1 #!/usr/bin/python3
2
3 import sys
4 import codecs
5 import hashlib
6 import logging
7
8 from .cert import get_spki
9
10 from unbound import ub_strerror
11
try:
    from unbound import RR_TYPE_TLSA
except ImportError:
    # Fallback for bindings that do not export the constant: 52 is the
    # IANA-assigned RR type number for TLSA (RFC 6698).
    RR_TYPE_TLSA = 52
16
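def verify_tlsa_record(resolver, record, certificate):
    """Check whether any TLSA record at ``record`` matches ``certificate``.

    Args:
        resolver: unbound context; ``resolver.resolve(name, rrtype=...)``
            is expected to return ``(status, result)`` like ``ub_ctx.resolve``.
        record: owner name of the TLSA RRset to look up.
        certificate: end-entity certificate bytes. Selector 0 compares them
            byte-for-byte with the record data (so the DER encoding is
            presumably expected; confirm against the caller), selector 1
            compares the SubjectPublicKeyInfo obtained via ``get_spki``.

    Returns:
        0 when a record matches; 2 when the lookup fails, no records are
        returned, the RRset is DNSSEC-bogus, or no record matches. Callers
        appear to use these as check-plugin exit codes, which is why a
        failed lookup must not fall through returning ``None`` (``sys.exit``
        would turn that into exit status 0, i.e. a false OK).
    """
    status, result = resolver.resolve(record, rrtype=RR_TYPE_TLSA)
    if status != 0:
        # The original discarded the ub_strerror() text and returned None.
        logging.error("resolving %s failed: %s", record, ub_strerror(status))
        return 2

    if result.data is None:
        logging.error("No TLSA record returned")
        return 2

    # DANE is only meaningful when the TLSA RRset is DNSSEC-validated
    # (RFC 6698 section 4.1).  A bogus RRset is treated as no data; an
    # unvalidated (insecure) one is reported so operators notice that the
    # resolver is not validating.  Stricter deployments may want to fail here.
    if getattr(result, "bogus", False):
        logging.error("TLSA records for %s failed DNSSEC validation", record)
        return 2
    if not getattr(result, "secure", False):
        logging.warning("TLSA records for %s are not DNSSEC-validated", record)

    # Encoder is loop-invariant; it was previously looked up per record.
    hexencode = codecs.getencoder("hex")

    # Loop variable deliberately does not shadow the ``record`` parameter.
    for rdata in result.data.data:
        # Wire format: usage, selector, matching type, then association data.
        # Guard against truncated RRs from the network before indexing.
        if len(rdata) < 4:
            logging.warning("Ignoring malformed TLSA record of %d bytes", len(rdata))
            continue
        usage, selector, matching = rdata[0], rdata[1], rdata[2]
        data = rdata[3:]

        if usage != 3:
            logging.warning("Only 'Domain-issued certificate' records supported\n")

        if selector == 0:
            verifieddata = certificate
        elif selector == 1:
            verifieddata = get_spki(certificate)
        else:
            # Currently only 0 and 1 are assigned.  Skip the record: without
            # ``continue`` the comparison below used an unbound (first
            # iteration) or stale (later iterations) ``verifieddata``.
            logging.warning("Only selectors 0 and 1 supported\n")
            continue

        if matching == 0:
            expected = verifieddata
        elif matching == 1:
            expected = hashlib.sha256(verifieddata).digest()
        elif matching == 2:
            expected = hashlib.sha512(verifieddata).digest()
        else:
            # Currently only 0, 1 and 2 are assigned.
            logging.warning("Only matching types 0, 1 and 2 supported\n")
            continue

        if expected == data:
            # ``.decode()`` so the log shows hex text rather than b'...'
            # (the matching-type-0 branch previously logged raw bytes).
            logging.info("Found matching record: `TLSA %d %d %d %s`",
                         usage, selector, matching, hexencode(data)[0].decode())
            return 0

    logging.error("could not verify any tlsa record\n")
    return 2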