Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]

Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 09 December 2013 01:32 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1B7D1AE19B for <dane@ietfa.amsl.com>; Sun, 8 Dec 2013 17:32:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h_afvHWp_bm5 for <dane@ietfa.amsl.com>; Sun, 8 Dec 2013 17:32:27 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id D14C21AE198 for <dane@ietf.org>; Sun, 8 Dec 2013 17:32:26 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id B91C22AABD1; Mon, 9 Dec 2013 01:32:21 +0000 (UTC)
Date: Mon, 9 Dec 2013 01:32:21 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131209013221.GV761@mournblade.imrryr.org>
References: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net> <20131205175314.GH761@mournblade.imrryr.org> <E78C07CA-B742-43B2-8848-33DEB22A8014@kumari.net> <201312080234.rB82YeoW029387@new.toad.com> <20131208235315.GU761@mournblade.imrryr.org> <20131209010945.5AA2FB5C445@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20131209010945.5AA2FB5C445@rock.dv.isc.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2013 01:32:29 -0000

On Mon, Dec 09, 2013 at 12:09:44PM +1100, Mark Andrews wrote:

> > I am not fundamentally opposed to human-readable TLSA RRs:
> > 
> >     ; _25._tcp.mx.example.com. IN TLSA 3 1 2
> >     _25._tcp.mx.example.com. IN TLSA TRUSTED-LEAF PUBLIC-KEY SHA2-512 {blob}[
> 
> If anything other than numeric values appear in the records you
> will break existing TLSA record parsers.  Names are useful when
> describing things.  ...

Thanks, finally I said something wrong enough, to elicit a follow-up!
:-) Yes, tools that emit records in canonical form should use
numbers.  Users may elect to enter mnemonic forms when supported
by the target application.

Now that you're here, any suggestions for good names, or thoughts
on what to do with the draft?

> TLSA, like DNSKEY, will need tools to take certs etc. and generate
> TLSA records.  Those tools can use names but they emit records in
> numeric form.

A humble example below.

-- 
	Viktor.

#! /bin/sh

extract() {
  case "$(echo $4 | tr '[A-Z]' '[a-z]')" in
  0|cert*)
	openssl x509 -in "$1" -outform DER;;
  1|spki|public*)
	openssl x509 -in "$1" -noout -pubkey |
	    openssl pkey -pubin -outform DER;;
  *) error "Invalid selector: $4";;
  esac
}
digest() {
  case "$(echo $5 | tr '[A-Z]' '[a-z]')" in
  0|full*) cat;;
  1|sha2-256|sha256|sha-256) openssl dgst -sha256 -binary;;
  2|sha2-512|sha512|sha-512) openssl dgst -sha512 -binary;;
  *) error "Invalid matching type: $5";;
  esac
}
encode() {
  perl -e '
    ($cert, $hostport, $u, $s, $m) = @ARGV;
    ($host, $port) = split(":", $hostport); $port ||= 443;
    $/=undef;
    ($a=<STDIN>) =~ s/(.)/sprintf("%02X", ord($1))/egs;
    printf "_%d._tcp.%s. IN TLSA %d %d %d %s\n",
	  $port, $host, $u, $s, $m, $a;
  ' "$@"
}

error() { echo "$1" 1>&2; exit 1; }
usage() { error "Usage: $0 cert.pem host[:port] usage selector mtype"; }
if [ $# -ne 5 ]; then usage; fi

case "$(echo $3 | tr '[A-Z]' '[a-z]')" in
0|PKIX-CA|PKIX-TA|VALID-CA)	usage=0;;
1|PKIX-EE|VALID-LEAF)		usage=1;;
2|DANE-TA|TRUSTED-CA)		usage=2;;
3|DANE-EE|TRUSTED-LEAF)		usage=3;;
*) error "Invalid certificate usage: $3";;
esac

extract "$@" | digest "$@" | encode "$@"