From 963ece2959d5fdd82fae561be51990eece76a667 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Fri, 3 Oct 2014 11:02:54 +0200
Subject: [PATCH] ldns-dane tool has default selector type SPKI + initial support for RFC7218 type acronyms
---
 examples/ldns-dane.c | 86 ++++++++++++++++++++++----------------------
 ldns/dane.h | 34 +++++++++++++-----
 2 files changed, 69 insertions(+), 51 deletions(-)
diff --git a/examples/ldns-dane.c b/examples/ldns-dane.c
index 93c18e54..f390b918 100644
--- a/examples/ldns-dane.c
+++ b/examples/ldns-dane.c
@@ -157,26 +157,48 @@ struct dane_param_choice_struct {
 typedef struct dane_param_choice_struct dane_param_choice;
 dane_param_choice dane_certificate_usage_table[] = {
- { "CA constraint" , 0 },
- { "CA-constraint" , 0 },
- { "Service certificate constraint" , 1 },
- { "Service-certificate-constraint" , 1 },
- { "Trust anchor assertion" , 2 },
- { "Trust-anchor-assertion" , 2 },
- { "anchor" , 2 },
- { "Domain-issued certificate" , 3 },
- { "Domain-issued-certificate" , 3 },
+ { "PKIX-TA" , 0 },
+ { "CA constraint" , 0 },
+ { "CA-constraint" , 0 },
+ { "PKIX-EE" , 1 },
+ { "Service certificate constraint" , 1 },
+ { "Service-certificate-constraint" , 1 },
+ { "DANE-TA" , 2 },
+ { "Trust anchor assertion" , 2 },
+ { "Trust-anchor-assertion" , 2 },
+ { "anchor" , 2 },
+ { "DANE-EE" , 3 },
+ { "Domain-issued certificate" , 3 },
+ { "Domain-issued-certificate" , 3 },
+ { "PrivCert" , 255 },
 { NULL, -1 }
 };
 dane_param_choice dane_selector_table[] = {
- { "Full certificate" , 0 },
- { "Full-certificate" , 0 },
- { "certificate" , 0 },
- { "SubjectPublicKeyInfo", 1 },
- { "PublicKey" , 1 },
- { "pubkey" , 1 },
- { "key" , 1 },
+ { "Cert" , 0 },
+ { "Full certificate" , 0 },
+ { "Full-certificate" , 0 },
+ { "certificate" , 0 },
+ { "SPKI" , 1 },
+ { "SubjectPublicKeyInfo", 1 },
+ { "PublicKey" , 1 },
+ { "pubkey" , 1 },
+ { "key" , 1 },
+ { "PrivSel" , 255 },
+ { NULL, -1 }
+};
+
+dane_param_choice dane_matching_type_table[] = {
+ { "Full" , 0 },
+ { "no-hash-used" , 0 },
+ { "no hash used" , 0 },
+ { "SHA2-256" , 1 },
+ { "sha256" , 1 },
+ { "sha-256" , 1 },
+ { "SHA2-512" , 2 },
+ { "sha512" , 2 },
+ { "sha-512" , 2 },
+ { "PrivMatch" , 255 },
 { NULL, -1 }
 };
@@ -1532,8 +1554,7 @@ main(int argc, char* const* argv)
 dane_certificate_usage_table);
 argc--;
 } else {
- certificate_usage =
- LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE;
+ certificate_usage = LDNS_TLSA_USAGE_DANE_EE;
 }
 if (argc > 0) {
 selector = dane_int_within_range_table(
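Review bot: The three `{ "Priv..." , 255 }` rows added to the tables let a table hit return 255 even though the callers pass `max` values of 2 and 3 (the `2` is visible in the `dane_int_within_range_table(*argv++, 2, "matching type", ...)` call of the -1541 hunk), so unless `dane_int_within_range_table` — not in this patch — re-checks `t->number` against `max`, the numeric bound no longer limits what reaches the TLSA record and the verification code. That is presumably intended for record creation, but confirm that whatever consumes `certificate_usage`, `selector` and `matching_type` afterwards handles 255 explicitly; a `switch` over these values without a `default:` would accept it silently. A smaller point: `dane_matching_type_table` is a mutable non-`static` global like the two tables above it, and `static const dane_param_choice dane_matching_type_table[] = {` would be the usual form for a lookup table that is only ever read.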
@@ -1541,35 +1562,16 @@ main(int argc, char* const* argv)
 dane_selector_table);
 argc--;
 } else {
- selector = LDNS_TLSA_SELECTOR_FULL_CERTIFICATE;
+ selector = LDNS_TLSA_SELECTOR_SPKI;
 }
 if (argc > 0) {
- if (*argv && /* strlen(argv) > 0 */
- (strncasecmp(*argv, "no-hash-used",
- strlen(*argv)) == 0 ||
- strncasecmp(*argv, "no hash used",
- strlen(*argv)) == 0 )) {
- matching_type =
- LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED;
-
- } else if (strcasecmp(*argv, "sha256") == 0 ||
- strcasecmp(*argv, "sha-256") == 0) {
-
- matching_type = LDNS_TLSA_MATCHING_TYPE_SHA256;
+ matching_type = dane_int_within_range_table(
+ *argv++, 2, "matching type",
+ dane_matching_type_table);
- } else if (strcasecmp(*argv, "sha512") == 0 ||
- strcasecmp(*argv, "sha-512") == 0) {
-
- matching_type = LDNS_TLSA_MATCHING_TYPE_SHA512;
-
- } else {
- matching_type = dane_int_within_range(
- *argv, 2, "matching type");
- }
- argv++;
 argc--;
 } else {
- matching_type = LDNS_TLSA_MATCHING_TYPE_SHA256;
+ matching_type = LDNS_TLSA_MATCHING_TYPE_SHA2_256;
 }
 if (argc > 0) {
diff --git a/ldns/dane.h b/ldns/dane.h
index 6adecd57..529e4f31 100644
--- a/ldns/dane.h
+++ b/ldns/dane.h
@@ -42,13 +42,19 @@ extern "C" {
 enum ldns_enum_tlsa_certificate_usage
 {
 /** CA constraint */
- LDNS_TLSA_USAGE_CA_CONSTRAINT = 0,
+ LDNS_TLSA_USAGE_PKIX_TA = 0,
+ LDNS_TLSA_USAGE_CA_CONSTRAINT = 0,
 /** Sevice certificate constraint */
- LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT = 1,
+ LDNS_TLSA_USAGE_PKIX_EE = 1,
+ LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT = 1,
 /** Trust anchor assertion */
- LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION = 2,
+ LDNS_TLSA_USAGE_DANE_TA = 2,
+ LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION = 2,
 /** Domain issued certificate */
- LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE = 3
+ LDNS_TLSA_USAGE_DANE_EE = 3,
+ LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE = 3,
+ /** Reserved for Private Use */
+ LDNS_TLSA_USAGE_PRIVCERT = 255
 };
 typedef enum ldns_enum_tlsa_certificate_usage ldns_tlsa_certificate_usage;
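Review bot: The new `dane_int_within_range_table(*argv++, 2, "matching type", dane_matching_type_table)` call drops the `*argv &&` guard and the exact-match `strcasecmp` branches of the removed code and leaves all parsing to a lookup that is not in this patch; if that lookup uses the same `strncasecmp(arg, name, strlen(arg))` prefix comparison the removed `no-hash-used` branch used, an empty argument compares equal to every row and silently yields `Full` (0), and an ambiguous prefix such as `sha` resolves to whichever row is listed first instead of being rejected. Rejecting an empty argument and trying an exact match over the whole table before any prefix match would make the parse fail closed. Separately, `selector = LDNS_TLSA_SELECTOR_SPKI;` moves the default selector from `Cert` (0) to `SPKI` (1), so existing invocations that omit the selector now produce different TLSA records; if the help text or manual page states the default, it needs the same change, which this patch does not touch. The enclosing `main` starts and ends outside the hunk.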
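Review bot: The acronym enumerators added here (`LDNS_TLSA_USAGE_PKIX_TA`, `_PKIX_EE`, `_DANE_TA`, `_DANE_EE`) and their counterparts in the -61 and -77 hunks sit under the existing Doxygen comment of the long name, so the generated documentation never says they are the RFC 7218 names; extend each comment, e.g. `/** CA constraint (RFC 7218 acronym: PKIX-TA) */`. The `/** Reserved for Private Use */` comment on `LDNS_TLSA_USAGE_PRIVCERT = 255` (and on `_PRIVSEL` and `_PRIVMATCH`) should add that no semantics are defined for this value, so a validator that meets it in a TLSA RRset must treat that record as unusable rather than as any of the defined usages, as RFC 6698 requires for unknown parameter values. The context line `/** Sevice certificate constraint */` directly above the new `LDNS_TLSA_USAGE_PKIX_EE` is misspelled; correcting it to `Service` while the enum is being edited would be cheap.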
@@ -61,13 +67,18 @@ enum ldns_enum_tlsa_selector
 * Full certificate: the Certificate binary structure
 * as defined in [RFC5280]
 */
- LDNS_TLSA_SELECTOR_FULL_CERTIFICATE = 0,
+ LDNS_TLSA_SELECTOR_CERT = 0,
+ LDNS_TLSA_SELECTOR_FULL_CERTIFICATE = 0,
 /**
 * SubjectPublicKeyInfo: DER-encoded binary structure
 * as defined in [RFC5280]
 */
- LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO = 1
+ LDNS_TLSA_SELECTOR_SPKI = 1,
+ LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO = 1,
+
+ /** Reserved for Private Use */
+ LDNS_TLSA_SELECTOR_PRIVSEL = 255
 };
 typedef enum ldns_enum_tlsa_selector ldns_tlsa_selector;
@@ -77,11 +88,16 @@ typedef enum ldns_enum_tlsa_selector ldns_tlsa_selector;
 enum ldns_enum_tlsa_matching_type
 {
 /** Exact match on selected content */
- LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED = 0,
+ LDNS_TLSA_MATCHING_FULL = 0,
+ LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED = 0,
 /** SHA-256 hash of selected content [RFC6234] */
- LDNS_TLSA_MATCHING_TYPE_SHA256 = 1,
+ LDNS_TLSA_MATCHING_TYPE_SHA2_256 = 1,
+ LDNS_TLSA_MATCHING_TYPE_SHA256 = 1,
 /** SHA-512 hash of selected content [RFC6234] */
- LDNS_TLSA_MATCHING_TYPE_SHA512 = 2
+ LDNS_TLSA_MATCHING_TYPE_SHA2_512 = 2,
+ LDNS_TLSA_MATCHING_TYPE_SHA512 = 2,
+ /** Reserved for Private Use */
+ LDNS_TLSA_MATCHING_TYPE_PRIVMATCH = 255
 };
 typedef enum ldns_enum_tlsa_matching_type ldns_tlsa_matching_type;
--
2.47.3
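Review bot: `LDNS_TLSA_MATCHING_FULL = 0,` drops the `_TYPE_` segment that every other constant in this enum carries (`LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED`, `LDNS_TLSA_MATCHING_TYPE_SHA2_256`, `LDNS_TLSA_MATCHING_TYPE_PRIVMATCH` in the same hunk), so it should be `LDNS_TLSA_MATCHING_TYPE_FULL = 0,` before this public header ships; renaming it later would mean carrying yet another compatibility alias. The Doxygen text has the same gap: `/** Exact match on selected content */` now introduces both the `_FULL` and the `_NO_HASH_USED` spelling without saying that `Full` is the RFC 7218 acronym, and a short addition there would tell readers which name is the preferred one.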