ValiMail/dane-discovery

dane-discovery

A library for using DANE TLSA records for certificate discovery.

Quick Start

Installation

pip install dane-discovery

Load a certificate from DNS and print the PEM representation

from dane_discovery.dane import DANE
from dane_discovery.pki import PKI
dns_name = "dns.name.having.a.tlsa.record"
tlsa_record = DANE.get_first_leaf_certificate(dns_name)
if not tlsa_record:
    raise ValueError("No leaf certificate found for {}.".format(dns_name))

der_cert = PKI.certificate_association_to_der(tlsa_record["certificate_association"])
print(PKI.der_to_pem(der_cert))

Load a DANE identity from DNS and print the request context

from dane_discovery.identity import Identity
dns_name = "dns.name.having.a.tlsa.record"
dane_identity = Identity(dns_name)
print(dane_identity.report())

Name: abc123.air-quality-sensor._device.example.net
Request context:
  DNSSEC: False
  TLS: False
  TCP: True
Credential index: 0
  certificate usage: DANE-EE
  selector: Full certificate match
  matching type: Exact match against certificate association
  x509 attributes:
    {'extensions': {'BasicConstrints': {'ca': False, 'path_length': None},
                    'KeyUsage': {'content_commitment': True,
                                 'crl_sign': False,
                                 'data_encipherment': False,
                                 'digital_signature': True,
                                 'key_agreement': False,
                                 'key_cert_sign': False,
                                 'key_encipherment': True}},
     'subject': {'commonName': 'abc123.air-quality-sensor._device.example.net',
                 'countryName': 'US',
                 'organizationName': 'Example Networks',
                 'stateOrProvinceName': 'CA'}}
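The report above shows a DANE-EE credential delivered with `DNSSEC: False`; RFC 6698 only allows a TLSA record to be used when its DNSSEC validation state is secure. The following is an added example, not code from dane-discovery: it gates acceptance on the request context and then applies the TLSA selector and matching type using only the standard library. The function names, the `certificate_usage`, `selector` and `matching_type` dictionary keys, and the hex encoding of `certificate_association` are assumptions made for illustration.

```python
import hashlib
import hmac

# RFC 6698 registries; the DANE-EE and selector labels follow the report above.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Full certificate match", 1: "SubjectPublicKeyInfo match"}
MATCHERS = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}


def tlsa_matches(record, der_cert, der_spki=None):
    """Return True if the presented certificate matches the TLSA record."""
    if record["certificate_usage"] not in USAGES:
        raise ValueError("unknown certificate usage")
    if record["selector"] not in SELECTORS:
        raise ValueError("unknown selector")
    if record["matching_type"] not in MATCHERS:
        raise ValueError("unknown matching type")
    selected = der_cert if record["selector"] == 0 else der_spki
    if selected is None:
        raise ValueError("selector 1 needs the DER SubjectPublicKeyInfo")
    digest = MATCHERS[record["matching_type"]]
    presented = selected if digest is None else digest(selected).digest()
    expected = bytes.fromhex(record["certificate_association"])
    return hmac.compare_digest(presented, expected)


def accept_credential(context, record, der_cert, der_spki=None):
    """Accept only when the lookup was DNSSEC-validated and the cert matches."""
    if not context.get("DNSSEC"):
        return False, "TLSA answer was not DNSSEC-validated"
    if not tlsa_matches(record, der_cert, der_spki):
        return False, "certificate does not match the TLSA association data"
    return True, "{} credential matched".format(USAGES[record["certificate_usage"]])


# Constructed sample data: placeholder bytes stand in for a DER certificate.
SAMPLE_CERT = b"constructed-placeholder-der-bytes"
SAMPLE_RECORD = {
    "certificate_usage": 3, "selector": 0, "matching_type": 1,
    "certificate_association": hashlib.sha256(SAMPLE_CERT).hexdigest(),
}

if __name__ == "__main__":
    # Same request context as the report above: DNSSEC is False, so it is refused.
    print(accept_credential({"DNSSEC": False, "TLS": False, "TCP": True},
                            SAMPLE_RECORD, SAMPLE_CERT))
    print(accept_credential({"DNSSEC": True, "TLS": False, "TCP": True},
                            SAMPLE_RECORD, SAMPLE_CERT))
```
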

More examples