From f6cf2ae240f5374fa28cdc4e1783477e2d38a0c6 Mon Sep 17 00:00:00 2001
From: Miek Gieben
Date: Fri, 14 Sep 2012 11:56:02 +0200
Subject: [PATCH] Add validation
---
 tlsa.go | 69 ++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 39 insertions(+), 30 deletions(-)
diff --git a/tlsa.go b/tlsa.go
index 10445db4..3ddf56e1 100644
--- a/tlsa.go
+++ b/tlsa.go
@@ -12,48 +12,57 @@ import ( // TLSA support functions +// certToTLSACert returns the hex data suitable for inclusion in a TLSA record +func certToTLSACert(selector, matchingType uint8, cert *x509.Certificate) string { + switch matchingType { + case 0: + switch selector { + case 0: + return hex.EncodeToString(cert.Raw) + case 1: + return hex.EncodeToString(cert.RawSubjectPublicKeyInfo) + } + case 1: + h := sha256.New() + switch selector { + case 0: + return hex.EncodeToString(cert.Raw) + case 1: + io.WriteString(h, string(cert.RawSubjectPublicKeyInfo)) + return hex.EncodeToString(h.Sum(nil)) + } + case 2: + h := sha512.New() + switch selector { + case 0: + return hex.EncodeToString(cert.Raw) + case 1: + io.WriteString(h, string(cert.RawSubjectPublicKeyInfo)) + return hex.EncodeToString(h.Sum(nil)) + } + } + return "" +} + // Sign creates a TLSA record from a SSL certificate. func (r *RR_TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) error { r.Hdr.Rrtype = TypeTLSA r.Usage = uint8(usage) r.Selector = uint8(selector) r.MatchingType = uint8(matchingType) + // Checks on the value!? - switch r.MatchingType { - case 0: - switch r.Selector { - case 0: - r.Certificate = hex.EncodeToString(cert.Raw) - case 1: - r.Certificate = hex.EncodeToString(cert.RawSubjectPublicKeyInfo) - } - case 1: - h := sha256.New() - switch r.Selector { - case 0: - r.Certificate = hex.EncodeToString(cert.Raw) - case 1: - io.WriteString(h, string(cert.RawSubjectPublicKeyInfo)) - r.Certificate = hex.EncodeToString(h.Sum(nil)) - } - case 2: - h := sha512.New() - switch r.Selector { - case 0: - r.Certificate = hex.EncodeToString(cert.Raw) - case 1: - io.WriteString(h, string(cert.RawSubjectPublicKeyInfo)) - r.Certificate = hex.EncodeToString(h.Sum(nil)) - } - } + r.Certificate = certToTLSACert(r.Selector, r.MatchingType, cert) return nil } // Verify verifies a TLSA record against a SSL certificate. If it is OK // a nil error is returned. 
-func (r *RR_TLSA) Verify(cert *x509.Certifcate) error { - return nil - +func (r *RR_TLSA) Verify(cert *x509.Certificate) error { + if r.Certificate == certToTLSACert(r.Selector, r.MatchingType, cert) { + return nil + } + return ErrSig // ErrSig, really? } // Name set the ownername of the TLSA record according to the
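Review bot: In the new certToTLSACert, the selector-0 branches under matching types 1 and 2 return `hex.EncodeToString(cert.Raw)` unhashed, so a record whose matching type says SHA-256 or SHA-512 of the full certificate carries the raw DER instead, and only the SPKI selector is ever digested; the hash has to be applied to whichever bytes the selector picks. Verify then compares with plain `==`, and because the helper returns "" for every selector/matching-type pair it does not handle, a record with an unsupported or out-of-range selector or matching type and an empty Certificate field verifies as valid — the unhandled case should yield ErrSig (or a dedicated error, as the `// ErrSig, really?` note hints) rather than fall through to equality. Picking the data by selector first and the digest by matching type second removes the triplicated switch and fixes both issues; Sign, whose `// Checks on the value!?` note is left open, would likewise benefit from returning an error instead of storing an empty Certificate. Hex in presentation format may arrive upper-case, so if Verify is meant to run against parsed records, a case-insensitive comparison (strings.EqualFold, if strings is imported in this file) is worth considering.
```go
// certToTLSACert returns the hex data suitable for inclusion in a TLSA record,
// or "" when the selector/matching type pair is not supported.
func certToTLSACert(selector, matchingType uint8, cert *x509.Certificate) string {
	var data []byte
	switch selector {
	case 0:
		data = cert.Raw
	case 1:
		data = cert.RawSubjectPublicKeyInfo
	default:
		return ""
	}
	switch matchingType {
	case 0:
		return hex.EncodeToString(data)
	case 1:
		h := sha256.New()
		h.Write(data)
		return hex.EncodeToString(h.Sum(nil))
	case 2:
		h := sha512.New()
		h.Write(data)
		return hex.EncodeToString(h.Sum(nil))
	}
	return ""
}

// … unchanged: Sign …

func (r *RR_TLSA) Verify(cert *x509.Certificate) error {
	want := certToTLSACert(r.Selector, r.MatchingType, cert)
	if want == "" || want != r.Certificate {
		return ErrSig
	}
	return nil
}
```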