]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
[master] contrib/dane/mkdane.sh
authorEvan Hunt <each@isc.org>
Sun, 28 Oct 2012 03:46:45 +0000 (20:46 -0700)
committerEvan Hunt <each@isc.org>
Sun, 28 Oct 2012 03:46:45 +0000 (20:46 -0700)
3409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's
from X.509 certificates, for use with DANE
(DNS-based Authentication of Named Entities).
[RT #30513]

CHANGES
contrib/dane/mkdane.sh [new file with mode: 0755]
contrib/dane/tlsa6698.pem [new file with mode: 0644]

diff --git a/CHANGES b/CHANGES
index b83eee78048038c9911b74142ac4f11ed58b354e..72f3e96a2d03dc7e3c87c14f49ee8f6e0cc57492 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+3409.  [contrib]       contrib/dane/mkdane.sh: Tool to generate TLSA RR's
+                       from X.509 certificates, for use with DANE
+                       (DNS-based Authentication of Named Entities).
+                       [RT #30513]
+
 3408.  [bug]           Some DNSSEC-related options (update-check-ksk,
                        dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
                        are now legal in slave zones as long as
diff --git a/contrib/dane/mkdane.sh b/contrib/dane/mkdane.sh
new file mode 100755 (executable)
index 0000000..fbae4aa
--- /dev/null
@@ -0,0 +1,137 @@
+#!/bin/sh
+# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+#
+# Generate a DNS RR from an x.509 certificate
+# Currently only supports TLSA, but can be extended to support
+# other DANE types such as SMIMEA in the future.
+#
+# Requires: openssl
+
+USAGE="$BASENAME [options] <filename>
+Options:
+        -f <input format>: PEM | DLR
+        -n <name>: record name (default: _443._tcp)
+        -o <origin>: zone origin (default: none; name will be relative)
+        -m <matching type>: NONE (0) | SHA256 (1) | SHA512 (2)
+        -r <RR type>: TLSA
+        -s <selector>: FULL (0) | PK (1)
+        -t <ttl>: TTL of the TLSA record (default: none)
+        -u <certificate usage>: CA (0) | SERVICE (1) | TA (2) | DOMAIN (3)"
+
+NM="_443._tcp"
+CU=2
+SELECTOR=0
+MTYPE=1
+IN=
+FORM=PEM
+TTL=
+RRTYPE=TLSA
+BASENAME=`basename $0`;
+
+while getopts "xn:o:u:s:t:m:i:f:r:" c; do
+    case $c in
+       x) set -x; DEBUG=-x;;
+       m) MTYPE="$OPTARG";;
+        n) NM="$OPTARG";;
+        o) ORIGIN="$OPTARG";;
+        r) RRTYPE="$OPTARG";;
+       s) SELECTOR="$OPTARG";;
+        t) TTL="$OPTARG";;
+       u) CU="$OPTARG";;
+       *) echo "$USAGE" 1>&2; exit 1;;
+    esac
+done
+shift `expr $OPTIND - 1 || true`
+
+if test "$#" -eq 1; then
+    IN=$1
+else
+    echo "$USAGE" 1>&2; exit 1
+fi
+
+ORIGIN=`echo $ORIGIN | sed 's/\([^.]$\)/\1./'`
+if [ -n "$ORIGIN" ]; then
+    NM=`echo $NM | sed 's/\.$//'`
+    NM="$NM.$ORIGIN"
+fi
+
+case "$CU" in
+    [Cc][Aa]) CU=0;;
+    [Ss][Ee][Rr][Vv]*) CU=1;;
+    [Tt][Aa]) CU=2;;
+    [Dd][Oo][Mm]*) CU=3;;
+    [0123]) ;;
+    *) echo "bad certificate usage -u \"$CU\"" 1>&2; exit 1;;
+esac
+
+case "$SELECTOR" in
+    [Ff][Uu][Ll][Ll]) SELECTOR=0;;
+    [Pp][Kk]) SELECTOR=1;;
+    [01]) ;;
+    *) echo "bad selector -s \"$SELECTOR\"" 1>&2; exit 1;;
+esac
+
+case "$MTYPE" in
+    0|[Nn][Oo][Nn][Ee]) HASH='od -A n -v -t xC';;
+    1|[Ss][Hh][Aa]256) HASH='openssl dgst -sha256';;
+    2|[Ss][Hh][Aa]512) HASH='openssl dgst -sha512';;
