Created
October 19, 2015 13:19
Crypto signer backporting for DNS lib
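diff --git a/dnssec.go b/dnssec.go
index 84cb214..9198d6d 100644
--- a/dnssec.go
+++ b/dnssec.go
@@ -18,8 +18,26 @@ import (
 "sort"
 "strings"
 "time"
+ "io"
 )
+
+type cryptoSignerOpts interface {
+ HashFunc() crypto.Hash
+}
+
+type cryptoSigner interface {
+ Public() crypto.PublicKey
+ Sign(rand io.Reader, msg []byte, opts cryptoSignerOpts) (signature []byte, err error)
+}
+
+type basicOpts crypto.Hash
+
+func (h basicOpts) HashFunc() crypto.Hash {
+ return crypto.Hash(h)
+}
+
+
 // DNSSEC encryption algorithm codes.
 const (
 _ uint8 = iota
@@ -254,7 +272,7 @@ func (d *DS) ToCDS() *CDS {
 // There is no check if RRSet is a proper (RFC 2181) RRSet. If OrigTTL is non
 // zero, it is used as-is, otherwise the TTL of the RRset is used as the
 // OrigTTL.
-func (rr *RRSIG) Sign(k crypto.Signer, rrset []RR) error {
+func (rr *RRSIG) Sign(k cryptoSigner, rrset []RR) error {
 if k == nil {
 return ErrPrivKey
 }
@@ -318,8 +336,8 @@ func (rr *RRSIG) Sign(k crypto.Signer, rrset []RR) error {
 return nil
 }
-func sign(k crypto.Signer, hashed []byte, hash crypto.Hash, alg uint8) ([]byte, error) {
- signature, err := k.Sign(rand.Reader, hashed, hash)
+func sign(k cryptoSigner, hashed []byte, hash crypto.Hash, alg uint8) ([]byte, error) {
+ signature, err := k.Sign(rand.Reader, hashed, basicOpts(hash))
 if err != nil {
 return nil, err
 }
@@ -348,7 +366,7 @@ func sign(k crypto.Signer, hashed []byte, hash crypto.Hash, alg uint8) ([]byte,
 signature = append(signature, intToBytes(ecdsaSignature.S, intlen)...)
 return signature, nil
- // There is no defined interface for what a DSA backed crypto.Signer returns
+ // There is no defined interface for what a DSA backed cryptoSigner returns
 case DSA, DSANSEC3SHA1:
 // t := divRoundUp(divRoundUp(p.PublicKey.Y.BitLen(), 8)-64, 8)
 // signature := []byte{byte(t)}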
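Review bot: The `cryptoSigner` interface declared in the first hunk is not satisfied by any type whose `Sign` method takes `crypto.SignerOpts`, because Go requires method signatures to match exactly and `cryptoSignerOpts` is a distinct named interface; on toolchains that already ship `crypto.Signer`, standard-library `*rsa.PrivateKey` and `*ecdsa.PrivateKey` values would therefore fail the `.(cryptoSigner)` assertions added in the dnssec_test.go and sig0_test.go sections unless the package wraps its keys in an adapter (the keys come from outside these hunks, so I cannot confirm which case applies). If the intent is a build-tag split, with this file for older toolchains and `crypto.Signer` elsewhere, that should be stated next to the type, e.g. `// cryptoSigner mirrors crypto.Signer for toolchains that lack it; the two interfaces are not interchangeable.` As a point of style, the added `"io"` import sits after `"time"` rather than in sorted order, and the double blank line before `// DNSSEC encryption algorithm codes.` would be collapsed by gofmt.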
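diff --git a/dnssec_test.go b/dnssec_test.go
index c315932..0ca63cd 100644
--- a/dnssec_test.go
+++ b/dnssec_test.go
@@ -723,7 +723,7 @@ func TestInvalidRRSet(t *testing.T) {
 }
 // Sign the good record set and then make sure verification fails on the bad record set
- if err := signature.Sign(privatekey.(crypto.Signer), goodRecords); err != nil {
+ if err := signature.Sign(privatekey.(cryptoSigner), goodRecords); err != nil {
 t.Fatal("Signing good records failed")
 }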
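diff --git a/sig0.go b/sig0.go
index 0fccddb..edccdca 100644
--- a/sig0.go
+++ b/sig0.go
@@ -13,7 +13,7 @@ import (
 // Sign signs a dns.Msg. It fills the signature with the appropriate data.
 // The SIG record should have the SignerName, KeyTag, Algorithm, Inception
 // and Expiration set.
-func (rr *SIG) Sign(k crypto.Signer, m *Msg) ([]byte, error) {
+func (rr *SIG) Sign(k cryptoSigner, m *Msg) ([]byte, error) {
 if k == nil {
 return nil, ErrPrivKey
 }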
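diff --git a/sig0_test.go b/sig0_test.go
index c13adf3..9675eba 100644
--- a/sig0_test.go
+++ b/sig0_test.go
@@ -41,7 +41,7 @@ func TestSIG0(t *testing.T) {
 sigrr.Inception = now - 300
 sigrr.KeyTag = keyrr.KeyTag()
 sigrr.SignerName = keyrr.Hdr.Name
- mb, err := sigrr.Sign(pk.(crypto.Signer), m)
+ mb, err := sigrr.Sign(pk.(cryptoSigner), m)
 if err != nil {
 t.Errorf("Failed to sign message using “%s”: %v", algstr, err)
 continue
@@ -80,7 +80,7 @@ func TestSIG0(t *testing.T) {
 }
 sigrr.Expiration = 2
 sigrr.Inception = 1
- mb, _ = sigrr.Sign(pk.(crypto.Signer), m)
+ mb, _ = sigrr.Sign(pk.(cryptoSigner), m)
 if err := sigrr.Verify(keyrr, mb); err == nil {
 t.Errorf("Verify succeeded on an expired message using “%s”", algstr)
 continue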