Skip to content
Snippets Groups Projects
Select Git revision
  • b1b0f1bafe4c8458a11e0b54cbbac849a79e4bc4
  • master default
  • renovate/golang.org-x-crypto-0.x
  • renovate/go-1.x
  • renovate/golang.org-x-sync-0.x
  • renovate/opentelemetry-go-monorepo
  • renovate/github.com-go-webauthn-webauthn-0.x
  • renovate/github.com-mattn-go-sqlite3-1.x
  • renovate/github.com-go-ldap-ldap-v3-3.x
  • renovate/github.com-prometheus-client_golang-1.x
  • renovate/github.com-google-go-cmp-0.x
  • renovate/github.com-lunixbochs-struc-digest
  • renovate/github.com-duo-labs-webauthn-digest
13 results

dialer_legacy.go

Blame
    • ale's avatar
      c165311f
      Let the configuration override connection and max request timeouts · c165311f
      ale authored 
      Add the 'connect_timeout' and 'request_max_timeout' configuration
fields, to control respectively the initial connection timeout, and
the maximum time for each individual request. This allows fine-tuning
of the expected performance of specific backends, for example to let
optional backends fail fast.
      c165311f
      History
      Let the configuration override connection and max request timeouts
      ale authored 
      Add the 'connect_timeout' and 'request_max_timeout' configuration
fields, to control respectively the initial connection timeout, and
the maximum time for each individual request. This allows fine-tuning
of the expected performance of specific backends, for example to let
optional backends fail fast.
    tlsa.go 2.14 KiB 
    package dns

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"io"
	"net"
	"strconv"
)

// CertificateToDANE converts a certificate to a hex string as used in the TLSA record.
func CertificateToDANE(selector, matchingType uint8, cert *x509.Certificate) (string, error) {
	switch matchingType {
	case 0:
		switch selector {
		case 0:
			return hex.EncodeToString(cert.Raw), nil
		case 1:
			return hex.EncodeToString(cert.RawSubjectPublicKeyInfo), nil
		}
	case 1:
		h := sha256.New()
		switch selector {
		case 0:
			io.WriteString(h, string(cert.Raw))
			return hex.EncodeToString(h.Sum(nil)), nil
		case 1:
			io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
			return hex.EncodeToString(h.Sum(nil)), nil
		}
	case 2:
		h := sha512.New()
		switch selector {
		case 0:
			io.WriteString(h, string(cert.Raw))
			return hex.EncodeToString(h.Sum(nil)), nil
		case 1:
			io.WriteString(h, string(cert.RawSubjectPublicKeyInfo))
			return hex.EncodeToString(h.Sum(nil)), nil
		}
	}
	return "", errors.New("dns: bad TLSA MatchingType or TLSA Selector")
}

// Sign creates a TLSA record from an SSL certificate.
func (r *TLSA) Sign(usage, selector, matchingType int, cert *x509.Certificate) (err error) {
	r.Hdr.Rrtype = TypeTLSA
	r.Usage = uint8(usage)
	r.Selector = uint8(selector)
	r.MatchingType = uint8(matchingType)

	r.Certificate, err = CertificateToDANE(r.Selector, r.MatchingType, cert)
	if err != nil {
		return err
	}
	return nil
}

// Verify verifies a TLSA record against an SSL certificate. If it is OK
// a nil error is returned.
func (r *TLSA) Verify(cert *x509.Certificate) error {
	c, err := CertificateToDANE(r.Selector, r.MatchingType, cert)
	if err != nil {
		return err // Not also ErrSig?
	}
	if r.Certificate == c {
		return nil
    	}
	return ErrSig // ErrSig, really?
}

// TLSAName returns the ownername of a TLSA resource record as per the
// rules specified in RFC 6698, Section 3.
func TLSAName(name, service, network string) (string, error) {
	if !IsFqdn(name) {
		return "", ErrFqdn
	}
	p, e := net.LookupPort(network, service)
	if e != nil {
		return "", e
	}
	return "_" + strconv.Itoa(p) + "_" + network + "." + name, nil
}