Because nobody has this documented it seems:

If you want to generate TLSA records in Python in a script (possibly because you use Python-based tooling like fabric or ansible) and want to do that using the well-known modern pyca/cryptography library, nowhere on the internet is this documented.

Here's a very small fragment that shows how to do the full cert hash, and the limited public-key only one.

import hashlib
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

with file(', 'cert.pem'), 'r') as f:
    mx_pem_certbytes = f.read()
mx_cert = x509.load_pem_x509_certificate(mx_pem_certbytes, default_backend())

mx_pubkey = mx_cert.public_key()
mx_pubkey_bytes = mx_pubkey.public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
digest = hashlib.sha256(mx_pubkey_bytes).hexdigest()
print('_25._tcp.example.com TLSA 3 0 1 {digest}'.format(digest=digest))

mx_der_certbytes = mx_cert.public_bytes(Encoding.DER)
digest2 = hashlib.sha256(mx_der_certbytes).hexdigest()
print('_25._tcp.example.com TLSA 3 1 1 {digest}'.format(digest=digest2))

Next step then is to use something like dns-lexicon to actually provision your DNS provider.

Good luck automating all the things.


Published

Category

tricks

Tags