1 #!/usr/bin/python3
2
3 import sys
4 import codecs
5 import hashlib
6 import logging
7
8 from .cert import get_spki
9
10 from unbound import RR_TYPE_A, RR_TYPE_AAAA
11 from unbound import idn2dname, ub_strerror
12
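try:
    from unbound import RR_TYPE_TLSA
except ImportError:
    # Older python-unbound bindings do not export the constant; 52 is the
    # IANA-assigned RR type number for TLSA (RFC 6698).
    RR_TYPE_TLSA = 52


def verify_tlsa_record(resolver, record, certificate):
    """Check *certificate* against the TLSA RRset published at *record*.

    Args:
        resolver: an unbound context; ``resolver.resolve(name, rrtype=...)``
            must return a ``(status, result)`` pair.
        record: owner name of the TLSA RRset to query (e.g. the
            ``_443._tcp.<host>`` form used for HTTPS).
        certificate: the server's end-entity certificate, presumably as
            DER bytes -- selector 0 compares it byte-for-byte with the
            record data, selector 1 compares ``get_spki(certificate)``.

    Returns:
        0 when at least one record matches, 2 (critical) when the lookup
        fails, the answer is bogus, no record is returned, or no record
        matches. A lookup error used to return ``None``, which a caller
        passing the value to ``sys.exit`` would report as success.
    """
    status, result = resolver.resolve(record, rrtype=RR_TYPE_TLSA)
    if status != 0:
        # The error text was previously computed and discarded; a failed
        # lookup is a critical condition, not an implicit success.
        logging.error("TLSA lookup for %s failed: %s", record, ub_strerror(status))
        return 2

    if result.data is None:
        logging.error("No TLSA record returned")
        return 2

    # DANE only means something for DNSSEC-validated answers (RFC 6698 sec. 4.1).
    # A bogus answer is rejected outright.
    if getattr(result, "bogus", False):
        logging.error("TLSA answer for %s is bogus: %s",
                      record, getattr(result, "why_bogus", ""))
        return 2
    if not getattr(result, "secure", False):
        # NOTE(review): an unvalidated RRset gives no DANE assurance. This is
        # logged rather than failed so deployments whose resolver context has
        # no trust anchor keep their previous result; a strict check would
        # return 2 here.
        logging.warning("TLSA answer for %s is not DNSSEC-validated", record)

    # Hoisted out of the loop: the encoder is only needed for the log line.
    hexencoder = codecs.getencoder('hex')

    # Loop variable renamed: the original shadowed the `record` parameter.
    for rdata in result.data.data:
        usage = rdata[0]
        selector = rdata[1]
        matching = rdata[2]
        data = rdata[3:]

        if usage != 3:
            # Usage 0/1/2 records describe a CA or additionally require PKIX
            # validation; the comparison below is still attempted (a
            # self-signed trust anchor equals the end-entity certificate),
            # but a match is only a partial check for those usages.
            logging.warning("Only 'Domain-issued certificate' records supported\n")

        if selector == 0:
            verifieddata = certificate
        elif selector == 1:
            verifieddata = get_spki(certificate)
        else:
            # Currently only 0 and 1 are assigned. Skip the record: the
            # original fell through and compared against `verifieddata`
            # from the previous iteration (or an unbound local).
            logging.warning("Only selectors 0 and 1 supported\n")
            continue

        if matching == 0:
            expected = verifieddata
        elif matching == 1:
            expected = hashlib.sha256(verifieddata).digest()
        elif matching == 2:
            expected = hashlib.sha512(verifieddata).digest()
        else:
            # currently only 0, 1 and 2 are assigned
            logging.warning("Only matching types 0, 1 and 2 supported\n")
            continue

        if expected == data:
            logging.info("Found matching record: `TLSA %d %d %d %s`",
                         usage, selector, matching, hexencoder(data)[0].decode())
            return 0

    logging.error("could not verify any tlsa record\n")
    return 2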