logging.error("expires in %8s,%16s", deltastr[0], deltastr[1])
return 2
elif delta.days < args.warndays:
- logging.warn("expires in %8s,%16s", deltastr[0], deltastr[1])
+ logging.warning("expires in %8s,%16s", deltastr[0], deltastr[1])
return 1
return 0
from .cert import get_spki
-from unbound import RR_TYPE_A, RR_TYPE_AAAA
-from unbound import idn2dname, ub_strerror
+from unbound import ub_strerror
try:
from unbound import RR_TYPE_TLSA
except ImportError:
- RR_TYPE_TLSA=52
+ RR_TYPE_TLSA = 52
def verify_tlsa_record(resolver, record, certificate):
s, r = resolver.resolve(record, rrtype=RR_TYPE_TLSA)
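Review bot: verify_tlsa_record has no docstring, and the resolve status `s` returned on this line is not checked anywhere inside the hunk; the function body continues outside it. I would add `"""Resolve the TLSA RRset for *record* and compare it against *certificate* (the peer's DER-encoded certificate); returns 0 when a record matches."""` directly under the def. If the code beyond the hunk does not test `s` (via `ub_strerror`, which the import kept on the line above suggests) and the result's DNSSEC status, a failed or unvalidated lookup would be indistinguishable from a validated one, so that is worth confirming.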
if matching == 0:
if verifieddata == data:
- logging.info("Found matching record: `TLSA %d %d %d %s`", usage, selector, matching, hexencoder(data)[0])
+ logging.info("Found matching record: `TLSA %d %d %d %s`",
+ usage, selector, matching, hexencoder(data)[0])
return 0
elif matching == 1:
if hashlib.sha256(verifieddata).digest() == data:
- logging.info("Found matching record: `TLSA %d %d %d %s`", usage, selector, matching, hexencoder(data)[0].decode())
+ logging.info("Found matching record: `TLSA %d %d %d %s`",
+ usage, selector, matching, hexencoder(data)[0].decode())
return 0
elif matching == 2:
if hashlib.sha512(verifieddata).digest() == data:
- logging.info("Found matching record: `TLSA %d %d %d %s`", usage, selector, matching, hexencoder(data)[0].decode())
+ logging.info("Found matching record: `TLSA %d %d %d %s`",
+ usage, selector, matching, hexencoder(data)[0].decode())
return 0
else:
# currently only 0, 1 and 2 are assigned
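Review bot: The matching==0 branch on the first added lines passes `hexencoder(data)[0]` without the `.decode()` that the matching==1 and matching==2 branches apply, so on Python 3 that message renders the hex as a bytes repr (`b'...'`) rather than plain hex. Change the continuation line to `usage, selector, matching, hexencoder(data)[0].decode())` to match the other two. The three branches differ only in the digest applied to verifieddata, so a small helper that logs and returns 0 would remove the duplicated format string, though that is optional. The enclosing function starts before and ends after this hunk.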
import logging
from socket import socket, AF_INET6, AF_INET, create_connection
-from ssl import SSLContext, PROTOCOL_TLSv1_2, CERT_REQUIRED, cert_time_to_seconds, SSLError, CertificateError, create_default_context
-from unbound import ub_ctx, ub_strerror
+from ssl import SSLError, CertificateError, SSLContext
+from ssl import PROTOCOL_TLSv1_2, CERT_REQUIRED
+from unbound import ub_ctx
from check_dane.tlsa import verify_tlsa_record
from check_dane.cert import verify_certificate, add_certificate_options
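Review bot: The rewritten ssl import keeps `PROTOCOL_TLSv1_2` and `CERT_REQUIRED` while dropping `create_default_context`, so the TLS context (built outside this hunk) is presumably assembled by hand with `SSLContext(PROTOCOL_TLSv1_2)`; `PROTOCOL_TLSv1_2` is deprecated since Python 3.10, and a hand-built context only verifies the peer when `verify_mode`, `check_hostname` and the CA store are all set explicitly, which this hunk cannot confirm. Unless the check deliberately pins TLS 1.2, `PROTOCOL_TLS_CLIENT` enables certificate verification and hostname checking by default, e.g. `from ssl import SSLError, CertificateError, SSLContext, PROTOCOL_TLS_CLIENT`. Dropping `ub_strerror` here is fine only if this module no longer inspects any resolver status; the tlsa module still imports it, so that is worth confirming.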
return 2
retval = verify_certificate(connection.getpeercert(), args)
- nretval = verify_tlsa_record(resolver, "_%d._tcp.%s" % (port, host), connection.getpeercert(binary_form=True))
+ nretval = verify_tlsa_record(resolver, "_%d._tcp.%s" % (port, host),
+ connection.getpeercert(binary_form=True))
retval = max(retval, nretval)
close_connection(connection)
try:
from unbound import RR_TYPE_SSHFP
except ImportError:
- RR_TYPE_SSHFP=44
+ RR_TYPE_SSHFP = 44
class HostKeyMatchSSHFP(BaseException):
elif hashtype == 2:
actualhash = hashlib.sha256(actualhostkey).digest()
else:
- logging.warn("Only hashtypes 1 and 2 supported")
+ logging.warning("Only hashtypes 1 and 2 supported")
if keytype == 1 and actualkeytype == 'ssh-rsa':
if data == actualhash:
+ logging.info("Found matching record: `SSHFP %d %d %s`",
+ keytype, hashtype, hexencoder(data)[0].decode())
raise HostKeyMatchSSHFP
elif keytype == 2 and actualkeytype == 'ssh-dss':
if data == actualhash:
+ logging.info("Found matching record: `SSHFP %d %d %s`",
+ keytype, hashtype, hexencoder(data)[0].decode())
raise HostKeyMatchSSHFP
elif keytype == 3 and actualkeytype == 'ssh-ecdsa':
if data == actualhash:
+ logging.info("Found matching record: `SSHFP %d %d %s`",
+ keytype, hashtype, hexencoder(data)[0].decode())
raise HostKeyMatchSSHFP
elif keytype == 4 and actualkeytype == 'ssh-ed25519':
if data == actualhash:
+ logging.info("Found matching record: `SSHFP %d %d %s`",
+ keytype, hashtype, hexencoder(data)[0].decode())
raise HostKeyMatchSSHFP
logging.error("No matching SSHFP record found")