tlsa.go raw

   1  package dns
   2  
   3  import (
   4  	"crypto/x509"
   5  	"net"
   6  	"strconv"
   7  )
   8  
   9  // Sign creates a TLSA record from an SSL certificate.
  10  func (r *TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) (err error) {
  11  	r.Hdr.Rrtype = TypeTLSA
  12  	r.Usage = uint8(usage)
  13  	r.Selector = uint8(selector)
  14  	r.MatchingType = uint8(matchingType)
  15  
  16  	r.Certificate, err = CertificateToDANE(r.Selector, r.MatchingType, cert)
  17  	return err
  18  }
  19  
  20  // Verify verifies a TLSA record against an SSL certificate. If it is OK
  21  // a nil error is returned.
  22  func (r *TLSA) Verify(cert *x509.Certificate) error {
  23  	c, err := CertificateToDANE(r.Selector, r.MatchingType, cert)
  24  	if err != nil {
  25  		return err // Not also ErrSig?
  26  	}
  27  	if r.Certificate == c {
  28  		return nil
  29  	}
  30  	return ErrSig // ErrSig, really?
  31  }
  32  
  33  // TLSAName returns the ownername of a TLSA resource record as per the
  34  // rules specified in RFC 6698, Section 3.
  35  func TLSAName(name, service, network string) (string, error) {
  36  	if !IsFqdn(name) {
  37  		return "", ErrFqdn
  38  	}
  39  	p, err := net.LookupPort(network, service)
  40  	if err != nil {
  41  		return "", err
  42  	}
  43  	return "_" + strconv.Itoa(p) + "._" + network + "." + name, nil
  44  }
  45