Lowercase/uppercase mahem in DNSSEC
parent
261025ab42
commit
d7a7e6e112
|
@ -10,6 +10,7 @@ need to be fixed.
|
||||||
* Add tsig check in 'q'?
|
* Add tsig check in 'q'?
|
||||||
* Tsig is handled in the library, api for querying tsig status
|
* Tsig is handled in the library, api for querying tsig status
|
||||||
* Query source address?
|
* Query source address?
|
||||||
|
* TEST nsec with TYPE65534
|
||||||
|
|
||||||
## Examples to add
|
## Examples to add
|
||||||
|
|
||||||
|
|
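--- a/dnssec.go
+++ b/dnssec.go
@@ -222,6 +222,7 @@ func (s *RR_RRSIG) Sign(k PrivateKey, rrset []RR) error {
 sigwire.Expiration = s.Expiration
 sigwire.Inception = s.Inception
 sigwire.KeyTag = s.KeyTag
+// For signing, lowercase this name
 sigwire.SignerName = strings.ToLower(s.SignerName)
 
 // Create the desired binary blob
@@ -288,6 +289,9 @@ func (s *RR_RRSIG) Sign(k PrivateKey, rrset []RR) error {
 // This function modifies the rdata of some RRs (lowercases domain names) for the validation to work.
 func (s *RR_RRSIG) Verify(k *RR_DNSKEY, rrset []RR) error {
 // First the easy checks
+if len(rrset) == 0 {
+return ErrSigGen
+}
 if s.KeyTag != k.KeyTag() {
 return ErrKey
 }
@@ -297,7 +301,7 @@ func (s *RR_RRSIG) Verify(k *RR_DNSKEY, rrset []RR) error {
 if s.Algorithm != k.Algorithm {
 return ErrKey
 }
-if s.SignerName != k.Hdr.Name {
+if strings.ToLower(s.SignerName) != strings.ToLower(k.Hdr.Name) {
 return ErrKey
 }
 if k.Protocol != 3 {
@@ -311,7 +315,6 @@ func (s *RR_RRSIG) Verify(k *RR_DNSKEY, rrset []RR) error {
 return ErrRRset
 }
 }
-
 // RFC 4035 5.3.2. Reconstructing the Signed Data
 // Copy the sig, except the rrsig data
 sigwire := new(rrsigWireFmt)
@@ -322,7 +325,8 @@ func (s *RR_RRSIG) Verify(k *RR_DNSKEY, rrset []RR) error {
 sigwire.Expiration = s.Expiration
 sigwire.Inception = s.Inception
 sigwire.KeyTag = s.KeyTag
-sigwire.SignerName = strings.ToLower(s.SignerName)
+// Copy the signername as-is, don't ToLower() it
+sigwire.SignerName = s.SignerName
 // Create the desired binary blob
 signeddata := make([]byte, DefaultMsgSize)
 n, ok := packStruct(sigwire, signeddata, 0)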
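Review bot: In Verify the signed data is now built from `s.SignerName` unchanged, while Sign hashes `strings.ToLower(s.SignerName)`, so the two sides no longer canonicalise the signer name the same way. As far as these hunks show, Sign lowercases only the wire copy and not the RR's own field, so an RRSIG with a mixed-case signer name produced by Sign would pass the now case-insensitive key-name comparison and then fail the signature comparison. RFC 4034 section 3.1.8.1 puts the Signer's Name in canonical (lowercase) form in the signed data, so I would keep `sigwire.SignerName = strings.ToLower(s.SignerName)` in Verify. If the as-is copy exists for interoperability with signers that do not lowercase, that reason belongs in the comment, and the as-is form would be better tried only as a fallback after the canonical form. Both functions extend beyond the hunks shown.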