#!/usr/bin/python
-# swede - A tool to create DANE/TLSA (draft 15) records.
+# swede - A tool to create DANE/TLSA records.
# This tool is really simple and not foolproof, it doesn't check the CN in the
# Subject field of the certificate. It also doesn't check if the supplied
# certificate is a CA certificate if usage 1 is specified (or any other
global resolvconf
ctx = unbound.ub_ctx()
ctx.add_ta_file('root.key')
+ ctx.set_option("dlv-anchor-file:", "dlv.isc.org.key")
# Use the local cache
if resolvconf and os.path.isfile(resolvconf):
ctx.resolvconf(resolvconf)
if self.getPort() != '*':
err.append('Port %s not a number' % self.getPort())
if not self.usage in [0,1,2,3]:
- err.append('Usage: invalid (%s is not one of 0, 1 or 2)' % self.usage)
+ err.append('Usage: invalid (%s is not one of 0, 1, 2 or 3)' % self.usage)
if not self.selector in [0,1]:
err.append('Selector: invalid (%s is not one of 0 or 1)' % self.selector)
if not self.mtype in [0,1,2]:
parser = argparse.ArgumentParser(description='Create and verify DANE records.', epilog='This tool has a few limitations: it only IPv4 for SSL connections.')
subparsers = parser.add_subparsers(title='Functions', help='Available functions, see %(prog)s function -h for function-specific help')
- parser_verify = subparsers.add_parser('verify', help='Verify a TLSA record, exit 0 when all TLSA records are matched, exit 2 when a record does not match the received certificate, exit 1 on error.', epilog='Caveat: For TLSA validation, this program chases through the certificate chain offered by the server, not it\'s local certificates.')
+ parser_verify = subparsers.add_parser('verify', help='Verify a TLSA record, exit 0 when all TLSA records are matched, exit 2 when a record does not match the received certificate, exit 1 on error.', epilog='Caveat: For TLSA validation, this program chases through the certificate chain offered by the server, not its local certificates.')
parser_verify.set_defaults(function='verify')
parser_create = subparsers.add_parser('create', help='Create a TLSA record')
parser_create.set_defaults(function='create')
if not args.quiet:
print 'Received the following record for name %s:' % record.name
print '\tUsage:\t\t\t\t%d (%s)' % (record.usage, {0:'CA Constraint', 1:'End-Entity Constraint + chain to CA', 2:'Trust Anchor', 3:'End-Entity'}.get(record.usage, 'INVALID'))
- print '\tSelector:\t\t\t%d (%s)' % (record.selector, {0:'Certificate', 1:'SubjectPublicKeyInfo'}.get(record.usage, 'INVALID'))
- print '\tMatching Type:\t\t\t%d (%s)' % (record.mtype, {0:'Full Certificate', 1:'SHA-256', 2:'SHA-512'}.get(record.usage, 'INVALID'))
+ print '\tSelector:\t\t\t%d (%s)' % (record.selector, {0:'Certificate', 1:'SubjectPublicKeyInfo'}.get(record.selector, 'INVALID'))
+ print '\tMatching Type:\t\t\t%d (%s)' % (record.mtype, {0:'Full Certificate', 1:'SHA-256', 2:'SHA-512'}.get(record.mtype, 'INVALID'))
print '\tCertificate for Association:\t%s' % record.cert
try:
elif record.usage == 2: # Usage 2, use the cert in the record as trust anchor
#FIXME: doesnt comply to the spec
matched = False
+ previous_issuer = None
for cert in chain:
+ if previous_issuer:
+ if not str(previous_issuer) == str(cert.get_subject()): # The chain cannot be valid
+ print "FAIL: Certificates don't chain"
+ break
+ previous_issuer = cert.get_issuer()
if verifyCertMatch(record, cert):
matched = True
continue
else:
print genTLSA(args.host, args.protocol, args.port, cert, args.output, args.usage, args.selector, args.mtype)
+ # Clear the cert from memory (to stop M2Crypto from segfaulting)
+ # And cleanup the connection and context
+ cert=None
+ connection.clear()
+ connection.close()
+ ctx.close()
+
else: # Pass the path to the certificate to the genTLSA function
if args.output == 'both':
print genTLSA(args.host, args.protocol, args.port, args.certificate, 'draft', args.usage, args.selector, args.mtype)
git.svenne.dk / public / dnssec-swede-utility.git / blobdiff