almost ready for DNSSEC validation
only need to call the crypto/rsa func
This commit is contained in:
parent
0cea39ac49
commit
5ced9e2152
96
dnssec.go
96
dnssec.go
|
@ -3,9 +3,15 @@ package dns
|
|||
import (
|
||||
"crypto/sha1"
|
||||
"crypto/sha256"
|
||||
// "crypto/rsa"
|
||||
"encoding/hex"
|
||||
"encoding/base64"
|
||||
"time"
|
||||
"io"
|
||||
"sort"
|
||||
"strings"
|
||||
"fmt" //tmp
|
||||
"os" //tmp
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -13,8 +19,13 @@ const (
|
|||
year68 = 2 << (32 - 1)
|
||||
)
|
||||
|
||||
// An RRset is just a bunch a RRs. No restrictions
|
||||
type RRset []RR
|
||||
|
||||
func (r RRset) Len() int { return len(r) }
|
||||
func (r RRset) Less(i, j int) bool { return r[i].Header().Name < r[j].Header().Name }
|
||||
func (r RRset) Swap(i, j int) { r[i], r[j] = r[j], r[i] }
|
||||
|
||||
// Convert an DNSKEY record to a DS record.
|
||||
func (k *RR_DNSKEY) ToDS(hash int) *RR_DS {
|
||||
ds := new(RR_DS)
|
||||
|
@ -39,22 +50,20 @@ func (k *RR_DNSKEY) ToDS(hash int) *RR_DS {
|
|||
end := start + int(k.Header().Rdlength)
|
||||
// buf[start:end] is the rdata of the key
|
||||
buf = buf[start:end]
|
||||
// Now the owner name
|
||||
owner := make([]byte, 255)
|
||||
off1, ok = packDomainName(k.Hdr.Name, owner, 0)
|
||||
if !ok {
|
||||
return nil
|
||||
}
|
||||
owner = owner[:off1]
|
||||
// digest buffer
|
||||
digest := append(owner, buf...)
|
||||
|
||||
/*
|
||||
* from RFC4034
|
||||
* digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
|
||||
* "|" denotes concatenation
|
||||
* DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.
|
||||
*/
|
||||
owner = owner[:off1]
|
||||
// digest buffer
|
||||
digest := append(owner, buf...)
|
||||
|
||||
switch hash {
|
||||
case HashSHA1:
|
||||
|
@ -108,7 +117,7 @@ func (k *RR_DNSKEY) KeyTag() uint16 {
|
|||
|
||||
// Validate an rrset with the signature and key. This is the
|
||||
// cryptographic test, the validity period most be check separately.
|
||||
func (s *RR_RRSIG) Secure(rrset RRset, k *RR_DNSKEY) bool {
|
||||
func (s *RR_RRSIG) Verify(rrset RRset, k *RR_DNSKEY) bool {
|
||||
// Frist the easy checks
|
||||
if s.KeyTag != k.KeyTag() {
|
||||
println(s.KeyTag)
|
||||
|
@ -132,13 +141,69 @@ func (s *RR_RRSIG) Secure(rrset RRset, k *RR_DNSKEY) bool {
|
|||
if r.Header().Class != s.Hdr.Class {
|
||||
return false
|
||||
}
|
||||
if r.Header().Rrtype != s.TypeCovered {
|
||||
return false
|
||||
}
|
||||
// Number of labels. TODO(mg) add helper functions
|
||||
if r.Header().Rrtype != s.TypeCovered {
|
||||
return false
|
||||
}
|
||||
// Number of labels. TODO(mg) add helper functions
|
||||
}
|
||||
// 5.3.2. Reconstructing the Signed Data
|
||||
// signed_data = RRSIG_RDATA | RR(1) | RR(2)...
|
||||
sort.Sort(rrset)
|
||||
|
||||
// RFC 4035 5.3.2. Reconstructing the Signed Data
|
||||
signeddata := make([]byte, 10240) // 10 Kb??
|
||||
buf := make([]byte, 4096)
|
||||
s1 := s // does this copy??
|
||||
s1.Signature = "" // Unset signature data
|
||||
off, ok := packRR(s1, buf, 0)
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
start := off - int(s.Header().Rdlength)
|
||||
end := start + int(s.Header().Rdlength)
|
||||
fmt.Fprintf(os.Stderr, "start %d, end %d\n", start, end)
|
||||
copy(signeddata, buf[start:end])
|
||||
off = end - start
|
||||
fmt.Fprintf(os.Stderr, "off %d\n", off)
|
||||
|
||||
for _, r := range rrset {
|
||||
// RFC 4034: 6.2. Canonical RR Form. (2) - domain name to lowercase
|
||||
r.Header().Name = strings.ToLower(r.Header().Name)
|
||||
// 6.2. Canonical RR Form. (3) - domain rdata to lowercaser
|
||||
switch r.Header().Rrtype {
|
||||
case TypeNS, TypeCNAME, TypeSOA, TypeMB, TypeMG, TypeMR, TypePTR:
|
||||
case TypeHINFO, TypeMINFO, TypeMX /* TypeRP, TypeAFSDB, TypeRT */ :
|
||||
case TypeSIG /* TypePX, TypeNXT /* TypeNAPTR, TypeKX */ :
|
||||
case TypeSRV, /* TypeDNAME, TypeA6 */ TypeRRSIG, TypeNSEC:
|
||||
/* do something */
|
||||
// lower case the strings rdata //
|
||||
|
||||
}
|
||||
// 6.2. Canonical RR Form. (4) - wildcards, don't understand
|
||||
// 6.2. Canonical RR Form. (5) - origTTL
|
||||
r.Header().Ttl = s.OrigTtl
|
||||
|
||||
fmt.Fprintf(os.Stderr, "%v\n", r)
|
||||
off, ok = packRR(r, signeddata, off)
|
||||
if !ok {
|
||||
println("Failure to pack")
|
||||
return false
|
||||
}
|
||||
}
|
||||
signeddata = signeddata[:off]
|
||||
fmt.Fprintf(os.Stderr, "length %d", len(signeddata))
|
||||
keybuf := make([]byte, 1024)
|
||||
keybuflen := base64.StdEncoding.DecodedLen(len(k.PubKey))
|
||||
base64.StdEncoding.Decode(keybuf[0:keybuflen], []byte(k.PubKey))
|
||||
sigbuf := make([]byte, 1024)
|
||||
sigbuflen := base64.StdEncoding.DecodedLen(len(s.Signature))
|
||||
base64.StdEncoding.Decode(sigbuf[0:sigbuflen], []byte(s.Signature))
|
||||
|
||||
switch s.Algorithm {
|
||||
case AlgRSASHA1:
|
||||
|
||||
case AlgRSASHA256:
|
||||
|
||||
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
@ -163,10 +228,3 @@ func timeToDate(t uint32) string {
|
|||
ti := time.SecondsToUTC(int64(t) + (mod * year68)) // abs()? TODO
|
||||
return ti.Format("20060102030405")
|
||||
}
|
||||
|
||||
// Sort an rrset
|
||||
func (RRset) Sort() []RR {
|
||||
return nil
|
||||
}
|
||||
|
||||
// Nr of labels
|
||||
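Review bot: In Verify, `s1 := s // does this copy??` copies the pointer, not the record, so `s1.Signature = ""` wipes the caller's RRSIG before `s.Signature` is base64-decoded a few lines later — sigbuf is always empty, and the caller's RR is mutated (the canonicalisation loop likewise rewrites `Name` and `Ttl` on the caller's rrset). The base64 `Decode` calls also discard both the returned length and the error: `DecodedLen` is only an upper bound, so keybuf/sigbuf carry trailing zero bytes, a malformed PubKey or Signature is silently accepted, and slicing a fixed 1024-byte buffer to `DecodedLen` panics on an oversized wire value. Finally the algorithm switch has no `default`, so an unknown or not-yet-implemented algorithm falls through to `return true` — a verifier must fail closed. Copying the record (`s1 := *s`, packing `&s1`), decoding with `DecodeString` and checking its error, and returning false from a `default` case address these; the per-algorithm RSA check the commit message mentions still has to return its own result rather than letting the trailing `return true` stand.
```go
// … unchanged: signed-data reconstruction up to the RRSIG packing …
s1 := *s // copy: s is a pointer, clearing the field on s itself would wipe the caller's RRSIG
s1.Signature = ""
off, ok := packRR(&s1, buf, 0)
// … unchanged: canonicalisation loop and signeddata assembly …
keybuf, err := base64.StdEncoding.DecodeString(k.PubKey)
if err != nil {
	return false
}
sigbuf, err := base64.StdEncoding.DecodeString(s.Signature)
if err != nil {
	return false
}
switch s.Algorithm {
case AlgRSASHA1:
	// TODO: RSA/SHA-1 check of sigbuf over signeddata with keybuf; return its result
case AlgRSASHA256:
	// TODO: RSA/SHA-256 check of sigbuf over signeddata with keybuf; return its result
default:
	// Unknown or unimplemented algorithm: fail closed, never fall through to "verified".
	return false
}
```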
|
|
|
@ -26,7 +26,7 @@ func TestSecure(t *testing.T) {
|
|||
sig.OrigTtl = 14400
|
||||
sig.KeyTag = 12051
|
||||
sig.SignerName = "miek.nl."
|
||||
sig.Sig = "kLq/5oFy3Sh5ZxPGFMCyHq8MtN6E17R1Ln9+bJ2Q76YYAxFE8Xlie33A1GFctH2uhzRzJKuP/JSjUkrvGk2rjBm32z9zXtZsKx/4yV0da2nLRm44NOmX6gsP4Yia8mdqPUajjkyLzAzU2bevtesJm0Z65AcmPdq3tUZODdRAcng="
|
||||
sig.Signature = "kLq/5oFy3Sh5ZxPGFMCyHq8MtN6E17R1Ln9+bJ2Q76YYAxFE8Xlie33A1GFctH2uhzRzJKuP/JSjUkrvGk2rjBm32z9zXtZsKx/4yV0da2nLRm44NOmX6gsP4Yia8mdqPUajjkyLzAzU2bevtesJm0Z65AcmPdq3tUZODdRAcng="
|
||||
|
||||
key := new(RR_DNSKEY)
|
||||
key.Hdr.Name = "miek.nl."
|
||||
|
@ -39,7 +39,7 @@ func TestSecure(t *testing.T) {
|
|||
key.PubKey = "AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5ECIoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXHPy7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz"
|
||||
|
||||
// It should validate, at least this month dec 2010
|
||||
if ! sig.Secure([]RR{soa}, key) {
|
||||
if ! sig.Verify([]RR{soa}, key) {
|
||||
t.Log("Failure to validate")
|
||||
t.Fail()
|
||||
}
|
||||
|
|
|
@ -46,7 +46,7 @@ func TestPackUnpack(t *testing.T) {
|
|||
sig.Hdr = RR_Header{Name: "miek.nl.", Rrtype: TypeRRSIG, Class: ClassINET, Ttl: 3600}
|
||||
sig = &RR_RRSIG{TypeCovered: TypeDNSKEY, Algorithm: AlgRSASHA1, Labels: 2,
|
||||
OrigTtl: 3600, Expiration: 4000, Inception: 4000, KeyTag: 34641, SignerName: "miek.nl.",
|
||||
Sig: "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"}
|
||||
Signature: "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"}
|
||||
|
||||
out.Answer[0] = sig
|
||||
msg, ok = out.Pack()
|
||||
|
|
|
@ -18,7 +18,7 @@ func TestSignature(t *testing.T) {
|
|||
sig.Inception = 800 //Thu Jan 1 01:13:20 CET 1970
|
||||
sig.KeyTag = 34641
|
||||
sig.SignerName = "miek.nl."
|
||||
sig.Sig = "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"
|
||||
sig.Signature = "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"
|
||||
|
||||
// Should not be valid
|
||||
if sig.PeriodOK() {
|
||||
|
|
14
types.go
14
types.go
|
@ -53,6 +53,10 @@ const (
|
|||
// EDNS
|
||||
TypeOPT = 41
|
||||
|
||||
// Old DNSSEC
|
||||
TypeSIG = 24
|
||||
TypeKEY = 25
|
||||
TypeNXT = 30
|
||||
// DNSSEC
|
||||
TypeDS = 43
|
||||
TypeRRSIG = 46
|
||||
|
@ -117,9 +121,9 @@ const (
|
|||
|
||||
// DNSSEC hashing codes.
|
||||
const (
|
||||
HashSHA1 = 1 //? Check the codepoints
|
||||
HashSHA256 = 2 //?
|
||||
HashGOST94 = 3 //?
|
||||
HashSHA1 = iota
|
||||
HashSHA256
|
||||
HashGOST94
|
||||
)
|
||||
|
||||
// DNS queries.
|
||||
|
@ -389,7 +393,7 @@ type RR_RRSIG struct {
|
|||
Inception uint32
|
||||
KeyTag uint16
|
||||
SignerName string "domain-name"
|
||||
Sig string "base64"
|
||||
Signature string "base64"
|
||||
}
|
||||
|
||||
func (rr *RR_RRSIG) Header() *RR_Header {
|
||||
|
@ -406,7 +410,7 @@ func (rr *RR_RRSIG) String() string {
|
|||
" " + timeToDate(rr.Inception) +
|
||||
" " + strconv.Itoa(int(rr.KeyTag)) +
|
||||
" " + rr.SignerName +
|
||||
" " + rr.Sig
|
||||
" " + rr.Signature
|
||||
}
|
||||
|
||||
type RR_NSEC struct {
|
||||
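Review bot: The `HashSHA1 = iota` form in the hashing-codes block (which appears to be the new side of that hunk) assigns 0, 1, 2, but the DS digest type codepoints are SHA-1 = 1, SHA-256 = 2 and GOST R 34.11-94 = 3 (RFC 4034 Appendix A.2, RFC 5933), so the explicit values being replaced were the correct ones. Any DS record built from or compared against these constants would disagree with the wire format by one. Keep the iota but offset it: `HashSHA1 = iota + 1`, leaving `HashSHA256` and `HashGOST94` to follow. A doc comment such as `// DS digest type codepoints (RFC 4034 A.2, RFC 5933).` would stop the next cleanup from "simplifying" it again.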
|
|