ValiMail/dane_jwe_jws

View on GitHub
dane_jwe_jws/util.py

Summary

Maintainability
A
0 mins
Test Coverage
A
96%
"""General-purpose utilities."""
"""Utilities found here."""
from dane_discovery.identity import Identity
from jwcrypto import jwk


class Util:
    """General-purpose utilities."""

    @classmethod
    def build_dns_uri(cls, device_id):
        """Return a DNS URI for the device identity."""
        kid = "dns://{}?type=TLSA".format(device_id)
        return kid

    @classmethod
    def get_name_from_dns_uri(cls, dns_uri):
        """Return the DNS name from dns_uri.

        Support hostname extraction from input format consistent with relative
        and authoritative records as defined in
        https://tools.ietf.org/html/rfc4501.

        Args:
            dns_uri (str): DNS URI.

        Return:
            str: DNS name.

        Raise:
            ValueError: If format is wrong, raise an error.
        """
        preamble = "dns:"
        ending = "?type=TLSA"
        if not dns_uri.startswith(preamble):
            raise ValueError("Bad format. See RFC 4501.")
        if not dns_uri.endswith(ending):
            raise ValueError("Bad format. See RFC 4501.")
        reduced = dns_uri.replace(preamble, "").replace(ending, "")
        hostname = reduced.split("/")[-1]
        return hostname

    @classmethod
    def get_pubkey_from_dns(cls, dns_name, dane_type=None, strict=True):
        """Return JWK for DNS-based identity.

        Args:
            dns_name (str): DNS name for locating TLSArr.
            dane_type (str): ``PKIX-EE``, ``DANE-EE``, or ``PKIX-CD``. This
                indicates the type of certificate we are interested in retrieving.
                Defaults to ``None``, which will cause the first entity certificate 
                to be returned.
            strict (bool): Fail if unable to validate certificate using a 
                signature via DNSSEC (or PKI for PKIX-CD)

        Return:
            JWK: Javascript Web Key containing public
                key retrieved from DNS.

        """
        identity = Identity(dns_name)
        if dane_type is not None:
            cert = identity.get_first_entity_certificate_by_type(dane_type, 
                                                                 strict=strict)
        else:
            cert = identity.get_first_entity_certificate(strict=strict)
        pubkey = jwk.JWK()
        pubkey.import_from_pyca(cert.public_key())
        return pubkey