Generate resolver configuration with (dynamic) SPKI info for stubby/OpenWRT
import base64
import hashlib
import subprocess
import sys
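# get spki of dns servers and generate a stubby compatible configuration
# Never blindly trust the output! Verify it on your own by hand!
#
# The pin is computed from whatever certificate the remote end presents
# during this run; the TLS chain is not validated here, so a pin obtained
# on a tampered network would be a pin on the attacker's key.  Compare the
# printed value with the one published by the DNS operator before deploying.

# configure DoT servers here
servers = {
    1: {"ip": ["49.182.19.48"], "server": "dns2.digitalcourage.de", "port": "853"},
    2: {"ip": ["2a02:2970:1002::18"], "server": "dns2.digitalcourage.de", "port": "853"},
}
ciphers = "option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'\n\toption tls_min_version '1.2'"


def fetch_spki(host, port, timeout=15):
    """Return the base64 SHA-256 of the SubjectPublicKeyInfo presented by host:port.

    The openssl pipeline of the original one-liner is run stage by stage
    through stdin/stdout, so no shell is involved (host/port are passed as
    argv entries, not interpolated into a command string) and no temporary
    certificate file is written to the working directory.  The final digest
    and base64 steps are done with the standard library.

    Args:
        host: TLS server name; also sent as SNI via -servername.
        port: TCP port as a string, e.g. "853".
        timeout: seconds allowed per openssl stage.

    Returns:
        The pin as a base64 string, or "" when any stage fails (openssl not
        installed, connection refused/timed out, unparsable output).  The
        failure reason is written to stderr so it is not silently lost.
    """
    stages = [
        ["openssl", "s_client", "-connect", "%s:%s" % (host, port), "-servername", host, "-showcerts"],
        # `openssl x509` reads the first PEM certificate in its input (the leaf)
        # and ignores s_client's surrounding chatter.
        ["openssl", "x509", "-pubkey", "-noout"],
        ["openssl", "pkey", "-pubin", "-outform", "der"],
    ]
    data = b""  # empty stdin for s_client, same effect as `</dev/null`
    for argv in stages:
        try:
            proc = subprocess.run(
                argv, input=data, capture_output=True, check=False, timeout=timeout
            )
        except (OSError, subprocess.TimeoutExpired) as exc:
            print("openssl %s failed for %s:%s: %s" % (argv[1], host, port, exc), file=sys.stderr)
            return ""
        if proc.returncode != 0 or not proc.stdout:
            print(
                "openssl %s failed for %s:%s (rc=%d): %s"
                % (argv[1], host, port, proc.returncode, proc.stderr.decode(errors="replace").strip()),
                file=sys.stderr,
            )
            return ""
        data = proc.stdout
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def render_resolver(server, spki, ciphers):
    """Render one `config resolver` stanza in OpenWrt UCI syntax.

    Args:
        server: dict with keys "ip" (list of addresses), "server" (auth name)
            and "port" (string).
        spki: base64 pin; an empty string omits the `list spki` line, which
            means the entry is NOT pinned.
        ciphers: extra option text appended verbatim; empty string omits it.

    Returns:
        The stanza as a string, every line terminated with "\\n".
    """
    lines = ["config resolver", "\toption tls_port %s" % server["port"]]
    lines.extend("\toption address '%s'" % ip for ip in server["ip"])
    lines.append("\toption tls_auth_name '%s'" % server["server"])
    if spki:
        lines.append("\tlist spki 'sha256/%s'" % spki)
    if ciphers:
        lines.append("\t%s" % ciphers)
    return "\n".join(lines) + "\n"


def main():
    """Print the pin of every configured server, then the assembled config."""
    openWrtConfig = []
    for server in servers.values():
        spki = fetch_spki(server["server"], server["port"])
        print("SPKI for server '%s' and port '%s': sha256/%s" % (server["server"], server["port"], spki))
        if not spki:
            # An unpinned entry still resolves but only authenticates via the
            # CA chain; make the gap explicit instead of emitting it quietly.
            print(
                "warning: no SPKI obtained for %s:%s, its resolver entry carries no pin"
                % (server["server"], server["port"]),
                file=sys.stderr,
            )
        openWrtConfig.append(render_resolver(server, spki, ciphers))
    print("stubby resolver config for the router:\n%s" % "\n".join(openWrtConfig))


if __name__ == "__main__":
    main()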