On Mon, Dec 09, 2013 at 12:09:44PM +1100, Mark Andrews wrote:
> > I am not fundamentally opposed to human-readable TLSA RRs:
> >
> > ; _25._tcp.mx.example.com. IN TLSA 3 1 2
> > _25._tcp.mx.example.com. IN TLSA TRUSTED-LEAF PUBLIC-KEY SHA2-512
> > {blob}
>
> If anything other than numeric values appear in the records you
> will break existing TLSA record parsers. Names are useful when
> describing things. ...
Thanks, finally I said something wrong enough to elicit a follow-up!
:-) Yes, tools that emit records in canonical form should use
numbers. Users may elect to enter mnemonic forms when supported
by the target application.
Now that you're here, any suggestions for good names, or thoughts
on what to do with the draft?
> TLSA, like DNSKEY, will need tools to take certs etc. and generate
> TLSA records. Those tools can use names but they emit records in
> numeric form.
A humble example below.
--
Viktor.
#! /bin/sh
# Emit a TLSA RR for a PEM certificate.  Mnemonic names are accepted as
# input, but the record itself is always emitted in numeric form, which is
# what existing TLSA parsers expect.

error() { echo "$1" 1>&2; exit 1; }
usage() { error "Usage: $0 cert.pem host[:port] usage selector mtype"; }
lower() { echo "$1" | tr '[A-Z]' '[a-z]'; }

# Selector 0: the full certificate; selector 1: its SubjectPublicKeyInfo.
# Both are produced as DER, the form the TLSA data is computed over.
extract() {
    case "$2" in
    0) openssl x509 -in "$1" -outform DER;;
    1) openssl x509 -in "$1" -noout -pubkey |
       openssl pkey -pubin -outform DER;;
    esac
}

# Matching type 0: the full DER object; 1: its SHA2-256; 2: its SHA2-512.
digest() {
    case "$1" in
    0) cat;;
    1) openssl dgst -sha256 -binary;;
    2) openssl dgst -sha512 -binary;;
    esac
}

# Hex-encode stdin and print the record; the port defaults to 443.
encode() {
    perl -e '
        ($hostport, $u, $s, $m) = @ARGV;
        ($host, $port) = split(":", $hostport); $port ||= 443;
        $/ = undef;
        ($a = <STDIN>) =~ s/(.)/sprintf("%02X", ord($1))/egs;
        printf "_%d._tcp.%s. IN TLSA %d %d %d %s\n",
            $port, $host, $u, $s, $m, $a;
    ' "$@"
}

if [ $# -ne 5 ]; then usage; fi
cert=$1; hostport=$2

# Validate the three parameters up front (an error inside the pipeline would
# only exit its own subshell) and map mnemonics to their numeric values, so
# that the numbers, not the names, reach the record.
case "$(lower "$3")" in
0|pkix-ca|pkix-ta|valid-ca) u=0;;
1|pkix-ee|valid-leaf) u=1;;
2|dane-ta|trusted-ca) u=2;;
3|dane-ee|trusted-leaf) u=3;;
*) error "Invalid certificate usage: $3";;
esac
case "$(lower "$4")" in
0|cert*) s=0;;
1|spki|public*) s=1;;
*) error "Invalid selector: $4";;
esac
case "$(lower "$5")" in
0|full*) m=0;;
1|sha2-256|sha256|sha-256) m=1;;
2|sha2-512|sha512|sha-512) m=2;;
*) error "Invalid matching type: $5";;
esac

extract "$cert" "$s" | digest "$m" | encode "$hostport" "$u" "$s" "$m"
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
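The consumer side of the point Mark and Viktor are making, as an added example that is not part of the original post or of Viktor's script: a small Python parser that accepts a TLSA RR in either numeric form or the mnemonic form floated in the thread, validates the fields (including that the association data length agrees with the matching type), re-emits the record in canonical numeric form, and checks a DER object against it. The mnemonic names are the ones used in the thread and in the script above; they are assumptions for illustration, not standard TLSA presentation syntax. The DER bytes are a constructed stand-in, not a real SubjectPublicKeyInfo, and TTL/class variants of the presentation format are not handled.

```python
import hashlib
import re

# Mnemonics seen in the thread, mapped to the numeric values of RFC 6698.
# These names are an assumption for this example, not standard syntax.
USAGES = {"pkix-ta": 0, "pkix-ca": 0, "valid-ca": 0,
          "pkix-ee": 1, "valid-leaf": 1,
          "dane-ta": 2, "trusted-ca": 2,
          "dane-ee": 3, "trusted-leaf": 3}
SELECTORS = {"cert": 0, "spki": 1, "public-key": 1}
MTYPES = {"full": 0, "sha2-256": 1, "sha256": 1, "sha-256": 1,
          "sha2-512": 2, "sha512": 2, "sha-512": 2}
# Required association-data length per matching type (None = any length).
MTYPE_LEN = {0: None, 1: 32, 2: 64}


def _field(value, names, maxval, what):
    """Accept a decimal number or a known mnemonic; return the numeric value."""
    v = value.lower()
    if v in names:
        return names[v]
    if v.isdigit() and int(v) <= maxval:
        return int(v)
    raise ValueError("invalid %s: %r" % (what, value))


def parse_tlsa(rr):
    """Parse '<owner> IN TLSA <usage> <selector> <mtype> <hex...>'.

    Returns (owner, usage, selector, mtype, data).  Whitespace inside the
    hex blob is permitted, as in the RFC 6698 presentation format."""
    parts = rr.split()
    if len(parts) < 7 or parts[1].upper() != "IN" or parts[2].upper() != "TLSA":
        raise ValueError("not a TLSA RR: %r" % rr)
    owner = parts[0]
    usage = _field(parts[3], USAGES, 3, "certificate usage")
    sel = _field(parts[4], SELECTORS, 1, "selector")
    mtype = _field(parts[5], MTYPES, 2, "matching type")
    hexdata = "".join(parts[6:])
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexdata) or len(hexdata) % 2:
        raise ValueError("association data is not a hex string")
    data = bytes.fromhex(hexdata)
    want = MTYPE_LEN[mtype]
    if want is not None and len(data) != want:
        raise ValueError("matching type %d needs %d bytes, got %d"
                         % (mtype, want, len(data)))
    return owner, usage, sel, mtype, data


def canonical(rr):
    """Re-emit the record with numeric fields and upper-case hex: the form
    a tool should publish, whatever form the operator typed."""
    owner, usage, sel, mtype, data = parse_tlsa(rr)
    return "%s IN TLSA %d %d %d %s" % (owner, usage, sel, mtype,
                                        data.hex().upper())


def association_data(der, mtype):
    """The value a verifier compares against: the raw DER object or its digest."""
    if mtype == 0:
        return der
    if mtype == 1:
        return hashlib.sha256(der).digest()
    if mtype == 2:
        return hashlib.sha512(der).digest()
    raise ValueError("unknown matching type %d" % mtype)


def matches(rr, der):
    """True if the DER object (cert or SPKI, per the selector) matches the RR."""
    _, _, _, mtype, data = parse_tlsa(rr)
    return association_data(der, mtype) == data


# Constructed stand-in for a DER SubjectPublicKeyInfo (not a real key); a
# real tool would obtain it from openssl as Viktor's script does.
SAMPLE_SPKI = b"\x30\x2a" + bytes(range(42))


def demo():
    """Round-trip the thread's mnemonic record into numeric form and verify it."""
    h = hashlib.sha512(SAMPLE_SPKI).hexdigest().upper()
    mnemonic = ("_25._tcp.mx.example.com. IN TLSA "
                "TRUSTED-LEAF PUBLIC-KEY SHA2-512 " + h)
    numeric = canonical(mnemonic)
    return numeric, matches(numeric, SAMPLE_SPKI), matches(numeric, SAMPLE_SPKI + b"x")


if __name__ == "__main__":
    print(demo())
```

The length check is the one worth keeping even if the mnemonics never materialise: a record whose data is not 32 or 64 bytes for matching types 1 or 2 can never match anything, and rejecting it at parse time turns a silent verification failure into a zone-file error.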