+    *) echo "bad matching type -m \"$MTYPE\"" 1>&2; exit 1;;
+esac
+
+case "$FORM" in
+    [Pp][Ee][Mm]) FORM=PEM;;
+    [Dd][Ll][Rr]) FORM=DLR;;
+    *) echo "bad input file format -f \"$FORM\"" 1>&2; exit 1
+esac
+
+case "$RRTYPE" in
+    [Tt][Ll][Ss][Aa]) RRTYPE=TLSA;;
+    *) echo "invalid RR type" 1>&2; exit 1
+esac
+
+if test -z "$IN" -o ! -s "$IN"; then
+    echo "bad input file -i \"$IN\"" 1>&2; exit 1
+fi
+
+echo "; $BASENAME -o$NM -u$CU -s$SELECTOR -m$MTYPE -f$FORM $IN"
+
+(if test "$SELECTOR" = 0; then
+    openssl x509 -in "$IN" -inform "$FORM" -outform DER
+else
+    openssl x509 -in "$IN" -inform "$FORM" -noout -pubkey              \
+       | sed -e '/PUBLIC KEY/d'                                        \
+       | openssl base64 -d 
+fi)                                                                    \
+    | $HASH                                                            \
+    | awk '
+       # format Association Data as in Appendix C of the DANE RFC
+       BEGIN {
+               print "'"$NM\t\t$TTL\tIN TLSA\t$CU $SELECTOR $MTYPE"' ("; 
+               leader = "\t\t\t\t\t"; 
+       }
+       /.+/ {
+           gsub(/ +/, "", $0);
+           buf = buf $0;
+           while (length(buf) >= 36) {
+               print leader substr(buf, 1, 36);
+               buf = substr(buf, 37);
+           }
+       }
+       END {
+            if (length(buf) > 34)
+                print leader buf "\n" leader ")";
+            else
+                print leader buf " )";
+        }'
diff --git a/contrib/dane/tlsa6698.pem b/contrib/dane/tlsa6698.pem
new file mode 100644 (file)
index 0000000..9b9c1ee
--- /dev/null
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEVDCCArwCCQCrWNJOd60q9jANBgkqhkiG9w0BAQUFADBsMQswCQYDVQQGEwJO
+TDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQww
+CgYDVQQKEwNPUzMxIzAhBgNVBAMTGmRhbmUua2lldi5wcmFjdGljdW0ub3MzLm5s
+MB4XDTEyMDExNjE2NTcwM1oXDTIyMDExMzE2NTcwM1owbDELMAkGA1UEBhMCTkwx
+FjAUBgNVBAgTDU5vb3JkLUhvbGxhbmQxEjAQBgNVBAcTCUFtc3RlcmRhbTEMMAoG
+A1UEChMDT1MzMSMwIQYDVQQDExpkYW5lLmtpZXYucHJhY3RpY3VtLm9zMy5ubDCC
+AaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOYshKWv5Z8KKmslDe5oesjF
+xgT1fSbOshGRQP+sOMS5y76JIwguf4Fia2rV3qDIdxx048qn9hMFSu+jZz5I/+R7
+P3r5h94oGmgjCyS52hqY3L5RGVtg5C/XUXwyjZg+JqgnyHerkU7kwb/erUi9Jb5f
+LEc7qcHLvd2gw3TQ1Yw4nMPW2MIGYuGc92jzJEG399FK6olmznwyoXIqs4Yj0AgC
+mp5HAog/i5d6Gh5Skr+K1yI51AOTN7hqOsYPoAEpBFIXe/F5hgmgWhMPAzRXpSEm
+KfvduOcOKp5lVoc8T3ykauSosXjwX7MZAF4cHH1L1336NANVY8EmqiwzKLkA55kK
+yXh/AdqC90w9S2Z0zOzh/Uxu+eZkT0Y17e2jnYsOL3yOBtrndWITvT1ggxF1vikE
+QrSvxa5vRrdphVoGfBCX5heWJSnhZvIq7hDduYG4zW/xfT1wcjFpA42/vBpEnI0N
+MbxoPF884mFI5C7Ju9TZ8mFWmyW1PB1/wt3/a0ysBQIDAQABMA0GCSqGSIb3DQEB
+BQUAA4IBgQArKr4GPpyGrEofeDU3IJEHnIJ2qcLF0exXZN5SP92r3qs/005v5sug
+VFgKZ4WmY1ldkBMrk9Rzkp6B+giH0v/3ioHH0BS5d3irasnl5pD29anpK7X7q3G4
+V65ptuGL3MsLpvzZ1LCEo082NRSMSV1I/mNZA7iI7B3rJhBUjt1I1j+GUTpFYkaY
+MUjA1duC1zpMNQpCu2YddjQw/GyOX50T6ht2qlKkw1jl6gQAD3lGGDA6ts7qTpqO
+nHTXPBsLe68W3t52lrXi8gb3dxAPVyfhaE1BMvXmkvR69nVuqLQhAAvgMbXY8CIO
+Q2tR+xVP6VlTM8E6JAP53gjl3cWiL9YYLjOVk+JjdEUCILwU8+QP8z8IRSawnDQl
+BwLoo1KzMszLD53izysziCO5KvxhwLa4q9ta9xjtjdqXwpjka4KgGxSBSGjPpPLD
+Ymi//0pZH0Jli/dZGJAtPkJt/h1f8PxqISBx9tqL2DP+LlYNh3dejukzPAW2+461
+ZYnZENteqQM=
+-----END CERTIFICATE-----