]>
git.siccegge.de Git - dane-monitoring-plugins.git/blob - check_dane/tlsa.py
8 from .cert
import get_spki
10 from unbound
import ub_strerror
13 from unbound
import RR_TYPE_TLSA
20 """Class representing a TLSA record"""
21 def __init__(self
, usage
, selector
, matching
, payload
):
23 self
._selector
= selector
24 self
._matching
= matching
25 self
._payload
= payload
28 def match(self
, certificate
):
29 """Returns true if the certificate is covered by this TLSA record"""
30 if self
._selector
== 0:
31 verifieddata
= certificate
32 elif self
._selector
== 1:
33 verifieddata
= get_spki(certificate
)
35 # currently only 0 and 1 are assigned
36 sys
.stderr
.write("Only selectors 0 and 1 supported\n")
38 if self
._matching
== 0:
39 if verifieddata
== self
._payload
:
42 elif self
._matching
== 1:
43 if hashlib
.sha256(verifieddata
).digest() == self
._payload
:
46 elif self
._matching
== 2:
47 if hashlib
.sha512(verifieddata
).digest() == self
._payload
:
51 # currently only 0, 1 and 2 are assigned
52 logging
.warning("Only matching types 0, 1 and 2 supported\n")
60 """Usage for this TLSA record"""
66 """Selector for this record"""
72 """Way to match data against certificate"""
78 """Payload data of the TLSA record"""
83 hexencoder
= codecs
.getencoder('hex')
84 return '<TLSA %d %d %d %s>' % (self
._usage
, self
._selector
, self
._matching
, hexencoder(self
._payload
)[0].decode())
88 def get_tlsa_records(resolver
, name
):
89 """Extracts all TLSA records for a given name"""
91 logging
.debug("searching for TLSA record on %s", name
)
92 s
, r
= resolver
.resolve(name
, rrtype
=RR_TYPE_TLSA
)
98 logging
.warning("No TLSA record returned")
102 for record
in r
.data
.data
:
107 result
.add(TLSARecord(usage
, selector
, matching
, data
))
112 def match_tlsa_records(records
, certificates
):
113 """Returns all TLSA records matching the certificate"""
118 for certificate
in certificates
:
121 for record
in records
:
122 if record
.match(certificate
):
123 logging
.info("Matched record %s", record
)
124 usedrecords
.add(record
)
128 logging
.error("No TLSA record returned")
131 for record
in records
:
132 if not record
in usedrecords
:
133 logging
.warning("Unused record %s", record
)
140 def verify_tlsa_record(resolver
, record
, certificate
):
141 logging
.debug("searching for TLSA record on %s", record
)
142 s
, r
= resolver
.resolve(record
, rrtype
=RR_TYPE_TLSA
)
148 logging
.error("No TLSA record returned")
151 for record
in r
.data
.data
:
152 hexencoder
= codecs
.getencoder('hex')
153 usage
= ord(record
[0])
154 selector
= ord(record
[1])
155 matching
= ord(record
[2])
159 logging
.warning("Only 'Domain-issued certificate' records supported\n")
162 verifieddata
= certificate
164 verifieddata
= get_spki(certificate
)
166 # currently only 0 and 1 are assigned
167 sys
.stderr
.write("Only selectors 0 and 1 supported\n")
170 if verifieddata
== data
:
171 logging
.info("Found matching record: `TLSA %d %d %d %s`",
172 usage
, selector
, matching
, hexencoder(data
)[0])
175 if hashlib
.sha256(verifieddata
).digest() == data
:
176 logging
.info("Found matching record: `TLSA %d %d %d %s`",
177 usage
, selector
, matching
, hexencoder(data
)[0].decode())
180 if hashlib
.sha512(verifieddata
).digest() == data
:
181 logging
.info("Found matching record: `TLSA %d %d %d %s`",
182 usage
, selector
, matching
, hexencoder(data
)[0].decode())
185 # currently only 0, 1 and 2 are assigned
186 logging
.warning("Only matching types 0, 1 and 2 supported\n")
188 logging
.error("could not verify any tlsa record\n")