git.siccegge.de Git - dane-monitoring-plugins.git/blob - tlsa.py
2e220578dfabb7cd028a73c499921be404be2a68
8 from .cert
import get_spki
10 from unbound
import ub_strerror
13 from unbound
import RR_TYPE_TLSA
# verify_tlsa_record: query the TLSA records for the name `record` through
# `resolver` and compare each returned record against `certificate`.
# NOTE(review): this listing is an extract. The numbers at the start of lines
# appear to be the file's own line numbers and they skip (18 -> 24 -> 27 ...),
# so the branch conditions, the parsing of usage/selector/matching/data and
# the return statements are not visible here.
17 def verify_tlsa_record(resolver
, record
, certificate
):
# Resolve `record` with rrtype RR_TYPE_TLSA; `s` is the status, `r` the result.
# NOTE(review): a TLSA answer is only meaningful if it was DNSSEC-validated.
# No check of the unbound result's `secure` / `bogus` flags is visible in this
# extract (lines 19-23 are not shown) -- confirm one exists before `r.data`
# is trusted, otherwise a spoofed answer could make the check pass.
18 s
, r
= resolver
.resolve(record
, rrtype
=RR_TYPE_TLSA
)
# Per the message, the branch for an answer without TLSA data; its guarding
# condition is not shown.
24 logging
.error("No TLSA record returned")
# Walk the returned records. The loop variable reuses the name of the
# `record` parameter, so the queried name is shadowed from here on.
27 for record
in r
.data
.data
:
# Hex encoder, used below only to render the record payload in log messages.
28 hexencoder
= codecs
.getencoder('hex')
# 'Domain-issued certificate' is the RFC 6698 name for certificate usage 3
# (DANE-EE); presumably records with other usages are skipped here -- the
# condition is not shown.
35 logging
.warning("Only 'Domain-issued certificate' records supported\n")
# Selector handling: one branch compares against `certificate` as given, the
# other against get_spki(certificate). Presumably selector 0 (full
# certificate) and selector 1 (SubjectPublicKeyInfo) per RFC 6698.
# assumes `certificate` is DER-encoded bytes -- TODO confirm against caller
38 verifieddata
= certificate
40 verifieddata
= get_spki(certificate
)
# NOTE(review): this message is written straight to stderr, while the other
# visible branches report through `logging`.
42 # currently only 0 and 1 are assigned
43 sys
.stderr
.write("Only selectors 0 and 1 supported\n")
# Byte-for-byte comparison of the selected data with the record payload
# (presumably matching type 0, exact match).
# NOTE(review): hexencoder(data)[0] is logged without .decode() here, unlike
# the two hash branches below; on Python 3 that would log a bytes repr --
# confirm this is intended.
46 if verifieddata
== data
:
47 logging
.info("Found matching record: `TLSA %d %d %d %s`",
48 usage
, selector
, matching
, hexencoder(data
)[0])
# SHA-256 digest of the selected data compared with the record payload
# (presumably matching type 1). Neither side is a secret (server certificate
# and DNS data), so a plain `==` comparison is sufficient here.
51 if hashlib
.sha256(verifieddata
).digest() == data
:
52 logging
.info("Found matching record: `TLSA %d %d %d %s`",
53 usage
, selector
, matching
, hexencoder(data
)[0].decode())
# SHA-512 digest of the selected data compared with the record payload
# (presumably matching type 2).
56 if hashlib
.sha512(verifieddata
).digest() == data
:
57 logging
.info("Found matching record: `TLSA %d %d %d %s`",
58 usage
, selector
, matching
, hexencoder(data
)[0].decode())
61 # currently only 0, 1 and 2 are assigned
62 logging
.warning("Only matching types 0, 1 and 2 supported\n")
# Per the message, reported when no record matched; the return value that
# follows is not shown in this extract.
64 logging
.error("could not verify any tlsa record\n")