8 from .cert
import get_spki
10 from unbound
import RR_TYPE_A
, RR_TYPE_AAAA
11 from unbound
import idn2dname
, ub_strerror
14 from unbound
import RR_TYPE_TLSA
# Resolve the TLSA RRset for `record` and check whether any RR's certificate
# association data matches `certificate`: the compared material is either the
# full certificate or its SubjectPublicKeyInfo (get_spki), and the comparison
# is either direct or against its SHA-256 / SHA-512 digest.  A match is logged
# at info level; when nothing matches, an error is logged.
#
# NOTE(review): this excerpt is missing the lines that select between the
# branches below (the return-status / no-answer test, the usage, selector and
# matching-type tests, and the binding of `data`, `usage`, `selector` and
# `matching` per RR), so those conditions are not documented here.
# NOTE(review): nothing visible here gates the comparison on the answer being
# DNSSEC-validated (the unbound result's `secure` flag); an unvalidated TLSA
# answer gives no assurance, so confirm that check exists in the elided lines.
18 def verify_tlsa_record(resolver
, record
, certificate
):
# `s` is the unbound return status, `r` the ub_result; the test on them that
# leads to the error below is not shown in this excerpt.
19 s
, r
= resolver
.resolve(record
, rrtype
=RR_TYPE_TLSA
)
25 logging
.error("No TLSA record returned")
# NOTE(review): the loop variable `record` shadows the `record` parameter
# (the queried name), so the name is unavailable for logging inside the loop.
# The hex encoder is also re-created on every iteration; it could be built once
# before the loop.
28 for record
in r
.data
.data
:
29 hexencoder
= codecs
.getencoder('hex')
# Reached for any certificate usage the code does not handle (presumably
# usage 3, "domain-issued certificate", is the one accepted — the test is not
# visible here).
36 logging
.warning("Only 'Domain-issued certificate' records supported\n")
# Selector 0: compare against the whole certificate (raw bytes as passed in).
39 verifieddata
= certificate
# Selector 1: compare against the SubjectPublicKeyInfo only.
41 verifieddata
= get_spki(certificate
)
43 # currently only 0 and 1 are assigned
# NOTE(review): this is the only diagnostic written straight to stderr; the
# other branches use `logging`, so this message bypasses the configured log
# handlers.
44 sys
.stderr
.write("Only selectors 0 and 1 supported\n")
# Matching type with the full association data (presumably matching type 0):
# byte-for-byte comparison.
47 if verifieddata
== data
:
# NOTE(review): unlike the two digest branches below, the hex string here is
# not `.decode()`d, so on Python 3 the `%s` renders as `b'...'`.
48 logging
.info("Found matching record: `TLSA %d %d %d %s`", usage
, selector
, matching
, hexencoder(data
)[0])
# Matching type with a SHA-256 digest (presumably matching type 1).
51 if hashlib
.sha256(verifieddata
).digest() == data
:
52 logging
.info("Found matching record: `TLSA %d %d %d %s`", usage
, selector
, matching
, hexencoder(data
)[0].decode())
# Matching type with a SHA-512 digest (presumably matching type 2).
55 if hashlib
.sha512(verifieddata
).digest() == data
:
56 logging
.info("Found matching record: `TLSA %d %d %d %s`", usage
, selector
, matching
, hexencoder(data
)[0].decode())
59 # currently only 0, 1 and 2 are assigned
60 logging
.warning("Only matching types 0, 1 and 2 supported\n")
# Reached when no RR matched.  Whether the function returns a status to the
# caller after this is not visible in this excerpt.
62 logging
.error("could not verify any tlsa record\n")