2016-01-08 16:56:01 -05:00
|
|
|
package dns
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/x509"
|
|
|
|
"net"
|
|
|
|
"strconv"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Sign creates a TLSA record from an SSL certificate.
|
|
|
|
func (r *TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) (err error) {
|
|
|
|
r.Hdr.Rrtype = TypeTLSA
|
|
|
|
r.Usage = uint8(usage)
|
|
|
|
r.Selector = uint8(selector)
|
|
|
|
r.MatchingType = uint8(matchingType)
|
|
|
|
|
|
|
|
r.Certificate, err = CertificateToDANE(r.Selector, r.MatchingType, cert)
|
2020-02-25 11:35:35 -05:00
|
|
|
return err
|
2016-01-08 16:56:01 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// Verify verifies a TLSA record against an SSL certificate. If it is OK
|
|
|
|
// a nil error is returned.
|
|
|
|
func (r *TLSA) Verify(cert *x509.Certificate) error {
|
|
|
|
c, err := CertificateToDANE(r.Selector, r.MatchingType, cert)
|
|
|
|
if err != nil {
|
|
|
|
return err // Not also ErrSig?
|
|
|
|
}
|
|
|
|
if r.Certificate == c {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return ErrSig // ErrSig, really?
|
|
|
|
}
|
|
|
|
|
|
|
|
// TLSAName returns the ownername of a TLSA resource record as per the
|
|
|
|
// rules specified in RFC 6698, Section 3.
|
|
|
|
func TLSAName(name, service, network string) (string, error) {
|
|
|
|
if !IsFqdn(name) {
|
|
|
|
return "", ErrFqdn
|
|
|
|
}
|
2018-06-01 10:24:59 -04:00
|
|
|
p, err := net.LookupPort(network, service)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
2016-01-08 16:56:01 -05:00
|
|
|
}
|
2018-06-01 10:24:59 -04:00
|
|
|
return "_" + strconv.Itoa(p) + "._" + network + "." + name, nil
|
2016-01-08 16:56:01 -05:00
|
|
|
}
|