mirror of
https://github.com/isc-projects/bind9.git
synced 2026-04-22 23:01:43 -04:00
[master] contrib/dane/mkdane.sh
3409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's from X.509 certificates, for use with DANE (DNS-based Authentication of Named Entities). [RT #30513]
This commit is contained in:
Evan Hunt
parent
15d29ab5fe
commit
e7dfefe19d
3 changed files with 168 additions and 0 deletions
5
CHANGES
5
CHANGES
|
|
@ -1,3 +1,8 @@
|
|||
3409. [contrib] contrib/dane/mkdane.sh: Tool to generate TLSA RR's
|
||||
from X.509 certificates, for use with DANE
|
||||
(DNS-based Authentication of Named Entities).
|
||||
[RT #30513]
|
||||
|
||||
3408. [bug] Some DNSSEC-related options (update-check-ksk,
|
||||
dnssec-loadkeys-interval, dnssec-dnskey-kskonly)
|
||||
are now legal in slave zones as long as
|
||||
|
|
|
|||
137
contrib/dane/mkdane.sh
Executable file
137
contrib/dane/mkdane.sh
Executable file
|
|
@ -0,0 +1,137 @@
|
|||
#!/bin/sh
|
||||
# Copyright (C) 2010, 2012 Internet Systems Consortium, Inc. ("ISC")
|
||||
#
|
||||
# Permission to use, copy, modify, and/or distribute this software for any
|
||||
# purpose with or without fee is hereby granted, provided that the above
|
||||
# copyright notice and this permission notice appear in all copies.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||||
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||||
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||||
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||||
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||||
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||||
# PERFORMANCE OF THIS SOFTWARE.
|
||||
#
|
||||
# Generate a DNS RR from an x.509 certificate
|
||||
# Currently only supports TLSA, but can be extended to support
|
||||
# other DANE types such as SMIMEA in the future.
|
||||
#
|
||||
# Requires: openssl
|
||||
|
||||
USAGE="$BASENAME [options] <filename>
|
||||
Options:
|
||||
-f <input format>: PEM | DLR
|
||||
-n <name>: record name (default: _443._tcp)
|
||||
-o <origin>: zone origin (default: none; name will be relative)
|
||||
-m <matching type>: NONE (0) | SHA256 (1) | SHA512 (2)
|
||||
-r <RR type>: TLSA
|
||||
-s <selector>: FULL (0) | PK (1)
|
||||
-t <ttl>: TTL of the TLSA record (default: none)
|
||||
-u <certificate usage>: CA (0) | SERVICE (1) | TA (2) | DOMAIN (3)"
|
||||
|
||||
NM="_443._tcp"
|
||||
CU=2
|
||||
SELECTOR=0
|
||||
MTYPE=1
|
||||
IN=
|
||||
FORM=PEM
|
||||
TTL=
|
||||
RRTYPE=TLSA
|
||||
BASENAME=`basename $0`;
|
||||
|
||||
while getopts "xn:o:u:s:t:m:i:f:r:" c; do
|
||||
case $c in
|
||||
x) set -x; DEBUG=-x;;
|
||||
m) MTYPE="$OPTARG";;
|
||||
n) NM="$OPTARG";;
|
||||
o) ORIGIN="$OPTARG";;
|
||||
r) RRTYPE="$OPTARG";;
|
||||
s) SELECTOR="$OPTARG";;
|
||||
t) TTL="$OPTARG";;
|
||||
u) CU="$OPTARG";;
|
||||
*) echo "$USAGE" 1>&2; exit 1;;
|
||||
esac
|
||||
done
|
||||
shift `expr $OPTIND - 1 || true`
|
||||
|
||||
if test "$#" -eq 1; then
|
||||
IN=$1
|
||||
else
|
||||
echo "$USAGE" 1>&2; exit 1
|
||||
fi
|
||||
|
||||
ORIGIN=`echo $ORIGIN | sed 's/\([^.]$\)/\1./'`
|
||||
if [ -n "$ORIGIN" ]; then
|
||||
NM=`echo $NM | sed 's/\.$//'`
|
||||
NM="$NM.$ORIGIN"
|
||||
fi
|
||||
|
||||
case "$CU" in
|
||||
[Cc][Aa]) CU=0;;
|
||||
[Ss][Ee][Rr][Vv]*) CU=1;;
|
||||
[Tt][Aa]) CU=2;;
|
||||
[Dd][Oo][Mm]*) CU=3;;
|
||||
[0123]) ;;
|
||||
*) echo "bad certificate usage -u \"$CU\"" 1>&2; exit 1;;
|
||||
esac
|
||||
|
||||
case "$SELECTOR" in
|
||||
[Ff][Uu][Ll][Ll]) SELECTOR=0;;
|
||||
[Pp][Kk]) SELECTOR=1;;
|
||||
