"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "dnssec.go" between
dns-1.1.46.tar.gz and dns-1.1.47.tar.gz

About: GO DNS implements a DNS library in Go.

dnssec.go  (dns-1.1.46):dnssec.go  (dns-1.1.47)
skipping to change at line 68 skipping to change at line 68
ECDSAP256SHA256: "ECDSAP256SHA256", ECDSAP256SHA256: "ECDSAP256SHA256",
ECDSAP384SHA384: "ECDSAP384SHA384", ECDSAP384SHA384: "ECDSAP384SHA384",
ED25519: "ED25519", ED25519: "ED25519",
ED448: "ED448", ED448: "ED448",
INDIRECT: "INDIRECT", INDIRECT: "INDIRECT",
PRIVATEDNS: "PRIVATEDNS", PRIVATEDNS: "PRIVATEDNS",
PRIVATEOID: "PRIVATEOID", PRIVATEOID: "PRIVATEOID",
} }
// AlgorithmToHash is a map of algorithm crypto hash IDs to crypto.Hash's. // AlgorithmToHash is a map of algorithm crypto hash IDs to crypto.Hash's.
// For newer algorithm that do their own hashing (i.e. ED25519) the returned val
ue
// is 0, implying no (external) hashing should occur. The non-exported identityH
ash is then
// used.
var AlgorithmToHash = map[uint8]crypto.Hash{ var AlgorithmToHash = map[uint8]crypto.Hash{
RSAMD5: crypto.MD5, // Deprecated in RFC 6725 RSAMD5: crypto.MD5, // Deprecated in RFC 6725
DSA: crypto.SHA1, DSA: crypto.SHA1,
RSASHA1: crypto.SHA1, RSASHA1: crypto.SHA1,
RSASHA1NSEC3SHA1: crypto.SHA1, RSASHA1NSEC3SHA1: crypto.SHA1,
RSASHA256: crypto.SHA256, RSASHA256: crypto.SHA256,
ECDSAP256SHA256: crypto.SHA256, ECDSAP256SHA256: crypto.SHA256,
ECDSAP384SHA384: crypto.SHA384, ECDSAP384SHA384: crypto.SHA384,
RSASHA512: crypto.SHA512, RSASHA512: crypto.SHA512,
ED25519: crypto.Hash(0), ED25519: 0,
} }
// DNSSEC hashing algorithm codes. // DNSSEC hashing algorithm codes.
const ( const (
_ uint8 = iota _ uint8 = iota
SHA1 // RFC 4034 SHA1 // RFC 4034
SHA256 // RFC 4509 SHA256 // RFC 4509
GOST94 // RFC 5933 GOST94 // RFC 5933
SHA384 // Experimental SHA384 // Experimental
SHA512 // Experimental SHA512 // Experimental
skipping to change at line 299 skipping to change at line 302
n, err := packSigWire(sigwire, signdata) n, err := packSigWire(sigwire, signdata)
if err != nil { if err != nil {
return err return err
} }
signdata = signdata[:n] signdata = signdata[:n]
wire, err := rawSignatureData(rrset, rr) wire, err := rawSignatureData(rrset, rr)
if err != nil { if err != nil {
return err return err
} }
hash, ok := AlgorithmToHash[rr.Algorithm] h, cryptohash, err := hashFromAlgorithm(rr.Algorithm)
if !ok { if err != nil {
return ErrAlg return err
} }
switch rr.Algorithm { switch rr.Algorithm {
case ED25519:
// ed25519 signs the raw message and performs hashing internally.
// All other supported signature schemes operate over the pre-has
hed
// message, and thus ed25519 must be handled separately here.
//
// The raw message is passed directly into sign and crypto.Hash(0
) is
// used to signal to the crypto.Signer that the data has not been
hashed.
signature, err := sign(k, append(signdata, wire...), crypto.Hash(
0), rr.Algorithm)
if err != nil {
return err
}
rr.Signature = toBase64(signature)
return nil
case RSAMD5, DSA, DSANSEC3SHA1: case RSAMD5, DSA, DSANSEC3SHA1:
// See RFC 6944. // See RFC 6944.
