etc/services - sync with NetBSD-8

[minix.git] / external / bsd / bind / dist / contrib / dane / mkdane.sh

#!/bin/sh
# Copyright (C) 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
#
# Generate a DNS RR from an x.509 certificate
# Currently only supports TLSA, but can be extended to support
# other DANE types such as SMIMEA in the future.
#
# Requires: openssl

USAGE="$BASENAME [options] <filename>
Options:
        -f <input format>: PEM | DLR
        -n <name>: record name (default: _443._tcp)
        -o <origin>: zone origin (default: none; name will be relative)
        -m <matching type>: NONE (0) | SHA256 (1) | SHA512 (2)
        -r <RR type>: TLSA
        -s <selector>: FULL (0) | PK (1)
        -t <ttl>: TTL of the TLSA record (default: none)
        -u <certificate usage>: CA (0) | SERVICE (1) | TA (2) | DOMAIN (3)"

NM="_443._tcp"
CU=2
SELECTOR=0
MTYPE=1
IN=
FORM=PEM
TTL=
RRTYPE=TLSA
BASENAME=`basename $0`;

while getopts "xn:o:u:s:t:m:i:f:r:" c; do
    case $c in
        x) set -x; DEBUG=-x;;
        m) MTYPE="$OPTARG";;
        n) NM="$OPTARG";;
        o) ORIGIN="$OPTARG";;
        r) RRTYPE="$OPTARG";;
        s) SELECTOR="$OPTARG";;
        t) TTL="$OPTARG";;
        u) CU="$OPTARG";;
        *) echo "$USAGE" 1>&2; exit 1;;
    esac
done
shift `expr $OPTIND - 1 || true`

if test "$#" -eq 1; then
    IN=$1
else
    echo "$USAGE" 1>&2; exit 1
fi

ORIGIN=`echo $ORIGIN | sed 's/\([^.]$\)/\1./'`
if [ -n "$ORIGIN" ]; then
    NM=`echo $NM | sed 's/\.$//'`
    NM="$NM.$ORIGIN"
fi

case "$CU" in
    [Cc][Aa]) CU=0;;
    [Ss][Ee][Rr][Vv]*) CU=1;;
    [Tt][Aa]) CU=2;;
    [Dd][Oo][Mm]*) CU=3;;
    [0123]) ;;
    *) echo "bad certificate usage -u \"$CU\"" 1>&2; exit 1;;
esac

case "$SELECTOR" in
    [Ff][Uu][Ll][Ll]) SELECTOR=0;;
    [Pp][Kk]) SELECTOR=1;;
    [01]) ;;
    *) echo "bad selector -s \"$SELECTOR\"" 1>&2; exit 1;;
esac

case "$MTYPE" in
    0|[Nn][Oo][Nn][Ee]) HASH='od -A n -v -t xC';;
    1|[Ss][Hh][Aa]256) HASH='openssl dgst -sha256';;
    2|[Ss][Hh][Aa]512) HASH='openssl dgst -sha512';;
    *) echo "bad matching type -m \"$MTYPE\"" 1>&2; exit 1;;
esac

case "$FORM" in
    [Pp][Ee][Mm]) FORM=PEM;;
    [Dd][Ll][Rr]) FORM=DLR;;
    *) echo "bad input file format -f \"$FORM\"" 1>&2; exit 1
esac

case "$RRTYPE" in
    [Tt][Ll][Ss][Aa]) RRTYPE=TLSA;;
    *) echo "invalid RR type" 1>&2; exit 1
esac

if test -z "$IN" -o ! -s "$IN"; then
    echo "bad input file -i \"$IN\"" 1>&2; exit 1
fi

echo "; $BASENAME -o$NM -u$CU -s$SELECTOR -m$MTYPE -f$FORM $IN"

(if test "$SELECTOR" = 0; then
    openssl x509 -in "$IN" -inform "$FORM" -outform DER
else
    openssl x509 -in "$IN" -inform "$FORM" -noout -pubkey               \
        | sed -e '/PUBLIC KEY/d'                                        \
        | openssl base64 -d 
fi)                                                                     \
    | $HASH                                                             \
    | awk '
        # format Association Data as in Appendix C of the DANE RFC
        BEGIN {
                print "'"$NM\t\t$TTL\tIN TLSA\t$CU $SELECTOR $MTYPE"' ("; 
                leader = "\t\t\t\t\t"; 
        }
        /.+/ {
            gsub(/ +/, "", $0);
            buf = buf $0;
            while (length(buf) >= 36) {
                print leader substr(buf, 1, 36);
                buf = substr(buf, 37);
            }
        }
        END {
            if (length(buf) > 34)
                print leader buf "\n" leader ")";
            else
                print leader buf " )";
        }'