More DSA stuff: generation/signing/verifying

dnssec.go

@@ -251,6 +251,9 @@ func (s *RR_RRSIG) Sign(k PrivateKey, rrset []RR) error {
 	var h hash.Hash
 	var ch crypto.Hash // Only need for RSA
 	switch s.Algorithm {
+	case DSA:
+		h = sha1.New()
+		ch = crypto.SHA1
 	case RSAMD5:
 		h = md5.New()
 		ch = crypto.MD5
@@ -272,6 +275,8 @@ func (s *RR_RRSIG) Sign(k PrivateKey, rrset []RR) error {
 	sighash = h.Sum(nil)
 
 	switch p := k.(type) {
+	case *dsa.PrivateKey:
+		// TODO(mg): sign it
 	case *rsa.PrivateKey:
 		signature, err := rsa.SignPKCS1v15(rand.Reader, p, ch, sighash)
 		if err != nil {
@@ -283,7 +288,6 @@ func (s *RR_RRSIG) Sign(k PrivateKey, rrset []RR) error {
 		if err != nil {
 			return err
 		}
-		// Check the length and zero pad??
 		signature := r1.Bytes()
 		signature = append(signature, s1.Bytes()...)
 		s.Signature = unpackBase64(signature)

keygen.go

@@ -5,6 +5,7 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/dsa"
 	"math/big"
 	"strconv"
 )
@@ -23,6 +24,10 @@ type PrivateKey interface{}
 // bits should be set to the size of the algorithm.
 func (r *RR_DNSKEY) Generate(bits int) (PrivateKey, error) {
 	switch r.Algorithm {
+	case DSA:
+		if bits != 1024 {
+			return nil, ErrKeySize
+		}
 	case RSAMD5, RSASHA1, RSASHA256, RSASHA1NSEC3SHA1:
 		if bits < 512 || bits > 4096 {
 			return nil, ErrKeySize
@@ -42,6 +47,19 @@ func (r *RR_DNSKEY) Generate(bits int) (PrivateKey, error) {
 	}
 
 	switch r.Algorithm {
+	case DSA:
+		params := new(dsa.Parameters)
+		if err := dsa.GenerateParameters(params, rand.Reader, dsa.L1024N160); err != nil {
+			return nil, err
+		}
+		priv := new(dsa.PrivateKey)
+		priv.PublicKey.Parameters = *params
+		err := dsa.GenerateKey(priv, rand.Reader)
+		if err != nil {
+			return nil, err
+		}
+		// setPubicKey needed?
+		return priv, nil
 	case RSAMD5, RSASHA1, RSASHA256, RSASHA512, RSASHA1NSEC3SHA1:
 		priv, err := rsa.GenerateKey(rand.Reader, bits)
 		if err != nil {