1 #!/usr/bin/python3
2
3 from pyasn1_modules import pem, rfc2459
4 from pyasn1.codec.der import decoder
5 from pyasn1.type import univ
6 import sys
7 import os
8 import subprocess
9
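# Characters permitted in a SAN dNSName label before the name is handed to
# ldns-dane as an argument and used as part of an output path: hostname
# letters, digits and hyphen, plus '*' so wildcard names pass through as before.
_LABEL_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-*"
)


def _is_plain_hostname(name):
    """Return True if *name* is a dotted hostname safe to use as argv and path.

    Rejects empty labels (leading/trailing/double dots, which would otherwise
    produce a zone of '.'), labels starting with '-' (which ldns-dane's option
    parser could take for a flag) and any character outside _LABEL_CHARS, so a
    crafted SAN cannot escape the output directory via '/' or '..'.
    """
    labels = name.split('.')
    return all(
        label and not label.startswith('-') and set(label) <= _LABEL_CHARS
        for label in labels
    )


def _split_name(name, zone_labels=2):
    """Split *name* into (domain, zone), the zone being its last *zone_labels* labels.

    'www.example.org' -> ('www', 'example.org'); a bare 'example.org' (or a
    single label) gives domain '' and the caller skips it.  Two labels is a
    naive rule: it knows nothing about public suffixes such as 'co.uk'.
    """
    parts = name.split('.')
    return '.'.join(parts[:-zone_labels]), '.'.join(parts[-zone_labels:])


def _tlsa_record(certname, altname, port="443"):
    """Run ldns-dane to build a usage 3 / selector 1 / matching type 1 TLSA record.

    (3 1 1 is DANE-EE, SubjectPublicKeyInfo, SHA-256 per RFC 6698.)  Returns
    the owner name left-padded to 35 columns followed by the remaining fields
    with the TTL column (index 1) dropped, which is the snippet format written
    to the zone files.

    Raises subprocess.CalledProcessError when ldns-dane exits non-zero (the
    original ignored the exit status and would have written an empty or
    truncated record) and RuntimeError when its output lacks the
    owner/TTL/fields shape this relies on.
    """
    cmd = ["ldns-dane", "create", "-c", certname, altname, port, "3", "1", "1"]
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, check=True)
    fields = proc.stdout.decode("utf-8").strip().split('\t')
    if len(fields) < 3:
        raise RuntimeError(
            "unexpected ldns-dane output for %s: %r" % (altname, proc.stdout)
        )
    return "{0:<35s}\t{1}".format(fields[0], '\t'.join(fields[2:]))


def main():
    """Scan a directory tree for cert.pem files and write TLSA zone snippets.

    Usage: make-tlsa <certdir>.  Every dNSName SAN of every cert.pem found
    under <certdir> (presumably a Let's Encrypt style live/ tree -- TODO
    confirm) yields one port-443 TLSA record.  Records are grouped by zone
    (the last two labels of the name) and written to output/<zone>, one file
    per zone, each line one record.  Names at the zone apex are skipped, as
    in the original; presumably apex records are managed elsewhere -- TODO
    confirm.  Exits with status 2 on wrong usage.
    """
    if len(sys.argv) != 2:
        sys.stderr.write("usage: %s <certdir>\n" % sys.argv[0])
        sys.exit(2)

    records = {}
    for root, dirs, files in os.walk(sys.argv[1]):
        dirs.sort()  # deterministic traversal -> reproducible snippet order
        if 'cert.pem' not in files:
            continue
        certname = os.path.join(root, 'cert.pem')
        for altname in parse_cert(certname):
            if not _is_plain_hostname(altname):
                sys.stderr.write(
                    "%s: skipping suspicious SAN %r\n" % (certname, altname)
                )
                continue
            domain, zone = _split_name(altname)
            if not domain:
                continue
            records.setdefault(zone, []).append(_tlsa_record(certname, altname))

    os.makedirs("output", exist_ok=True)
    for zone, lines in records.items():
        with open(os.path.join("output", zone), "w", encoding="utf-8") as zonefile:
            # trailing newline so the snippet can be $INCLUDEd / concatenated
            zonefile.write('\n'.join(lines) + '\n')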
36
37
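def parse_cert(fname):
    """Return the dNSName entries of the subjectAltName extension of a PEM cert.

    Only the first PEM object in *fname* is read, so a fullchain-style file
    yields the leaf certificate's names.  GeneralName alternatives other than
    dNSName (iPAddress, rfc822Name, ...) are skipped by checking the CHOICE's
    selected alternative: reading a non-selected alternative is not a None
    check in pyasn1 -- depending on the version it raises or instantiates an
    empty component, which the original's `is not None` guard never caught.
    Returns [] when there is no subjectAltName extension.  Behaviour on a
    certificate without any extensions (v1) is not handled here -- TODO confirm.
    """
    names = []
    with open(fname) as fhd:
        bits = pem.readPemFromFile(fhd)
        cert = decoder.decode(bits, asn1Spec=rfc2459.Certificate())[0]
        extensions = cert['tbsCertificate']['extensions']
        for extension in extensions:
            # 2.5.29.17 is id-ce-subjectAltName
            if extension['extnID'] != univ.ObjectIdentifier('2.5.29.17'):
                continue

            # extnValue is an OCTET STRING wrapping the DER of SubjectAltName.
            # The two-step decode is kept exactly as the original wrote it; it
            # depends on how the installed pyasn1_modules represents extnValue.
            data = extension['extnValue'].asOctets()
            altnames = decoder.decode(data)[0]
            altnames = decoder.decode(altnames, asn1Spec=rfc2459.SubjectAltName())[0]
            for altname in altnames:
                if altname.getName() != 'dNSName':
                    continue
                names.append(str(altname['dNSName']))

    return names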
57
58
if __name__ == "__main__":
    # Script entry point; importing this module must not scan anything.
    main()