1 #!/usr/bin/python3
2
3 from pyasn1_modules import pem, rfc2459
4 from pyasn1.codec.der import decoder
5 from pyasn1.type import univ
6 import sys
7 import os
8 import subprocess
9
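def main(argv=None):
    """Emit TLSA records for every ``cert.pem`` found below a directory.

    Walks the directory named by ``argv[1]`` (``sys.argv`` when *argv* is
    omitted), extracts the DNS subjectAltNames of each ``cert.pem`` and
    runs ``ldns-dane create`` once per name for port 443 with the fixed
    TLSA parameters usage 3, selector 1, matching type 1 (DANE-EE / SPKI /
    SHA-256 per RFC 6698).

    Args:
        argv: optional argument vector; defaults to ``sys.argv``.

    Exits with status 2 when no directory argument is given.  A non-zero
    exit from ``ldns-dane`` is reported on stderr and does not stop the
    walk; the generated records are whatever ``ldns-dane`` prints.
    """
    args = sys.argv if argv is None else argv
    if len(args) < 2:
        print("usage: make-tlsa <directory>", file=sys.stderr)
        sys.exit(2)

    for root, _, files in os.walk(args[1]):
        if 'cert.pem' not in files:
            continue
        certname = os.path.join(root, 'cert.pem')
        for altname in parse_cert(certname):
            # Argument-list form: no shell is involved, so the name read
            # from the certificate reaches ldns-dane verbatim.  run() waits
            # for the child (the previous Popen() never did), which keeps
            # the output of successive records in order and surfaces the
            # exit status instead of discarding it.
            proc = subprocess.run(
                ["ldns-dane", "create", "-c", certname,
                 altname, "443", "3", "1", "1"],
                check=False,
            )
            if proc.returncode != 0:
                print("ldns-dane failed for %s (%s): exit status %d"
                      % (altname, certname, proc.returncode),
                      file=sys.stderr)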
19
20
21
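def parse_cert(fname):
    """Return the DNS subjectAltNames of the PEM certificate at *fname*.

    Args:
        fname: path of a PEM file whose first object is an X.509
            certificate.

    Returns:
        list[str]: the ``dNSName`` entries of the subjectAltName extension
        (OID 2.5.29.17), in certificate order.  Empty when the extension
        is absent.  Other GeneralName alternatives (IP addresses, e-mail
        addresses, ...) are skipped.
    """
    names = []
    with open(fname) as fhd:
        der = pem.readPemFromFile(fhd)
    cert = decoder.decode(der, asn1Spec=rfc2459.Certificate())[0]

    for extension in cert['tbsCertificate']['extensions']:
        if extension['extnID'] != univ.ObjectIdentifier('2.5.29.17'):
            continue

        # Two-step decode kept from the original: the extension value is
        # first unwrapped and the result is then decoded as SubjectAltName.
        # NOTE(review): this presumably matches the extnValue layout of the
        # pyasn1_modules release in use -- confirm before changing it.
        data = extension['extnValue'].asOctets()
        inner = decoder.decode(data)[0]
        altnames = decoder.decode(inner, asn1Spec=rfc2459.SubjectAltName())[0]

        for altname in altnames:
            # GeneralName is a CHOICE.  Ask which alternative is set rather
            # than reading 'dNSName' blindly: only old pyasn1 returned None
            # for an unset alternative; current releases hand back an
            # uninitialised schema object, which str() refuses.
            if altname.getName() == 'dNSName':
                names.append(str(altname['dNSName']))

    return names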
41
42
if __name__ == "__main__":
    # Script entry point; main() reads the directory from sys.argv itself.
    main()