From b2d80d3ad7dc313371e97d0e4c7e3f35a9ade827 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=94=D0=B8=D0=BB=D1=8F=D0=BD=20=D0=9F=D0=B0=D0=BB=D0=B0?= =?UTF-8?q?=D1=83=D0=B7=D0=BE=D0=B2?= Date: Sun, 25 Aug 2019 10:37:49 +0000 Subject: [PATCH] Add option to verify several TLSA records for a service --- README.md | 6 ++++++ check_dane | 16 ++++++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2ff7018..7ef8dfd 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,7 @@ Usage --nameserver NAMESERVER Use a custom nameserver. --timeout TIMEOUT Network timeout in sec. Default: 10 + --tlsa_records Verify more than one TLSA records for the service (see below) --version show program's version number and exit Supported TLSA records @@ -37,6 +38,11 @@ Supported TLSA records * Selector: "Full certificate" (0) and SubjectPublicKeyInfo (1) * Matching Type: "Exact match" (0), SHA-256 hash (1) and SHA-512 hash (2) +Which TLSA Records to Check +=========================== + +By default check_dane ensures that any TLSA record matches. With --tlsa_records check_dane can verify, that specific records are present and valid. This is useful, if for a service more than one records are published, like 3 0 1 and 3 0 2. To verify several records, use --tlsa_records and pass after them the space-separated tuples, e.g '--tlsa_records 301 302'. + Requirements ============ diff --git a/check_dane b/check_dane index 6337b54..c2effe6 100755 --- a/check_dane +++ b/check_dane @@ -321,6 +321,7 @@ def main() -> None: parser.add_argument("--nameserver", help="Use a custom nameserver.") parser.add_argument("--timeout", type=int, default=10, help="Network timeout in sec. Default: 10") parser.add_argument("--version", action="version", version="%(prog)s " + VERSION) + parser.add_argument("--tlsa_records", type=int, nargs='+', default=[], help="Verify several TLSA records", metavar="TLSA_RECORD") args = parser.parse_args() pyver = sys.version_info 
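Review bot: The new `--tlsa_records` option is declared with `type=int`, so nothing checks that a value is a three-digit usage/selector/matching-type triple; `--tlsa_records 31` or `3010` is accepted, can never equal `usage * 100 + selector * 10 + mtype`, and the run ends CRITICAL with "not validated" instead of a usage error at parse time. A small argparse type converter that rejects malformed digits and values outside the supported ranges (selector 0–1 and matching type 0–2 per the README's supported list, usage 0–3 per RFC 6698) reports the mistake before any DNS or TLS work is done; the add_argument line then becomes `parser.add_argument("--tlsa_records", type=tlsa_key, nargs='+', default=[], help="Verify that each given USM triple (e.g. 301) is published and matches", metavar="TLSA_RECORD")`. This assumes the parser is an argparse.ArgumentParser and the module is imported as `argparse`; main() begins before this hunk.
```python
def tlsa_key(value: str) -> int:
    """argparse type: turn 'USM' digits such as '301' (usage 3, selector 0, mtype 1)
    into the usage*100 + selector*10 + mtype key used when matching TLSA records."""
    if len(value) != 3 or not value.isdigit():
        raise argparse.ArgumentTypeError("expected three digits usage/selector/matching-type, e.g. 301: " + value)
    usage, selector, mtype = (int(c) for c in value)
    # bounds follow the supported selectors (0-1) and matching types (0-2) listed in README; usage 0-3 per RFC 6698
    if usage > 3 or selector > 1 or mtype > 2:
        raise argparse.ArgumentTypeError("unsupported TLSA usage/selector/matching-type: " + value)
    return usage * 100 + selector * 10 + mtype
```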
@@ -376,19 +377,30 @@ def main() -> None:
 for tlsa in tlsa_records:
 if validate_dane(cert_binary, pkix_valid, tlsa):
+ tup = tlsa.usage * 100 + tlsa.selector * 10 + tlsa.mtype
 dane_valid_cert = True
- break
+ if tup in args.tlsa_records:
+ args.tlsa_records.remove(tup)
+ if not args.tlsa_records:
+ break
 if not dane_valid_cert:
 # test if it would match if it were pkix_valid
 additional_msg = ""
 for tlsa in tlsa_records:
 if validate_dane(cert_binary, True, tlsa):
+ tup = tlsa.usage * 100 + tlsa.selector * 10 + tlsa.mtype
 additional_msg = "\nIt matches a TLSA usage=1 record but fails PKIX validation:\n" + pkix_error
- break
+ if tup in args.tlsa_records:
+ args.tlsa_records.remove(tup)
+ if not args.tlsa_records:
+ break
 nagios_critical("Certificate doesn't match TLSA record" + additional_msg)
+ if args.tlsa_records:
+ nagios_critical("TLSA records {} not validated".format(args.tlsa_records))
+
 if pkix_valid and args.min_days_valid:
 days_parts = args.min_days_valid.split(",")
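Review bot: The bookkeeping added to the second loop (the PKIX-forced diagnostic pass) removes entries from `args.tlsa_records` and then falls through to `nagios_critical(...)` regardless, so those removals never influence any output and, if nagios_critical terminates the check as its name suggests, the "TLSA records ... not validated" report below is never reached on that path; that loop should keep its original single `break`. The first loop also mutates the parsed namespace in place with `list.remove`, which makes a repeated argument (`--tlsa_records 301 301`) demand two distinct matching 301 records and turns membership tests into list scans; a local `set` copy avoids both. Note as a caveat for operators that this mode only confirms that at least one published record of each requested triple matches the presented certificate; a stale extra record of the same triple that does not match is still not reported. main() begins before and ends after this hunk.
```python
    # … unchanged: TLSA lookup and certificate retrieval …
    outstanding = set(args.tlsa_records)  # local copy: dedupes repeats and leaves the parsed namespace untouched
    for tlsa in tlsa_records:
        if validate_dane(cert_binary, pkix_valid, tlsa):
            dane_valid_cert = True
            outstanding.discard(tlsa.usage * 100 + tlsa.selector * 10 + tlsa.mtype)
            if not outstanding:
                break

    if not dane_valid_cert:
        # … unchanged: PKIX-forced diagnostic loop, with its original single `break` restored …
        nagios_critical("Certificate doesn't match TLSA record" + additional_msg)

    if outstanding:
        nagios_critical("TLSA records {} not validated".format(sorted(outstanding)))
```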