Saturday, December 3, 2011

Hacked dane tool

I just made a hack to the dane tool so that it now supports the Certificate Usage field and emits the correct Selector and Matching Type fields.

79c79
< def create_tlsa(hostname, certtype, reftype):
---
> def create_tlsa(hostname, usage, selector, reftype):
100c100
< v4TLSA = draft_genTLSA(hostname, a, certtype, reftype)
---
> v4TLSA = draft_genTLSA(hostname, a, usage, selector, reftype)
102c102
< rfcv4TLSA = rfc_genTLSA(hostname, a, certtype, reftype)
---
> rfcv4TLSA = rfc_genTLSA(hostname, a, usage, selector, reftype)
114c114
< v6TLSA = draft_genTLSA(hostname, aaaa, certtype, reftype)
---
> v6TLSA = draft_genTLSA(hostname, aaaa, usage, selector, reftype)
116c116
< rfcv6TLSA = rfc_genTLSA(hostname, aaaa, certtype, reftype)
---
> rfcv6TLSA = rfc_genTLSA(hostname, aaaa, usage, selector, reftype)
133c133
< def draft_genTLSA(hostname, address, certtype, reftype):
---
> def draft_genTLSA(hostname, address, usage, selector, reftype):
156,157c156,157
< if certtype != 1:
< print "Only EE-cert supported right now"
---
> if selector != 0:
> print "Only full EE-cert supported right now"
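Review bot: The `if selector != 0:` guard only prints and then falls through, so a record is still generated for an unsupported selector; the same pattern in the rfc_genTLSA hunk (184,186c184,186) prints and then immediately returns a record built from `hashCert(reftype,dercert)`, i.e. the full certificate, while the Selector octet claims otherwise. The call site in hunk 359c363 passes selector 1, so this mismatched record is reachable in normal use and would not match what a validator computes for selector 1. Replace the print with a hard stop, e.g. `sys.exit("Only full EE-cert (selector 0) supported right now")`, or return None and have create_tlsa skip the record; `sys` is already used in the argument-validation hunk. The rest of draft_genTLSA's body, including its return, is outside this hunk.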
161c161
< return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s%s"%(hostname,len(certhex)/2+2,certtype,reftype, certhex)
---
> return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s0%s%s"%(hostname,len(certhex)/2+3,usage,selector,reftype, certhex)
168,170c168,170
< # certtype and reftype are part of the length
< data_length += 2
< return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s%s"%(hostname,data_length,certtype,reftype, hashCert(reftype,dercert))
---
> # selector and reftype are part of the length
> data_length += 3
> return "_443._tcp.%s IN TYPE65468 \# %s 0%s0%s0%s%s"%(hostname,data_length,usage,selector,reftype, hashCert(reftype,dercert))
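Review bot: The comment `# selector and reftype are part of the length` no longer matches the code under it: `data_length += 3` now accounts for three octets, and the format string below emits usage, selector and reftype. Update it to `# usage, selector and matching type each add one octet to the RDATA length` so the +3 is explained. The same +3 appears without a comment in hunk 161c161 (`len(certhex)/2+3`).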
172c172
< def rfc_genTLSA(hostname, address, certtype, reftype):
---
> def rfc_genTLSA(hostname, address, usage, selector, reftype):
184,186c184,186
< if certtype != 1:
< print "Only EE-cert supported right now"
< return "_443._tcp.%s IN TLSA %s %s %s"%(hostname, certtype, reftype, hashCert(reftype,dercert))
---
> if selector != 0:
> print "Only full EE-cert supported right now"
> return "_443._tcp.%s IN TLSA %s %s %s %s"%(hostname, usage, selector, reftype, hashCert(reftype,dercert))
236a237
> parser.add_argument('--usage', action='store',help='certificate usage [0,1,2] (default:1)', default=1)
264a266,268
> if args.usage:
> if not (args.usage != 0 or args.usage != 1 or args.usage != 2):
> sys.exit("Certificate Usage must be (0, 1, or 2)")
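Review bot: The range check `if not (args.usage != 0 or args.usage != 1 or args.usage != 2):` can never trigger, because any value is unequal to at least two of the three constants, so the `or` chain is always true and its negation always false. It is also comparing the wrong type: `--usage` in hunk 236a237 is declared without `type=int`, so a command-line value arrives as a string, and the outer `if args.usage:` would skip the check for an integer 0. The simplest fix is to let argparse validate it, `parser.add_argument('--usage', type=int, choices=(0, 1, 2), default=1, help='certificate usage [0,1,2] (default:1)')`, and drop these three lines; otherwise use `if args.usage not in (0, 1, 2):`. This matters because the `0%s` octet formatting in hunk 161c161 assumes a single-digit value, so an unchecked usage would produce malformed RDATA instead of an error. If the tool is later aligned with the published RFC 6698, that also defines usage 3 (DANE-EE), so the accepted set should be extended accordingly.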
316c320
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,0,reftype)
356c360
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,0,reftype)
359c363
< create_tlsa(host,1,reftype)
---
> create_tlsa(host,args.usage,1,reftype)
