2 tofuproxy -- flexible HTTP/HTTPS proxy, TLS terminator, X.509 TOFU
3 manager, WARC/geminispace browser
4 Copyright (C) 2021-2022 Sergey Matveev <stargrave@stargrave.org>
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, version 3 of the License.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
30 "github.com/miekg/dns"
35 func dane(addr string, cert *x509.Certificate) (bool, bool) {
41 cols := strings.Split(addr, ":")
47 m.SetQuestion(dns.Fqdn(fmt.Sprintf("_%s._tcp.%s", port, host)), dns.TypeTLSA)
48 msg, err := dns.Exchange(m, DNSSrv)
50 log.Printf("DNS: %+v\n", err)
53 if msg.MsgHdr.Rcode != dns.RcodeSuccess {
57 for _, answer := range msg.Answer {
58 tlsa, ok := answer.(*dns.TLSA)
68 switch tlsa.Selector {
72 toMatch = cert.RawSubjectPublicKeyInfo
75 switch tlsa.MatchingType {
79 our := sha256.Sum256(toMatch)
82 our := sha512.Sum512(toMatch)
85 if tlsa.Certificate == hex.EncodeToString(hsh) {