# HG changeset patch
# User Kim Alvefur
# Date 1699049287 -3600
# Node ID 30b7cd40ee14be3ee7dd32fe026f655d3d78797f
# Parent 84d83f4a190f5e5c3a2caa101c251df8e76041aa
util.prosodyctl.check: Print DANE TLSA records for certificates

Not the prosodyctl check dane I wanted to make but a start.

diff -r 84d83f4a190f -r 30b7cd40ee14 util/prosodyctl/check.lua
--- a/util/prosodyctl/check.lua Fri Nov 03 22:16:53 2023 +0100
+++ b/util/prosodyctl/check.lua Fri Nov 03 23:08:07 2023 +0100
@@ -1115,6 +1115,9 @@
 local cert_ok;
 print"Checking certificates..."
 local x509_verify_identity = require"prosody.util.x509".verify_identity;
+ local use_dane = configmanager.get("*", "use_dane");
+ local pem2der = require"prosody.util.x509".pem2der;
+ local sha256 = require"prosody.util.hashes".sha256;
 local create_context = require "prosody.core.certmanager".create_context;
 local ssl = dependencies.softreq"ssl";
 -- local datetime_parse = require"util.datetime".parse_x509;
@@ -1180,6 +1183,13 @@
 print(" Not valid for server-to-server connections to "..host..".")
 cert_ok = false
 end
+ if use_dane then
+ if cert.pubkey then
+ print(" DANE: TLSA 3 1 1 "..sha256(pem2der(cert:pubkey()), true))
+ elseif cert.pem then
+ print(" DANE: TLSA 3 0 1 "..sha256(pem2der(cert:pem()), true))
+ end
+ end
 end
 end
 end
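Review bot: The two branches in the second hunk print records with very different operational lifetimes and nothing in the output or the code says so: `3 1 1` hashes the SubjectPublicKeyInfo and stays valid across renewals that keep the same key, whereas the `cert.pem` fallback's `3 0 1` hashes the whole DER certificate and must be republished (with a rollover period) on every renewal, or DANE-validating peers will reject the server. A short comment above the `if cert.pubkey then` line would keep the next maintainer from treating them as interchangeable, e.g. `-- Prefer 3 1 1 (SPKI hash, survives renewal with same key); 3 0 1 pins the exact certificate and breaks on every renewal`. The printed line also gives only the RDATA, not the owner name; the record is only useful if published at the name the SRV target resolves to, so an additional sentence in the output or a comment noting that the operator must still derive the `_port._tcp.<target>` owner name themselves would help. The `true` argument to `sha256` presumably selects hex output and `cert:pubkey()` is presumably PEM for `pem2der` to consume — both worth a confirming comment, since a wrong encoding here yields a syntactically valid but useless record. The enclosing function starts and ends outside both hunks.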