Re: [dane] Meeting at IETF89 (London).

[Viktor Dukhovni]

On Wed, Jan 22, 2014 at 09:00:08PM +0100, Olaf Kolkman wrote:

> [shameless plug ahead]
> 
> On 17 jan. 2014, at 01:04, Viktor Dukhovni <viktor1d...@dukhovni.org> wrote:
> 
> >   /etc/postfix/main.cf:
> >     # Server TLS
> >     smtpd_tls_security_level = may
> >     smtpd_tls_loglevel = 1
> >     smtpd_tls_cert_file = ${config_directory}/smtpd-chain.pem
> >     smtpd_tls_key_file = ${config_directory}/smtpd-key.pem
> >     smtpd_tls_dh1024_param_file ${config_directory}/dh2048.pem
> >     smtpd_tls_dh512_param_file ${config_directory}/dh512.pem
> 
> 
> Of course one should publish the TLSA RR once the server bit has
> been configured. Easy generation:

Yes, of course.

> ldns-dane -c ${config_directory}/smtpd-chain.pem create \
>       <mx.example.com> 25 domain-issued full

Or the short shell script below my signature, provided OpenSSL is
installed and the version is >= 1.0.0.

    $ tlsagen /usr/pkg/etc/mail-cert.pem mail.example.com:25 dane-ee spki 
sha2-256
    _25._tcp.mail.example.com. IN TLSA 3 1 1 
89EF5B500559318251538FB1DA0BD309D38BD021EB0311A3227BE7B331B05BAC

-- 
        Viktor.

#! /bin/sh

extract() {
  case "$4" in
  0) openssl x509 -in "$1" -outform DER;;
  1) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER;;
  esac
}
digest() {
  case "$5" in
  0) cat;;
  1) openssl dgst -sha256 -binary;;
  2) openssl dgst -sha512 -binary;;
  esac
}
encode() {
  perl -e '
    ($cert, $hostport, $u, $s, $m) = @ARGV;
    ($host, $port) = split(":", $hostport); $port ||= 25;
    $/=undef;
    ($a=<STDIN>) =~ s/(.)/sprintf("%02X", ord($1))/egs;
    printf "_%d._tcp.%s. IN TLSA %d %d %d %s\n",
      $port, $host, $u, $s, $m, $a;
  ' "$@"
}

error() { echo "$1" 1>&2; exit 1; }
usage() { error "Usage: $0 cert.pem host[:port] usage selector mtype"; }
if [ $# -ne 5 ]; then usage; fi

case "$(echo $3 | tr '[A-Z]' '[a-z]')" in
0|pkix-[ct]a)   usage=0;;
1|pkix-ee)      usage=1;;
2|dane-[ct]a)   usage=2;;
3|dane-ee)      usage=3;;
*)              error "Invalid certificate usage: $3";;
esac

case "$(echo $4 | tr '[A-Z]' '[a-z]')" in
0|cert)         selector=0;;
1|spki|pkey)    selector=1;;
*)              error "Invalid selector: $4";;
esac

case "$(echo $5 | tr '[A-Z]' '[a-z]')" in
0|full)                         mtype=0;;
1|sha2-256|sha256|sha-256)      mtype=1;;
2|sha2-512|sha512|sha-512)      mtype=2;;
*)                              error "Invalid matching type: $5";;
esac

set -- "$1" "$2" "$usage" "$selector" "$mtype"
extract "$@" | digest "$@" | encode "$@"
_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane