Publish certificate chain data for DANE consumers

Add Chain []CertInfo to TLSProbe, carrying per-cert DER and precomputed TLSA hashes (Cert/SPKI, SHA-256/SHA-512) plus the raw SPKI DER. This lets downstream checkers (checker-dane) perform TLSA matching against the observed chain without re-running a TLS handshake.
2026-04-23 19:05:25 +07:00 · 2026-04-23 19:05:25 +07:00 · 17ecf3beb5
commit 17ecf3beb5
parent ccc5b0cd98
2 changed files with 67 additions and 0 deletions
--- a/checker/types.go
+++ b/checker/types.go
@ -59,11 +59,48 @@ type TLSProbe struct {
 	IssuerAKI     string    `json:"issuer_aki,omitempty"`
 	Subject       string    `json:"subject,omitempty"`
 	DNSNames      []string  `json:"dns_names,omitempty"`
+	// Chain carries one entry per certificate presented by the server
+	// (leaf first, then intermediates in order). Each entry precomputes
+	// the four TLSA selector×matching_type hashes plus the raw DER so
+	// DANE consumers can match without re-handshaking or re-parsing.
+	Chain         []CertInfo `json:"chain,omitempty"`
 	ElapsedMS     int64     `json:"elapsed_ms,omitempty"`
 	Error         string    `json:"error,omitempty"`
 	Issues        []Issue   `json:"issues,omitempty"`
 }

+// CertInfo describes one certificate in the presented chain together with
+// pre-hashed forms suitable for DANE/TLSA matching (RFC 6698 §2.1).
+//
+// Hex fields are lowercase, matching the representation emitted by
+// miekg/dns for TLSA RR Certificate fields.
+type CertInfo struct {
+	// DERBase64 is the standard base64 encoding of the certificate's DER
+	// form. Carried so consumers can do matching-type 0 (Full) without
+	// requiring a precomputed "full" hash and for fallback inspection.
+	DERBase64 string `json:"der_base64,omitempty"`
+
+	// Subject / Issuer are short human-readable DNs for the HTML report.
+	Subject string `json:"subject,omitempty"`
+	Issuer  string `json:"issuer,omitempty"`
+
+	// NotAfter is the certificate's expiry. Carried so editors can show
+	// "expires on …" without re-parsing the DER.
+	NotAfter time.Time `json:"not_after,omitempty"`
+
+	// Selector 0 = full certificate.
+	CertSHA256 string `json:"cert_sha256,omitempty"`
+	CertSHA512 string `json:"cert_sha512,omitempty"`
+
+	// Selector 1 = SubjectPublicKeyInfo.
+	SPKISHA256 string `json:"spki_sha256,omitempty"`
+	SPKISHA512 string `json:"spki_sha512,omitempty"`
+
+	// SPKIDERBase64 lets consumers handle (selector=1, matching=0) without
+	// re-parsing the certificate.
+	SPKIDERBase64 string `json:"spki_der_base64,omitempty"`
+}
+
 // Issue is a single TLS finding surfaced to the consumer.
 type Issue struct {
 	Code     string `json:"code"`