import sys
import codecs
import hashlib
+import logging
from .cert import get_spki
-from unbound import RR_TYPE_A, RR_TYPE_AAAA
-from unbound import idn2dname, ub_strerror
+from unbound import ub_strerror
+
+try:
+ from unbound import RR_TYPE_TLSA
+except ImportError:
+ RR_TYPE_TLSA = 52
def verify_tlsa_record(resolver, record, certificate):
- print(record)
- print(hashlib.sha256(certificate).hexdigest())
- s, r = resolver.resolve(record, rrtype=52)
+ logging.debug("searching for TLSA record on %s", record)
+ s, r = resolver.resolve(record, rrtype=RR_TYPE_TLSA)
if 0 != s:
ub_strerror(s)
return
+ if r.data is None:
+ logging.error("No TLSA record returned")
+ return 2
+
for record in r.data.data:
hexencoder = codecs.getencoder('hex')
usage = record[0]
data = record[3:]
if usage != 3:
- sys.stderr.write("Only 'Domain-issued certificate' records supported\n")
+ logging.warning("Only 'Domain-issued certificate' records supported\n")
if selector == 0:
verifieddata = certificate
if matching == 0:
if verifieddata == data:
- print("success")
+ logging.info("Found matching record: `TLSA %d %d %d %s`",
+ usage, selector, matching, hexencoder(data)[0])
return 0
elif matching == 1:
if hashlib.sha256(verifieddata).digest() == data:
- print("success")
+ logging.info("Found matching record: `TLSA %d %d %d %s`",
+ usage, selector, matching, hexencoder(data)[0].decode())
return 0
elif matching == 2:
if hashlib.sha512(verifieddata).digest() == data:
- print("success")
+ logging.info("Found matching record: `TLSA %d %d %d %s`",
+ usage, selector, matching, hexencoder(data)[0].decode())
return 0
else:
# currently only 0, 1 and 2 are assigned
- sys.stderr.write("Only matching types 0, 1 and 2 supported\n")
+ logging.warning("Only matching types 0, 1 and 2 supported\n")
- sys.stderr.write("could not verify any tlsa record\n")
- return -1
+ logging.error("could not verify any tlsa record\n")
+ return 2