VirtIT/wext-httpspluschecker_api
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Checking fails when TLSA record has selector 0 (use full certificate) #2

New Issue
Closed
opened 2019-03-08 15:39:07 +01:00 by tih · 1 comment
tih commented 2019-03-08 15:39:07 +01:00
Copy Link

The checker happens to fail for my domain: point it at www.hamartun.priv.no, and it will abort, thus:

Traceback (most recent call last):
  File "./index.py", line 125, in <module>
    if tlsa_validation(domain) is True:
  File "./index.py", line 64, in tlsa_validation
    certdata = cert.as_der()
AttributeError: 'bytes' object has no attribute 'as_der'

This is because I use the less common value 0 for the selector in my TLSA record, with the fingerprint covering the whole certificate. I made a quick modification to my locally installed copy, like this:

--- index.py    2019-03-07 12:46:56.335364000 +0100
+++ test.py     2019-03-08 15:17:11.886850478 +0100
@@ -54,13 +54,14 @@
             conn = ssl.create_connection((DOMAIN , 443))
             context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
             sock = context.wrap_socket(conn, server_hostname=DOMAIN)
-            cert = ssl.DER_cert_to_PEM_cert(sock.getpeercert(True))
-            cert = cert.encode('ascii') 
+            dercert = sock.getpeercert(True)
+            pemcert = ssl.DER_cert_to_PEM_cert(dercert)
+            cert = pemcert.encode('ascii') 
         except:
             return(False)
 
         if selector == "0":
-            certdata = cert.as_der()
+            certdata = dercert
         elif selector == "1":
             cert = x509.load_pem_x509_certificate(cert, default_backend())
             certdata = cert.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
The checker happens to fail for my domain: point it at www.hamartun.priv.no, and it will abort, thus: ``` Traceback (most recent call last): File "./index.py", line 125, in <module> if tlsa_validation(domain) is True: File "./index.py", line 64, in tlsa_validation certdata = cert.as_der() AttributeError: 'bytes' object has no attribute 'as_der' ``` This is because I use the less common value 0 for the selector in my TLSA record, with the fingerprint covering the whole certificate. I made a quick modification to my locally installed copy, like this: ``` --- index.py 2019-03-07 12:46:56.335364000 +0100 +++ test.py 2019-03-08 15:17:11.886850478 +0100 @@ -54,13 +54,14 @@ conn = ssl.create_connection((DOMAIN , 443)) context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) sock = context.wrap_socket(conn, server_hostname=DOMAIN) - cert = ssl.DER_cert_to_PEM_cert(sock.getpeercert(True)) - cert = cert.encode('ascii') + dercert = sock.getpeercert(True) + pemcert = ssl.DER_cert_to_PEM_cert(dercert) + cert = pemcert.encode('ascii') except: return(False) if selector == "0": - certdata = cert.as_der() + certdata = dercert elif selector == "1": cert = x509.load_pem_x509_certificate(cert, default_backend()) certdata = cert.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo) ```
beu commented 2019-03-23 11:19:29 +01:00
Owner
Copy Link

Thank you for your help

Thank you for your help
beu closed this issue 2019-03-23 11:19:30 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: VirtIT/wext-httpspluschecker_api#2
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?