Re: howto generate TLSA 0 0 0

2016-09-16 Thread Viktor Dukhovni
On Fri, Sep 16, 2016 at 01:39:16PM +0200, Carsten Strotmann (sys4) wrote:

> On 16/09/2016 13:36 PM, Andreas Schulze wrote:
> > Hello,
> > 
> > I would like to publish a PKIX-TA, which means I publish a whole certificate, the 
> > whole blob...

In almost all cases this is a bad idea, a SHA2-256 digest is quite secure
enough, and is much less bloated.

> > I found https://www.huque.com/bin/gen_tlsa but some commandline voodoo 
> > using openssl or ldns-dane would be cool.
> > Any suggestions?
> 
> Viktor has posted his "tlsagen" script here on the list, that works fine
> (I've used it to generate a 0 0 0 for testing purposes last week).

Attaching "tlsagen" and "chaingen".  Note, the latter does not verify
the integrity of the chain, garbage-in = garbage-out.

-- 
Viktor.
#! /usr/bin/env bash
# tlsagen: print a TLSA RR for one certificate (attachment to Viktor's mail)
# Bash needed for PIPESTATUS array

# $1 = cert.pem, $4 = selector: 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
extract() {
  case "$4" in
  0) openssl x509 -in "$1" -outform DER;;
  1) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER;;
  esac
}
# $5 = matching type: 0 = full data, 1 = SHA2-256, 2 = SHA2-512
digest() {
  case "$5" in
  0) cat;;
  1) openssl dgst -sha256 -binary;;
  2) openssl dgst -sha512 -binary;;
  esac
}
# Hex-encode stdin and print the RR; the port defaults to 25 unless host:port was given
encode() {
  local cert=$1; shift
  local hostport=$1; shift
  local u=$1; shift
  local s=$1; shift
  local m=$1; shift
  local host=$hostport
  local port=25

  OIFS="$IFS"; IFS=":"; set -- $hostport; IFS="$OIFS"
  if [ $# -eq 2 ]; then host=$1; port=$2; fi

  printf "_%d._tcp.%s. IN TLSA %d %d %d %s\n" \
    "$port" "$host" "$u" "$s" "$m" \
    "$(od -vAn -tx1 | tr -d ' \012')"
}

error() { echo "$1" 1>&2; exit 1; }
usage() { error "Usage: $0 cert.pem host[:port] usage selector mtype"; }
if [ $# -ne 5 ]; then usage; fi

# Accept the numeric values or the RFC 7218 acronyms for usage, selector and matching type
case "$(echo $3 | tr '[A-Z]' '[a-z]')" in
0|pkix-[ct]a)   usage=0;;
1|pkix-ee)      usage=1;;
2|dane-[ct]a)   usage=2;;
3|dane-ee)      usage=3;;
*)  error "Invalid certificate usage: $3";;
esac

case "$(echo $4 | tr '[A-Z]' '[a-z]')" in
0|cert)         selector=0;;
1|spki|pkey)    selector=1;;
*)  error "Invalid selector: $4";;
esac

case "$(echo $5 | tr '[A-Z]' '[a-z]')" in
0|full)                         mtype=0;;
1|sha2-256|sha256|sha-256)      mtype=1;;
2|sha2-512|sha512|sha-512)      mtype=2;;
*)  error "Invalid matching type: $5";;
esac

set -- "$1" "$2" "$usage" "$selector" "$mtype"
# Run the pipeline in a subshell so that a failure in any stage is reported as the exit status
rr=$(
  extract "$@" | digest "$@" | encode "$@"
  exit $(( ${PIPESTATUS[0]} | ${PIPESTATUS[1]} | ${PIPESTATUS[2]} ))
)
status=$?

if [ $status -ne 0 ]; then
  exit $status
fi
echo "$rr"
#! /usr/bin/env bash
# chaingen: print TLSA RRs (selector 0 and 1, SHA2-256 and SHA2-512) for every
# certificate in a chain file: DANE-EE (3) for the first, DANE-TA (2) for the rest
# Bash needed for PIPESTATUS array

# $1 = certificate file, $4 = selector: 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
extract() {
  case "$4" in
  0) openssl x509 -in "$1" -outform DER;;
  1) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER;;
  esac
}
# $5 = matching type: 0 = full data, 1 = SHA2-256, 2 = SHA2-512
digest() {
  case "$5" in
  0) cat;;
  1) openssl dgst -sha256 -binary;;
  2) openssl dgst -sha512 -binary;;
  esac
}
# Hex-encode stdin and print the RR; the port defaults to 25 unless host:port was given
encode() {
  local cert=$1; shift
  local hostport=$1; shift
  local u=$1; shift
  local s=$1; shift
  local m=$1; shift
  local host=$hostport
  local port=25

  OIFS="$IFS"; IFS=":"; set -- $hostport; IFS="$OIFS"
  if [ $# -eq 2 ]; then host=$1; port=$2; fi

  printf "_%d._tcp.%s. IN TLSA %d %d %d %s\n" \
    "$port" "$host" "$u" "$s" "$m" \
    "$(od -vAn -tx1 | tr -d ' \012')"
}

# genrr certfile host[:port] usage selector mtype
genrr() {
  rr=$(
    extract "$@" | digest "$@" | encode "$@"
    exit $(( ${PIPESTATUS[0]} | ${PIPESTATUS[1]} | ${PIPESTATUS[2]} ))
  )
  status=$?; if [ $status -ne 0 ]; then exit $status; fi
  echo "$rr"
}

error() { echo "$1" 1>&2; exit 1; }
usage() { error "Usage: $0 chain.pem host[:port]"; }
if [ $# -ne 2 ]; then usage; fi

# Validate and normalize the chain (PEM syntax only; the chain itself is not verified)
#
certfile=$1; shift
chain="$(
  openssl crl2pkcs7 -nocrl -certfile "$certfile" |
  openssl pkcs7 -print_certs
  exit $(( ${PIPESTATUS[0]} | ${PIPESTATUS[1]} ))
)"
status=$?; if [ $status -ne 0 ]; then exit $status; fi

hostport=$1; shift
usage=3
cert=
printf "%s\n\n" "$chain" |
while read line
do
  # Skip the subject/issuer lines that -print_certs emits before each PEM block
  if [[ -z "$cert" && ! "$line" =~ ^-----BEGIN ]]; then
    continue
  fi
  cert=$(printf "%s\n%s" "$cert" "$line")
  # A blank line ends the PEM block: print its details and the four TLSA variants
  if [ -z "$line" -a ! -z "$cert" ]; then
    echo "$cert" |
      openssl x509 -noout -subject -issuer -dates |
      sed -e 's/^/;; /'
    echo ";;"
    genrr <(echo "$cert") "$hostport" $usage 0 1
    genrr <(echo "$cert") "$hostport" $usage 1 1
    genrr <(echo "$cert") "$hostport" $usage 0 2
    genrr <(echo "$cert") "$hostport" $usage 1 2
    echo
    cert=""
    usage=2
  fi
done
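A stdlib-only Python re-implementation of what tlsagen computes, added here as an example rather than code from the thread: it locates the SubjectPublicKeyInfo in a DER certificate with a minimal ASN.1 walk (selector 1), applies the matching type, formats the RR the way tlsagen does, and also checks a certificate against a published record. The certificate it runs on is a constructed Certificate-shaped DER with placeholder key bits, not a real certificate, so its digests mean nothing outside the test.

```python
# DER helpers written for this example (not from tlsagen/chaingen); stdlib only.
import hashlib
def der_tlv(tag, body):
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def der_read(buf, off=0):
    """Return (tag, value, offset_after_tlv) for the element starting at buf[off]."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def spki_from_cert(der):
    """Selector 1: locate subjectPublicKeyInfo inside tbsCertificate (RFC 5280 field order)."""
    _, cert_body, _ = der_read(der)     # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = der_read(cert_body)     # tbsCertificate ::= SEQUENCE { ... }
    off = 0
    if tbs[0] == 0xA0:                  # optional [0] EXPLICIT version
        _, _, off = der_read(tbs, off)
    for _ in range(5):                  # serialNumber, signature, issuer, validity, subject
        _, _, off = der_read(tbs, off)
    _, _, end = der_read(tbs, off)      # subjectPublicKeyInfo: keep its complete TLV
    return tbs[off:end]

def tlsa_rdata(cert_der, selector, mtype):
    """Certificate association data as lowercase hex, as tlsagen prints it."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype]   # KeyError on unknown mtype
    return digest(data).hex()

def tlsa_record(cert_der, host, usage, selector, mtype, port=25):
    return "_%d._tcp.%s. IN TLSA %d %d %d %s" % (
        port, host, usage, selector, mtype, tlsa_rdata(cert_der, selector, mtype))

def tlsa_matches(cert_der, record):
    """Check a presented certificate against a published record (what a DANE verifier does)."""
    _usage, selector, mtype, assoc = record.split()[-4:]
    return tlsa_rdata(cert_der, int(selector), int(mtype)) == assoc.lower()

def constructed_cert():
    """Constructed, minimal Certificate-shaped DER with placeholder key bits; not a real cert."""
    seq = lambda *parts: der_tlv(0x30, b"".join(parts))
    rsa_oid = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption
    spki = seq(seq(rsa_oid, der_tlv(0x05, b"")), der_tlv(0x03, b"\x00" + bytes(range(64))))
    tbs = seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, b"\x01"),
              seq(rsa_oid), seq(), seq(), seq(), spki)
    return seq(tbs, seq(rsa_oid), der_tlv(0x03, b"\x00")), spki
```

Run on a real certificate, comparing tlsa_rdata(cert, 0, 0) with tlsa_rdata(cert, 0, 1) makes Viktor's point concrete: the full DER is thousands of hex characters, the SHA2-256 form is 64.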


Re: howto generate TLSA 0 0 0

2016-09-16 Thread Carsten Strotmann (sys4)
Hi Andreas,

On 16/09/2016 13:36 PM, Andreas Schulze wrote:
> Hello,
> 
> I would like to publish a PKIX-TA, which means I publish a whole certificate, the 
> whole blob...
> 
> I found https://www.huque.com/bin/gen_tlsa but some commandline voodoo using 
> openssl or ldns-dane would be cool.
> Any suggestions?

Viktor has posted his "tlsagen" script here on the list, that works fine
(I've used it to generate a 0 0 0 for testing purposes last week).

-- CS





howto generate TLSA 0 0 0

2016-09-16 Thread Andreas Schulze
Hello,

I would like to publish a PKIX-TA, which means I publish a whole certificate, the 
whole blob...

I found https://www.huque.com/bin/gen_tlsa but some commandline voodoo using 
openssl or ldns-dane would be cool.
Any suggestions?


Thanks & nice weekend
Andreas

-- 
A. Schulze
DATEV eG