
Python library to generate a TLSA record format based on the active certificate on a host.

Project description

Author: Oscar Koeroo

pyDANETLSA

Generates a TLSA record for DANE. The certificate is obtained either by probing the service with a StartTLS or plain TLS handshake, or by reading an X.509 certificate from a PEM or DER file; the public key is then extracted and formatted as a TLSA 3 1 1 record.

Class: danetlsa

Initializer / __init__():

Start a new instance of pyDANETLSA and initialize it with the following named attributes:

  • fqdn: Fully Qualified Domain Name of the host, e.g. smtp.koeroo.net. The host part and the domain part are derived from this value. However, the derivation assumes a zone of exactly two labels (the TLD and the zone name); when the zone actually has one or three labels, as with some gTLDs and ccTLD second-level registries, the split is wrong. Use the domain attribute to make the split relative to the given domain instead of guessing the zone structure.

  • port: The TCP or UDP port number for which the DANE TLSA record is to be generated.

  • tlsa_protocol: Select the output TLSA protocol. Options are limited to 'tcp', 'udp' and 'sctp'. Default is 'tcp'.

  • probe_protocol: Selects the probe method/read method. Choices are fixed to:

    • DANETLSA_IMAP: Probes IMAP with StartTLS on the provided port.
    • DANETLSA_POP3: Probes POP3 with StartTLS on the provided port.
    • DANETLSA_SMTP: Probes SMTP with StartTLS on the provided port.
    • DANETLSA_TLS: Probes with plain TLS on the provided port.
    • DANETLSA_PEM: Reads a certificate from the certfile property. The file must be in PEM format.
    • DANETLSA_DER: Reads a certificate from the certfile property. The file must be in DER format.

  • certfile: Not used for the network probe protocols; required for DANETLSA_PEM and DANETLSA_DER. File path to the PEM or DER certificate to read. The path must exist and must be a regular file (or a symlink to one).
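An added illustration, not part of pyDANETLSA, of the fqdn splitting rule and the domain override described above: without domain the last two labels are assumed to be the zone, which goes wrong for a three-label zone such as example.co.uk. Function and parameter names are this example's own and only mirror the library's method names.

```python
def split_fqdn(fqdn, domain=None):
    """Return (host, zone) for an FQDN.

    Without domain, the zone is assumed to be the last two labels, which is
    the guess described on the page and which misfires for one- or three-label
    zones. With domain, the split is made relative to that zone instead.
    """
    name = fqdn.rstrip(".")
    if domain is None:
        labels = name.split(".")
        if len(labels) < 3:
            raise ValueError("need host plus a two-label zone, or pass domain=")
        return ".".join(labels[:-2]), ".".join(labels[-2:])
    zone = domain.rstrip(".")
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError(f"{name} is not a host under {zone}")
    return name[: -len(suffix)], zone


def tlsa_rr_name_host(fqdn, port, tlsa_protocol="tcp", domain=None):
    """Owner name relative to the zone, e.g. _25._tcp.smtp."""
    if tlsa_protocol not in ("tcp", "udp", "sctp"):
        raise ValueError("tlsa_protocol must be tcp, udp or sctp")
    host, _zone = split_fqdn(fqdn, domain)
    return f"_{port}._{tlsa_protocol}.{host}"


def tlsa_rr_name_fqdn(fqdn, port, tlsa_protocol="tcp"):
    """Absolute owner name, e.g. _25._tcp.smtp.koeroo.net."""
    return f"_{port}._{tlsa_protocol}.{fqdn.rstrip('.')}."
```

With the two-label guess, mail.example.co.uk yields host "mail.example" and zone "co.uk"; passing domain="example.co.uk" gives the intended host "mail".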

connect()

See engage()

engage()

This triggers the reading of the file or opens the network connection with the selected probe protocol, extracts the certificate, transforms it into the internal formats needed and generates the information required for a DANE TLSA record. That information can then be retrieved with the methods below.

subject_dn()

Returns the Subject DN in classic OpenSSL subject format.

/C=NL/ST=Zuid-Holland/L='s-Gravenhage/O=Rijksoverheid/CN=ncsc.nl

process_pubkey_hex()

Internal function that derives the public key hex value from the fetched certificate: the SHA-256 digest of the certificate's SubjectPublicKeyInfo, which is what selector 1 with matching type 1 refers to. Returns the hex value.

78a80c6362af724f11433375890632cc099cd55a985c6e4a4a8ad741fe032f35

pubkey_hex()

Returns the hex value of the public key (the SHA-256 digest of the SubjectPublicKeyInfo, as used in the 3 1 1 record).

78a80c6362af724f11433375890632cc099cd55a985c6e4a4a8ad741fe032f35

tlsa_rdata_3_1_1()

Returns the TLSA rdata in 3 1 1 format: certificate usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256).

3 1 1 78a80c6362af724f11433375890632cc099cd55a985c6e4a4a8ad741fe032f35

tlsa_rr_name_host()

Returns the resource record name for TLSA appropriate for the service.

_25._tcp.smtp

tlsa_rr_name_fqdn()

Returns the resource record name as full FQDN value for TLSA appropriate for the service.

_25._tcp.smtp.koeroo.net.

tlsa_rr()

Returns the full resource record, formatted like a zone file line with an owner name relative to the zone.

_25._tcp.smtp IN TLSA 3 1 1 78a80c6362af724f11433375890632cc099cd55a985c6e4a4a8ad741fe032f35

tlsa_rr_fqdn()

Returns the full resource record, formatted like a zone file line, with the owner name as an absolute FQDN.

_465._tcp.smtp.koeroo.net. IN TLSA 3 1 1 78a80c6362af724f11433375890632cc099cd55a985c6e4a4a8ad741fe032f35
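As an added, stdlib-only example (not the library's code), the following reconstructs what pubkey_hex(), tlsa_rdata_3_1_1() and tlsa_rr() produce: it walks the certificate's DER to the SubjectPublicKeyInfo, hashes it with SHA-256, and also checks a presented certificate against published 3 1 1 rdata, which is the verification a resolver-side check performs. The certificate used is a constructed, unsigned sample with an all-zero Ed25519 key, not a real certificate.

```python
import hashlib


def _der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def spki_from_der(cert_der):
    """Return the DER SubjectPublicKeyInfo (TLSA selector 1) of an X.509 cert.
    For PEM input convert first with ssl.PEM_cert_to_DER_cert()."""
    _, pos, _ = _tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)            # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                         # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)            # subjectPublicKeyInfo ::= SEQUENCE
    return cert_der[pos:end]                   # whole TLV, as the digest covers it


def tlsa_3_1_1(cert_der):
    """Usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_from_der(cert_der)).hexdigest()


def tlsa_rr(host, port, cert_der, tlsa_protocol="tcp"):
    return f"_{port}._{tlsa_protocol}.{host} IN TLSA {tlsa_3_1_1(cert_der)}"


def matches_published(cert_der, published_rdata):
    """True if the presented certificate matches a 3 1 1 rdata string from DNS."""
    return tlsa_3_1_1(cert_der).split() == published_rdata.lower().split()


# Constructed sample: syntactically valid v3 certificate with an all-zero Ed25519
# key (OID 1.3.101.112) and a dummy signature. Not a real certificate.
_ED25519 = _der(0x30, b"\x06\x03\x2b\x65\x70")
SPKI = _der(0x30, _ED25519 + _der(0x03, b"\x00" + bytes(32)))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _ED25519
            + _der(0x30, b"") + _der(0x30, _der(0x17, b"240101000000Z") * 2)
            + _der(0x30, b"") + SPKI)
CERT = _der(0x30, _TBS + _ED25519 + _der(0x03, b"\x00" + bytes(64)))
```

tlsa_rr("smtp", 25, CERT) returns a line in the same shape as the tlsa_rr() output above; the parser handles the long-form length the sample certificate's outer SEQUENCE requires.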

Example:

#!/usr/bin/env python3

import pyDANETLSA

print("Protocol support list:", pyDANETLSA.DANETLS_protocols)

# Probe SMTP on port 25 with StartTLS; the keyword matches the probe_protocol
# attribute documented above.
d = pyDANETLSA.danetlsa(fqdn='smtp.koeroo.net.', port=25, probe_protocol=pyDANETLSA.DANETLSA_SMTP)
d.engage()
print("TLSA RR with FQDN", d.tlsa_rr_fqdn())

Download files


  • Source Distribution: pyDANETLSA-0.1.0.tar.gz (5.3 kB)
  • Built Distribution: pyDANETLSA-0.1.0-py3-none-any.whl (5.3 kB), Python 3

File details

Details for the file pyDANETLSA-0.1.0.tar.gz.

File metadata

  • Download URL: pyDANETLSA-0.1.0.tar.gz
  • Upload date:
  • Size: 5.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.0.1 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.9.4

File hashes

Hashes for pyDANETLSA-0.1.0.tar.gz:

  • SHA256: f1f6a39038ad2a0c9fc802060b520f3afe92becb2d6c34820b2ab454056c8b17
  • MD5: bcb34104d47cde5495fff65c35f60e1d
  • BLAKE2b-256: a5f3e52b0a2853356a7272adf6d8ebc0647aaad01c6aa4b1552800767a46101a

File details

Details for the file pyDANETLSA-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: pyDANETLSA-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 5.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.4.1 importlib_metadata/4.0.1 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.9.4

File hashes

Hashes for pyDANETLSA-0.1.0-py3-none-any.whl:

  • SHA256: c833eb2b7c11833865069f5475ee6b3c6030e1c6f189ed69388cb40f4d24d299
  • MD5: 13123dd1e947121c550079e055e52465
  • BLAKE2b-256: d43b14f89b6249be9ff85345c03c4fd5f32284525a2b79af38d363b89ab906f4
