wip

bin/dnssec

@@ -1,36 +1,47 @@
 #!/usr/bin/env python3
 
+from sys import argv
 from os.path import realpath, dirname
 from bundlewrap.repo import Repository
 from base64 import b64decode, urlsafe_b64encode
-from jwkest import long_to_base64
 from cryptography.utils import int_to_bytes
+from cryptography.hazmat.primitives import serialization as crypto_serialization
+from struct import pack, unpack
+from hashlib import sha1, sha256
+
 
 def long_to_base64(n):
     return urlsafe_b64encode(int_to_bytes(n, None)).decode()
 
-#repo = Repository(dirname(dirname(realpath(__file__))))
+domain = argv[1]
-repo = Repository('.')
+repo = Repository(dirname(dirname(realpath(__file__))))
-domain = 'ckn.li'
+#repo = Repository('.')
 
-pk = repo.libs.rsa.generate_deterministic_rsa_private_key(
+flags = 256
+protocol = 3
+algorithm = 8
+algorithm_name = 'RSASHA256'
+
+# Private Key
+
+priv = repo.libs.rsa.generate_deterministic_rsa_private_key(
     b64decode(str(repo.vault.random_bytes_as_base64_for('dnssec' + domain)))
 )
 
 # https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers
 # https://crypto.stackexchange.com/a/21104
-public_exponent = pk.private_numbers().public_numbers.e
+public_exponent = priv.private_numbers().public_numbers.e
-modulo = pk.private_numbers().public_numbers.n
+modulo = priv.private_numbers().public_numbers.n
-private_exponent = pk.private_numbers().d
+private_exponent = priv.private_numbers().d
-prime1 = pk.private_numbers().p
+prime1 = priv.private_numbers().p
-prime2 = pk.private_numbers().q
+prime2 = priv.private_numbers().q
-exponent1 = pk.private_numbers().dmp1
+exponent1 = priv.private_numbers().dmp1
-exponent2 = pk.private_numbers().dmq1
+exponent2 = priv.private_numbers().dmq1
-coefficient = pk.private_numbers().iqmp
+coefficient = priv.private_numbers().iqmp
 
 print(f"""
 Private-key-format: v1.3
-Algorithm: 8 (RSASHA256)
+Algorithm: {algorithm} ({algorithm_name})
 Modulus: {long_to_base64(modulo)}
 PublicExponent: {long_to_base64(public_exponent)}
 PrivateExponent: {long_to_base64(private_exponent)}
@@ -43,3 +54,57 @@ Created: 20230428110109
 Publish: 20230428110109
 Activate: 20230428110109
 """)
+
+# DNSKEY
+
+pub = priv.public_key()
+
+dnskey = ''.join(pub.public_bytes(
+    crypto_serialization.Encoding.PEM,
+    crypto_serialization.PublicFormat.SubjectPublicKeyInfo
+).decode().split('\n')[1:-2])
+
+value = f"{flags} {protocol} {algorithm} {dnskey}"
+print(f"""
+{domain}. IN DNSKEY {value}
+""")
+
+# DS
+# https://gist.github.com/wido/4c6288b2f5ba6d16fce37dca3fc2cb4a#file-dnskey_to_dsrecord-py-L40
+
+
+def _calc_ds(domain, flags, protocol, algorithm, dnskey):
+    if domain.endswith('.') is False:
+        domain += '.'
+
+    signature = bytes()
+    for i in domain.split('.'):
+        signature += pack('B', len(i)) + i.encode()
+
+    signature += pack('!HBB', int(flags), int(protocol), int(algorithm))
+    signature += b64decode(dnskey)
+
+    return {
+        'sha1':    sha1(signature).hexdigest().upper(),
+        'sha256':  sha256(signature).hexdigest().upper(),
+    }
+
+def _calc_keyid(flags, protocol, algorithm, dnskey):
+    st = pack('!HBB', int(flags), int(protocol), int(algorithm))
+    st += b64decode(dnskey)
+
+    cnt = 0
+    for idx in range(len(st)):
+        s = unpack('B', st[idx:idx+1])[0]
+        if (idx % 2) == 0:
+            cnt += s << 8
+        else:
+            cnt += s
+
+    return ((cnt & 0xFFFF) + (cnt >> 16)) & 0xFFFF
+
+keyid = _calc_keyid(flags, protocol, algorithm, dnskey)
+ds = _calc_ds(domain, flags, protocol, algorithm, dnskey)
+
+print(f"{domain}. IN DS {str(keyid)} {str(algorithm)} 1 {ds['sha1'].lower()}")
+print(f"{domain}. IN DS {str(keyid)} {str(algorithm)} 2 {ds['sha256'].lower()}")

bundles/opendkim/metadata.py

@@ -1,7 +1,5 @@
-from os.path import join, exists
 from re import sub
 from cryptography.hazmat.primitives import serialization as crypto_serialization
-from cryptography.hazmat.primitives.asymmetric import rsa
 from base64 import b64decode