Add validation
This commit is contained in:
parent
646ce89f6d
commit
f6cf2ae240
69
tlsa.go
69
tlsa.go
|
@ -12,48 +12,57 @@ import (
|
||||||
|
|
||||||
// TLSA support functions
|
// TLSA support functions
|
||||||
|
|
||||||
|
// certToTLSACert returns the hex data suitable for inclusion in a TLSA record
|
||||||
|
func certToTLSACert(selector, matchingType uint8, cert *x509.Certificate) string {
|
||||||
|
switch matchingType {
|
||||||
|
case 0:
|
||||||
|
switch selector {
|
||||||
|
case 0:
|
||||||
|
return hex.EncodeToString(cert.Raw)
|
||||||
|
case 1:
|
||||||
|
return hex.EncodeToString(cert.RawSubjectPublicKeyInfo)
|
||||||
|
}
|
||||||
|
case 1:
|
||||||
|
h := sha256.New()
|
||||||
|
switch selector {
|
||||||
|
case 0:
|
||||||
|
return hex.EncodeToString(cert.Raw)
|
||||||
|
case 1:
|
||||||
|
io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
|
||||||
|
return hex.EncodeToString(h.Sum(nil))
|
||||||
|
}
|
||||||
|
case 2:
|
||||||
|
h := sha512.New()
|
||||||
|
switch selector {
|
||||||
|
case 0:
|
||||||
|
return hex.EncodeToString(cert.Raw)
|
||||||
|
case 1:
|
||||||
|
io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
|
||||||
|
return hex.EncodeToString(h.Sum(nil))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
||||||
// Sign creates a TLSA record from a SSL certificate.
|
// Sign creates a TLSA record from a SSL certificate.
|
||||||
func (r *RR_TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) error {
|
func (r *RR_TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) error {
|
||||||
r.Hdr.Rrtype = TypeTLSA
|
r.Hdr.Rrtype = TypeTLSA
|
||||||
r.Usage = uint8(usage)
|
r.Usage = uint8(usage)
|
||||||
r.Selector = uint8(selector)
|
r.Selector = uint8(selector)
|
||||||
r.MatchingType = uint8(matchingType)
|
r.MatchingType = uint8(matchingType)
|
||||||
|
// Checks on the value!?
|
||||||
|
|
||||||
switch r.MatchingType {
|
r.Certificate = certToTLSACert(r.Selector, r.MatchingType, cert)
|
||||||
case 0:
|
|
||||||
switch r.Selector {
|
|
||||||
case 0:
|
|
||||||
r.Certificate = hex.EncodeToString(cert.Raw)
|
|
||||||
case 1:
|
|
||||||
r.Certificate = hex.EncodeToString(cert.RawSubjectPublicKeyInfo)
|
|
||||||
}
|
|
||||||
case 1:
|
|
||||||
h := sha256.New()
|
|
||||||
switch r.Selector {
|
|
||||||
case 0:
|
|
||||||
r.Certificate = hex.EncodeToString(cert.Raw)
|
|
||||||
case 1:
|
|
||||||
io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
|
|
||||||
r.Certificate = hex.EncodeToString(h.Sum(nil))
|
|
||||||
}
|
|
||||||
case 2:
|
|
||||||
h := sha512.New()
|
|
||||||
switch r.Selector {
|
|
||||||
case 0:
|
|
||||||
r.Certificate = hex.EncodeToString(cert.Raw)
|
|
||||||
case 1:
|
|
||||||
io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
|
|
||||||
r.Certificate = hex.EncodeToString(h.Sum(nil))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Verify verifies a TLSA record against a SSL certificate. If it is OK
|
// Verify verifies a TLSA record against a SSL certificate. If it is OK
|
||||||
// a nil error is returned.
|
// a nil error is returned.
|
||||||
func (r *RR_TLSA) Verify(cert *x509.Certifcate) error {
|
func (r *RR_TLSA) Verify(cert *x509.Certificate) error {
|
||||||
return nil
|
if r.Certificate == certToTLSACert(r.Selector, r.MatchingType, cert) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return ErrSig // ErrSig, really?
|
||||||
}
|
}
|
||||||
|
|
||||||
// Name set the ownername of the TLSA record according to the
|
// Name set the ownername of the TLSA record according to the
|
||||||
|
|
Loading…
Reference in New Issue