On Fri, Sep 16, 2016 at 01:39:16PM +0200, Carsten Strotmann (sys4) wrote:

> On 16/09/2016 13:36 PM, Andreas Schulze wrote:
> > Hello,
> > 
> > I like to publish a PKIX-TA which mean I publisch a whole certificate, the 
> > whole blob...

In almost all cases this is a bad idea, a SHA2-256 digest is quite secure 
enough,
and is much less bloated.

> > I found https://www.huque.com/bin/gen_tlsa but some commandline voodoo 
> > using openssl or ldns-dane would be cool.
> > Any suggestions?
> 
> Viktor has posted his "tlsagen" script here on the list, that works fine
> (I've used it to generate a 0 0 0 for testing purposes last week).

Attaching "tlsagen" and "chaingen".  Note, the latter does not verify
the integrity of the chain, garbage-in = garbage-out.

-- 
        Viktor.
#! /usr/bin/env bash
# Bash needed for PIPESTATUS array

extract() {
  case "$4" in
  0) openssl x509 -in "$1" -outform DER;;
  1) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER;;
  esac
}
digest() {
  case "$5" in
  0) cat;;
  1) openssl dgst -sha256 -binary;;
  2) openssl dgst -sha512 -binary;;
  esac
}
encode() {
  local cert=$1; shift
  local hostport=$1; shift
  local u=$1; shift
  local s=$1; shift
  local m=$1; shift
  local host=$hostport
  local port=25

  OIFS="$IFS"; IFS=":"; set -- $hostport; IFS="$OIFS"
  if [ $# -eq 2 ]; then host=$1; port=$2; fi

  printf "_%d._tcp.%s. IN TLSA %d %d %d %s\n" \
    "$port" "$host" "$u" "$s" "$m" \
     "$(od -vAn -tx1 | tr -d ' \012')"
}

error() { echo "$1" 1>&2; exit 1; }
usage() { error "Usage: $0 cert.pem host[:port] usage selector mtype"; }
if [ $# -ne 5 ]; then usage; fi

case "$(echo $3 | tr '[A-Z]' '[a-z]')" in
0|pkix-[ct]a)   usage=0;;
1|pkix-ee)      usage=1;;
2|dane-[ct]a)   usage=2;;
3|dane-ee)      usage=3;;
*)              error "Invalid certificate usage: $3";;
esac

case "$(echo $4 | tr '[A-Z]' '[a-z]')" in
0|cert)         selector=0;;
1|spki|pkey)    selector=1;;
*)              error "Invalid selector: $4";;
esac

case "$(echo $5 | tr '[A-Z]' '[a-z]')" in
0|full)                         mtype=0;;
1|sha2-256|sha256|sha-256)      mtype=1;;
2|sha2-512|sha512|sha-512)      mtype=2;;
*)                              error "Invalid matching type: $5";;
esac

set -- "$1" "$2" "$usage" "$selector" "$mtype"
rr=$(
    extract "$@" | digest "$@" | encode "$@"
    exit $(( ${PIPESTATUS[0]} | ${PIPESTATUS[1]} | ${PIPESTATUS[2]} ))
)
status=$?

if [ $status -ne 0 ]; then
    exit $status
fi
echo "$rr"
#! /usr/bin/env bash
# Bash needed for PIPESTATUS array

extract() {
  case "$4" in
  0) openssl x509 -in "$1" -outform DER;;
  1) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER;;
  esac
}
digest() {
  case "$5" in
  0) cat;;
  1) openssl dgst -sha256 -binary;;
  2) openssl dgst -sha512 -binary;;
  esac
}
encode() {
  local cert=$1; shift
  local hostport=$1; shift
  local u=$1; shift
  local s=$1; shift
  local m=$1; shift
  local host=$hostport
  local port=25

  OIFS="$IFS"; IFS=":"; set -- $hostport; IFS="$OIFS"
  if [ $# -eq 2 ]; then host=$1; port=$2; fi

  printf "_%d._tcp.%s. IN TLSA %d %d %d %s\n" \
    "$port" "$host" "$u" "$s" "$m" \
     "$(od -vAn -tx1 | tr -d ' \012')"
}

genrr() {
    rr=$(
        extract "$@" | digest "$@" | encode "$@"
        exit $(( ${PIPESTATUS[0]} | ${PIPESTATUS[1]} | ${PIPESTATUS[2]} ))
    )
    status=$?; if [ $status -ne 0 ]; then exit $status; fi
    echo "$rr"
}

error() { echo "$1" 1>&2; exit 1; }
usage() { error "Usage: $0 chain.pem host[:port]"; }
if [ $# -ne 2 ]; then usage; fi

# Validate and normalize the chain
#
certfile=$1; shift
chain="$(
    openssl crl2pkcs7 -nocrl -certfile "$certfile" |
        openssl pkcs7 -print_certs
    exit $(( ${PIPESTATUS[0]} | ${PIPESTATUS[1]} ))
)"
status=$?; if [ $status -ne 0 ]; then exit $status; fi

hostport=$1; shift
usage=3
cert=
printf "%s\n\n" "$chain" |
while read line
do
    if [[ -z "$cert" && ! "$line" =~ ^-----BEGIN ]]; then
        continue
    fi
    cert=$(printf "%s\n%s" "$cert" "$line")
    if [ -z "$line" -a ! -z "$cert" ]; then
        echo "$cert" |
            openssl x509 -noout -subject -issuer -dates |
            sed -e 's/^/;; /'
        echo ";;"
        genrr <(echo "$cert") "$hostport" $usage 0 1
        genrr <(echo "$cert") "$hostport" $usage 1 1
        genrr <(echo "$cert") "$hostport" $usage 0 2
        genrr <(echo "$cert") "$hostport" $usage 1 2
        echo
        cert=""
        usage=2
    fi
done

Reply via email to