1 #!/usr/bin/python3
2
3 import sys
4 import codecs
5 import hashlib
6
7 from .cert import get_spki
8
9 from unbound import RR_TYPE_A, RR_TYPE_AAAA
10 from unbound import idn2dname, ub_strerror
11
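def verify_tlsa_record(resolver, record, certificate):
    """Check whether *certificate* matches a TLSA record published at *record*.

    Args:
        resolver: an unbound ``ub_ctx``; ``resolve()`` must return the usual
            ``(status, ub_result)`` pair.
        record: owner name of the TLSA RRset to query, e.g.
            ``_25._tcp.mail.example``.
        certificate: the DER-encoded end-entity certificate the server
            presented, as ``bytes``.

    Returns:
        0 as soon as one usable record matches, -1 otherwise (lookup error,
        no data, answer not DNSSEC-secure, or no record matched).

    Only certificate usage 3 (DANE-EE) is verified.  Usages 0-2 require a
    PKIX path or a trust-anchor comparison that is not performed here, so
    such records are reported on stderr and skipped instead of being
    treated as DANE-EE (which would accept e.g. a self-signed certificate
    against a PKIX-EE record).  Records with unassigned selector or
    matching-type values are skipped the same way.  The TLSA RRset must be
    DNSSEC-validated (RFC 6698 section 4.1); an unsigned or bogus answer is
    not used, exactly as a DANE-aware MTA would refuse it.
    """
    rr_type_tlsa = 52  # TLSA (RFC 6698); older python-unbound builds lack RR_TYPE_TLSA

    status, result = resolver.resolve(record, rrtype=rr_type_tlsa)
    if status != 0:
        # ub_strerror only returns the text; it must be written out explicitly.
        sys.stderr.write("TLSA lookup for %s failed: %s\n" % (record, ub_strerror(status)))
        return -1
    if not result.havedata:
        # result.data is None on NODATA/NXDOMAIN; iterating it would raise.
        sys.stderr.write("no TLSA record found for %s\n" % record)
        return -1
    if not result.secure:
        # DANE is only meaningful over DNSSEC-validated data; a resolver
        # without a trust anchor configured will also end up here.
        sys.stderr.write("TLSA record for %s is not DNSSEC secure\n" % record)
        return -1

    for rdata in result.data.data:
        # Wire format: usage, selector, matching type, then the association data.
        if len(rdata) < 3:
            sys.stderr.write("malformed TLSA record (shorter than 3 bytes)\n")
            continue
        usage, selector, matching = rdata[0], rdata[1], rdata[2]
        data = rdata[3:]

        if usage != 3:
            sys.stderr.write("Only 'Domain-issued certificate' records supported\n")
            continue

        if selector == 0:
            verifieddata = certificate
        elif selector == 1:
            verifieddata = get_spki(certificate)
        else:
            # currently only 0 and 1 are assigned
            sys.stderr.write("Only selectors 0 and 1 supported\n")
            continue

        if matching == 0:
            matched = verifieddata == data
        elif matching == 1:
            matched = hashlib.sha256(verifieddata).digest() == data
        elif matching == 2:
            matched = hashlib.sha512(verifieddata).digest() == data
        else:
            # currently only 0, 1 and 2 are assigned
            sys.stderr.write("Only matching types 0, 1 and 2 supported\n")
            continue

        if matched:
            print("success")
            return 0

    sys.stderr.write("could not verify any tlsa record\n")
    return -1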