8000 Add option to verify several TLSA records for a service by dilyanpalauzov · Pull Request #9 · debfx/check_dane · GitHub
This repository was archived by the owner on Apr 19, 2021. It is now read-only.

Add option to verify several TLSA records for a service #9

Open
wants to merge 1 commit into
base: master
6 changes: 6 additions & 0 deletions README.md
Expand Up @@ -28,6 +28,7 @@ Usage
--nameserver NAMESERVER
Use a custom nameserver.
--timeout TIMEOUT Network timeout in sec. Default: 10
--tlsa_records Verify more than one TLSA records for the service (see below)
--version show program's version number and exit

Supported TLSA records
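Review bot: the usage line added for `--tlsa_records` omits the value placeholder, so it reads like a boolean flag although the option (declared with `nargs='+'`) requires one or more arguments; argparse will print it as `--tlsa_records TLSA_RECORD [TLSA_RECORD ...]`, and the README should match that. Minor wording: "Verify more than one TLSA record for the service" (singular), and keep this string identical to the `help=` text in `add_argument` so `--help` and the README do not drift apart.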
Expand All @@ -37,6 +38,11 @@ Supported TLSA records
* Selector: "Full certificate" (0) and SubjectPublicKeyInfo (1)
* Matching Type: "Exact match" (0), SHA-256 hash (1) and SHA-512 hash (2)

Which TLSA Records to Check
===========================

By default check_dane ensures that any TLSA record matches. With --tlsa_records check_dane can verify, that specific records are present and valid. This is useful, if for a service more than one records are published, like 3 0 1 and 3 0 2. To verify several records, use --tlsa_records and pass after them the space-separated tuples, e.g '--tlsa_records 301 302'.

Requirements
============

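Review bot: the new section never explains how a value such as `301` is derived from a record; the implementation encodes it as usage*100 + selector*10 + matching type, so `301` is usage 3, selector 0, matching type 1, and that mapping (together with the accepted ranges from the "Supported TLSA records" list above: usage 0-3, selector 0-1, matching type 0-2) belongs here. It is also worth stating the semantics the code actually implements: every listed record must match the certificate, while records published in DNS but not listed are still accepted and never cause a failure by themselves. Wording nits: "if more than one record is published for a service", "e.g." with its trailing period, and "pass the space-separated values after it".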
16 changes: 14 additions & 2 deletions check_dane
Expand Up @@ -321,6 +321,7 @@ def main() -> None:
parser.add_argument("--nameserver", help="Use a custom nameserver.")
parser.add_argument("--timeout", type=int, default=10, help="Network timeout in sec. Default: 10")
parser.add_argument("--version", action="version", version="%(prog)s " + VERSION)
parser.add_argument("--tlsa_records", type=int, nargs='+', default=[], help="Verify several TLSA records", metavar="TLSA_RECORD")
args = parser.parse_args()

pyver = sys.version_info
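Review bot: `type=int` accepts any integer, so `--tlsa_records 999` or `-5` is taken silently and can never match a record; the user only finds out at the end of the run as a CRITICAL "not validated" result. A small `type=` callable that rejects values outside three digits and checks usage 0-3, selector 0-1 and matching type 0-2 (the ranges the README lists as supported) would turn a typo into an ordinary argparse usage error at startup. Since argparse derives the usage text from `metavar`, the README line should show `--tlsa_records TLSA_RECORD [TLSA_RECORD ...]` rather than the bare option name.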
Expand Down Expand Up @@ -376,19 +377,30 @@ def main() -> None:

for tlsa in tlsa_records:
if validate_dane(cert_binary, pkix_valid, tlsa):
tup = tlsa.usage * 100 + tlsa.selector * 10 + tlsa.mtype
dane_valid_cert = True
break
if tup in args.tlsa_records:
args.tlsa_records.remove(tup)
if not args.tlsa_records:
break

if not dane_valid_cert:
# test if it would match if it were pkix_valid
additional_msg = ""
for tlsa in tlsa_records:
if validate_dane(cert_binary, True, tlsa):
tup = tlsa.usage * 100 + tlsa.selector * 10 + tlsa.mtype
additional_msg = "\nIt matches a TLSA usage=1 record but fails PKIX validation:\n" + pkix_error
break
if tup in args.tlsa_records:
args.tlsa_records.remove(tup)
if not args.tlsa_records:
break

nagios_critical("Certificate doesn't match TLSA record" + additional_msg)

if args.tlsa_records:
nagios_critical("TLSA records {} not validated".format(args.tlsa_records))

if pkix_valid and args.min_days_valid:
days_parts = args.min_days_valid.split(",")

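Review bot: in the fallback loop (`validate_dane(cert_binary, True, tlsa)`) the `tup` bookkeeping and the removal from `args.tlsa_records` have no observable effect, because the existing control flow relies on `nagios_critical(...)` ending the run right after that loop, so the later `if args.tlsa_records:` check is never reached on that path; keep the original `break` there instead of the four added lines. In the first loop, dropping the unconditional `break` after `dane_valid_cert = True` means every TLSA record is now validated even when `--tlsa_records` was not given, since the new conditional `break` sits inside `if tup in args.tlsa_records:` and an empty list never enters it; restoring `if not args.tlsa_records: break` at loop level keeps the old short-circuit for the default case. Finally, the new CRITICAL message prints the raw Python list (`TLSA records [301, 302] not validated`); formatting the leftovers back into `usage selector mtype` triples would make the alert readable in a Nagios/Icinga view.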