1) Refactoring of tlsa.go - moved routine to create the certificate rdata to its own go module as this is shared between TLSA and SMIMEA records 2) Added support for creating an SMIMEA domain name 3) Developed in accordance with draft-ietf-dane-smime-12 RFC Miek, Submitting for your review. Happy to make any recommended changes or address omissions. Lightly tested against our internal DNS service which hosts DANE SMIMEA records for our email certificates. Parse tests are added.
package dns
import (
"crypto/x509"
"net"
"strconv"
)
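// Sign creates a TLSA record from an SSL certificate.
//
// usage, selector and matchingType populate 8-bit RDATA fields, so each must
// lie in 0..255. A value outside that range is rejected with a
// *strconv.NumError wrapping strconv.ErrRange instead of being silently
// truncated by the uint8 conversion (256 would otherwise be stored as 0).
// Whether an in-range selector or matching type is otherwise acceptable is
// left to CertificateToDANE.
//
// The certificate association data is produced by CertificateToDANE. If any
// step fails the error is returned and r is left unmodified, so a failed Sign
// cannot leave a record whose parameters and certificate data disagree.
func (r *TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) (err error) {
	const maxUint8 = 1<<8 - 1

	// Validate before converting: uint8(v) wraps modulo 256 without warning.
	for _, v := range [...]int{usage, selector, matchingType} {
		if v < 0 || v > maxUint8 {
			return &strconv.NumError{Func: "TLSA.Sign", Num: strconv.Itoa(v), Err: strconv.ErrRange}
		}
	}

	sel, mt := uint8(selector), uint8(matchingType)
	data, err := CertificateToDANE(sel, mt, cert)
	if err != nil {
		return err
	}

	// Commit only after every step succeeded.
	r.Hdr.Rrtype = TypeTLSA
	r.Usage = uint8(usage)
	r.Selector = sel
	r.MatchingType = mt
	r.Certificate = data
	return nil
}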
// Verify checks cert against the certificate association data held in r.
//
// The data is recomputed from cert with CertificateToDANE, using r.Selector
// and r.MatchingType, and compared with r.Certificate. A match yields nil, a
// mismatch yields ErrSig, and an error from CertificateToDANE is returned
// unchanged.
//
// Only Selector, MatchingType and Certificate are consulted here; r.Usage is
// not. A nil result therefore says only that the association data matches;
// applying the certificate-usage semantics is left to the caller.
//
// NOTE(review): the comparison is an exact string match. If r.Certificate can
// carry hex in a different letter case than CertificateToDANE produces, a
// valid certificate would be rejected; confirm the data is normalized.
func (r *TLSA) Verify(cert *x509.Certificate) error {
	computed, err := CertificateToDANE(r.Selector, r.MatchingType, cert)
	switch {
	case err != nil:
		// Open question carried over from the original: should this also be ErrSig?
		return err
	case computed != r.Certificate:
		// Open question carried over from the original: is ErrSig the right error?
		return ErrSig
	}
	return nil
}
// TLSAName builds the owner name of a TLSA resource record following the
// rules of RFC 6698, Section 3: "_<port>._<network>.<name>".
//
// name must be fully qualified, otherwise ErrFqdn is returned. service is
// resolved to a port number with net.LookupPort; its error, if any, is
// returned unchanged.
//
// network is copied verbatim into the protocol label. This function performs
// no check of its own that it is a single, valid label, so callers building
// names from untrusted input should constrain it first.
func TLSAName(name, service, network string) (string, error) {
	if !IsFqdn(name) {
		return "", ErrFqdn
	}

	port, lookupErr := net.LookupPort(network, service)
	if lookupErr != nil {
		return "", lookupErr
	}

	// "_" + up to five port digits + "._" + "." is at most nine extra bytes.
	owner := make([]byte, 0, len(network)+len(name)+9)
	owner = append(owner, '_')
	owner = strconv.AppendInt(owner, int64(port), 10)
	owner = append(owner, "._"...)
	owner = append(owner, network...)
	owner = append(owner, '.')
	owner = append(owner, name...)
	return string(owner), nil
}