Code cleanup
authorChristoph Egger <christoph@christoph-egger.org>
Tue, 30 Aug 2016 11:05:20 +0000 (13:05 +0200)
committerChristoph Egger <christoph@christoph-egger.org>
Tue, 30 Aug 2016 11:05:25 +0000 (13:05 +0200)
check_dane/cert.py
check_dane/tlsa.py
check_dane_smtp
check_dane_ssh

index a66a134..9ba4175 100644 (file)
@@ -26,7 +26,7 @@ def verify_certificate(cert, args):
         logging.error("expires in %8s,%16s", deltastr[0], deltastr[1])
         return 2
     elif delta.days < args.warndays:
-        logging.warn("expires in %8s,%16s", deltastr[0], deltastr[1])
+        logging.warning("expires in %8s,%16s", deltastr[0], deltastr[1])
         return 1
 
     return 0
index 3cd1d94..2e22057 100644 (file)
@@ -7,13 +7,12 @@ import logging
 
 from .cert import get_spki
 
-from unbound import RR_TYPE_A, RR_TYPE_AAAA
-from unbound import idn2dname, ub_strerror
+from unbound import ub_strerror
 
 try:
     from unbound import RR_TYPE_TLSA
 except ImportError:
-    RR_TYPE_TLSA=52
+    RR_TYPE_TLSA = 52
 
 def verify_tlsa_record(resolver, record, certificate):
     s, r = resolver.resolve(record, rrtype=RR_TYPE_TLSA)
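Review bot: The resolve() call on the last line of the hunk returns a status and a result, and neither is checked before the hunk ends; verify_tlsa_record continues outside the hunk, so I can't see whether the DNSSEC outcome is enforced before the TLSA data is compared. For DANE the record is only trustworthy when unbound reports the answer as validated, otherwise an unsigned or spoofed TLSA record could be made to "match" an attacker's certificate. The retained `ub_strerror` import suggests the status is at least reported; if the result's `secure`/`bogus` flags are not also checked, add guards before the records are iterated, e.g. `if s != 0: logging.error("TLSA lookup failed: %s", ub_strerror(s)); return 2` and `if not r.secure: logging.error("TLSA records for %s are not DNSSEC-validated", record); return 2`, matching the 0/1/2 return convention used in cert.py.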
@@ -45,15 +44,18 @@ def verify_tlsa_record(resolver, record, certificate):
 
         if matching == 0:
             if verifieddata == data:
-                logging.info("Found matching record: `TLSA %d %d %d %s`", usage, selector, matching, hexencoder(data)[0])
+                logging.info("Found matching record: `TLSA %d %d %d %s`",
+                             usage, selector, matching, hexencoder(data)[0])
                 return 0
         elif matching == 1:
             if hashlib.sha256(verifieddata).digest() == data:
-                logging.info("Found matching record: `TLSA %d %d %d %s`", usage, selector, matching, hexencoder(data)[0].decode())
+                logging.info("Found matching record: `TLSA %d %d %d %s`",
+                             usage, selector, matching, hexencoder(data)[0].decode())
                 return 0
         elif matching == 2:
             if hashlib.sha512(verifieddata).digest() == data:
-                logging.info("Found matching record: `TLSA %d %d %d %s`", usage, selector, matching, hexencoder(data)[0].decode())
+                logging.info("Found matching record: `TLSA %d %d %d %s`",
+                             usage, selector, matching, hexencoder(data)[0].decode())
                 return 0
         else:
             # currently only 0, 1 and 2 are assigned
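Review bot: The matching == 0 branch still logs `hexencoder(data)[0]` without `.decode()`, while the sha256 and sha512 branches decode it; if hexencoder is the codecs hex encoder it returns bytes, so that one log line will read `b'...'` on Python 3 — change it to `hexencoder(data)[0].decode()` for consistency. The three branches also repeat the same log-and-return; computing one `candidate` (the raw data, its sha256 digest, or its sha512 digest depending on `matching`) and comparing once would leave a single log line and a single return. Within this hunk `usage` is only logged, never used in the match decision; verify_tlsa_record starts and ends outside the hunk, so I can't see whether trust-anchor usages (0/2) are treated differently from end-entity ones, which they should be.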
index 3358c71..d9c2732 100755 (executable)
@@ -9,8 +9,9 @@ import argparse
 import logging
 
 from socket import socket, AF_INET6, AF_INET, create_connection
-from ssl import SSLContext, PROTOCOL_TLSv1_2, CERT_REQUIRED, cert_time_to_seconds, SSLError, CertificateError, create_default_context
-from unbound import ub_ctx, ub_strerror
+from ssl import SSLError, CertificateError, SSLContext
+from ssl import PROTOCOL_TLSv1_2, CERT_REQUIRED
+from unbound import ub_ctx
 
 from check_dane.tlsa import verify_tlsa_record
 from check_dane.cert import verify_certificate, add_certificate_options
@@ -121,7 +122,8 @@ def main():
         return 2
 
     retval = verify_certificate(connection.getpeercert(), args)
-    nretval = verify_tlsa_record(resolver, "_%d._tcp.%s" % (port, host), connection.getpeercert(binary_form=True))
+    nretval = verify_tlsa_record(resolver, "_%d._tcp.%s" % (port, host),
+                                 connection.getpeercert(binary_form=True))
     retval = max(retval, nretval)
 
     close_connection(connection)
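Review bot: Only the end-entity certificate (`getpeercert(binary_form=True)`) is handed to verify_tlsa_record, so a TLSA record with certificate usage 0 or 2 (DANE-TA), whose data describes a CA certificate in the chain, looks like it can never match in this check; the ssl module gives no access to the verified chain here. If that limitation is intended, record it next to the call, e.g. `# ssl only exposes the leaf cert, so DANE-TA (usage 0/2) records cannot be matched here`. `close_connection(connection)` also runs only if both verify calls return normally; wrapping them in `try: ... finally: close_connection(connection)` would avoid leaking the socket if either raises. main() starts and ends outside the hunk.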
index fe56dea..90a7a02 100755 (executable)
@@ -16,7 +16,7 @@ import paramiko
 try:
     from unbound import RR_TYPE_SSHFP
 except ImportError:
-    RR_TYPE_SSHFP=44
+    RR_TYPE_SSHFP = 44
 
 
 class HostKeyMatchSSHFP(BaseException):
@@ -58,22 +58,30 @@ class HostKeyLookup(paramiko.client.MissingHostKeyPolicy):
             elif hashtype == 2:
                 actualhash = hashlib.sha256(actualhostkey).digest()
             else:
-                logging.warn("Only hashtypes 1 and 2 supported")
+                logging.warning("Only hashtypes 1 and 2 supported")
 
             if keytype == 1 and actualkeytype == 'ssh-rsa':
                 if data == actualhash:
+                    logging.info("Found matching record: `SSHFP %d %d %s`",
+                                 keytype, hashtype, hexencoder(data)[0].decode())
                     raise HostKeyMatchSSHFP
 
             elif keytype == 2 and actualkeytype == 'ssh-dss':
                 if data == actualhash:
+                    logging.info("Found matching record: `SSHFP %d %d %s`",
+                                 keytype, hashtype, hexencoder(data)[0].decode())
                     raise HostKeyMatchSSHFP
 
             elif keytype == 3 and actualkeytype == 'ssh-ecdsa':
                 if data == actualhash:
+                    logging.info("Found matching record: `SSHFP %d %d %s`",
+                                 keytype, hashtype, hexencoder(data)[0].decode())
                     raise HostKeyMatchSSHFP
 
             elif keytype == 4 and actualkeytype == 'ssh-ed25519':
                 if data == actualhash:
+                    logging.info("Found matching record: `SSHFP %d %d %s`",
+                                 keytype, hashtype, hexencoder(data)[0].decode())
                     raise HostKeyMatchSSHFP
 
         logging.error("No matching SSHFP record found")
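Review bot: When hashtype is neither 1 nor 2, the else branch after the sha256 case only logs a warning and then falls through to the key-type comparisons with `actualhash` left over from an earlier record, or unbound (NameError) if this is the first record; add `continue` after the warning. The keytype 3 branch compares against `'ssh-ecdsa'`, but if actualkeytype comes from paramiko's key name, ECDSA host keys report curve-specific names such as `ecdsa-sha2-nistp256`, so that branch looks like it can never match — worth confirming. The four keytype branches differ only in the expected name and could collapse into one lookup, which also keeps the newly added log line in one place. The enclosing method starts outside the hunk.
```python
            else:
                logging.warning("Only hashtypes 1 and 2 supported")
                continue  # no digest to compare; do not reuse a stale actualhash

            # SSHFP algorithm number -> key type name reported by the server
            expected_name = {1: 'ssh-rsa', 2: 'ssh-dss',
                             3: 'ssh-ecdsa', 4: 'ssh-ed25519'}.get(keytype)
            if actualkeytype == expected_name and data == actualhash:
                logging.info("Found matching record: `SSHFP %d %d %s`",
                             keytype, hashtype, hexencoder(data)[0].decode())
                raise HostKeyMatchSSHFP

        # … unchanged: "No matching SSHFP record found" error …
```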