From 82d1d24093e2f17cc6550e8f16be85fa4376c182 Mon Sep 17 00:00:00 2001 From: Zbigniew Jędrzejewski-Szmek Date: Wed, 17 Feb 2016 21:08:57 -0500 Subject: systemd-resolve: easy querying of TLSA records $ systemd-resolve --tlsa fedoraproject.org _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= -- Cert. usage: CA constraint -- Selector: Full Certificate -- Matching type: SHA-256 $ systemd-resolve --tlsa=tcp fedoraproject.org:443 _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= ... $ systemd-resolve --tlsa=udp fedoraproject.org _443._udp.fedoraproject.org: resolve call failed: '_443._udp.fedoraproject.org' not found v2: - use uint16_t - refuse port 0 --- man/systemd-resolve.xml | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/systemd-resolve.xml b/man/systemd-resolve.xml index c288fd974e..320663ce69 100644 --- a/man/systemd-resolve.xml +++ b/man/systemd-resolve.xml @@ -83,6 +83,13 @@ USER@DOMAIN + + systemd-resolve + OPTIONS + --tlsa + DOMAIN:PORT + + systemd-resolve OPTIONS @@ -121,10 +128,15 @@ is assumed to be a domain name, that is already prefixed with an SRV type, and an SRV lookup is done (no TXT). - The switch may be use to query PGP keys stored as the + The switch may be used to query PGP keys stored as OPENPGPKEY resource records. When this option is specified one or more e-mail address must be specified. + The switch maybe be used to query TLS public + keys stored as + TLSA resource records. + When this option is specified one or more domain names must be specified. + The switch may be used to show resolver statistics, including information about the number of successful and failed DNSSEC validations. 
@@ -216,6 +228,20 @@ printed. + + + + Enables TLSA resource record resolution (see above). + A query will be performed for each of the specified names prefixed with + the port and family + (_port._family.domain). + The port number may be specified after a colon + (:), otherwise 443 will be used + by default. The family may be specified as an argument after + , otherwise tcp will be + used. + + BOOL @@ -323,6 +349,18 @@ d08ee310438ca124a6149ea5cc21b6313b390dce485576eff96f8722._openpgpkey.fedoraproje mQINBFBHPMsBEACeInGYJCb+7TurKfb6wGyTottCDtiSJB310i37/6ZYoeIay/5soJjlMyf MFQ9T2XNT/0LM6gTa0MpC1st9LnzYTMsT6tzRly1D1UbVI6xw0g0vE5y2Cjk3xUwAynCsSs ... + + + + + Retrieve a TLS key (<literal>=tcp</literal> and + <literal>:443</literal> could be skipped) + + $ systemd-resolve --tlsa=tcp fedoraproject.org:443 +_443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= + -- Cert. usage: CA constraint + -- Selector: Full Certificate + -- Matching type: SHA-256 -- cgit v1.2.3-54-g00ecf From 236d312b8d0392f490aa7f09886942c17a06f12e Mon Sep 17 00:00:00 2001 From: Zbigniew Jędrzejewski-Szmek Date: Tue, 16 Feb 2016 20:36:10 -0500 Subject: resolve: print TLSA packets in hexadecimal https://tools.ietf.org/html/rfc6698#section-2.2 says: > The certificate association data field MUST be represented as a string > of hexadecimal characters. Whitespace is allowed within the string of > hexadecimal characters --- man/systemd-resolve.xml | 2 +- src/resolve/resolved-dns-rr.c | 28 +++++++++------------------- 2 files changed, 10 insertions(+), 20 deletions(-) (limited to 'man') diff --git a/man/systemd-resolve.xml b/man/systemd-resolve.xml index 320663ce69..de3bbce6dd 100644 --- a/man/systemd-resolve.xml +++ b/man/systemd-resolve.xml 
@@ -357,7 +357,7 @@ d08ee310438ca124a6149ea5cc21b6313b390dce485576eff96f8722._openpgpkey.fedoraproje :443 could be skipped) $ systemd-resolve --tlsa=tcp fedoraproject.org:443 -_443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= +_443._tcp.fedoraproject.org IN TLSA 0 0 1 19400be5b7a31fb733917700789d2f0a2471c0c9d506c0e504c06c16d7cb17c0 -- Cert. usage: CA constraint -- Selector: Full Certificate -- Matching type: SHA-256 diff --git a/src/resolve/resolved-dns-rr.c b/src/resolve/resolved-dns-rr.c index d0a86ef206..e83416da07 100644 --- a/src/resolve/resolved-dns-rr.c +++ b/src/resolve/resolved-dns-rr.c @@ -1116,40 +1116,30 @@ const char *dns_resource_record_to_string(DnsResourceRecord *rr) { case DNS_TYPE_TLSA: { const char *cert_usage, *selector, *matching_type; - char *ss; - int n; cert_usage = tlsa_cert_usage_to_string(rr->tlsa.cert_usage); selector = tlsa_selector_to_string(rr->tlsa.selector); matching_type = tlsa_matching_type_to_string(rr->tlsa.matching_type); - r = asprintf(&s, "%s %u %u %u %n", - k, - rr->tlsa.cert_usage, - rr->tlsa.selector, - rr->tlsa.matching_type, - &n); - if (r < 0) - return NULL; - - r = base64_append(&s, n, - rr->tlsa.data, rr->tlsa.data_size, - 8, columns()); - if (r < 0) + t = hexmem(rr->sshfp.fingerprint, rr->sshfp.fingerprint_size); + if (!t) return NULL; - r = asprintf(&ss, "%s\n" + r = asprintf(&s, + "%s %u %u %u %s\n" " -- Cert. usage: %s\n" " -- Selector: %s\n" " -- Matching type: %s", - s, + k, + rr->tlsa.cert_usage, + rr->tlsa.selector, + rr->tlsa.matching_type, + t, cert_usage, selector, matching_type); if (r < 0) return NULL; - free(s); - s = ss; break; } -- cgit v1.2.3-54-g00ecf
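Review bot: The TLSA case now hex-encodes the wrong union member: `t = hexmem(rr->sshfp.fingerprint, rr->sshfp.fingerprint_size);` reads the SSHFP view of the record, while the base64_append call it replaces used `rr->tlsa.data, rr->tlsa.data_size`. If sshfp and tlsa overlap in the same union of DnsResourceRecord, as the other cases in this function suggest, the TLSA fields are reinterpreted as a pointer and a length, so the printed certificate association data is wrong at best and an out-of-bounds read at worst, and an operator checking a DANE record against a server certificate would compare against the wrong bytes. The call should be `t = hexmem(rr->tlsa.data, rr->tlsa.data_size);`, which is also what the updated man-page example (a 32-byte SHA-256 value) expects. dns_resource_record_to_string and the declaration of `t` lie outside the hunk.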