Fix the CertificateToDane return value: add error
This is more inline with the rest of the functions which do return an actual error. It is however a small api change.
This commit is contained in:
parent
afd4d24572
commit
e1c501fcec
32
tlsa.go
32
tlsa.go
|
@ -5,65 +5,73 @@ import (
|
||||||
"crypto/sha512"
|
"crypto/sha512"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
|
"errors"
|
||||||
"io"
|
"io"
|
||||||
"net"
|
"net"
|
||||||
"strconv"
|
"strconv"
|
||||||
)
|
)
|
||||||
|
|
||||||
// CertificateToDANE converts a certificate to a hex string as used in the TLSA record.
|
// CertificateToDANE converts a certificate to a hex string as used in the TLSA record.
|
||||||
func CertificateToDANE(selector, matchingType uint8, cert *x509.Certificate) string {
|
func CertificateToDANE(selector, matchingType uint8, cert *x509.Certificate) (string, error) {
|
||||||
switch matchingType {
|
switch matchingType {
|
||||||
case 0:
|
case 0:
|
||||||
switch selector {
|
switch selector {
|
||||||
case 0:
|
case 0:
|
||||||
return hex.EncodeToString(cert.Raw)
|
return hex.EncodeToString(cert.Raw), nil
|
||||||
case 1:
|
case 1:
|
||||||
return hex.EncodeToString(cert.RawSubjectPublicKeyInfo)
|
return hex.EncodeToString(cert.RawSubjectPublicKeyInfo), nil
|
||||||
}
|
}
|
||||||
case 1:
|
case 1:
|
||||||
h := sha256.New()
|
h := sha256.New()
|
||||||
switch selector {
|
switch selector {
|
||||||
case 0:
|
case 0:
|
||||||
return hex.EncodeToString(cert.Raw)
|
return hex.EncodeToString(cert.Raw), nil
|
||||||
case 1:
|
case 1:
|
||||||
io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
|
io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
|
||||||
return hex.EncodeToString(h.Sum(nil))
|
return hex.EncodeToString(h.Sum(nil)), nil
|
||||||
}
|
}
|
||||||
case 2:
|
case 2:
|
||||||
h := sha512.New()
|
h := sha512.New()
|
||||||
switch selector {
|
switch selector {
|
||||||
case 0:
|
case 0:
|
||||||
return hex.EncodeToString(cert.Raw)
|
return hex.EncodeToString(cert.Raw), nil
|
||||||
case 1:
|
case 1:
|
||||||
io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
|
io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
|
||||||
return hex.EncodeToString(h.Sum(nil))
|
return hex.EncodeToString(h.Sum(nil)), nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return ""
|
return "", errors.New("dns: bad TLSA MatchingType or TLSA Selector")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Sign creates a TLSA record from an SSL certificate.
|
// Sign creates a TLSA record from an SSL certificate.
|
||||||
func (r *TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) error {
|
func (r *TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) (err error) {
|
||||||
r.Hdr.Rrtype = TypeTLSA
|
r.Hdr.Rrtype = TypeTLSA
|
||||||
r.Usage = uint8(usage)
|
r.Usage = uint8(usage)
|
||||||
r.Selector = uint8(selector)
|
r.Selector = uint8(selector)
|
||||||
r.MatchingType = uint8(matchingType)
|
r.MatchingType = uint8(matchingType)
|
||||||
|
|
||||||
r.Certificate = CertificateToDANE(r.Selector, r.MatchingType, cert)
|
r.Certificate, err = CertificateToDANE(r.Selector, r.MatchingType, cert)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Verify verifies a TLSA record against an SSL certificate. If it is OK
|
// Verify verifies a TLSA record against an SSL certificate. If it is OK
|
||||||
// a nil error is returned.
|
// a nil error is returned.
|
||||||
func (r *TLSA) Verify(cert *x509.Certificate) error {
|
func (r *TLSA) Verify(cert *x509.Certificate) error {
|
||||||
if r.Certificate == CertificateToDANE(r.Selector, r.MatchingType, cert) {
|
c, err := CertificateToDANE(r.Selector, r.MatchingType, cert)
|
||||||
|
if err != nil {
|
||||||
|
return err // Not also ErrSig?
|
||||||
|
}
|
||||||
|
if r.Certificate == c {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
return ErrSig // ErrSig, really?
|
return ErrSig // ErrSig, really?
|
||||||
}
|
}
|
||||||
|
|
||||||
// TLSAName returns the ownername of a TLSA resource record as per the
|
// TLSAName returns the ownername of a TLSA resource record as per the
|
||||||
// rules specified in RFC 6698, Section 3.
|
// rules specified in RFC 6698, Section 3.
|
||||||
func TLSAName(name, service, network string) (string, error) {
|
func TLSAName(name, service, network string) (string, error) {
|
||||||
if !IsFqdn(name) {
|
if !IsFqdn(name) {
|
||||||
return "", ErrFqdn
|
return "", ErrFqdn
|
||||||
|
|
Loading…
Reference in New Issue