Adding utility methods & docs to TlsaRecordType

src/daneupdate/utils/config_types/common.py

@@ -27,9 +27,35 @@ class TlsaUsage(_TlsaRecordBase):
     https://www.rfc-editor.org/rfc/rfc7672.html#section-3.1.3
     """
 
+    # A value of 0 is for what is commonly called CA constraint
+    # (and PKIX-TA). The certificate provided when establishing TLS must
+    # be issued by the listed root-CA or one of its intermediate CAs,
+    # with a valid certification path to a root-CA already trusted by
+    # the application doing the verification. The record may just point
+    # to an intermediate CA, in which case the certificate for this
+    # service must come via this CA, but the entire chain to a trusted
+    # root-CA must still be valid.
     PKIX_TA = 0
+
+    # A value of 1 is for what is commonly called service certificate
+    # constraint (and PKIX-EE). The certificate used must match the TLSA
+    # record, and it must also pass PKIX certification path validation
+    # to a trusted root-CA.
     PKIX_EE = 1
+
+    # A value of 2 is for what is commonly called trust anchor assertion
+    # (and DANE-TA). The TLSA record matches the certificate of the root
+    # CA, or one of the intermediate CAs, of the certificate in use by
+    # the service. The certification path must be valid up to the
+    # matching certificate, but there is no need for a trusted root-CA.
     DANE_TA = 2
+
+    # A value of 3 is for what is commonly called domain issued
+    # certificate (and DANE-EE). The TLSA record matches the used
+    # certificate itself. The used certificate does not need to be
+    # signed by other parties. This is useful for self-signed
+    # certificates, but also for cases where the validator does not have
+    # a list of trusted root certificates.
     DANE_EE = 3
 
 
@@ -39,7 +65,12 @@ class TlsaSelector(_TlsaRecordBase):
     https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
     """
 
+    # A value of 0 means to select the entire certificate for matching.
     ENTIRE = 0
+
+    # A value of 1 means to select just the public key for certificate
+    # matching. Matching the public key is often sufficient, as this is
+    # likely to be unique.
     PUBLICKEY = 1
 
 
@@ -49,8 +80,14 @@ class TlsaMatchingType(_TlsaRecordBase):
     https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
     """
 
+    # A type of 0 means the entire information selected is present in
+    # the certificate association data.
     ENTIRE = 0
+
+    # A type of 1 means to do a SHA-256 hash of the selected data.
     SHA256 = 1
+
+    # A type of 2 means to do a SHA-512 hash of the selected data.
     SHA512 = 2
 
 

src/daneupdate/utils/tlsa/record_type.py

@@ -1,12 +1,37 @@
+from __future__ import annotations
+
 from dataclasses import dataclass
 
+from dns.rdtypes.ANY.TLSA import TLSA
+
 from ..config_types.common import TlsaMatchingType, TlsaSelector, TlsaUsage
 
 
 @dataclass
 class TlsaRecordType(object):
-    'A generated TLSA record type.'
+    """
+    A generated TLSA record type. See:
+    https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
+    """
     usage: TlsaUsage
     selector: TlsaSelector
     matching_type: TlsaMatchingType
-    hexvalue: str
+    cert: bytes
+
+    @staticmethod
+    def from_rdtype(item: TLSA):
+        return TlsaRecordType(
+            usage=TlsaUsage(value=item.usage),
+            selector=TlsaSelector(value=item.selector),
+            matching_type=TlsaMatchingType(value=item.mtype), cert=item.cert)
+
+    def __eq__(self, other: object) -> bool:
+        if isinstance(other, TlsaRecordType):
+            return self.usage == other.usage \
+                and self.selector == other.selector \
+                and self.matching_type == other.matching_type \
+                and self.cert == other.cert
+        return False
+
+    def __hash__(self) -> int:
+        return hash((self.usage, self.selector, self.matching_type, self.cert))