From 717ea33160ab8c1617b03ad0e292b6235881c568 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 3 Nov 2023 23:08:07 +0100 Subject: util.prosodyctl.check: Print DANE TLSA records for certificates Not the prosodyctl check dane I wanted to make but a start. --- util/prosodyctl/check.lua | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'util') diff --git a/util/prosodyctl/check.lua b/util/prosodyctl/check.lua index 99799163..343b062f 100644 --- a/util/prosodyctl/check.lua +++ b/util/prosodyctl/check.lua @@ -1115,6 +1115,9 @@ local function check(arg) local cert_ok; print"Checking certificates..." local x509_verify_identity = require"prosody.util.x509".verify_identity; + local use_dane = configmanager.get("*", "use_dane"); + local pem2der = require"prosody.util.x509".pem2der; + local sha256 = require"prosody.util.hashes".sha256; local create_context = require "prosody.core.certmanager".create_context; local ssl = dependencies.softreq"ssl"; -- local datetime_parse = require"util.datetime".parse_x509; @@ -1180,6 +1183,13 @@ local function check(arg) print(" Not valid for server-to-server connections to "..host..".") cert_ok = false end + if use_dane then + if cert.pubkey then + print(" DANE: TLSA 3 1 1 "..sha256(pem2der(cert:pubkey()), true)) + elseif cert.pem then + print(" DANE: TLSA 3 0 1 "..sha256(pem2der(cert:pem()), true)) + end + end end end end -- cgit v1.2.3