[bind] Ajout d'enregistrement tls depuis la base ldap

2014-02-23 00:22:38 +01:00 · 2014-02-23 00:22:38 +01:00 · 47ee3eed1c
commit 47ee3eed1c
parent 17199ba900
1 changed files with 21 additions and 5 deletions
--- a/gestion/gen_confs/bind.py
+++ b/gestion/gen_confs/bind.py
@ -51,17 +51,18 @@ class ResourceRecord(object):
        return str(self)

 class TLSA(ResourceRecord):
-    def __init__(self, name, port, proto, cert, certtype, reftype, compat=True, ttl=None):
+    def __init__(self, name, port, proto, cert, certtype, reftype, selector=0, compat=True, format='pem', ttl=None):
        """
            name: nom du domaine du certificat
            port: port où écoute le service utilisant le certificat
            proto: udp ou tcp
-            cert: le certificat au format pem (selector est donc toujours à 0)
+            cert: le certificat au format ``format`` (pem ou der) (selector est donc toujours à 0)
            certtype: type d'enregistrement 0 = CA pinning, 1 = cert pinning, 2 = self trusted CA, 3 = self trusted cert
            reftype: 0 = plain cert, 1 = sha256, 2 = sha512
            compat: on génère un enregistement compris même par les serveurs dns n'implémentant pas TLSA
        """
-        selector = 0
+        if not format in ['pem', 'der']:
+            raise ValueError("format should be pem or der")
        if cert is None and proto == 'tcp' and name[-1] == '.':
            try:
                cert = ssl.get_server_certificate((name[:-1], port), ca_certs='/etc/ssl/certs/ca-certificates.crt')
@ -69,10 +70,13 @@ class TLSA(ResourceRecord):
                raise ValueError("Unable de retrieve cert dynamically: %s" % e)
        elif cert is None:
            raise ValueError("cert can only be retrive if proto is tcp and name fqdn")
+        if format is not 'der':
            dercert = ssl.PEM_cert_to_DER_cert(cert)
+        else:
+            dercert = cert
        if not dercert:
            raise ValueError("Impossible de convertir le certificat au format DER %s %s %s\n%s" % (name, port, proto, cert))
-        certhex = TLSA.hashCert(reftype, dercert)
+        certhex = TLSA.hashCert(reftype, str(dercert))
        if compat:
            super(TLSA, self).__init__(
                'TYPE52',
@ -271,6 +275,16 @@ class Zone(ZoneBase):
            except (KeyError, TypeError):
                pass

+    def add_tlsa_record(self, cert):
+        if 'TLSACert' in cert['objectClass']:
+            for host in cert['hostCert']:
+                nom=self.get_name(host)
+                if nom is None: continue
+                for port in cert['portTCPin']:
+                    self.add(TLSA(nom, port, 'tcp', cert['certificat'][0], cert['certificatUsage'][0], cert['matchingType'][0], cert['selector'][0], format='der'))
+                for port in cert['portUDPin']:
+                    self.add(TLSA(nom, port, 'udp', cert['certificat'][0], cert['certificatUsage'][0], cert['matchingType'][0], cert['selector'][0], format='der'))
+
    def add_machine(self, machine):
        for host in machine['host']:
            nom=self.get_name(host)
@ -279,6 +293,8 @@ class Zone(ZoneBase):
            self.add_a_record(nom, machine)
            self.add_aaaa_record(nom, machine)
            self.add_sshfp_record(nom, machine)
+            for cert in machine.certificats():
+                self.add_tlsa_record(cert)


        if machine['host']: