Python library to generate a TLSA record format based on the active certificate on a host.

## Project description

Author: Oscar Koeroo

# pyDANETLSA

Generate TLSA record for DANE. Generated either by probing the resource and using a StartTLS or plain TLS handshake to extract the certificate, public key and formulate a TLSA 3 1 1 format. Also a X.509 in PEM or DER file format is possible.

## Class: danetlsa

### Initializer / init():

Start a new instance of pyDANETLSA and initialize it with the following named attributes:

• fqdn: Fully Qualified Domain Name which sets the full name of a host, e.g. smtp.koeroo.net. From this value the domain and host part is extracted. However, the algorithm expects a zone of two components, being the TLD and the zone name. If this is either three or one for gTLDs the calculation is borked. Use the domain attribute to force the calculation to become relative to the provided domain instead of guessing the zone structure.

• port: The TCP or UDP port number for with the DANE TLSA record is to be generated.

• tlsa_protocol: Select the output TLSA protocol. Options are limited to 'tcp', 'udp' and 'sctp'. Default is 'tcp'.

• probe_protocol: Selects the probe method/read method. Choices are fixed to:

• DANETLSA_IMAP: Probes IMAP with StartTLS on the provided port.
• DANETLSA_POP3: Probes POP3 with StartTLS on the provided port.
• DANETLSA_SMTP: Probes SMTP with StartTLS on the provided port.
• DANETLSA_TLS: Probes with plain TLS on the provided port.
• DANETLSA_PEM: Reads a certificate from the certfile property. The file must be in PEM format.
• DANETLSA_DER: Reads a certificate from the certfile property. The file must be in DER format.
• certfile: Optional for network probe protocol selections. File path to a PEM or DER certificate to read. File must exist and must be a file (or symlink to a file).

See engage()

### engage()

This will trigger the reading of the file or start the network connection to the selected protocol to extract the certificate, transform the certificate in the right internal formats and generate the information required for a DANE TLSA record. This information can then be retried with other methods.

### subject_dn()

Returns the Subject DN in classic OpenSSL subject format.

/C=NL/ST=Zuid-Holland/L='s-Gravenhage/O=Rijksoverheid/CN=ncsc.nl


### process_pubkey_hex()

Internal function to process the public key hex value from the fetched certificate. Returns the hex value

78a80c6362af724f11433375890632cc099cd55a985c6e4a4a8ad741fe032f35


### pubkey_hex()

Returns the hex value of the public key.

78a80c6362af724f11433375890632cc099cd55a985c6e4a4a8ad741fe032f35


### tlsa_rdata_3_1_1()

Returns the 3 1 1 format value.

3 1 1 78a80c6362af724f11433375890632cc099cd55a985c6e4a4a8ad741fe032f35


### tlsa_rr_name_host()

Returns the resource record name for TLSA appropriate for the service.

_25._tcp.smtp


### tlsa_rr_name_fqdn()

Returns the resource record name as full FQDN value for TLSA appropriate for the service.

_25._tcp.smtp.koeroo.net.


### tlsa_rr()

Returns full resource record, which looks a lot like a zone file.

_25._tcp.smtp IN TLSA 3 1 1 78a80c6362af724f11433375890632cc099cd55a985c6e4a4a8ad741fe032f35


### tlsa_rr_fqdn()

Returns full resource record, which looks a lot like a zone file, the host is now an absolute name.

_465._tcp.smtp.koeroo.net. IN TLSA 3 1 1 78a80c6362af724f11433375890632cc099cd55a985c6e4a4a8ad741fe032f35


## Example:

#!/usr/bin/env python3

import pyDANETLSA

print("Protocol support list:", pyDANETLSA.DANETLS_protocols)

d = pyDANETLSA.danetlsa(fqdn='smtp.koeroo.net.', port=25,  protocol=pyDANETLSA.DANETLSA_SMTP)
d.engage()
print("TLSA RR with FQDN", d.tlsa_rr_fqdn())


## Project details

Uploaded source
Uploaded py3