Add certificate parsing parts for autogenerating tlsa records
1 #!/usr/bin/python3
2
3 from pyasn1_modules import pem, rfc2459
4 from pyasn1_modules import pem, rfc2459
5 from pyasn1.codec.der import decoder
6 from pyasn1.type import univ
7 import sys
8 import os
9 import subprocess
10
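def main():
    """Generate TLSA records for every ``cert.pem`` below ``sys.argv[1]``.

    Walks the directory tree, reads the DNS subject alternative names of each
    ``cert.pem`` with :func:`parse_cert`, and runs ``ldns-dane create`` once
    per name.  The trailing ``443 3 1 1`` arguments are the port and the TLSA
    usage / selector / matching-type fields the record is built with.

    Returns:
        None.  Exits with status 2 when no directory argument was given.

    Raises:
        FileNotFoundError: if ``ldns-dane`` is not on ``PATH``.
    """
    if len(sys.argv) < 2:
        sys.stderr.write("usage: make-tlsa <directory>\n")
        sys.exit(2)

    for root, _, files in os.walk(sys.argv[1]):
        if 'cert.pem' not in files:
            continue
        certname = os.path.join(root, 'cert.pem')
        for altname in parse_cert(certname):
            # The command is passed as an argument list (no shell), so a
            # name taken from the certificate is never shell-interpreted.
            # run() waits for each invocation: the original Popen() never
            # reaped its children, so their output interleaved and a
            # failing exit status was lost.
            proc = subprocess.run(["ldns-dane", "create", "-c", certname,
                                   altname, "443", "3", "1", "1"])
            if proc.returncode != 0:
                # Report and keep going so one bad certificate does not
                # abort the remaining records.
                sys.stderr.write("ldns-dane failed for %s (%s): exit %d\n"
                                 % (certname, altname, proc.returncode))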
21
22
23
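def parse_cert(fname):
    """Return the DNS subject alternative names of a PEM-encoded certificate.

    Args:
        fname: path to a PEM file holding one X.509 certificate.

    Returns:
        list[str]: the ``dNSName`` entries of the subjectAltName extension
        (OID 2.5.29.17) in certificate order; empty when the extension is
        absent or carries no DNS names.
    """
    names = []
    with open(fname) as fhd:
        bits = pem.readPemFromFile(fhd)
    cert = decoder.decode(bits, asn1Spec=rfc2459.Certificate())[0]

    for extension in cert['tbsCertificate']['extensions']:
        if extension['extnID'] != univ.ObjectIdentifier('2.5.29.17'):
            continue

        # Two-step decode: the first call unwraps the extnValue OCTET STRING,
        # the second parses the SubjectAltName DER it carries.
        # NOTE(review): this matches the pyasn1_modules version the script
        # was written against -- confirm it still holds after an upgrade.
        data = extension['extnValue'].asOctets()
        altnames = decoder.decode(data)[0]
        altnames = decoder.decode(altnames, asn1Spec=rfc2459.SubjectAltName())[0]

        for altname in altnames:
            # GeneralName is a CHOICE.  Ask which alternative is set instead
            # of indexing 'dNSName' unconditionally: for iPAddress or
            # rfc822Name entries the original fetched an unset component
            # (never None, so the guard did not help) and str() on it fails.
            if altname.getName() != 'dNSName':
                continue
            names.append(str(altname['dNSName']))

    return names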
43
44
# Script entry point: only run when executed directly, not on import.
if __name__ == "__main__":
    main()