[01]) ;;
|
||||
*) echo "bad selector -s \"$SELECTOR\"" 1>&2; exit 1;;
|
||||
esac
|
||||
|
||||
case "$MTYPE" in
|
||||
0|[Nn][Oo][Nn][Ee]) HASH='od -A n -v -t xC';;
|
||||
1|[Ss][Hh][Aa]256) HASH='openssl dgst -sha256';;
|
||||
2|[Ss][Hh][Aa]512) HASH='openssl dgst -sha512';;
|
||||
*) echo "bad matching type -m \"$MTYPE\"" 1>&2; exit 1;;
|
||||
esac
|
||||
|
||||
case "$FORM" in
|
||||
[Pp][Ee][Mm]) FORM=PEM;;
|
||||
[Dd][Ll][Rr]) FORM=DLR;;
|
||||
*) echo "bad input file format -f \"$FORM\"" 1>&2; exit 1
|
||||
esac
|
||||
|
||||
case "$RRTYPE" in
|
||||
[Tt][Ll][Ss][Aa]) RRTYPE=TLSA;;
|
||||
*) echo "invalid RR type" 1>&2; exit 1
|
||||
esac
|
||||
|
||||
if test -z "$IN" -o ! -s "$IN"; then
|
||||
echo "bad input file -i \"$IN\"" 1>&2; exit 1
|
||||
fi
|
||||
|
||||
echo "; $BASENAME -o$NM -u$CU -s$SELECTOR -m$MTYPE -f$FORM $IN"
|
||||
|
||||
(if test "$SELECTOR" = 0; then
|
||||
openssl x509 -in "$IN" -inform "$FORM" -outform DER
|
||||
else
|
||||
openssl x509 -in "$IN" -inform "$FORM" -noout -pubkey \
|
||||
| sed -e '/PUBLIC KEY/d' \
|
||||
| openssl base64 -d
|
||||
fi) \
|
||||
| $HASH \
|
||||
| awk '
|
||||
# format Association Data as in Appendix C of the DANE RFC
|
||||
BEGIN {
|
||||
print "'"$NM\t\t$TTL\tIN TLSA\t$CU $SELECTOR $MTYPE"' (";
|
||||
leader = "\t\t\t\t\t";
|
||||
}
|
||||
/.+/ {
|
||||
gsub(/ +/, "", $0);
|
||||
buf = buf $0;
|
||||
while (length(buf) >= 36) {
|
||||
print leader substr(buf, 1, 36);
|
||||
buf = substr(buf, 37);
|
||||
}
|
||||
}
|
||||
END {
|
||||
if (length(buf) > 34)
|
||||
print leader buf "\n" leader ")";
|
||||
else
|
||||
print leader buf " )";
|
||||
}'
|
||||
26
contrib/dane/tlsa6698.pem
Normal file
26
contrib/dane/tlsa6698.pem
Normal file
|
|
@ -0,0 +1,26 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEVDCCArwCCQCrWNJOd60q9jANBgkqhkiG9w0BAQUFADBsMQswCQYDVQQGEwJO
|
||||
TDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQww
|
||||
CgYDVQQKEwNPUzMxIzAhBgNVBAMTGmRhbmUua2lldi5wcmFjdGljdW0ub3MzLm5s
|
||||
MB4XDTEyMDExNjE2NTcwM1oXDTIyMDExMzE2NTcwM1owbDELMAkGA1UEBhMCTkwx
|
||||
FjAUBgNVBAgTDU5vb3JkLUhvbGxhbmQxEjAQBgNVBAcTCUFtc3RlcmRhbTEMMAoG
|
||||
A1UEChMDT1MzMSMwIQYDVQQDExpkYW5lLmtpZXYucHJhY3RpY3VtLm9zMy5ubDCC
|
||||
AaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOYshKWv5Z8KKmslDe5oesjF
|
||||
xgT1fSbOshGRQP+sOMS5y76JIwguf4Fia2rV3qDIdxx048qn9hMFSu+jZz5I/+R7
|
||||
P3r5h94oGmgjCyS52hqY3L5RGVtg5C/XUXwyjZg+JqgnyHerkU7kwb/erUi9Jb5f
|
||||
LEc7qcHLvd2gw3TQ1Yw4nMPW2MIGYuGc92jzJEG399FK6olmznwyoXIqs4Yj0AgC
|
||||
mp5HAog/i5d6Gh5Skr+K1yI51AOTN7hqOsYPoAEpBFIXe/F5hgmgWhMPAzRXpSEm
|
||||
KfvduOcOKp5lVoc8T3ykauSosXjwX7MZAF4cHH1L1336NANVY8EmqiwzKLkA55kK
|
||||
yXh/AdqC90w9S2Z0zOzh/Uxu+eZkT0Y17e2jnYsOL3yOBtrndWITvT1ggxF1vikE
|
||||
QrSvxa5vRrdphVoGfBCX5heWJSnhZvIq7hDduYG4zW/xfT1wcjFpA42/vBpEnI0N
|
||||
MbxoPF884mFI5C7Ju9TZ8mFWmyW1PB1/wt3/a0ysBQIDAQABMA0GCSqGSIb3DQEB
|
||||
BQUAA4IBgQArKr4GPpyGrEofeDU3IJEHnIJ2qcLF0exXZN5SP92r3qs/005v5sug
|
||||
VFgKZ4WmY1ldkBMrk9Rzkp6B+giH0v/3ioHH0BS5d3irasnl5pD29anpK7X7q3G4
|
||||
V65ptuGL3MsLpvzZ1LCEo082NRSMSV1I/mNZA7iI7B3rJhBUjt1I1j+GUTpFYkaY
|
||||
MUjA1duC1zpMNQpCu2YddjQw/GyOX50T6ht2qlKkw1jl6gQAD3lGGDA6ts7qTpqO
|
||||
nHTXPBsLe68W3t52lrXi8gb3dxAPVyfhaE1BMvXmkvR69nVuqLQhAAvgMbXY8CIO
|
||||
Q2tR+xVP6VlTM8E6JAP53gjl3cWiL9YYLjOVk+JjdEUCILwU8+QP8z8IRSawnDQl
|
||||
BwLoo1KzMszLD53izysziCO5KvxhwLa4q9ta9xjtjdqXwpjka4KgGxSBSGjPpPLD
|
||||
Ymi//0pZH0Jli/dZGJAtPkJt/h1f8PxqISBx9tqL2DP+LlYNh3dejukzPAW2+461
|
||||
ZYnZENteqQM=
|
||||
-----END CERTIFICATE-----
|
||||
Loading…
Reference in a new issue