return ErrAlg return ErrAlg
default: default:
h := hash.New()
h.Write(signdata) h.Write(signdata)
h.Write(wire) h.Write(wire)
signature, err := sign(k, h.Sum(nil), hash, rr.Algorithm) signature, err := sign(k, h.Sum(nil), cryptohash, rr.Algorithm)
if err != nil { if err != nil {
return err return err
} }
rr.Signature = toBase64(signature) rr.Signature = toBase64(signature)
return nil return nil
} }
} }
func sign(k crypto.Signer, hashed []byte, hash crypto.Hash, alg uint8) ([]byte, error) { func sign(k crypto.Signer, hashed []byte, hash crypto.Hash, alg uint8) ([]byte, error) {
signature, err := k.Sign(rand.Reader, hashed, hash) signature, err := k.Sign(rand.Reader, hashed, hash)
if err != nil { if err != nil {
return nil, err return nil, err
} }
switch alg { switch alg {
case RSASHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512: case RSASHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512, ED25519:
return signature, nil return signature, nil
case ECDSAP256SHA256, ECDSAP384SHA384: case ECDSAP256SHA256, ECDSAP384SHA384:
ecdsaSignature := &struct { ecdsaSignature := &struct {
R, S *big.Int R, S *big.Int
}{} }{}
if _, err := asn1.Unmarshal(signature, ecdsaSignature); err != ni l { if _, err := asn1.Unmarshal(signature, ecdsaSignature); err != ni l {
return nil, err return nil, err
} }
var intlen int var intlen int
switch alg { switch alg {
case ECDSAP256SHA256: case ECDSAP256SHA256:
intlen = 32 intlen = 32
case ECDSAP384SHA384: case ECDSAP384SHA384:
intlen = 48 intlen = 48
} }
signature := intToBytes(ecdsaSignature.R, intlen) signature := intToBytes(ecdsaSignature.R, intlen)
signature = append(signature, intToBytes(ecdsaSignature.S, intlen )...) signature = append(signature, intToBytes(ecdsaSignature.S, intlen )...)
return signature, nil return signature, nil
case ED25519:
return signature, nil
default: default:
return nil, ErrAlg return nil, ErrAlg
} }
} }
// Verify validates an RRSet with the signature and key. This is only the // Verify validates an RRSet with the signature and key. This is only the
// cryptographic test, the signature validity period must be checked separately. // cryptographic test, the signature validity period must be checked separately.
// This function copies the rdata of some RRs (to lowercase domain names) for th e validation to work. // This function copies the rdata of some RRs (to lowercase domain names) for th e validation to work.
// It also checks that the Zone Key bit (RFC 4034 2.1.1) is set on the DNSKEY // It also checks that the Zone Key bit (RFC 4034 2.1.1) is set on the DNSKEY
// and that the Protocol field is set to 3 (RFC 4034 2.1.2). // and that the Protocol field is set to 3 (RFC 4034 2.1.2).
skipping to change at line 440 skipping to change at line 426
if err != nil { if err != nil {
return err return err
} }
sigbuf := rr.sigBuf() // Get the binary signature data sigbuf := rr.sigBuf() // Get the binary signature data
if rr.Algorithm == PRIVATEDNS { // PRIVATEOID if rr.Algorithm == PRIVATEDNS { // PRIVATEOID
// TODO(miek) // TODO(miek)
// remove the domain name and assume its ours? // remove the domain name and assume its ours?
} }
hash, ok := AlgorithmToHash[rr.Algorithm] h, cryptohash, err := hashFromAlgorithm(rr.Algorithm)
if !ok { if err != nil {
return ErrAlg return err
} }
switch rr.Algorithm { switch rr.Algorithm {
case RSASHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512: case RSASHA1, RSASHA1NSEC3SHA1, RSASHA256, RSASHA512:
// TODO(mg): this can be done quicker, ie. cache the pubkey data somewhere?? // TODO(mg): this can be done quicker, ie. cache the pubkey data somewhere??
pubkey := k.publicKeyRSA() // Get the key pubkey := k.publicKeyRSA() // Get the key
if pubkey == nil { if pubkey == nil {
return ErrKey return ErrKey
} }
h := hash.New()
h.Write(signeddata) h.Write(signeddata)
h.Write(wire) h.Write(wire)
return rsa.VerifyPKCS1v15(pubkey, hash, h.Sum(nil), sigbuf) return rsa.VerifyPKCS1v15(pubkey, cryptohash, h.Sum(nil), sigbuf)
case ECDSAP256SHA256, ECDSAP384SHA384: case ECDSAP256SHA256, ECDSAP384SHA384:
pubkey := k.publicKeyECDSA() pubkey := k.publicKeyECDSA()
if pubkey == nil { if pubkey == nil {
return ErrKey return ErrKey
} }
// Split sigbuf into the r and s coordinates // Split sigbuf into the r and s coordinates
r := new(big.Int).SetBytes(sigbuf[:len(sigbuf)/2]) r := new(big.Int).SetBytes(sigbuf[:len(sigbuf)/2])
s := new(big.Int).SetBytes(sigbuf[len(sigbuf)/2:]) s := new(big.Int).SetBytes(sigbuf[len(sigbuf)/2:])
h := hash.New()
h.Write(signeddata) h.Write(signeddata)
h.Write(wire) h.Write(wire)
if ecdsa.Verify(pubkey, h.Sum(nil), r, s) { if ecdsa.Verify(pubkey, h.Sum(nil), r, s) {
return nil return nil
} }
return ErrSig return ErrSig
case ED25519: case ED25519:
pubkey := k.publicKeyED25519() pubkey := k.publicKeyED25519()
if pubkey == nil { if pubkey == nil {
 End of changes. 12 change blocks. 
33 lines changed or deleted 15 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)