crans/scripts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[gen_conf/bind] Adding a TLSA ResourceRecord for DANE

Browse source
This commit is contained in:
Valentin Samir 2014-02-12 20:10:42 +01:00
parent 0a53f26ebc
commit 8112452efa
1 changed files with 58 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

58
gestion/gen_confs/bind.py
View file

@ -7,9 +7,11 @@ Licence : GPLv3
""" """
import sys import sys
import ssl
import time import time
import base64 import base64
import hashlib import hashlib
import binascii
import netaddr import netaddr
sys.path.append('/usr/scripts/') sys.path.append('/usr/scripts/')
@ -48,6 +50,62 @@ class ResourceRecord(object):
def __repr__(self): def __repr__(self):
return str(self) return str(self)
class TLSA(ResourceRecord):
def __init__(self, name, port, proto, cert, certtype, reftype, compat=True, ttl=None):
"""
name: nom du domaine du certificat
port: port écoute le service utilisant le certificat
proto: udp ou tcp
cert: le certificat au format pem (selector est donc toujours à 0)
certtype: type d'enregistrement 0 = CA pinning, 1 = cert pinning, 2 = self trusted CA, 3 = self trusted cert
reftype: 0 = plain cert, 1 = sha256, 2 = sha512
compat: on génère un enregistement compris même par les serveurs dns n'implémentant pas TLSA
"""
selector = 0
if cert is None and proto == 'tcp':
try:
cert = ssl.get_server_certificate((name[:-1], port))
sys.stderr.write("Warning: it is not safe to retrive cert for %s through the network, consider using an other solution\n" % name[:-1])
except Exception as e:
raise ValueError("Unable de retrieve cert dynamically: %s" % e)
elif cert is None:
raise ValueError("cert can only be retrive if proto is tcp")
dercert = ssl.PEM_cert_to_DER_cert(cert)
if not dercert:
raise ValueError("Impossible de convertir le certificat au format DER %s %s %s\n%s" % (name, port, proto, cert))
certhex = TLSA.hashCert(reftype, dercert)
if compat:
super(TLSA, self).__init__(
'TYPE52',
'_%s._%s%s' % (port, proto, '.' + name if name else ''),
"\# %s 0%s0%s0%s%s" % (len(certhex)/2 +3, certtype, selector, reftype, certhex),
ttl
)
else:
super(TLSA, self).__init__(
'TLSA',
'_%s._%s%s' % (port, proto, '.' + name if name else ''),
"%s %s %s %s"% (certtype, selector, reftype, certhex),
ttl
)
@staticmethod
def hashCert(reftype, certblob):
"""
certblob: un certificat au format DER
"""
if reftype == 0:
return binascii.b2a_hex(certblob).upper()
elif reftype == 1:
hashobj = hashlib.sha256()
hashobj.update(certblob)
elif reftype == 2:
hashobj = hashlib.sha512()
hashobj.update(certblob)
else:
raise ValueError("reftype sould be 0 1 or 2, not %s" % reftype)
return hashobj.hexdigest().upper()
class SOA(ResourceRecord): class SOA(ResourceRecord):
def __init__(self, master, email, serial, refresh, retry, expire, ttl): def __init__(self, master, email, serial, refresh, retry, expire, ttl):
super(SOA, self).__init__('SOA', '@', '%s. %s. (\n %s ; numero de serie\n %s ; refresh (s)\n %s ; retry (s)\n %s ; expire (s)\n %s ; TTL (s)\n )' % (master, email, serial, refresh, retry, expire, ttl)) super(SOA, self).__init__('SOA', '@', '%s. %s. (\n %s ; numero de serie\n %s ; refresh (s)\n %s ; retry (s)\n %s ; expire (s)\n %s ; TTL (s)\n )' % (master, email, serial, refresh, retry, expire, ttl))