
 	 * digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
 	 * "|" denotes concatenation
 	 * DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.
 	 */
+	owner = owner[:off1]
+	// digest buffer
+	digest := append(owner, buf...)
 
 	switch hash {
 	case HashSHA1:
@@ -108,7 +117,7 @@ func (k *RR_DNSKEY) KeyTag() uint16 {
 
 // Validate an rrset with the signature and key. This is the
 // cryptographic test, the validity period most be check separately.
-func (s *RR_RRSIG) Secure(rrset RRset, k *RR_DNSKEY) bool {
+func (s *RR_RRSIG) Verify(rrset RRset, k *RR_DNSKEY) bool {
 	// Frist the easy checks
 	if s.KeyTag != k.KeyTag() {
 		println(s.KeyTag)
@@ -132,13 +141,69 @@ func (s *RR_RRSIG) Secure(rrset RRset, k *RR_DNSKEY) bool {
 		if r.Header().Class != s.Hdr.Class {
 			return false
 		}
-                if r.Header().Rrtype != s.TypeCovered {
-                        return false
-                }
-                // Number of labels. TODO(mg) add helper functions
+		if r.Header().Rrtype != s.TypeCovered {
+			return false
+		}
+		// Number of labels. TODO(mg) add helper functions
 	}
-        // 5.3.2.  Reconstructing the Signed Data
-        // signed_data = RRSIG_RDATA | RR(1) | RR(2)...
+	sort.Sort(rrset)
+
+	// RFC 4035 5.3.2.  Reconstructing the Signed Data
+	signeddata := make([]byte, 10240) // 10 Kb??
+	buf := make([]byte, 4096)
+	s1 := s           // does this copy??
+	s1.Signature = "" // Unset signature data
+	off, ok := packRR(s1, buf, 0)
+	if !ok {
+		return false
+	}
+	start := off - int(s.Header().Rdlength)
+	end := start + int(s.Header().Rdlength)
+	fmt.Fprintf(os.Stderr, "start %d, end %d\n", start, end)
+        copy(signeddata, buf[start:end])
+        off = end - start
+	fmt.Fprintf(os.Stderr, "off %d\n", off)
+
+	for _, r := range rrset {
+		// RFC 4034: 6.2.  Canonical RR Form. (2) - domain name to lowercase
+		r.Header().Name = strings.ToLower(r.Header().Name)
+		// 6.2.  Canonical RR Form. (3) - domain rdata to lowercaser
+		switch r.Header().Rrtype {
+		case TypeNS, TypeCNAME, TypeSOA, TypeMB, TypeMG, TypeMR, TypePTR:
+		case TypeHINFO, TypeMINFO, TypeMX /* TypeRP, TypeAFSDB, TypeRT */ :
+		case TypeSIG /* TypePX, TypeNXT /* TypeNAPTR, TypeKX */ :
+		case TypeSRV, /* TypeDNAME, TypeA6 */ TypeRRSIG, TypeNSEC:
+			/* do something */
+			// lower case the strings rdata //
+
+		}
+		// 6.2. Canonical RR Form. (4) - wildcards, don't understand
+		// 6.2. Canonical RR Form. (5) - origTTL
+		r.Header().Ttl = s.OrigTtl
+
+		fmt.Fprintf(os.Stderr, "%v\n", r)
+		off, ok = packRR(r, signeddata, off)
+		if !ok {
+			println("Failure to pack")
+			return false
+		}
+	}
+	signeddata = signeddata[:off]
+	fmt.Fprintf(os.Stderr, "length %d", len(signeddata))
+        keybuf := make([]byte, 1024)
+        keybuflen := base64.StdEncoding.DecodedLen(len(k.PubKey))
+        base64.StdEncoding.Decode(keybuf[0:keybuflen], []byte(k.PubKey))
+        sigbuf := make([]byte, 1024)
+        sigbuflen := base64.StdEncoding.DecodedLen(len(s.Signature))
+        base64.StdEncoding.Decode(sigbuf[0:sigbuflen], []byte(s.Signature))
+
+        switch s.Algorithm {
+                case AlgRSASHA1:
+
+                case AlgRSASHA256:
+
+
+        }
 
 	return true
 }
@@ -163,10 +228,3 @@ func timeToDate(t uint32) string {
 	ti := time.SecondsToUTC(int64(t) + (mod * year68)) // abs()? TODO
 	return ti.Format("20060102030405")
 }
-
-// Sort an rrset
-func (RRset) Sort() []RR {
-        return nil
-}
-
-// Nr of labels

dnssec_test.go

@@ -26,7 +26,7 @@ func TestSecure(t *testing.T) {
 	sig.OrigTtl = 14400
 	sig.KeyTag = 12051
 	sig.SignerName = "miek.nl."
-	sig.Sig = "kLq/5oFy3Sh5ZxPGFMCyHq8MtN6E17R1Ln9+bJ2Q76YYAxFE8Xlie33A1GFctH2uhzRzJKuP/JSjUkrvGk2rjBm32z9zXtZsKx/4yV0da2nLRm44NOmX6gsP4Yia8mdqPUajjkyLzAzU2bevtesJm0Z65AcmPdq3tUZODdRAcng="
+	sig.Signature = "kLq/5oFy3Sh5ZxPGFMCyHq8MtN6E17R1Ln9+bJ2Q76YYAxFE8Xlie33A1GFctH2uhzRzJKuP/JSjUkrvGk2rjBm32z9zXtZsKx/4yV0da2nLRm44NOmX6gsP4Yia8mdqPUajjkyLzAzU2bevtesJm0Z65AcmPdq3tUZODdRAcng="
 
 	key := new(RR_DNSKEY)
 	key.Hdr.Name = "miek.nl."
@@ -39,7 +39,7 @@ func TestSecure(t *testing.T) {
 	key.PubKey = "AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5ECIoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXHPy7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz"
 
         // It should validate, at least this month dec 2010
-        if ! sig.Secure([]RR{soa}, key) {
+        if ! sig.Verify([]RR{soa}, key) {
                 t.Log("Failure to validate")
                 t.Fail()
         }

pack_test.go

@@ -46,7 +46,7 @@ func TestPackUnpack(t *testing.T) {
 	sig.Hdr = RR_Header{Name: "miek.nl.", Rrtype: TypeRRSIG, Class: ClassINET, Ttl: 3600}
 	sig = &RR_RRSIG{TypeCovered: TypeDNSKEY, Algorithm: AlgRSASHA1, Labels: 2,
 		OrigTtl: 3600, Expiration: 4000, Inception: 4000, KeyTag: 34641, SignerName: "miek.nl.",
-		Sig: "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"}
+		Signature: "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"}
 
 	out.Answer[0] = sig
 	msg, ok = out.Pack()

signature_test.go

@@ -18,7 +18,7 @@ func TestSignature(t *testing.T) {
 	sig.Inception = 800   //Thu Jan  1 01:13:20 CET 1970
 	sig.KeyTag = 34641
 	sig.SignerName = "miek.nl."
-	sig.Sig = "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"
+	sig.Signature = "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"
 
 	// Should not be valid
 	if sig.PeriodOK() {

types.go

@@ -53,6 +53,10 @@ const (
 	// EDNS
 	TypeOPT = 41
 
+        // Old DNSSEC
+        TypeSIG        = 24
+        TypeKEY        = 25
+        TypeNXT        = 30
 	// DNSSEC
 	TypeDS         = 43
 	TypeRRSIG      = 46
@@ -117,9 +121,9 @@ const (
 
 // DNSSEC hashing codes.
 const (
-	HashSHA1   = 1 //? Check the codepoints
-	HashSHA256 = 2 //?
-        HashGOST94 = 3 //? 
+	HashSHA1   = iota
+	HashSHA256
+        HashGOST94
 )
 
 // DNS queries.
@@ -389,7 +393,7 @@ type RR_RRSIG struct {
 	Inception   uint32
 	KeyTag      uint16
 	SignerName  string "domain-name"
-	Sig         string "base64"
+	Signature   string "base64"
 }
 
 func (rr *RR_RRSIG) Header() *RR_Header {
@@ -406,7 +410,7 @@ func (rr *RR_RRSIG) String() string {
 		" " + timeToDate(rr.Inception) +
 		" " + strconv.Itoa(int(rr.KeyTag)) +
 		" " + rr.SignerName +
-		" " + rr.Sig
+		" " + rr.Signature
 }
 
 type RR_NSEC struct {