From 47ee3eed1cc3cd7a4760eccd0e83953b9970e08d Mon Sep 17 00:00:00 2001 From: Valentin Samir Date: Sun, 23 Feb 2014 00:22:38 +0100 Subject: [PATCH] [bind] Ajout d'enregistrement tls depuis la base ldap --- gestion/gen_confs/bind.py | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/gestion/gen_confs/bind.py b/gestion/gen_confs/bind.py index 1508e05d..7d20d025 100755 --- a/gestion/gen_confs/bind.py +++ b/gestion/gen_confs/bind.py @@ -51,17 +51,18 @@ class ResourceRecord(object): return str(self) class TLSA(ResourceRecord): - def __init__(self, name, port, proto, cert, certtype, reftype, compat=True, ttl=None): + def __init__(self, name, port, proto, cert, certtype, reftype, selector=0, compat=True, format='pem', ttl=None): """ name: nom du domaine du certificat port: port où écoute le service utilisant le certificat proto: udp ou tcp - cert: le certificat au format pem (selector est donc toujours à 0) + cert: le certificat au format ``format`` (pem ou der) (selector est donc toujours à 0) certtype: type d'enregistrement 0 = CA pinning, 1 = cert pinning, 2 = self trusted CA, 3 = self trusted cert reftype: 0 = plain cert, 1 = sha256, 2 = sha512 compat: on génère un enregistement compris même par les serveurs dns n'implémentant pas TLSA """ - selector = 0 + if not format in ['pem', 'der']: + raise ValueError("format should be pem or der") if cert is None and proto == 'tcp' and name[-1] == '.': try: cert = ssl.get_server_certificate((name[:-1], port), ca_certs='/etc/ssl/certs/ca-certificates.crt') 
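Review bot: `selector` becomes a caller-supplied field in the new signature, but the record data is still always derived from the full DER certificate (the conversion in the following hunk has no SubjectPublicKeyInfo path), so a selector of 1 would presumably be emitted into the record next to a hash that can never match, breaking DANE validation for that service; the docstring still says `(selector est donc toujours à 0)` and does not describe the new parameter at all. Reject what is not implemented next to the new format check, `if selector != 0: raise ValueError("only selector 0 (full certificate) is supported")`, and document it as `selector: 0 = full certificate; 1 (SubjectPublicKeyInfo) is not supported, the data is always computed over the whole certificate`. Inserting `selector=0` before `compat` also shifts the positional meaning of `compat` and `ttl` for any existing caller that passed them positionally — the callers added in this patch stop at `selector` and use a keyword for `format`, other callers are not visible here. As style points, `format` shadows the builtin (e.g. `cert_format`) and `if not format in ['pem', 'der']` reads better as `if format not in ('pem', 'der'):`. The constructor body continues in the next hunk.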
@@ -69,10 +70,13 @@ class TLSA(ResourceRecord): raise ValueError("Unable de retrieve cert dynamically: %s" % e) elif cert is None: raise ValueError("cert can only be retrive if proto is tcp and name fqdn") - dercert = ssl.PEM_cert_to_DER_cert(cert) + if format is not 'der': + dercert = ssl.PEM_cert_to_DER_cert(cert) + else: + dercert = cert if not dercert: raise ValueError("Impossible de convertir le certificat au format DER %s %s %s\n%s" % (name, port, proto, cert)) - certhex = TLSA.hashCert(reftype, dercert) + certhex = TLSA.hashCert(reftype, str(dercert)) if compat: super(TLSA, self).__init__( 'TYPE52', @@ -271,6 +275,16 @@ class Zone(ZoneBase): except (KeyError, TypeError): pass + def add_tlsa_record(self, cert): + if 'TLSACert' in cert['objectClass']: + for host in cert['hostCert']: + nom=self.get_name(host) + if nom is None: continue + for port in cert['portTCPin']: + self.add(TLSA(nom, port, 'tcp', cert['certificat'][0], cert['certificatUsage'][0], cert['matchingType'][0], cert['selector'][0], format='der')) + for port in cert['portUDPin']: + self.add(TLSA(nom, port, 'udp', cert['certificat'][0], cert['certificatUsage'][0], cert['matchingType'][0], cert['selector'][0], format='der')) + def add_machine(self, machine): for host in machine['host']: nom=self.get_name(host) @@ -279,6 +293,8 @@ class Zone(ZoneBase): self.add_a_record(nom, machine) self.add_aaaa_record(nom, machine) self.add_sshfp_record(nom, machine) + for cert in machine.certificats(): + self.add_tlsa_record(cert) if machine['host']:
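Review bot: The new `if format is not 'der':` branch treats the certificate as already-DER whenever the caller says so, but the dynamic fetch in the preceding hunk (`ssl.get_server_certificate(...)` when `cert is None`) always returns PEM, so `TLSA(name, port, 'tcp', None, ..., format='der')` would hash PEM text and publish a TLSA record that never matches the real certificate. Either force `format = 'pem'` right after the fetch, or branch on the content rather than the flag: `if format != 'der' or cert.lstrip().startswith('-----BEGIN'): dercert = ssl.PEM_cert_to_DER_cert(cert)`. Independently, `is not` against a string literal is an identity test that only works because CPython interns short literals (and is a SyntaxWarning on 3.8+); use `!=`. The `str(dercert)` wrapper is a no-op on a Python 2 `str`, but if the LDAP layer ever returns `bytes` on Python 3 it would hash the repr `"b'...'"` — passing `dercert` through unchanged is safer; `hashCert` itself is not visible here. The `super(TLSA, self).__init__(...)` call at the end of the hunk continues outside it.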
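Review bot: `add_tlsa_record` passes `cert['certificatUsage'][0]`, `cert['matchingType'][0]`, `cert['selector'][0]` and each port straight from the LDAP entry into `TLSA`, and indexes `cert['portTCPin']`/`cert['portUDPin']` unconditionally; if the LDAP layer returns attribute values as strings (python-ldap does) `hashCert` would receive `'1'` where the TLSA docstring describes integer codes, and an entry lacking one of the port attributes would raise `KeyError` and abort the whole zone generation — the previous method in this class guards similar lookups with `except (KeyError, TypeError)`. Since these records become DANE trust data for every listed host, a silently mis-typed field is worse than a loud failure, so coerce the three field values with `int()` at this boundary and fall back to an empty list for a missing port attribute (assuming `cert` is dict-like, which the subscripting suggests). The two identical loops can also collapse into one over `(('tcp', 'portTCPin'), ('udp', 'portUDPin'))`, and `format='der'` assumes the LDAP `certificat` attribute holds the raw DER blob, which is worth stating in a comment. `add_machine`, at the end of the hunk, continues outside it.
```python
    def add_tlsa_record(self, cert):
        """Add one TLSA record per (host, port, proto) for an LDAP TLSACert entry."""
        if 'TLSACert' not in cert['objectClass']:
            return
        # LDAP attribute values arrive as strings; TLSA expects the integer field codes
        usage = int(cert['certificatUsage'][0])
        matching = int(cert['matchingType'][0])
        selector = int(cert['selector'][0])
        der = cert['certificat'][0]  # assumed to be the raw DER blob (hence format='der')
        for host in cert['hostCert']:
            nom = self.get_name(host)
            if nom is None:
                continue
            for proto, port_attr in (('tcp', 'portTCPin'), ('udp', 'portUDPin')):
                for port in cert.get(port_attr, []):
                    self.add(TLSA(nom, int(port), proto, der, usage, matching, selector, format='der'))
```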