8 from .cert
import get_spki
10 from unbound
import ub_strerror
13 from unbound
import RR_TYPE_TLSA
20 """Class representing a TLSA record"""
def __init__(self, usage, selector, matching, payload):
    """Store the four RDATA fields of one TLSA record.

    usage, selector and matching are the TLSA certificate-usage,
    selector and matching-type fields (small integers as carried in
    the record); payload is the certificate association data that
    match() later compares, raw or hashed, against a certificate.
    """
    # NOTE(review): the page rendering dropped the statement that stores
    # *usage*; it is reconstructed from the constructor parameter and the
    # self._usage read in the record's string formatting further down.
    self._usage = usage
    self._selector = selector
    self._matching = matching
    self._payload = payload
28 def match(self
, certificate
):
29 """Returns true if the certificate is covered by this TLSA record"""
30 if self
._selector
== 0:
31 verifieddata
= certificate
32 elif self
._selector
== 1:
33 verifieddata
= get_spki(certificate
)
35 # currently only 0 and 1 are assigned
36 sys
.stderr
.write("Only selectors 0 and 1 supported\n")
38 if self
._matching
== 0:
39 if verifieddata
== self
._payload
:
42 elif self
._matching
== 1:
43 if hashlib
.sha256(verifieddata
).digest() == self
._payload
:
46 elif self
._matching
== 2:
47 if hashlib
.sha512(verifieddata
).digest() == self
._payload
:
51 # currently only 0, 1 and 2 are assigned
52 logging
.warning("Only matching types 0, 1 and 2 supported\n")
60 """Usage for this TLSA record"""
66 """Selector for this record"""
72 """Way to match data against certificate"""
78 """Payload data of the TLSA record"""
83 hexencoder
= codecs
.getencoder('hex')
84 return '<TLSA %d %d %d %s>' % (self
._usage
, self
._selector
, self
._matching
, hexencoder(self
._payload
)[0].decode())
88 def get_tlsa_records(resolver
, name
):
89 """Extracts all TLSA records for a given name"""
91 logging
.debug("searching for TLSA record on %s", name
)
92 s
, r
= resolver
.resolve(name
, rrtype
=RR_TYPE_TLSA
)
98 logging
.warn("No TLSA record returned")
102 for record
in r
.data
.data
:
103 hexencoder
= codecs
.getencoder('hex')
104 usage
= ord(record
[0])
105 selector
= ord(record
[1])
106 matching
= ord(record
[2])
108 result
.add(TLSARecord(usage
, selector
, matching
, data
))
113 def match_tlsa_records(records
, certificates
):
114 """Returns all TLSA records matching the certificate"""
119 for certificate
in certificates
:
122 for record
in records
:
123 if record
.match(certificate
):
124 logging
.info("Matched record %s", record
)
125 usedrecords
.add(record
)
129 logging
.error("No TLSA record returned")
132 for record
in records
:
133 if not record
in usedrecords
:
134 logging
.warn("Unused record %s", record
)
141 def verify_tlsa_record(resolver
, record
, certificate
):
142 logging
.debug("searching for TLSA record on %s", record
)
143 s
, r
= resolver
.resolve(record
, rrtype
=RR_TYPE_TLSA
)
149 logging
.error("No TLSA record returned")
152 for record
in r
.data
.data
:
153 hexencoder
= codecs
.getencoder('hex')
154 usage
= ord(record
[0])
155 selector
= ord(record
[1])
156 matching
= ord(record
[2])
160 logging
.warning("Only 'Domain-issued certificate' records supported\n")
163 verifieddata
= certificate
165 verifieddata
= get_spki(certificate
)
167 # currently only 0 and 1 are assigned
168 sys
.stderr
.write("Only selectors 0 and 1 supported\n")
171 if verifieddata
== data
:
172 logging
.info("Found matching record: `TLSA %d %d %d %s`",
173 usage
, selector
, matching
, hexencoder(data
)[0])
176 if hashlib
.sha256(verifieddata
).digest() == data
:
177 logging
.info("Found matching record: `TLSA %d %d %d %s`",
178 usage
, selector
, matching
, hexencoder(data
)[0].decode())
181 if hashlib
.sha512(verifieddata
).digest() == data
:
182 logging
.info("Found matching record: `TLSA %d %d %d %s`",
183 usage
, selector
, matching
, hexencoder(data
)[0].decode())
186 # currently only 0, 1 and 2 are assigned
187 logging
.warning("Only matching types 0, 1 and 2 supported\n")
189 logging
.error("could not verify any tlsa record\n")