community
/
dns
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix the CertificateToDane return value: add error 

This is more inline with the rest of the functions which
do return an actual error. It is however a small api change.
This commit is contained in:
Miek Gieben 2013-04-09 08:00:08 +01:00
parent afd4d24572
commit e1c501fcec
1 changed files with 20 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
tlsa.go
View File

@ -5,65 +5,73 @@ import (
"crypto/sha512" "crypto/sha512"
"crypto/x509" "crypto/x509"
"encoding/hex" "encoding/hex"
"errors"
"io" "io"
"net" "net"
"strconv" "strconv"
) )
// CertificateToDANE converts a certificate to a hex string as used in the TLSA record. // CertificateToDANE converts a certificate to a hex string as used in the TLSA record.
func CertificateToDANE(selector, matchingType uint8, cert *x509.Certificate) string { func CertificateToDANE(selector, matchingType uint8, cert *x509.Certificate) (string, error) {
switch matchingType { switch matchingType {
case 0: case 0:
switch selector { switch selector {
case 0: case 0:
return hex.EncodeToString(cert.Raw) return hex.EncodeToString(cert.Raw), nil
case 1: case 1:
return hex.EncodeToString(cert.RawSubjectPublicKeyInfo) return hex.EncodeToString(cert.RawSubjectPublicKeyInfo), nil
} }
case 1: case 1:
h := sha256.New() h := sha256.New()
switch selector { switch selector {
case 0: case 0:
return hex.EncodeToString(cert.Raw) return hex.EncodeToString(cert.Raw), nil
case 1: case 1:
io.WriteString(h, string(cert.RawSubjectPublicKeyInfo)) io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
return hex.EncodeToString(h.Sum(nil)) return hex.EncodeToString(h.Sum(nil)), nil
} }
case 2: case 2:
h := sha512.New() h := sha512.New()
switch selector { switch selector {
case 0: case 0:
return hex.EncodeToString(cert.Raw) return hex.EncodeToString(cert.Raw), nil
case 1: case 1:
io.WriteString(h, string(cert.RawSubjectPublicKeyInfo)) io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
return hex.EncodeToString(h.Sum(nil)) return hex.EncodeToString(h.Sum(nil)), nil
} }
} }
return "" return "", errors.New("dns: bad TLSA MatchingType or TLSA Selector")
} }
// Sign creates a TLSA record from an SSL certificate. // Sign creates a TLSA record from an SSL certificate.
func (r *TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) error { func (r *TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) (err error) {
r.Hdr.Rrtype = TypeTLSA r.Hdr.Rrtype = TypeTLSA
r.Usage = uint8(usage) r.Usage = uint8(usage)
r.Selector = uint8(selector) r.Selector = uint8(selector)
r.MatchingType = uint8(matchingType) r.MatchingType = uint8(matchingType)
r.Certificate = CertificateToDANE(r.Selector, r.MatchingType, cert) r.Certificate, err = CertificateToDANE(r.Selector, r.MatchingType, cert)
if err != nil {
return err
}
return nil return nil
} }
// Verify verifies a TLSA record against an SSL certificate. If it is OK // Verify verifies a TLSA record against an SSL certificate. If it is OK
// a nil error is returned. // a nil error is returned.
func (r *TLSA) Verify(cert *x509.Certificate) error { func (r *TLSA) Verify(cert *x509.Certificate) error {
if r.Certificate == CertificateToDANE(r.Selector, r.MatchingType, cert) { c, err := CertificateToDANE(r.Selector, r.MatchingType, cert)
if err != nil {
return err // Not also ErrSig?
}
if r.Certificate == c {
return nil return nil
} }
return ErrSig // ErrSig, really? return ErrSig // ErrSig, really?
} }
// TLSAName returns the ownername of a TLSA resource record as per the // TLSAName returns the ownername of a TLSA resource record as per the
// rules specified in RFC 6698, Section 3. // rules specified in RFC 6698, Section 3.
func TLSAName(name, service, network string) (string, error) { func TLSAName(name, service, network string) (string, error) {
if !IsFqdn(name) { if !IsFqdn(name) {
return "", ErrFqdn return "", ErrFqdn