From: Sergey Matveev
Date: Tue, 15 Feb 2022 10:40:35 +0000 (+0300)
Subject: DANE check utility
X-Git-Tag: v0.1.0~33
X-Git-Url: http://www.git.stargrave.org/?a=commitdiff_plain;h=a47fce86141bc082924a7474dcce8f8c7b5e8f33;hp=decb4bfb406665dde1233e9936fee3edfe3e81da;p=tofuproxy.git
DANE check utility
---
diff --git a/cmd/danechk/main.go b/cmd/danechk/main.go
new file mode 100644
index 0000000..1e837d1
--- /dev/null
+++ b/cmd/danechk/main.go
@@ -0,0 +1,44 @@
+/*
+tofuproxy -- flexible HTTP/HTTPS proxy, TLS terminator, X.509 TOFU
+ manager, WARC/geminispace browser
+Copyright (C) 2021-2022 Sergey Matveev
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 3 of the License.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see .
+*/
+
+package main
+
+import (
+ "flag"
+ "fmt"
+ "log"
+
+ "go.cypherpunks.ru/ucspi"
+ ttls "go.stargrave.org/tofuproxy/tls"
+)
+
+func main() {
+ dnsSrv := flag.String("dns", "[::1]:53", "DNS server")
+ crtPath := flag.String("cert", "cert.pem", "Path to X.509 certificate")
+ addr := flag.String("addr", "", "Domain name")
+ flag.Parse()
+ log.SetFlags(log.Lshortfile)
+ _, cert, err := ucspi.CertificateFromFile(*crtPath)
+ if err != nil {
+ log.Fatalln(err)
+ }
+ ttls.DNSSrv = *dnsSrv
+ exists, valid := ttls.DANE(*addr, cert)
+ fmt.Println("Exists:", exists)
+ fmt.Println("Valid:", valid)
+}
diff --git a/tls/dane.go b/tls/dane.go
index 5d017ec..ba6e7d0 100644
--- a/tls/dane.go
+++ b/tls/dane.go
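Review bot: `-addr` defaults to the empty string and main never checks it, so running the tool with no arguments loads the certificate and then calls `ttls.DANE("", cert)`, whose behaviour for an empty name is not visible in this diff; a guard right after `flag.Parse()`, `if *addr == "" { log.Fatalln("-addr is required") }`, would fail early with a clear message instead. The process also always exits 0, so anyone scripting this check has to parse the `Exists:`/`Valid:` output rather than rely on the exit status; `if !valid { os.Exit(1) }` at the end of main (with `os` imported) would make it usable as a pass/fail check. Finally, the `-dns` help text could note that the result is only meaningful when that resolver performs DNSSEC validation, since the diff does not show how DANE treats unvalidated answers.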
@@ -32,7 +32,7 @@ import (
 var DNSSrv string
-func dane(addr string, cert *x509.Certificate) (bool, bool) {
+func DANE(addr string, cert *x509.Certificate) (bool, bool) {
 if DNSSrv == "" {
 return false, false
 }
diff --git a/tls/verify.go b/tls/verify.go
index 0f21ce9..a63fb4a 100644
--- a/tls/verify.go
+++ b/tls/verify.go
@@ -198,7 +198,7 @@ func verifyCert(
 if certTheirHash == certOurHash {
 return ErrRejected{host}
 }
- daneExists, daneMatched := dane(host, certTheir)
+ daneExists, daneMatched := DANE(host, certTheir)
 if daneExists {
 if daneMatched {
 fifos.LogDANE <- fmt.Sprintf("%s\tACK", host)