A library for using DANE for public key discovery.
Project description
A library for using DANE TLSA records for certificate discovery.
Quick Start
Installation
pip install dane-discovery
Load a certificate from DNS and print the PEM representation
from dane_discovery.dane import DANE

dns_name = "dns.name.having.a.tlsa.record"
# Look up the TLSA records for the name and take the first leaf certificate.
tlsa_record = DANE.get_first_leaf_certificate(dns_name)
if not tlsa_record:
    raise ValueError("No leaf certificate found for {}.".format(dns_name))
# Convert the certificate association data to DER, then print it as PEM.
der_cert = DANE.certificate_association_to_der(tlsa_record["certificate_association"])
print(DANE.der_to_pem(der_cert))
Load a DANE identity from DNS and print the request context
-----------------------------------------------------------
from dane_discovery.identity import Identity
dns_name = "dns.name.having.a.tlsa.record"
dane_identity = Identity(dns_name)
print(dane_identity)
Name: abc123.air-quality-sensor._device.example.net
Request context:
DNSSEC: False
TLS: False
TCP: True
Credential index: 0
certificate usage: DANE-EE
selector: Full certificate match
matching type: Exact match against certificate association
x509 attributes:
{'extensions': {'BasicConstrints': {'ca': False, 'path_length': None},
                'KeyUsage': {'content_commitment': True,
                             'crl_sign': False,
                             'data_encipherment': False,
                             'digital_signature': True,
                             'key_agreement': False,
                             'key_cert_sign': False,
                             'key_encipherment': True}},
 'subject': {'commonName': 'abc123.air-quality-sensor._device.example.net',
             'countryName': 'US',
             'organizationName': 'Example Networks',
             'stateOrProvinceName': 'CA'}}
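The request context above reports DNSSEC: False, and a TLSA answer that was not DNSSEC-validated cannot authenticate a certificate. The following is an added example, not part of dane-discovery: it uses only the standard library to match certificate bytes against a TLSA record for selector 0 and matching types 0, 1 and 2, which goes beyond the exact-match case shown in the output. The names parse_tlsa, matches and pem_wrap are hypothetical, the sample bytes are constructed, and the caller is assumed to supply the DNSSEC validation result.

```python
import base64
import hashlib
import hmac
import textwrap

# TLSA matching types: 0 = exact match, 1 = SHA-256, 2 = SHA-512.
DIGESTS = {
    0: lambda data: data,
    1: lambda data: hashlib.sha256(data).digest(),
    2: lambda data: hashlib.sha512(data).digest(),
}


def parse_tlsa(rdata):
    """Parse 'usage selector matching_type hex...' (presentation format)."""
    usage, selector, mtype, *hex_parts = rdata.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if not 0 <= usage <= 255 or selector not in (0, 1) or mtype not in DIGESTS:
        raise ValueError("unsupported TLSA parameters: " + rdata[:16])
    return {"usage": usage, "selector": selector, "matching_type": mtype,
            "association": bytes.fromhex("".join(hex_parts))}


def matches(tlsa, cert_der, dnssec_validated):
    """True only for a DNSSEC-validated record whose data matches cert_der."""
    if not dnssec_validated:
        return False  # an unauthenticated DNS answer cannot vouch for a key
    if tlsa["selector"] != 0:
        raise ValueError("selector 1 (SPKI) needs an X.509 parser; not shown")
    expected = DIGESTS[tlsa["matching_type"]](cert_der)
    return hmac.compare_digest(expected, tlsa["association"])


def pem_wrap(der):
    """Wrap DER bytes in a PEM certificate envelope, 64 columns per line."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed stand-in bytes, not a real certificate; hypothetical sample record.
SAMPLE_DER = bytes(range(256))
SAMPLE_RDATA = "3 0 1 " + hashlib.sha256(SAMPLE_DER).hexdigest()

if __name__ == "__main__":
    record = parse_tlsa(SAMPLE_RDATA)
    print(matches(record, SAMPLE_DER, dnssec_validated=True))
    print(matches(record, SAMPLE_DER, dnssec_validated=False))
    print(pem_wrap(SAMPLE_DER))
```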
Changelog
v0.15
Fix
Correct issue with CLI scripts being excluded from package. [Ash Wilson]
v0.14 (2021-06-04)
Changes
Increment minor version, update CHANGELOG.rst. [Ash Wilson]
Include /.well-known/ in CA URL. [Ash Wilson]
Close #62
v0.13 (2021-06-04)
Changes
Increment minor version, update CHANGELOG.rst. [Ash Wilson]
Retrieving invalid TLSA record from DNS throws TLSAError. [Ash Wilson]
Close #59
Update pattern for generating authority server URL. [Ash Wilson]
Close #58
v0.12 (2021-05-28)
New
Implement new method for Identity to retrieve first entity certificate. [Ash Wilson]
Close #56
Other
Build(deps): update requests-mock requirement from ~=1.9.2 to ~=1.9.3. [dependabot[bot]]
Updates the requirements on [requests-mock](https://github.com/jamielennox/requests-mock) to permit the latest version. - [Release notes](https://github.com/jamielennox/requests-mock/releases) - [Commits](https://github.com/jamielennox/requests-mock/compare/1.9.2...1.9.3)
v0.11 (2021-05-18)
Build(deps): update pytest-cov requirement from ~=2.11 to ~=2.12. [dependabot[bot]]
Updates the requirements on [pytest-cov](https://github.com/pytest-dev/pytest-cov) to permit the latest version. - [Release notes](https://github.com/pytest-dev/pytest-cov/releases) - [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-cov/compare/v2.11.0...v2.12.0)
v0.10 (2021-05-11)
Changes
Generate DER certificates, include as a control in testing when changing representations between PEM, TLSA, DER. [Ash Wilson]
Other
Build(deps): update requests requirement from ~=2.24.0 to >=2.24,<2.26. [dependabot[bot]]
Updates the requirements on [requests](https://github.com/psf/requests) to permit the latest version. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/master/HISTORY.md) - [Commits](https://github.com/psf/requests/compare/v2.24.0...v2.25.1)
Build(deps): bump dnspython from 2.0.0 to 2.1.0. [dependabot[bot]]
Bumps [dnspython](https://github.com/rthalley/dnspython) from 2.0.0 to 2.1.0. - [Release notes](https://github.com/rthalley/dnspython/releases) - [Changelog](https://github.com/rthalley/dnspython/blob/master/doc/whatsnew.rst) - [Commits](https://github.com/rthalley/dnspython/compare/v2.0.0...v2.1.0)
Build(deps): update pytest-cov requirement from ~=2.10 to ~=2.11. [dependabot[bot]]
Updates the requirements on [pytest-cov](https://github.com/pytest-dev/pytest-cov) to permit the latest version. - [Release notes](https://github.com/pytest-dev/pytest-cov/releases) - [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest-cov/compare/v2.10.0...v2.11.1)
Build(deps): update requests-mock requirement from ~=1.8.0 to ~=1.9.2. [dependabot[bot]]
Updates the requirements on [requests-mock](https://github.com/jamielennox/requests-mock) to permit the latest version. - [Release notes](https://github.com/jamielennox/requests-mock/releases) - [Commits](https://github.com/jamielennox/requests-mock/compare/1.8.0...1.9.2)
Build(deps): update sphinx requirement from ~=3.1 to ~=4.0. [dependabot[bot]]
Updates the requirements on [sphinx](https://github.com/sphinx-doc/sphinx) to permit the latest version. - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/4.x/CHANGES) - [Commits](https://github.com/sphinx-doc/sphinx/compare/v3.1.0...v4.0.1)
Build(deps): update pytest requirement from ~=6.0 to ~=6.2. [dependabot[bot]]
Updates the requirements on [pytest](https://github.com/pytest-dev/pytest) to permit the latest version. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/6.0.0...6.2.4)
Create dependabot.yml. [Peter Goldstein]
v0.9 (2021-03-02)
Changes
Add filtering to certificate retrieval tool. [Ash Wilson]
Close #39
Rename CLI scripts to align with package name. [Ash Wilson]
Close #38
v0.8 (2021-02-27)
New
Add dane_pkix_cd_get_ca_certificates. [Ash Wilson]
Close #32
Add dane_pkix_cd_get_certificates. [Ash Wilson]
Close #31
Add authenticate_pkix_cd script. [Ash Wilson]
Close #29
Add PKIX-CD validation for local certificates. [Ash Wilson]
Close #28
v0.7 (2021-02-18)
New
Add certificate_object to output from Identity.process_tlsa() [Ash Wilson]
Close #23
Add support for EC certificates and keys. [Ash Wilson]
Close #24
v0.6 (2020-11-10)
New
Add support for PKIX-CD. [Ash Wilson]
Breaking changes! Test thoroughly before updating to this version!
Close #20
Add Identity.get_ca_certificate_for_identity() [Ash Wilson]
Close #18
Add Identity.verify_certificate_signature(). [Ash Wilson]
v0.5 (2020-10-15)
Fix
Clean up parsing of TLSA records when DNSSEC is in use. [Ash Wilson]
v0.4 (2020-10-15)
Fix
Fix parsing of full DNS response message. [Ash Wilson]
v0.3 (2020-10-15)
New
Identity __repr__() indicates request context and x509 extensions. [Ash Wilson]
Changes
DANE.get_tlsa_records() returns request context. [Ash Wilson]
v0.2 (2020-08-13)
New
Support generating TLSA records for matching type 1, 2. [Ash Wilson]
Closes #3
v0.1 (2020-08-04)
New
Add certificate_association_to_der() and der_to_pem() for formatting certs from TLSA RRs. [Ash Wilson]
Hashes for dane_discovery-0.15-py3-none-any.whl
Algorithm | Hash digest |
---|---|
SHA256 | 8005402bd35bd0fae060f1736d316a87b41c6792cebb08a9650f3489c7f5c2e1 |
MD5 | a3ce86783ccb4912c27dd9f18848aefb |
BLAKE2b-256 | 7e13ba7b42e39abf3d96968caa691e1ade2c66f42b44179a6d06897379c4a3cf |