From 717ea33160ab8c1617b03ad0e292b6235881c568 Mon Sep 17 00:00:00 2001
From: Kim Alvefur <zash@zash.se>
Date: Fri, 3 Nov 2023 23:08:07 +0100
Subject: util.prosodyctl.check: Print DANE TLSA records for certificates

Not the prosodyctl check dane I wanted to make but a start.
---
 util/prosodyctl/check.lua | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/util/prosodyctl/check.lua b/util/prosodyctl/check.lua
index 99799163..343b062f 100644
--- a/util/prosodyctl/check.lua
+++ b/util/prosodyctl/check.lua
@@ -1115,6 +1115,9 @@ local function check(arg)
 		local cert_ok;
 		print"Checking certificates..."
 		local x509_verify_identity = require"prosody.util.x509".verify_identity;
+		local use_dane = configmanager.get("*", "use_dane");
+		local pem2der = require"prosody.util.x509".pem2der;
+		local sha256 = require"prosody.util.hashes".sha256;
 		local create_context = require "prosody.core.certmanager".create_context;
 		local ssl = dependencies.softreq"ssl";
 		-- local datetime_parse = require"util.datetime".parse_x509;
@@ -1180,6 +1183,13 @@ local function check(arg)
 							print("    Not valid for server-to-server connections to "..host..".")
 							cert_ok = false
 						end
+						if use_dane then
+							if cert.pubkey then
+								print("    DANE: TLSA 3 1 1 "..sha256(pem2der(cert:pubkey()), true))
+							elseif cert.pem then
+								print("    DANE: TLSA 3 0 1 "..sha256(pem2der(cert:pem()), true))
+							end
+						end
 					end
 				end
 			end
-- 
cgit v1.2.3