From e1c501fcec573b426077659964d995c80b785e71 Mon Sep 17 00:00:00 2001
From: Miek Gieben <miek@miek.nl>
Date: Tue, 9 Apr 2013 08:00:08 +0100
Subject: [PATCH] Fix the CertificateToDane return value: add error

This is more inline with the rest of the functions which
do return an actual error. It is however a small api change.
---
 tlsa.go | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/tlsa.go b/tlsa.go
index 71728e2a..136b4b18 100644
--- a/tlsa.go
+++ b/tlsa.go
@@ -5,65 +5,73 @@ import (
 	"crypto/sha512"
 	"crypto/x509"
 	"encoding/hex"
+	"errors"
 	"io"
 	"net"
 	"strconv"
 )
 
 // CertificateToDANE converts a certificate to a hex string as used in the TLSA record.
-func CertificateToDANE(selector, matchingType uint8, cert *x509.Certificate) string {
+func CertificateToDANE(selector, matchingType uint8, cert *x509.Certificate) (string, error) {
 	switch matchingType {
 	case 0:
 		switch selector {
 		case 0:
-			return hex.EncodeToString(cert.Raw)
+			return hex.EncodeToString(cert.Raw), nil
 		case 1:
-			return hex.EncodeToString(cert.RawSubjectPublicKeyInfo)
+			return hex.EncodeToString(cert.RawSubjectPublicKeyInfo), nil
 		}
 	case 1:
 		h := sha256.New()
 		switch selector {
 		case 0:
-			return hex.EncodeToString(cert.Raw)
+			return hex.EncodeToString(cert.Raw), nil
 		case 1:
 			io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
-			return hex.EncodeToString(h.Sum(nil))
+			return hex.EncodeToString(h.Sum(nil)), nil
 		}
 	case 2:
 		h := sha512.New()
 		switch selector {
 		case 0:
-			return hex.EncodeToString(cert.Raw)
+			return hex.EncodeToString(cert.Raw), nil
 		case 1:
 			io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
-			return hex.EncodeToString(h.Sum(nil))
+			return hex.EncodeToString(h.Sum(nil)), nil
 		}
 	}
-	return ""
+	return "", errors.New("dns: bad TLSA MatchingType or TLSA Selector")
 }
 
 // Sign creates a TLSA record from an SSL certificate.
-func (r *TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) error {
+func (r *TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) (err error) {
 	r.Hdr.Rrtype = TypeTLSA
 	r.Usage = uint8(usage)
 	r.Selector = uint8(selector)
 	r.MatchingType = uint8(matchingType)
 
-	r.Certificate = CertificateToDANE(r.Selector, r.MatchingType, cert)
+	r.Certificate, err = CertificateToDANE(r.Selector, r.MatchingType, cert)
+	if err != nil {
+		return err
+	}
 	return nil
 }
 
 // Verify verifies a TLSA record against an SSL certificate. If it is OK
 // a nil error is returned.
 func (r *TLSA) Verify(cert *x509.Certificate) error {
-	if r.Certificate == CertificateToDANE(r.Selector, r.MatchingType, cert) {
+	c, err := CertificateToDANE(r.Selector, r.MatchingType, cert)
+	if err != nil {
+		return err	// Not also ErrSig?
+	}
+	if r.Certificate == c {
 		return nil
 	}
 	return ErrSig // ErrSig, really?
 }
 
 // TLSAName returns the ownername of a TLSA resource record as per the
-// rules specified in RFC 6698, Section 3. 
+// rules specified in RFC 6698, Section 3.
 func TLSAName(name, service, network string) (string, error) {
 	if !IsFqdn(name) {
 		return "", ErrFqdn