[gen_conf/bind] Adding a TLSA ResourceRecord for DANE

2014-02-12 20:10:42 +01:00 · 2014-02-12 20:10:42 +01:00 · 8112452efa
commit 8112452efa
parent 0a53f26ebc
1 changed files with 58 additions and 0 deletions
--- a/gestion/gen_confs/bind.py
+++ b/gestion/gen_confs/bind.py
@ -7,9 +7,11 @@ Licence : GPLv3
 """

 import sys
+import ssl
 import time
 import base64
 import hashlib
+import binascii
 import netaddr
 sys.path.append('/usr/scripts/')

@ -48,6 +50,62 @@ class ResourceRecord(object):
    def __repr__(self):
        return str(self)

+class TLSA(ResourceRecord):
+    def __init__(self, name, port, proto, cert, certtype, reftype, compat=True, ttl=None):
+        """
+            name: nom du domaine du certificat
+            port: port où écoute le service utilisant le certificat
+            proto: udp ou tcp
+            cert: le certificat au format pem (selector est donc toujours à 0)
+            certtype: type d'enregistrement 0 = CA pinning, 1 = cert pinning, 2 = self trusted CA, 3 = self trusted cert
+            reftype: 0 = plain cert, 1 = sha256, 2 = sha512
+            compat: on génère un enregistement compris même par les serveurs dns n'implémentant pas TLSA
+        """
+        selector = 0
+        if cert is None and proto == 'tcp':
+            try:
+                cert = ssl.get_server_certificate((name[:-1], port))
+                sys.stderr.write("Warning: it is not safe to retrive cert for %s through the network, consider using an other solution\n" % name[:-1])
+            except Exception as e:
+                raise ValueError("Unable de retrieve cert dynamically: %s" % e)
+        elif cert is None:
+            raise ValueError("cert can only be retrive if proto is tcp")
+        dercert = ssl.PEM_cert_to_DER_cert(cert)
+        if not dercert:
+            raise ValueError("Impossible de convertir le certificat au format DER %s %s %s\n%s" % (name, port, proto, cert))
+        certhex = TLSA.hashCert(reftype, dercert)
+        if compat:
+            super(TLSA, self).__init__(
+                'TYPE52',
+                '_%s._%s%s' % (port, proto, '.' + name if name else ''),
+                "\# %s 0%s0%s0%s%s" % (len(certhex)/2 +3, certtype, selector, reftype, certhex),
+                ttl
+            )
+        else:
+            super(TLSA, self).__init__(
+             'TLSA',
+             '_%s._%s%s' % (port, proto, '.' + name if name else ''),
+             "%s %s %s %s"% (certtype, selector, reftype, certhex),
+             ttl
+            )
+
+    @staticmethod
+    def hashCert(reftype, certblob):
+        """
+            certblob: un certificat au format DER
+        """
+        if reftype == 0:
+            return binascii.b2a_hex(certblob).upper()
+        elif reftype == 1:
+            hashobj = hashlib.sha256()
+            hashobj.update(certblob)
+        elif reftype == 2:
+            hashobj = hashlib.sha512()
+            hashobj.update(certblob)
+        else:
+            raise ValueError("reftype sould be 0 1 or 2, not %s" % reftype)
+        return hashobj.hexdigest().upper()
+
 class SOA(ResourceRecord):
    def __init__(self, master, email, serial, refresh, retry, expire, ttl):
        super(SOA, self).__init__('SOA', '@', '%s. %s. (\n    %s ; numero de serie\n    %s ; refresh (s)\n    %s ; retry (s)\n    %s ; expire (s)\n    %s ; TTL (s)\n    )' % (master, email, serial, refresh, retry, expire, ttl))