--- /dev/null
+#!/usr/bin/python3
+
+from pyasn1_modules import pem, rfc2459
+from pyasn1_modules import pem, rfc2459
+from pyasn1.codec.der import decoder
+from pyasn1.type import univ
+import sys
+import os
+import subprocess
+
+def main():
+ for root, _, files in os.walk(sys.argv[1]):
+ for filename in files:
+ if filename == 'cert.pem':
+ certname = os.path.join(root, filename)
+# print(certname)
+ altnames = parse_cert(certname)
+ for altname in altnames:
+ subprocess.Popen(["ldns-dane", "create", "-c", certname,
+ altname, "443", "3", "1", "1"])
+
+
+
+def parse_cert(fname):
+ names = []
+ with open(fname) as fhd:
+ bits = pem.readPemFromFile(fhd)
+ cert = decoder.decode(bits, asn1Spec=rfc2459.Certificate())[0]
+ extensions = cert['tbsCertificate']['extensions']
+ for extension in extensions:
+ if extension['extnID'] != univ.ObjectIdentifier('2.5.29.17'):
+ continue
+
+ data = extension['extnValue'].asOctets()
+ altnames = decoder.decode(data)[0]
+ altnames = decoder.decode(altnames, asn1Spec=rfc2459.SubjectAltName())[0]
+ for altname in altnames:
+ result = altname['dNSName']
+ if result is not None:
+ names.append(str(result))
+
+ return names
+
+
+if __name__ == '__main__':
+ main()
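Review bot: The `subprocess.Popen` call in `main()` starts one `ldns-dane` process per SAN entry and never waits on it or checks its exit status, so a failed run silently leaves a TLSA record missing and a large directory tree spawns an unbounded number of concurrent children. Replacing it with `subprocess.run(["ldns-dane", "create", "-c", certname, altname, "443", "3", "1", "1"], check=True)` serialises the calls and surfaces failures. The `altname` value is taken straight from the certificate and placed in argv unvalidated; a guard such as `if altname.startswith("-"): continue` before the call keeps a crafted dNSName from being read as an option. In `parse_cert()`, `altname['dNSName'] is not None` relies on how pyasn1 returns an unselected CHOICE component, which appears to differ between versions, so `altname.getName() == 'dNSName'` would state the intent directly. The second `from pyasn1_modules import pem, rfc2459` line is a duplicate and can be dropped.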