Log tlsa record before lookup
1 #!/usr/bin/python3
2
3 import sys
4 import codecs
5 import hashlib
6 import logging
7
8 from .cert import get_spki
9
10 from unbound import ub_strerror
11
try:
    from unbound import RR_TYPE_TLSA
except ImportError:
    # Bindings that do not export the constant get the registered TLSA
    # RR type code (52, RFC 6698) so the lookup below still works.
    RR_TYPE_TLSA = 52
16
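def verify_tlsa_record(resolver, record, certificate):
    """Look up the TLSA RRset for *record* and check *certificate* against it.

    Args:
        resolver: unbound context; ``resolver.resolve(name, rrtype=...)`` is
            expected to return a ``(status, result)`` pair as python-unbound
            does, with the RRs available as ``result.data.data``.
        record: owner name of the TLSA RRset to query.
        certificate: the end-entity certificate, compared (or hashed and
            compared) against the TLSA certificate association data.
            NOTE(review): assumed to be DER bytes so that ``==`` against the
            record data is meaningful — confirm against the caller.

    Returns:
        0 when a usage-3 (DANE-EE) record matches the certificate, 2 when the
        lookup fails, no records are returned, or no record matches.  The
        resolver-failure path previously returned ``None``; it now returns 2
        like the other failure paths so a DNS error is not reported as OK.
    """
    logging.debug("searching for TLSA record on %s", record)
    status, result = resolver.resolve(record, rrtype=RR_TYPE_TLSA)
    if status != 0:
        # Surface the resolver error text instead of discarding it.
        logging.error("TLSA lookup for %s failed: %s", record, ub_strerror(status))
        return 2

    if result.data is None:
        logging.error("No TLSA record returned")
        return 2

    # Loop-invariant; used only to render the matched record for the log.
    hexencode = codecs.getencoder('hex')

    for rr in result.data.data:
        usage, selector, matching = rr[0], rr[1], rr[2]
        data = rr[3:]

        if usage != 3:
            # Usages 0-2 additionally require PKIX validation, which this
            # check does not perform, so such records must not count as a
            # match; skip them rather than compare the leaf against them.
            logging.warning("Only 'Domain-issued certificate' records supported\n")
            continue

        if selector == 0:
            verifieddata = certificate
        elif selector == 1:
            verifieddata = get_spki(certificate)
        else:
            # currently only 0 and 1 are assigned; skip so that no stale
            # verifieddata from an earlier record is compared below
            logging.warning("Only selectors 0 and 1 supported\n")
            continue

        if matching == 0:
            expected = verifieddata
        elif matching == 1:
            expected = hashlib.sha256(verifieddata).digest()
        elif matching == 2:
            expected = hashlib.sha512(verifieddata).digest()
        else:
            # currently only 0, 1 and 2 are assigned
            logging.warning("Only matching types 0, 1 and 2 supported\n")
            continue

        if expected == data:
            logging.info("Found matching record: `TLSA %d %d %d %s`",
                         usage, selector, matching, hexencode(data)[0].decode())
            return 0

    logging.error("could not verify any tlsa record\n")
    return 2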