A library for using DANE for public key discovery.

Project description

A library for using DANE TLSA records for certificate discovery.

Quick Start

Installation

pip install dane-discovery

Load a certificate from DNS and print the PEM representation

from dane_discovery.dane import DANE

# Look up the TLSA records for the name and take the first leaf certificate record.
dns_name = "dns.name.having.a.tlsa.record"
tlsa_record = DANE.get_first_leaf_certificate(dns_name)
if not tlsa_record:
    raise ValueError("No leaf certificate found for {}.".format(dns_name))

# Convert the record's certificate association data to DER, then print it as PEM.
der_cert = DANE.certificate_association_to_der(tlsa_record["certificate_association"])
print(DANE.der_to_pem(der_cert))


Load a DANE identity from DNS and print the request context

from dane_discovery.identity import Identity
dns_name = "dns.name.having.a.tlsa.record"
dane_identity = Identity(dns_name)
print(dane_identity)

Name: abc123.air-quality-sensor._device.example.net
Request context:
  DNSSEC: False
  TLS: False
  TCP: True
Credential index: 0
  certificate usage: DANE-EE
  selector: Full certificate match
  matching type: Exact match against certificate association
  x509 attributes:
    {'extensions': {'BasicConstrints': {'ca': False, 'path_length': None},
                    'KeyUsage': {'content_commitment': True,
                                 'crl_sign': False,
                                 'data_encipherment': False,
                                 'digital_signature': True,
                                 'key_agreement': False,
                                 'key_cert_sign': False,
                                 'key_encipherment': True}},
     'subject': {'commonName': 'abc123.air-quality-sensor._device.example.net',
                 'countryName': 'US',
                 'organizationName': 'Example Networks',
                 'stateOrProvinceName': 'CA'}}
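
The certificate usage, selector and matching type fields shown above decide how a presented certificate is compared with the record. The following is an added example, not part of dane-discovery: it uses only the Python standard library, the function names `parse_tlsa` and `tlsa_matches` are hypothetical, it covers the RFC 6698 parameter values only (not PKIX-CD), and the sample bytes are constructed stand-ins for a DER certificate.

```python
import hashlib
import hmac

# Field values from RFC 6698, acronyms from RFC 7218 (standard values only).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
DIGESTS = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}


def parse_tlsa(rdata):
    """Parse TLSA presentation-format RDATA: 'usage selector mtype hex...'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs three integers and hex data")
    try:
        usage, selector, mtype = (int(f) for f in fields[:3])
        # Hex data may be split across several whitespace-separated chunks.
        data = bytes.fromhex("".join(fields[3:]))
    except ValueError as err:
        raise ValueError("malformed TLSA RDATA: {}".format(err))
    if usage not in USAGES or selector not in SELECTORS or mtype not in DIGESTS:
        raise ValueError("unsupported TLSA parameter value")
    digest = DIGESTS[mtype]
    # A digest of the wrong length can never match; reject it at parse time.
    if digest is not None and len(data) != digest().digest_size:
        raise ValueError("association length does not fit matching type")
    return {"usage": usage, "selector": selector,
            "matching_type": mtype, "association": data}


def tlsa_matches(record, cert_der, spki_der=None):
    """Return True if the presented certificate satisfies the TLSA record."""
    selected = cert_der if record["selector"] == 0 else spki_der
    if selected is None:
        raise ValueError("selector 1 needs the DER SubjectPublicKeyInfo")
    digest = DIGESTS[record["matching_type"]]
    candidate = digest(selected).digest() if digest else selected
    return hmac.compare_digest(candidate, record["association"])


# Constructed stand-in bytes, not a real certificate: matching treats DER as opaque.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
RECORD_FULL = parse_tlsa("3 0 0 " + SAMPLE_DER.hex())
RECORD_SHA256 = parse_tlsa("3 0 1 " + hashlib.sha256(SAMPLE_DER).hexdigest())

if __name__ == "__main__":
    for rec in (RECORD_FULL, RECORD_SHA256):
        print(USAGES[rec["usage"]], tlsa_matches(rec, SAMPLE_DER))
```

RFC 6698 requires the TLSA records to be DNSSEC-validated before they are trusted, so check the DNSSEC line of the request context before acting on a match.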

More examples

Changelog

v0.15

Fix

  • Correct issue with CLI scripts being excluded from package. [Ash Wilson]

v0.14 (2021-06-04)

Changes

  • Increment minor version, update CHANGELOG.rst. [Ash Wilson]

  • Include /.well-known/ in CA URL. [Ash Wilson]

    Close #62

v0.13 (2021-06-04)

Changes

  • Increment minor version, update CHANGELOG.rst. [Ash Wilson]

  • Retrieving invalid TLSA record from DNS throws TLSAError. [Ash Wilson]

    Close #59

  • Update pattern for generating authority server URL. [Ash Wilson]

    Close #58

v0.12 (2021-05-28)

New

  • Implement new method for Identity to retrieve first entity certificate. [Ash Wilson]

    Close #56

Other

v0.11 (2021-05-18)

v0.10 (2021-05-11)

Changes

  • Generate DER certificates, include as a control in testing when changing representations between PEM, TLSA, DER. [Ash Wilson]

Other

v0.9 (2021-03-02)

Changes

  • Add filtering to certificate retrieval tool. [Ash Wilson]

    Close #39

  • Rename CLI scripts to align with package name. [Ash Wilson]

    Close #38

v0.8 (2021-02-27)

New

  • Add dane_pkix_cd_get_ca_certificates. [Ash Wilson]

    Close #32

  • Add dane_pkix_cd_get_certificates. [Ash Wilson]

    Close #31

  • Add authenticate_pkix_cd script. [Ash Wilson]

    Close #29

  • Add PKIX-CD validation for local certificates. [Ash Wilson]

    Close #28

v0.7 (2021-02-18)

New

  • Add certificate_object to output from Identity.process_tlsa() [Ash Wilson]

    Close #23

  • Add support for EC certificates and keys. [Ash Wilson]

    Close #24

v0.6 (2020-11-10)

New

  • Add support for PKIX-CD. [Ash Wilson]

    Breaking changes! Test thoroughly before updating to this version!

    Close #20

  • Add Identity.get_ca_certificate_for_identity() [Ash Wilson]

    Close #18

  • Add Identity.verify_certificate_signature(). [Ash Wilson]

v0.5 (2020-10-15)

Fix

  • Clean up parsing of TLSA records when DNSSEC is in use. [Ash Wilson]

v0.4 (2020-10-15)

Fix

  • Fix parsing of full DNS response message. [Ash Wilson]

v0.3 (2020-10-15)

New

  • Identity __repr__() indicates request context and x509 extensions. [Ash Wilson]

Changes

  • DANE.get_tlsa_records() returns request context. [Ash Wilson]

v0.2 (2020-08-13)

New

  • Support generating TLSA records for matching type 1, 2. [Ash Wilson]

    Closes #3

v0.1 (2020-08-04)

New

  • Add certificate_association_to_der() and der_to_pem() for formatting certs from TLSA RRs. [Ash Wilson]

Files for dane-discovery, version 0.15

  • dane_discovery-0.15-py3-none-any.whl (19.2 kB), file type: Wheel, Python version: py3

  • dane_discovery-0.15.tar.gz (18.4 kB), file type: Source, Python version: None