[rt-commit] r171 - in /redwax-tool/trunk: ChangeLog Makefile.am config.h.in configure.ac redwax-tool.c redwax-tool.h redwax-tool.spec.in redwax_ldns.c redwax_ldns.h redwax_openssl.c redwax_unbound.c redwax_unbound.h
rt-commit at redwax.eu
rt-commit at redwax.eu
Sat Feb 10 21:54:46 CET 2024
Author: minfrin at redwax.eu
Date: Sat Feb 10 21:54:44 2024
New Revision: 171
Log:
Add calculation of TLSA records to metadata-out.
Add optional modules for ldns and unbound libraries.
Added:
redwax-tool/trunk/redwax_ldns.c
redwax-tool/trunk/redwax_ldns.h
redwax-tool/trunk/redwax_unbound.c
redwax-tool/trunk/redwax_unbound.h
Modified:
redwax-tool/trunk/ChangeLog
redwax-tool/trunk/Makefile.am
redwax-tool/trunk/config.h.in
redwax-tool/trunk/configure.ac
redwax-tool/trunk/redwax-tool.c
redwax-tool/trunk/redwax-tool.h
redwax-tool/trunk/redwax-tool.spec.in
redwax-tool/trunk/redwax_openssl.c
Modified: redwax-tool/trunk/ChangeLog
==============================================================================
--- redwax-tool/trunk/ChangeLog (original)
+++ redwax-tool/trunk/ChangeLog Sat Feb 10 21:54:44 2024
@@ -1,6 +1,11 @@
Changes with v0.9.5
+ *) Add calculation of TLSA records to metadata-out.
+ [Graham Leggett]
+
+ *) Add optional modules for ldns and unbound libraries.
+ [Graham Leggett]
Changes with v0.9.4
Modified: redwax-tool/trunk/Makefile.am
==============================================================================
--- redwax-tool/trunk/Makefile.am (original)
+++ redwax-tool/trunk/Makefile.am Sat Feb 10 21:54:44 2024
@@ -8,7 +8,7 @@
endif
bin_PROGRAMS = redwax-tool
-redwax_tool_SOURCES = redwax-tool.c redwax-tool.h redwax_openssl.c redwax_openssl.h redwax_nss.c redwax_nss.h redwax_p11kit.c redwax_p11kit.h redwax_libical.c redwax_libical.h redwax_keychain.c redwax_keychain.h redwax_util.c redwax_util.h
+redwax_tool_SOURCES = redwax-tool.c redwax-tool.h redwax_openssl.c redwax_openssl.h redwax_nss.c redwax_nss.h redwax_p11kit.c redwax_p11kit.h redwax_libical.c redwax_libical.h redwax_keychain.c redwax_keychain.h redwax_ldns.c redwax_ldns.h redwax_unbound.c redwax_unbound.h redwax_util.c redwax_util.h
EXTRA_DIST = redwax-tool.spec
dist_man_MANS = redwax-tool.1
Modified: redwax-tool/trunk/config.h.in
==============================================================================
--- redwax-tool/trunk/config.h.in (original)
+++ redwax-tool/trunk/config.h.in Sat Feb 10 21:54:44 2024
@@ -23,6 +23,9 @@
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
+
+/* Define to 1 if you have the <ldns/ldns.h> header file. */
+#undef HAVE_LDNS_LDNS_H
/* Define to 1 if you have the <libgen.h> header file. */
#undef HAVE_LIBGEN_H
@@ -136,6 +139,9 @@
/* Define to 1 if you have the <sys/types.h> header file. */
#undef HAVE_SYS_TYPES_H
+
+/* Define to 1 if you have the <unbound.h> header file. */
+#undef HAVE_UNBOUND_H
/* Define to 1 if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H
Modified: redwax-tool/trunk/configure.ac
==============================================================================
--- redwax-tool/trunk/configure.ac (original)
+++ redwax-tool/trunk/configure.ac Sat Feb 10 21:54:44 2024
@@ -83,6 +83,36 @@
fi
])
+AC_ARG_WITH(ldns,[ --with-ldns use ldns library],
+ [
+ if test "$with_ldns" != "no"; then
+ PKG_CHECK_MODULES(ldns, ldns >= 1.7.0)
+
+ CFLAGS="$CFLAGS $ldns_CFLAGS"
+ CPPFLAGS="$CPPFLAGS $ldns_CPPFLAGS"
+ LDFLAGS="$LDFLAGS $ldns_LDFLAGS"
+ LIBS="$LIBS $ldns_LIBS"
+
+ AC_CHECK_HEADERS([ldns/ldns.h])
+
+ fi
+ ])
+
+AC_ARG_WITH(unbound,[ --with-unbound use unbound library],
+ [
+ if test "$with_unbound" != "no"; then
+ PKG_CHECK_MODULES(libunbound, libunbound >= 1.16)
+
+ CFLAGS="$CFLAGS $libunbound_CFLAGS"
+ CPPFLAGS="$CPPFLAGS $libunbound_CPPFLAGS"
+ LDFLAGS="$LDFLAGS $libunbound_LDFLAGS"
+ LIBS="$LIBS $libunbound_LIBS"
+
+ AC_CHECK_HEADERS([unbound.h])
+
+ fi
+ ])
+
AC_ARG_WITH([bash-completion-dir],
AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
[Install the bash auto-completion script in this directory. @<:@default=yes@:>@]),
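Review bot: `CPPFLAGS="$CPPFLAGS $ldns_CPPFLAGS"` and `LDFLAGS="$LDFLAGS $ldns_LDFLAGS"` append variables that `PKG_CHECK_MODULES` never defines — it sets only `ldns_CFLAGS` and `ldns_LIBS` — so both lines are no-ops and can be dropped, and the same applies to the `libunbound_CPPFLAGS`/`libunbound_LDFLAGS` lines in the unbound block. `AC_CHECK_HEADERS([ldns/ldns.h])` has no action-if-not-found, so when pkg-config succeeds but the header is missing configure still passes and the build silently produces an ldns module with no TLSA support; `AC_CHECK_HEADERS([ldns/ldns.h],,[AC_MSG_ERROR([ldns/ldns.h not found])])` would fail early instead. Because the checks live inside the action-if-given argument of `AC_ARG_WITH`, they never run unless `--with-ldns` (or `--with-unbound`) is explicitly given; that is presumably intended, but the help strings could say so.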
Modified: redwax-tool/trunk/redwax-tool.c
==============================================================================
--- redwax-tool/trunk/redwax-tool.c (original)
+++ redwax-tool/trunk/redwax-tool.c Sat Feb 10 21:54:44 2024
@@ -55,6 +55,8 @@
extern module p11kit_module;
extern module libical_module;
extern module keychain_module;
+extern module ldns_module;
+extern module unbound_module;
module *redwax_modules[] = {
&core_module,
@@ -63,6 +65,8 @@
&p11kit_module,
&libical_module,
&keychain_module,
+ &ldns_module,
+ &unbound_module,
NULL
};
@@ -113,6 +117,7 @@
APR_HOOK_LINK(compare_certificate);
APR_HOOK_LINK(normalise_key);
APR_HOOK_LINK(normalise_certificate);
+ APR_HOOK_LINK(add_dns_metadata);
);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, int, initialise,
@@ -198,6 +203,8 @@
(redwax_tool_t * r, redwax_key_t *key, int index), (r, key, index), DECLINED);
APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(rt, REDWAX, apr_status_t, normalise_certificate,
(redwax_tool_t * r, redwax_certificate_t *cert, int index), (r, cert, index), DECLINED);
+APR_IMPLEMENT_EXTERNAL_HOOK_RUN_ALL(rt, REDWAX, apr_status_t, add_dns_metadata,
+ (redwax_tool_t *r, redwax_metadata_t *m, const redwax_certificate_t *cert), (r, m, cert), OK, DECLINED);
#define REDWAX_TOOL_COMPLINE "COMP_LINE"
#define REDWAX_TOOL_COMMANDLINE "COMMAND_LINE"
Modified: redwax-tool/trunk/redwax-tool.h
==============================================================================
--- redwax-tool/trunk/redwax-tool.h (original)
+++ redwax-tool/trunk/redwax-tool.h Sat Feb 10 21:54:44 2024
@@ -59,6 +59,8 @@
(v ? ((void **)(v))[(m)->module_index] : NULL)
#define redwax_set_module_config(v,m,val) \
((((void **)(v))[(m)->module_index]) = (val))
+
+typedef struct redwax_metadata_t redwax_metadata_t;
typedef struct redwax_filter_t {
int filter_applied;
@@ -768,5 +770,14 @@
APR_DECLARE_EXTERNAL_HOOK(rt, REDWAX, apr_status_t, normalise_certificate,
(redwax_tool_t *r, redwax_certificate_t *cert, int index));
+/**
+ * Hook to add DNS entries to metadata.
+ *
+ * @param r The redwax-tool context.
+ * @param m The metadata tree.
+ * @param cert The certificate.
+ */
+APR_DECLARE_EXTERNAL_HOOK(rt, REDWAX, apr_status_t, add_dns_metadata,
+ (redwax_tool_t *r, redwax_metadata_t *m, const redwax_certificate_t *cert));
#endif
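Review bot: The doc comment on `add_dns_metadata` does not state what a hook should return, which matters here because the implementation in redwax-tool.c is a RUN_ALL hook with OK and DECLINED as the continue values, so any other status stops the remaining hooks. Adding `@return OK or DECLINED to let further hooks run; any other status aborts the remaining hooks.` to the comment block would make that contract explicit to module authors.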
Modified: redwax-tool/trunk/redwax-tool.spec.in
==============================================================================
--- redwax-tool/trunk/redwax-tool.spec.in (original)
+++ redwax-tool/trunk/redwax-tool.spec.in Sat Feb 10 21:54:44 2024
@@ -20,6 +20,8 @@
BuildRequires: pkgconfig(nss)
BuildRequires: pkgconfig(p11-kit-1)
BuildRequires: pkgconfig(libical)
+BuildRequires: pkgconfig(ldns)
+BuildRequires: pkgconfig(libunbound)
%description
The redwax tool allows certificates and keys in a range of formats to
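Review bot: `BuildRequires: pkgconfig(ldns)` and `pkgconfig(libunbound)` make both libraries mandatory for the package build, yet in configure.ac their checks sit inside `AC_ARG_WITH` action-if-given blocks, which only execute when `--with-ldns`/`--with-unbound` is passed on the configure line. Unless the %build section (outside this diff) passes those flags, the packaged binary is built without either module despite the new dependencies; worth confirming.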
@@ -45,6 +47,8 @@
%license COPYING
%changelog
+* Thu Feb 08 2024 Graham Leggett <minfrin at sharp.fm> 0.9.4-1
+- Feature release
* Sun Oct 15 2023 Graham Leggett <minfrin at sharp.fm> 0.9.3-1
- Feature release
* Mon Jan 02 2023 Graham Leggett <minfrin at sharp.fm> 0.9.2-1
Added: redwax-tool/trunk/redwax_ldns.c
==============================================================================
--- redwax-tool/trunk/redwax_ldns.c (added)
+++ redwax-tool/trunk/redwax_ldns.c Sat Feb 10 21:54:44 2024
@@ -0,0 +1,199 @@
+/**
+ * Copyright (C) 2024 Graham Leggett <minfrin at sharp.fm>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+/*
+ * redwax_ldns - DNS handling routines.
+ *
+ */
+
+#include <apr_strings.h>
+
+#include "config.h"
+#include "redwax-tool.h"
+
+#include "redwax_util.h"
+
+#if HAVE_LDNS_LDNS_H
+
+#include <ldns/ldns.h>
+
+module ldns_module;
+
+static apr_status_t redwax_ldns_initialise(redwax_tool_t *r)
+{
+
+ return OK;
+}
+
+static apr_status_t redwax_ldns_tlsa_metadata_data(redwax_tool_t *r,
+ redwax_metadata_t *m, const redwax_certificate_t *cert,
+ ldns_tlsa_selector selector,
+ ldns_tlsa_matching_type matching_type, X509 *x)
+{
+ ldns_rr* tlsa;
+
+ ldns_output_format_storage fmt_storage;
+ ldns_output_format *fmt = ldns_output_format_init(&fmt_storage);
+
+ fmt->flags |= LDNS_FMT_SHORT;
+
+ if (LDNS_STATUS_OK == ldns_dane_create_tlsa_rr(&tlsa,
+ LDNS_TLSA_USAGE_PKIX_EE,
+ selector,
+ matching_type, x)) {
+
+ ldns_buffer* buf = ldns_buffer_new(LDNS_MAX_PACKETLEN);
+ char* str;
+ ldns_status s;
+
+ ldns_buffer_clear(buf);
+
+ if (ldns_rr_rd_count(tlsa) > 3) {
+
+ s = ldns_rdf2buffer_str(buf, ldns_rr_rdf(tlsa, 3));
+
+ if (s != LDNS_STATUS_OK) {
+ redwax_print_error(r, "metadata-out: TLSA: %s\n",
+ ldns_get_errorstr_by_id(s));
+
+ ldns_buffer_free(buf);
+ return APR_EINVAL;
+ }
+
+ }
+
+ str = ldns_buffer_export2str(buf);
+ ldns_buffer_free(buf);
+
+ switch (matching_type) {
+ case LDNS_TLSA_MATCHING_TYPE_FULL:
+
+ redwax_metadata_push_object(m, "Full", 0);
+
+ break;
+ case LDNS_TLSA_MATCHING_TYPE_SHA2_256:
+
+ redwax_metadata_push_object(m, "SHA2-256", 0);
+
+ break;
+ case LDNS_TLSA_MATCHING_TYPE_SHA2_512:
+
+ redwax_metadata_push_object(m, "SHA2-512", 0);
+
+ break;
+ case LDNS_TLSA_MATCHING_TYPE_PRIVMATCH:
+
+ redwax_metadata_push_object(m, "PrivMatch", 0);
+
+ break;
+ }
+
+ if (cert->common.category == REDWAX_CERTIFICATE_END_ENTITY) {
+
+ redwax_metadata_add_string(m, "PKIX-EE", apr_psprintf(r->pool, "%d %d %d", LDNS_TLSA_USAGE_PKIX_EE, selector, matching_type));
+ redwax_metadata_add_string(m, "DANE-EE", apr_psprintf(r->pool, "%d %d %d", LDNS_TLSA_USAGE_DANE_EE, selector, matching_type));
+
+ }
+ else {
+
+ redwax_metadata_add_string(m, "PKIX-TA", apr_psprintf(r->pool, "%d %d %d", LDNS_TLSA_USAGE_PKIX_TA, selector, matching_type));
+ redwax_metadata_add_string(m, "DANE-TA", apr_psprintf(r->pool, "%d %d %d", LDNS_TLSA_USAGE_DANE_TA, selector, matching_type));
+
+ }
+
+ redwax_metadata_add_string(m, "CertificateAssociationData", apr_pstrdup(r->pool, str));
+
+ redwax_metadata_pop_object(m);
+
+ LDNS_FREE(str);
+ }
+ else {
+ return APR_EINVAL;
+ }
+
+ return APR_SUCCESS;
+}
+
+static apr_status_t redwax_ldns_add_tlsa_metadata(redwax_tool_t *r,
+ redwax_metadata_t *m, const redwax_certificate_t *cert)
+{
+ const unsigned char *der = cert->der;
+
+ X509 *x = d2i_X509(NULL, &der, cert->len);
+
+ if (!x) {
+ return APR_EINVAL;
+ }
+
+ redwax_metadata_push_object(m, "TLSA", 0);
+
+ redwax_metadata_push_object(m, "Cert", 0);
+
+ redwax_ldns_tlsa_metadata_data(r, m, cert,
+ LDNS_TLSA_SELECTOR_CERT,
+ LDNS_TLSA_MATCHING_TYPE_FULL, x);
+
+ redwax_ldns_tlsa_metadata_data(r, m, cert,
+ LDNS_TLSA_SELECTOR_CERT,
+ LDNS_TLSA_MATCHING_TYPE_SHA2_256, x);
+
+ redwax_ldns_tlsa_metadata_data(r, m, cert,
+ LDNS_TLSA_SELECTOR_CERT,
+ LDNS_TLSA_MATCHING_TYPE_SHA2_512, x);
+
+ redwax_metadata_pop_object(m);
+
+ redwax_metadata_push_object(m, "SPKI", 0);
+
+ redwax_ldns_tlsa_metadata_data(r, m, cert,
+ LDNS_TLSA_SELECTOR_SPKI,
+ LDNS_TLSA_MATCHING_TYPE_FULL, x);
+
+ redwax_ldns_tlsa_metadata_data(r, m, cert,
+ LDNS_TLSA_SELECTOR_SPKI,
+ LDNS_TLSA_MATCHING_TYPE_SHA2_256, x);
+
+ redwax_ldns_tlsa_metadata_data(r, m, cert,
+ LDNS_TLSA_SELECTOR_SPKI,
+ LDNS_TLSA_MATCHING_TYPE_SHA2_512, x);
+
+ redwax_metadata_pop_object(m);
+
+ redwax_metadata_pop_object(m);
+
+ return OK;
+}
+
+void redwax_add_default_ldns_hooks()
+{
+ rt_hook_initialise(redwax_ldns_initialise, NULL, NULL, APR_HOOK_MIDDLE);
+ rt_hook_add_dns_metadata(redwax_ldns_add_tlsa_metadata, NULL, NULL, APR_HOOK_MIDDLE);
+}
+
+#else
+
+void redwax_add_default_ldns_hooks()
+{
+}
+
+#endif
+
+REDWAX_DECLARE_MODULE(ldns) =
+{
+ STANDARD_MODULE_STUFF,
+ redwax_add_default_ldns_hooks /* register hooks */
+};
Added: redwax-tool/trunk/redwax_ldns.h
==============================================================================
--- redwax-tool/trunk/redwax_ldns.h (added)
+++ redwax-tool/trunk/redwax_ldns.h Sat Feb 10 21:54:44 2024
@@ -0,0 +1,30 @@
+/**
+ * Copyright (C) 2024 Graham Leggett <minfrin at sharp.fm>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+/*
+ * redwax_ldns - DNS handling routines.
+ *
+ */
+
+#ifndef REDWAX_LDNS_H_
+#define REDWAX_LDNS_H_
+
+#include "config.h"
+
+void redwax_add_default_ldns_hooks();
+
+#endif /* REDWAX_LDNS_H_ */
Modified: redwax-tool/trunk/redwax_openssl.c
==============================================================================
--- redwax-tool/trunk/redwax_openssl.c (original)
+++ redwax-tool/trunk/redwax_openssl.c Sat Feb 10 21:54:44 2024
@@ -4638,6 +4638,7 @@
static apr_status_t redwax_openssl_cert_metadata(redwax_tool_t *r,
redwax_metadata_t *m, const redwax_certificate_t *cert)
{
+ X509 *x = NULL;
redwax_metadata_push_object(m, "Certificate", 0);
redwax_metadata_add_string(m, "Origin", cert->origin);
@@ -4657,11 +4658,15 @@
apr_pstrndup(m->pool, cert->token, cert->token_len));
}
+ redwax_metadata_push_object(m, "DNS", 0);
+ rt_run_add_dns_metadata(r, m, cert);
+ redwax_metadata_pop_object(m);
+
if (r->text) {
const unsigned char *der = cert->der;
- X509 *x = d2i_X509(NULL, &der, cert->len);
+ x = d2i_X509(NULL, &der, cert->len);
if (x) {
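Review bot: The status returned by `rt_run_add_dns_metadata(r, m, cert);` is discarded, so a hook that fails (the ldns module returns APR_EINVAL when it cannot parse the DER) leaves no trace in the output and, because the hook is RUN_ALL with OK/DECLINED as continue values, silently suppresses any later DNS module as well. Capturing it, `apr_status_t status = rt_run_add_dns_metadata(r, m, cert);`, and reporting via `redwax_print_error` when it is neither OK nor DECLINED would make that failure visible. The "DNS" object is also pushed and popped unconditionally, so a build without ldns emits an empty DNS section; that may be intended. redwax_openssl_cert_metadata begins in the previous hunk and continues past this one.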
Added: redwax-tool/trunk/redwax_unbound.c
==============================================================================
--- redwax-tool/trunk/redwax_unbound.c (added)
+++ redwax-tool/trunk/redwax_unbound.c Sat Feb 10 21:54:44 2024
@@ -0,0 +1,57 @@
+/**
+ * Copyright (C) 2024 Graham Leggett <minfrin at sharp.fm>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+/*
+ * redwax_unbound - DNS server access routines.
+ *
+ */
+
+#include <apr_strings.h>
+
+#include "config.h"
+#include "redwax-tool.h"
+
+#include "redwax_util.h"
+
+#if HAVE_UNBOUND_H
+
+module unbound_module;
+
+static apr_status_t redwax_unbound_initialise(redwax_tool_t *r)
+{
+
+ return OK;
+}
+
+void redwax_add_default_unbound_hooks()
+{
+ rt_hook_initialise(redwax_unbound_initialise, NULL, NULL, APR_HOOK_MIDDLE);
+}
+
+#else
+
+void redwax_add_default_unbound_hooks()
+{
+}
+
+#endif
+
+REDWAX_DECLARE_MODULE(unbound) =
+{
+ STANDARD_MODULE_STUFF,
+ redwax_add_default_unbound_hooks /* register hooks */
+};
Added: redwax-tool/trunk/redwax_unbound.h
==============================================================================
--- redwax-tool/trunk/redwax_unbound.h (added)
+++ redwax-tool/trunk/redwax_unbound.h Sat Feb 10 21:54:44 2024
@@ -0,0 +1,30 @@
+/**
+ * Copyright (C) 2024 Graham Leggett <minfrin at sharp.fm>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+/*
+ * redwax_unbound - DNS server access routines.
+ *
+ */
+
+#ifndef REDWAX_UNBOUND_H_
+#define REDWAX_UNBOUND_H_
+
+#include "config.h"
+
+void redwax_add_default_unbound_hooks();
+
+#endif /* REDWAX_UNBOUND_H_ */