package tools

v0.0.0-...-6c820e1
Published: Apr 23, 2025 License: MIT Imports: 30 Imported by: 0

Documentation

Index

Constants

View Source
const (
	RsaSha256       = 8  // RSA SHA256
	EcdsaP256Sha256 = 13 // ECDSA P256 SHA256
)

Signing algorithms. The values are the DNSSEC algorithm numbers from the IANA registry: 8 is RSASHA256 (RFC 5702) and 13 is ECDSAP256SHA256 (RFC 6605).

Variables

View Source
var ErrNoValidKeys = fmt.Errorf("no valid keys")

ErrNoValidKeys is returned when the session does not have valid keys.

View Source
var ErrNotEnoughDNSkeys = fmt.Errorf("could not find enough dnskeys")
View Source
var StringToSignAlgorithm = map[string]SignAlgorithm{
	"rsa":               RsaSha256,
	"rsa_sha256":        RsaSha256,
	"ecdsa":             EcdsaP256Sha256,
	"ecdsa_p256":        EcdsaP256Sha256,
	"ecdsa_p256_sha256": EcdsaP256Sha256,
}

StringToSignAlgorithm maps the name of an algorithm, as given by the user, to its SignAlgorithm value; both the short aliases ("rsa", "ecdsa") and the full names are accepted.

Functions

func CreateNewRRSIG

func CreateNewRRSIG(zone string, dnsKeyRR *dns.DNSKEY, expDate time.Time, rrSetTTL uint32) *dns.RRSIG

CreateNewRRSIG creates a new RRSIG RR, using the parameters provided.

func DurationToTime

func DurationToTime(now time.Time, dStr string) (d time.Time, err error)

DurationToTime parses a duration string and returns a time relative to now.

func GetDNSKEY

func GetDNSKEY(keys *SigKeys, session SignSession) (zsk, ksk *dns.DNSKEY, err error)

GetDNSKEY returns the two DNSKEY RRs (ZSK and KSK) built from the session SigKeys.

func NormalizeFQDN

func NormalizeFQDN(fqdn string) string

NormalizeFQDN normalizes a fqdn to ASCII (punycode).

func Sign

func Sign(session SignSession) (ds *dns.DS, err error)

Sign signs the zone of the session's context and writes the result to the configured output path (if its length is more than zero). It also dumps the newly signed zone to standard output. It returns the DS record that has to be published in the parent zone.

Types

type Context

type Context struct {
	Config *ContextConfig
	File   io.Reader      // zone path
	Output io.WriteCloser // Out path

	Log            *log.Logger         // Logger
	SignAlgorithm  SignAlgorithm       // Sign Algorithm
	DelegatedZones map[string]struct{} // Map with Delegated zones.
	WithDS         map[string]struct{} // Map with zones with a DS RR
	DNSKEYS        struct {
		ZSK, KSK map[uint16]*dns.DNSKEY // DNSKEYS
	}
	// contains filtered or unexported fields
}

Context contains the state of a zone signing process.

func NewContext

func NewContext(config *ContextConfig, log *log.Logger) (ctx *Context, err error)

NewContext creates a new context based on a configuration structure. It also receives a logger to log errors.

func (*Context) AddNSEC13

func (ctx *Context) AddNSEC13()

AddNSEC13 adds the NSEC RRs (or the NSEC3 RRs, when Config.NSEC3 is set) to the RR list.

func (*Context) AddZONEMDRecord

func (ctx *Context) AddZONEMDRecord()

AddZONEMDRecord adds a ZONEMD zone digest RR following draft-ietf-dnsop-dns-zone-digest-05 (published as RFC 8976). It needs the SOA information (serial) for that.

func (*Context) CalculateDigest

func (ctx *Context) CalculateDigest(hashAlg uint8) (string, error)

CalculateDigest calculates the digest for a PREVIOUSLY ORDERED zone. This method returns the digest hex value.

func (*Context) CleanDigests

func (ctx *Context) CleanDigests()

CleanDigests sets the digest field of all apex ZONEMD RRs to zero. It is used before zone signing and digest calculation, because the ZONEMD digest is computed over a zone in which the digest field of the ZONEMD placeholder is zeroed (RFC 8976).

func (*Context) Close

func (ctx *Context) Close() error

Close closes the output file if it is defined.

func (*Context) CreateNewDNSKEY

func (ctx *Context) CreateNewDNSKEY(flags uint16, publicKey string) *dns.DNSKEY

CreateNewDNSKEY creates a new DNSKEY RR, using the parameters provided.

func (*Context) Digest

func (ctx *Context) Digest() error

Digest creates a version of a zone with a valid ZONEMD RR.

func (*Context) NewFileSession

func (ctx *Context) NewFileSession(zsk, ksk io.ReadWriteSeeker) (SignSession, error)

NewFileSession creates a new File session. The arguments define the readers for the zone signing and key signing keys.

func (*Context) NewPKCS11Session

func (ctx *Context) NewPKCS11Session(key, label, p11lib string) (SignSession, error)

NewPKCS11Session creates a new PKCS#11 session. key is the HSM user key (PIN) used to log in, label is the PKCS#11 object label under which the keys are created or retrieved, and p11lib is the path of the PKCS#11 module library.

func (*Context) PrintDS

func (ctx *Context) PrintDS()

PrintDS prints the DS record of the zone to the log device.
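To show what the DS that Sign returns and PrintDS logs is made of, here is an added Go example; it is not code from this package. It builds DNSKEY RDATA, computes the RFC 4034 Appendix B key tag and the SHA-256 DS digest, and checks a published DS against a DNSKEY. The 64-byte public key is a constructed placeholder rather than a real curve point, and all function names are chosen here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// dnskeyRDATA builds DNSKEY RDATA: flags (256 = ZONE for a ZSK, 257 = ZONE|SEP
// for a KSK), protocol 3, the DNSSEC algorithm number and the public key bytes
// (for algorithm 13 the P-256 point as X||Y, 64 bytes, RFC 6605 §4).
func dnskeyRDATA(flags uint16, alg uint8, pubkey []byte) []byte {
	return append([]byte{byte(flags >> 8), byte(flags), 3, alg}, pubkey...)
}

// keyTag is the RFC 4034 Appendix B checksum over the DNSKEY RDATA; it is the
// first field of the DS record and of every RRSIG made with the key. It is not
// unique, so a matching tag alone never identifies a key: the digest must match too.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		if i&1 == 1 {
			ac += uint32(b)
		} else {
			ac += uint32(b) << 8
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// wireName encodes an FQDN in canonical (lowercase) wire format, the form of
// the owner name that the DS digest covers. Assumption: no "\" escapes.
func wireName(fqdn string) []byte {
	var out []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(fqdn), "."), ".") {
		if l != "" {
			out = append(append(out, byte(len(l))), l...)
		}
	}
	return append(out, 0)
}

// dsSHA256 returns the hex DS digest of digest type 2 (RFC 4509):
// SHA-256(owner name in canonical wire form || DNSKEY RDATA).
func dsSHA256(owner string, rdata []byte) string {
	h := sha256.New()
	h.Write(wireName(owner))
	h.Write(rdata)
	return hex.EncodeToString(h.Sum(nil))
}

// dsMatches re-derives the DS from a DNSKEY and compares it with what the
// parent publishes; run it before and after a KSK rollover.
func dsMatches(owner string, rdata []byte, tag uint16, digest string) bool {
	return keyTag(rdata) == tag && dsSHA256(owner, rdata) == strings.ToLower(digest)
}

func main() {
	// Constructed placeholder for a 64-byte algorithm-13 public key (it is not a
	// real curve point); a real KSK would come from GetPublicKeyBytes.
	pub := make([]byte, 64)
	for i := range pub {
		pub[i] = byte(i)
	}
	ksk := dnskeyRDATA(257, 13, pub)
	tag, digest := keyTag(ksk), dsSHA256("example.com.", ksk)
	fmt.Printf("example.com. IN DS %d 13 2 %s\n", tag, digest)
	fmt.Println("parent DS matches DNSKEY:", dsMatches("example.com.", ksk, tag, digest))
	zsk := dnskeyRDATA(256, 13, pub)
	fmt.Println("ZSK matches the KSK's DS:", dsMatches("example.com.", zsk, tag, digest))
}
```

The owner name is lowercased before hashing because the DS covers the canonical form of the name; a DS computed over a mixed-case owner would never match what a validator derives.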

func (*Context) ReadAndParseZone

func (ctx *Context) ReadAndParseZone(updateSerial bool) error

ReadAndParseZone parses the DNS zone file and fills the context with the RR list and the zone minimum TTL. It also updates the serial in the SOA record if updateSerial is true. If Config.Info is true, it adds a TXT record under the _dnstools subdomain with signing information. IT DOES NOT SORT THE RR LIST.

func (*Context) UpdateDigest

func (ctx *Context) UpdateDigest() (err error)

UpdateDigest calculates the digest for a PREVIOUSLY ORDERED zone with one ZONEMD RR. This method updates the ZONEMD RR in place.

func (*Context) ValidateOrderedZoneDigest

func (ctx *Context) ValidateOrderedZoneDigest(hashAlg uint8, mddigest string) error

ValidateOrderedZoneDigest validates the digest for a PREVIOUSLY ORDERED zone. It returns nil if the calculated digest equals the ZONEMD one, and an error otherwise. It follows the validation procedure from https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-zone-digest (published as RFC 8976). It is hardcoded to use the SIMPLE scheme.

func (*Context) VerifyDigest

func (ctx *Context) VerifyDigest() error

VerifyDigest validates a version of a zone with a valid ZONEMD RR.

func (*Context) VerifyFile

func (ctx *Context) VerifyFile() (err error)

VerifyFile verifies the signatures in an already signed zone file. The zone origin (Config.Zone), the zone file path (Config.FilePath, used to resolve $INCLUDE directives), the input reader (File) and the logger (Log) are all taken from the context.

func (*Context) WriteZone

func (ctx *Context) WriteZone() error

WriteZone writes all the RRs in the context's RR list to the context output. The text written is in DNS zone file format.

type ContextConfig

type ContextConfig struct {
	Zone            string    // Zone name
	CreateKeys      bool      // If true, the sign process creates new keys for the signature.
	NSEC3           bool      // If true, the zone is signed using NSEC3
	OptOut          bool      // If true and NSEC3 is true, the zone is signed using the NSEC3 Opt-Out flag.
	DigestEnabled   bool      // If true, a ZONEMD digest RR is added to the zone
	SignAlgorithm   string    // Signature algorithm name (see StringToSignAlgorithm)
	FilePath        string    // Zone file path (input; also used to resolve $INCLUDE directives)
	OutputPath      string    // Output path
	RRSIGExpDate    time.Time // RRSIG expiration date
	Info            bool      // If true, a credits TXT RR will be added to the _dnstools subdomain.
	Lazy            bool      // If true, the zone will not be signed if it is not needed.
	VerifyThreshold time.Time // Verification threshold
	HashAlg         uint8     // ZONEMD hash algorithm: 1:sha384 (default), 2:sha512
	NSEC3Iterations uint16    // NSEC3 additional hash iterations
	NSEC3SaltLength uint8     // NSEC3 salt length
	NSEC3SaltValue  string    // NSEC3 salt value
}

ContextConfig contains the common args to sign and verify files. For the NSEC3 parameters, current guidance (RFC 9276) is zero additional iterations and an empty salt: extra iterations add little protection against offline dictionary attacks on the hashed names, they raise the cost for the signer and for every validator, and validators are allowed to treat zones with high iteration counts as insecure.
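An added example, not code from this package, of what the NSEC3Iterations and NSEC3Salt* fields feed into: the RFC 5155 owner-name hash, checked against the RFC 5155 Appendix A vector (zone example., salt aabbccdd, 12 iterations), plus a small parameter check that reflects RFC 9276. Function names are chosen here.

```go
package main

import (
	"crypto/sha1"
	"encoding/base32"
	"encoding/hex"
	"fmt"
	"strings"
)

// wireName encodes an FQDN in canonical (lowercase) wire format, the form that
// NSEC3 hashes. Assumption: no "\" escapes in the name.
func wireName(fqdn string) []byte {
	var out []byte
	for _, l := range strings.Split(strings.TrimSuffix(strings.ToLower(fqdn), "."), ".") {
		if l != "" {
			out = append(append(out, byte(len(l))), l...)
		}
	}
	return append(out, 0)
}

// nsec3Hash implements RFC 5155 §5: H(name, salt, 0) = SHA-1(name || salt) and
// H(name, salt, k) = SHA-1(H(name, salt, k-1) || salt). A zone with N additional
// iterations therefore costs N+1 SHA-1 calls per name, paid by the signer and
// again by every validator that checks a denial of existence. The result is
// the lowercase base32hex string that appears as the NSEC3 owner label.
func nsec3Hash(fqdn string, salt []byte, iterations uint16) string {
	h := sha1.Sum(append(wireName(fqdn), salt...))
	for i := uint16(0); i < iterations; i++ {
		h = sha1.Sum(append(h[:], salt...))
	}
	enc := base32.HexEncoding.WithPadding(base32.NoPadding)
	return strings.ToLower(enc.EncodeToString(h[:]))
}

// nsec3ParamWarnings flags iteration and salt choices that RFC 9276 advises against.
func nsec3ParamWarnings(iterations uint16, salt []byte) []string {
	var w []string
	if iterations > 0 {
		w = append(w, fmt.Sprintf("%d additional iterations: RFC 9276 recommends 0; validators may treat high counts as insecure", iterations))
	}
	if len(salt) > 0 {
		w = append(w, "non-empty salt: RFC 9276 recommends an empty salt")
	}
	return w
}

func main() {
	// RFC 5155 Appendix A parameters: salt aabbccdd, 12 additional iterations.
	salt, _ := hex.DecodeString("aabbccdd")
	fmt.Println(nsec3Hash("example.", salt, 12)) // 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
	for _, w := range nsec3ParamWarnings(12, salt) {
		fmt.Println("warning:", w)
	}
	fmt.Println(nsec3Hash("example.", nil, 0), len(nsec3ParamWarnings(0, nil)), "warnings")
}
```

The hash is computed over the lowercased wire-format name, which is why NSEC3 owner labels are the same whatever the case of the query name.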

type FileSession

type FileSession struct {
	// contains filtered or unexported fields
}

FileSession represents a session whose keys are kept in files rather than in an HSM; see NewFileSession, which takes the readers for the zone signing and key signing keys.

func (*FileSession) Context

func (session *FileSession) Context() *Context

Context returns the session context

func (*FileSession) DestroyAllKeys

func (session *FileSession) DestroyAllKeys() error

DestroyAllKeys destroys all keys inside the session. In the case of FileSession it does nothing

func (*FileSession) End

func (session *FileSession) End() error

End ends the session. In FileSession it does nothing

func (*FileSession) GetKeys

func (session *FileSession) GetKeys() (keys *SigKeys, err error)

GetKeys returns the keys (zsk, ksk) related to the session

func (*FileSession) GetPublicKeyBytes

func (session *FileSession) GetPublicKeyBytes(keys *SigKeys) (zskBytes, kskBytes []byte, err error)

GetPublicKeyBytes returns the public key bytes for ZSK and KSK keys

type NSEC3List

type NSEC3List struct {
	// contains filtered or unexported fields
}

type PKCS11RRSigner

type PKCS11RRSigner struct {
	Session *PKCS11Session      // PKCS#11 session
	SK, PK  pkcs11.ObjectHandle // Secret and Public PKCS11Key handles
}

PKCS11RRSigner represents a signer using a PKCS11 device to sign and store the keys

func (*PKCS11RRSigner) Public

func (rs *PKCS11RRSigner) Public() crypto.PublicKey

Public returns the public key related to the signer

func (*PKCS11RRSigner) Sign

func (rs *PKCS11RRSigner) Sign(rand io.Reader, rr []byte, opts crypto.SignerOpts) ([]byte, error)

Sign signs the wire-format RRset data passed in rr on the HSM, using the session's private key handle, so the private key never leaves the device. Together with Public it makes PKCS11RRSigner a crypto.Signer, which is what dns.RRSIG.Sign takes.
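As an added illustration, not code from this package, the following stand-alone Go program shows the crypto.Signer adapter that an HSM-backed RRSIG signer like PKCS11RRSigner has to be: PKCS#11 CKM_ECDSA returns the signature as raw r||s, whereas crypto.Signer consumers such as dns.RRSIG.Sign in github.com/miekg/dns expect ASN.1 DER (the library converts DER into the fixed-size RRSIG format itself). The HSM is stood in for by an in-memory P-256 key; hsmP256, hsmSigner and signAndVerify are names chosen here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"fmt"
	"io"
	"math/big"
)

// hsmP256 stands in for the HSM-resident key pair (assumption: an in-memory
// ecdsa.PrivateKey replaces the pkcs11.ObjectHandle of a real session).
type hsmP256 struct{ priv *ecdsa.PrivateKey }

// signRaw mimics PKCS#11 CKM_ECDSA: the signature comes back as r||s, each
// value left-padded to the curve order size (32 bytes for P-256), not as DER.
func (d *hsmP256) signRaw(digest []byte) ([]byte, error) {
	r, s, err := ecdsa.Sign(rand.Reader, d.priv, digest)
	if err != nil {
		return nil, err
	}
	raw := make([]byte, 64)
	r.FillBytes(raw[:32])
	s.FillBytes(raw[32:])
	return raw, nil
}

// hsmSigner adapts the raw r||s output to crypto.Signer. Consumers of
// crypto.Signer, dns.RRSIG.Sign included, expect the DER SEQUENCE{r, s}
// encoding that ecdsa.PrivateKey.Sign produces, so the adapter re-encodes.
type hsmSigner struct{ dev *hsmP256 }

func (h *hsmSigner) Public() crypto.PublicKey { return &h.dev.priv.PublicKey }

func (h *hsmSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	// Algorithm 13 is ECDSA P-256 with SHA-256 only; refuse anything else
	// rather than silently producing a signature validators will reject.
	if opts == nil || opts.HashFunc() != crypto.SHA256 || len(digest) != sha256.Size {
		return nil, errors.New("ECDSAP256SHA256 (algorithm 13) requires a SHA-256 digest")
	}
	raw, err := h.dev.signRaw(digest)
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(struct{ R, S *big.Int }{
		new(big.Int).SetBytes(raw[:32]), new(big.Int).SetBytes(raw[32:]),
	})
}

// signAndVerify drives the adapter the way a crypto.Signer consumer does:
// hash the data first, then call Sign with the digest and the hash as opts.
func signAndVerify(signer *hsmSigner, data []byte) (bool, error) {
	digest := sha256.Sum256(data)
	sig, err := signer.Sign(rand.Reader, digest[:], crypto.SHA256)
	if err != nil {
		return false, err
	}
	return ecdsa.VerifyASN1(signer.Public().(*ecdsa.PublicKey), digest[:], sig), nil
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := &hsmSigner{dev: &hsmP256{priv: priv}}
	ok, err := signAndVerify(signer, []byte("constructed stand-in for the canonical RRset bytes"))
	fmt.Println("DER signature verifies:", ok, err)
}
```

With a real device the signRaw body becomes a C_SignInit/C_Sign pair on the session handle; the rest of the adapter, including the hash check, stays the same.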

type PKCS11Session

type PKCS11Session struct {
	P11Context *pkcs11.Ctx          // PKCS#11 Context
	Handle     pkcs11.SessionHandle // PKCS11Session Handle
	Label      string               // Signature Label
	Key        string               // Signature key
	// contains filtered or unexported fields
}

PKCS11Session represents a PKCS#11 session. It includes the context, the session handle and a Label String, used in creation and retrieval of DNS keys.

func (*PKCS11Session) Context

func (session *PKCS11Session) Context() *Context

Context returns the session context

func (*PKCS11Session) DestroyAllKeys

func (session *PKCS11Session) DestroyAllKeys() error

DestroyAllKeys destroys all the keys stored under the Label defined in the session struct.

func (*PKCS11Session) End

func (session *PKCS11Session) End() error

End finishes a session, logging out and closing the PKCS#11 session.

func (*PKCS11Session) GetKeys

func (session *PKCS11Session) GetKeys() (keys *SigKeys, err error)

GetKeys retrieves the public key material and the private key handles from the HSM. It returns an error, if any.

func (*PKCS11Session) GetPublicKeyBytes

func (session *PKCS11Session) GetPublicKeyBytes(keys *SigKeys) (zskBytes, kskBytes []byte, err error)

GetPublicKeyBytes returns bytestrings of public zsk and ksk keys.

type RRArray

type RRArray []dns.RR

RRArray represents an array of RRs. It implements sort.Interface (Len, Less and Swap), so it can be sorted into canonical order.

func (RRArray) Len

func (array RRArray) Len() int

Len returns the length of an RRArray.

func (RRArray) Less

func (array RRArray) Less(i, j int) bool

Less returns true if the element in the position i of RRArray is less than the element in position j of RRArray.

func (RRArray) String

func (array RRArray) String() string

String returns a string representation of the RRArray, based on the name, class and Rrtype of the first element.

func (RRArray) Swap

func (array RRArray) Swap(i, j int)

Swap swaps elements on positions i and j from RRArray
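An added Go example, not this package's code, of the ordering RRArray.Less has to implement for the PREVIOUSLY ORDERED zone that the digest methods and the NSEC chain depend on: RFC 4034 §6.1 canonical owner-name order, demonstrated on the RFC's own example names, and then records ordered by name and type. The rr type and the function names are constructed here, and "\" escape sequences in names are not handled.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
	"strings"
)

// rr is the minimal view of a record that canonical ordering needs.
type rr struct {
	Name string
	Type uint16
}

// lowerASCII lowercases only A-Z, as RFC 4034 §6.1 prescribes; every other
// byte (including non-ASCII ones) is compared as an unsigned octet.
func lowerASCII(label string) []byte {
	b := []byte(label)
	for i, c := range b {
		if c >= 'A' && c <= 'Z' {
			b[i] = c + 'a' - 'A'
		}
	}
	return b
}

// labels returns the labels of a FQDN root-first, the order in which canonical
// comparison walks them. Assumption: no "\" escapes; the sample names below
// embed the non-printable bytes directly.
func labels(fqdn string) [][]byte {
	name := strings.TrimSuffix(fqdn, ".")
	if name == "" {
		return nil
	}
	parts := strings.Split(name, ".")
	out := make([][]byte, 0, len(parts))
	for i := len(parts) - 1; i >= 0; i-- {
		out = append(out, lowerASCII(parts[i]))
	}
	return out
}

// canonicalLess orders owner names per RFC 4034 §6.1: compare label by label
// starting at the root; a name that is a prefix of another sorts first.
func canonicalLess(a, b string) bool {
	la, lb := labels(a), labels(b)
	for i := 0; i < len(la) && i < len(lb); i++ {
		if c := bytes.Compare(la[i], lb[i]); c != 0 {
			return c < 0
		}
	}
	return len(la) < len(lb)
}

// rrSet sorts records by canonical owner name and then by type, the order an
// NSEC chain and a ZONEMD digest are both computed over.
type rrSet []rr

func (s rrSet) Len() int      { return len(s) }
func (s rrSet) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
func (s rrSet) Less(i, j int) bool {
	switch {
	case canonicalLess(s[i].Name, s[j].Name):
		return true
	case canonicalLess(s[j].Name, s[i].Name):
		return false
	}
	return s[i].Type < s[j].Type
}

// sortedNames returns a copy of names in canonical order.
func sortedNames(names []string) []string {
	out := append([]string(nil), names...)
	sort.SliceStable(out, func(i, j int) bool { return canonicalLess(out[i], out[j]) })
	return out
}

func main() {
	// The example names of RFC 4034 §6.1, constructed here in scrambled order.
	names := []string{"\x80.z.example.", "zABC.a.EXAMPLE.", "*.z.example.", "example.",
		"z.example.", "Z.a.example.", "\x01.z.example.", "yljkjljk.a.example.", "a.example."}
	for _, n := range sortedNames(names) {
		fmt.Printf("%q\n", n)
	}
	set := rrSet{{"a.example.", 28}, {"example.", 6}, {"a.example.", 1}}
	sort.Sort(set)
	fmt.Println(set)
}
```

A byte-wise string comparison of the dotted names would put "z.example." before "yljkjljk.a.example." and break the NSEC chain; the root-first, label-by-label walk is what makes the order match the zone's tree.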

type RRSetList

type RRSetList []RRArray

RRSetList is an array of RRArrays.

func (RRSetList) Len

func (setList RRSetList) Len() int

Len returns the length of an RRSetList.

func (RRSetList) Less

func (setList RRSetList) Less(i, j int) bool

Less returns true if the element in the position i of RRSetList is less than the element in position j of RRSetList.

func (RRSetList) Swap

func (setList RRSetList) Swap(i, j int)

Swap swaps elements on positions i and j from RRSetList

type RRSigPair

type RRSigPair struct {
	RRSig *dns.RRSIG
	RRSet RRArray
}

RRSigPair combines an RRSIG and the RRset it covers.

type SigKeys

type SigKeys struct {
	// contains filtered or unexported fields
}

SigKeys contains the four keys used in zone signing: the public and private halves of the ZSK and of the KSK.

type SignAlgorithm

type SignAlgorithm uint8

SignAlgorithm represents the algorithm used to sign a zone. The numbers are the DNSSEC algorithm numbers defined by the RFCs (see the constants above).

type SignSession

type SignSession interface {
	Context() *Context
	GetKeys() (*SigKeys, error)
	GetPublicKeyBytes(*SigKeys) (zskBytes, kskBytes []byte, err error)
	DestroyAllKeys() error
	End() error
}

SignSession represents an abstract signing session
