Commit faeaf6bf authored by ale's avatar ale

Add support for generating TSIG credentials

Requires the dnssec-keygen tool (part of bind9utils package in Debian).
parent 04ee374c
......@@ -56,12 +56,44 @@ def generate_binary_secret(length=32):
return base64.b64encode(os.urandom(n)).rstrip('=')
def generate_tsig_key():
"""Create TSIG keys to use with Bind version 9.
The result is a dictionary with the attributes 'algo', 'public'
and 'private'.
"""
tmp_dir = tempfile.mkdtemp()
try:
# dnssec-keygen outputs the random base name it has chosen for
# its output files. We need to provide a zone name, but it
# doesn't matter what the value is.
base = subprocess.check_output([
'/usr/sbin/dnssec-keygen', '-a', 'HMAC-SHA512', '-b', '512',
'-n', 'USER', '-r', '/dev/urandom', '-K', tmp_dir, 'pwgen',
]).strip()
result = {'algo': 'HMAC-SHA512'}
with open(os.path.join(tmp_dir, base + '.key')) as fd:
result['public'] = fd.read().split()[7]
with open(os.path.join(tmp_dir, base + '.private')) as fd:
for line in fd.readlines():
if line.startswith('Key: '):
result['private'] = line.split()[1]
if not result.get('public') or not result.get('private'):
raise Exception('Could not parse dnssec-keygen output')
return result
finally:
shutil.rmtree(tmp_dir, ignore_errors=True)
def generate_password(entry):
ptype = entry.get('type', 'simple')
if ptype == 'simple':
return generate_simple_password(length=entry.get('length', 32))
elif ptype == 'binary':
return generate_binary_secret(length=entry.get('length', 32))
elif ptype == 'tsig':
return generate_tsig_key()
else:
raise Exception('Unknown password type "%s"' % ptype)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment