Add two patches by David Voit (thanks!)
[public/dnssec-swede-utility.git] / swede
diff --git a/swede b/swede
index 02ebd165eddf7c25e327c0215e3bdc1359dad100..cc2b21da04582ec839b9439a41c1f42faab50a40 100755 (executable)
--- a/swede
+++ b/swede
@@ -127,6 +127,7 @@ def getRecords(hostname, rrtype='A', secure=True):
        global resolvconf
        ctx = unbound.ub_ctx()
        ctx.add_ta_file('root.key')
+       ctx.set_option("dlv-anchor-file:", "dlv.isc.org.key")
        # Use the local cache
        if resolvconf and os.path.isfile(resolvconf):
                ctx.resolvconf(resolvconf)
@@ -416,8 +417,8 @@ if __name__ == '__main__':
                        if not args.quiet:
                                print 'Received the following record for name %s:' % record.name
                                print '\tUsage:\t\t\t\t%d (%s)' % (record.usage, {0:'CA Constraint', 1:'End-Entity Constraint + chain to CA', 2:'Trust Anchor', 3:'End-Entity'}.get(record.usage, 'INVALID'))
-                               print '\tSelector:\t\t\t%d (%s)' % (record.selector, {0:'Certificate', 1:'SubjectPublicKeyInfo'}.get(record.usage, 'INVALID'))
-                               print '\tMatching Type:\t\t\t%d (%s)' % (record.mtype, {0:'Full Certificate', 1:'SHA-256', 2:'SHA-512'}.get(record.usage, 'INVALID'))
+                               print '\tSelector:\t\t\t%d (%s)' % (record.selector, {0:'Certificate', 1:'SubjectPublicKeyInfo'}.get(record.selector, 'INVALID'))
+                               print '\tMatching Type:\t\t\t%d (%s)' % (record.mtype, {0:'Full Certificate', 1:'SHA-256', 2:'SHA-512'}.get(record.mtype, 'INVALID'))
                                print '\tCertificate for Association:\t%s' % record.cert
 
                        try:
@@ -466,7 +467,8 @@ if __name__ == '__main__':
 
                                # Good, now let's verify
                                if record.usage == 1: # End-host cert
-                                       if verifyCertMatch(record, chain[0]):
+                                       cert = chain[0]
+                                       if verifyCertMatch(record, cert):
                                                if verify_result == 0: # The cert chains to a valid CA cert according to the system-certificates
                                                        print 'SUCCESS (Usage 1): Certificate offered by the server matches the one mentioned in the TLSA record and chains to a valid CA certificate'
                                                else: