On Sun, Dec 15, 2013 at 09:18:12PM +0100, Patrick Ben Koetter wrote: > tlsagen mail.state-of-mind.de.pem mail.state-of-mind.de DANE-EE CERT SHA2-256 > _25._tcp.mail.state-of-mind.de. IN TLSA 0 0 1 > 4CCFD929E7C2646022AD1A80F66B29C2F37C14D95245C0624490B90074A014A7 > > Hmmm, looking at this, DANE-EE seems to be the right option for specifying usage > '3'. Could it be there's something wrong with your script?
Yes, I broke it when adding support for named usages: one of the shell variable renames accidentally bled into the in-line Perl. Fixed version attached. -- Viktor.
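#! /bin/sh
#
# tlsagen - print a DANE TLSA resource record for an X.509 certificate.
#
# Usage: tlsagen cert.pem host[:port] usage selector mtype
#   usage:    0|pkix-ta|pkix-ca  1|pkix-ee  2|dane-ta|dane-ca  3|dane-ee
#   selector: 0|cert  1|spki|pkey
#   mtype:    0|full  1|sha2-256|sha256|sha-256  2|sha2-512|sha512|sha-512
# Keywords are matched case-insensitively; the port defaults to 25.
# Requires openssl and perl on PATH. Plain sh has no pipefail, so the
# encoder refuses empty input rather than publishing a record that carries
# the digest of nothing when an upstream openssl step fails.

# Print a message to stderr and exit with status 1.
# Arguments: $1 - message
error() {
  printf '%s\n' "$1" 1>&2
  exit 1
}

# Print the usage line and exit with status 1.
usage() {
  error "Usage: $0 cert.pem host[:port] usage selector mtype"
}

# Lower-case a string for case-insensitive keyword matching.
# Arguments: $1 - string
# Outputs:   lower-cased string on stdout
lower() {
  printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# Emit, in DER form, the part of the certificate chosen by the selector.
# Arguments: $1 - certificate file (PEM)
#            $4 - selector: 0 = full certificate, 1 = SubjectPublicKeyInfo
# Outputs:   DER bytes on stdout
extract() {
  case "$4" in
    0) openssl x509 -in "$1" -outform DER;;
    1) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER;;
  esac
}

# Apply the matching type to stdin.
# Arguments: $5 - mtype: 0 = pass through, 1 = SHA-256, 2 = SHA-512
# Outputs:   raw (binary) association data on stdout
digest() {
  case "$5" in
    0) cat;;
    1) openssl dgst -sha256 -binary;;
    2) openssl dgst -sha512 -binary;;
  esac
}

# Hex-encode stdin and print the TLSA record.
# Arguments: $1 cert  $2 host[:port]  $3 usage  $4 selector  $5 mtype
#            (numeric usage/selector/mtype; the cert path is unused here)
# Outputs:   one "_port._tcp.host. IN TLSA u s m HEX" line on stdout
# Returns:   non-zero (perl die) when no input data was received
encode() {
  perl -e '
    ($cert, $hostport, $u, $s, $m) = @ARGV;
    ($host, $port) = split(":", $hostport);
    $port ||= 25;
    $/ = undef;
    $data = <STDIN>;
    # An empty stream means openssl failed upstream; do not emit a record.
    die "tlsagen: no certificate data to encode (openssl failed?)\n"
      unless defined($data) && length($data) > 0;
    $data =~ s/(.)/sprintf("%02X", ord($1))/egs;
    printf "_%d._tcp.%s. IN TLSA %d %d %d %s\n",
      $port, $host, $u, $s, $m, $data;
  ' "$@"
}

# Validate arguments, normalise keywords to their numeric values and run the
# extract | digest | encode pipeline.
main() {
  if [ $# -ne 5 ]; then
    usage
  fi

  cert=$1
  # Fail early on an unreadable path; openssl would otherwise fail mid-pipeline.
  [ -r "$cert" ] || error "Cannot read certificate file: $cert"

  case "$(lower "$3")" in
    0|pkix-[ct]a) cert_usage=0;;
    1|pkix-ee) cert_usage=1;;
    2|dane-[ct]a) cert_usage=2;;
    3|dane-ee) cert_usage=3;;
    *) error "Invalid certificate usage: $3";;
  esac

  case "$(lower "$4")" in
    0|cert) selector=0;;
    1|spki|pkey) selector=1;;
    *) error "Invalid selector: $4";;
  esac

  case "$(lower "$5")" in
    0|full) mtype=0;;
    1|sha2-256|sha256|sha-256) mtype=1;;
    2|sha2-512|sha512|sha-512) mtype=2;;
    *) error "Invalid matching type: $5";;
  esac

  # Re-seat the positional parameters with numeric codes so each stage can
  # read the same $1..$5.
  set -- "$cert" "$2" "$cert_usage" "$selector" "$mtype"
  extract "$@" | digest "$@" | encode "$@"
}

main "$@"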