Adding utility methods & docs to TlsaRecordType
This commit is contained in:
parent
8e6a0523fc
commit
4fe359a3c1
@ -27,9 +27,35 @@ class TlsaUsage(_TlsaRecordBase):
|
|||
https://www.rfc-editor.org/rfc/rfc7672.html#section-3.1.3
|
||||
"""
|
||||
|
||||
# A value of 0 is for what is commonly called CA constraint
|
||||
# (and PKIX-TA). The certificate provided when establishing TLS must
|
||||
# be issued by the listed root-CA or one of its intermediate CAs,
|
||||
# with a valid certification path to a root-CA already trusted by
|
||||
# the application doing the verification. The record may just point
|
||||
# to an intermediate CA, in which case the certificate for this
|
||||
# service must come via this CA, but the entire chain to a trusted
|
||||
# root-CA must still be valid.
|
||||
PKIX_TA = 0
|
||||
|
||||
# A value of 1 is for what is commonly called service certificate
|
||||
# constraint (and PKIX-EE). The certificate used must match the TLSA
|
||||
# record, and it must also pass PKIX certification path validation
|
||||
# to a trusted root-CA.
|
||||
PKIX_EE = 1
|
||||
|
||||
# A value of 2 is for what is commonly called trust anchor assertion
|
||||
# (and DANE-TA). The TLSA record matches the certificate of the root
|
||||
# CA, or one of the intermediate CAs, of the certificate in use by
|
||||
# the service. The certification path must be valid up to the
|
||||
# matching certificate, but there is no need for a trusted root-CA.
|
||||
DANE_TA = 2
|
||||
|
||||
# A value of 3 is for what is commonly called domain issued
|
||||
# certificate (and DANE-EE). The TLSA record matches the used
|
||||
# certificate itself. The used certificate does not need to be
|
||||
# signed by other parties. This is useful for self-signed
|
||||
# certificates, but also for cases where the validator does not have
|
||||
# a list of trusted root certificates.
|
||||
DANE_EE = 3
|
||||
|
||||
|
||||
|
@ -39,7 +65,12 @@ class TlsaSelector(_TlsaRecordBase):
|
|||
https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
|
||||
"""
|
||||
|
||||
# A value of 0 means to select the entire certificate for matching.
|
||||
ENTIRE = 0
|
||||
|
||||
# A value of 1 means to select just the public key for certificate
|
||||
# matching. Matching the public key is often sufficient, as this is
|
||||
# likely to be unique.
|
||||
PUBLICKEY = 1
|
||||
|
||||
|
||||
|
@ -49,8 +80,14 @@ class TlsaMatchingType(_TlsaRecordBase):
|
|||
https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
|
||||
"""
|
||||
|
||||
# A type of 0 means the entire information selected is present in
|
||||
# the certificate association data.
|
||||
ENTIRE = 0
|
||||
|
||||
# A type of 1 means to do a SHA-256 hash of the selected data.
|
||||
SHA256 = 1
|
||||
|
||||
# A type of 2 means to do a SHA-512 hash of the selected data.
|
||||
SHA512 = 2
|
||||
|
||||
|
||||
|
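Review bot: The new PKIX_TA/PKIX_EE comments leave out the operational caveat from the very section the TlsaUsage docstring cites (RFC 7672 §3.1.3): for SMTP DANE there is no shared root store between MTAs, so usages 0 and 1 should not be published and a client may treat such records as unusable. Suggest a line above `PKIX_TA = 0` such as `# RFC 7672 §3.1.3: for SMTP these PKIX usages SHOULD NOT be published; DANE SMTP clients may treat them as unusable (no common MTA root store).` The DANE_EE comment should also say what the record replaces rather than only that no third-party signature is needed: under DANE-EE(3) the peer's name and the certificate's expiry are not checked (RFC 7672 §3.1.1 / RFC 7671 §5.1), so the TLSA record is the sole identity and lifetime control, which matters for anyone rotating keys. If these enums are used beyond SMTP, phrase both notes as SMTP-specific. The `class` headers of TlsaUsage, TlsaSelector and TlsaMatchingType lie outside the hunks, so any class-level docstring change is not visible here.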
@ -1,12 +1,37 @@
|
|||
from __future__ import annotations
|
||||
|
||||
from dataclasses import dataclass
|
||||
|
||||
from dns.rdtypes.ANY.TLSA import TLSA
|
||||
|
||||
from ..config_types.common import TlsaMatchingType, TlsaSelector, TlsaUsage
|
||||
|
||||
|
||||
@dataclass
|
||||
class TlsaRecordType(object):
|
||||
'A generated TLSA record type.'
|
||||
"""
|
||||
A generated TLSA record type. See:
|
||||
https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
|
||||
"""
|
||||
usage: TlsaUsage
|
||||
selector: TlsaSelector
|
||||
matching_type: TlsaMatchingType
|
||||
hexvalue: str
|
||||
cert: bytes
|
||||
|
||||
@staticmethod
|
||||
def from_rdtype(item: TLSA):
|
||||
return TlsaRecordType(
|
||||
usage=TlsaUsage(value=item.usage),
|
||||
selector=TlsaSelector(value=item.selector),
|
||||
matching_type=TlsaMatchingType(value=item.mtype), cert=item.cert)
|
||||
|
||||
def __eq__(self, other: object) -> bool:
|
||||
if isinstance(other, TlsaRecordType):
|
||||
return self.usage == other.usage \
|
||||
and self.selector == other.selector \
|
||||
and self.matching_type == other.matching_type \
|
||||
and self.cert == other.cert
|
||||
return False
|
||||
|
||||
def __hash__(self) -> int:
|
||||
return hash((self.usage, self.selector, self.matching_type, self.cert))
|
||||
|
|
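Review bot: `__hash__` is defined on a mutable `@dataclass`, so an instance placed in a set or used as a dict key silently changes hash when any of usage/selector/matching_type/cert is reassigned, and the hand-written `__eq__`/`__hash__` must be kept in sync by hand. Since the class is a value object, `@dataclass(frozen=True)` gives an immutable instance with generated `__eq__` and `__hash__` over the declared fields and both dunders can be dropped; if a field is meant to be excluded from comparison, mark it `field(compare=False)` instead of omitting it in the dunders. `from_rdtype` should be a `@classmethod` returning `cls(...)` with a `-> TlsaRecordType` annotation (the file already has `from __future__ import annotations`), and it needs a docstring saying it wraps a dnspython TLSA rdata. Note in the `cert: bytes` comment that this is the TLSA certificate association data — the full certificate, the SPKI, or a SHA-256/SHA-512 digest of it depending on selector and matching type — not necessarily a certificate; and if `_TlsaRecordBase` (not visible here) does not validate, consider that unassigned usage/selector/matching-type values coming from DNS should be treated as unusable records rather than accepted or raised on.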