Document usage of FetchChain, BuildChain, AutoSTARTTLS, and CertInfo

2026-04-29 13:33:27 +07:00 · 2026-04-29 13:33:27 +07:00 · 8a7f9feaf7
commit 8a7f9feaf7
parent fa212f0fae
1 changed files with 32 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -144,6 +144,38 @@ existing downstream parsers.
 | ---------------- | ------ | ------- | -------------------------------------------- |
 | `probeTimeoutMs` | number | 10000   | Per-endpoint dial + handshake timeout in ms. |

+## For embedders: certificate-fetch helpers
+
+The `checker` package also exports a small, stable surface for hosts that
+want to reuse the dial/STARTTLS/handshake plumbing outside of a
+`Collect` cycle — typically an HTTP handler that prefills a TLSA editor
+from a live endpoint.
+
+```go
+import tls "git.happydns.org/checker-tls/checker"
+
+starttls := req.STARTTLS
+if starttls == "" {
+    starttls = tls.AutoSTARTTLS(req.Port) // well-known port → dialect
+}
+
+certs, err := tls.FetchChain(ctx, host, req.Port, starttls, 10*time.Second)
+if err != nil {
+    return err
+}
+chain := tls.BuildChain(certs) // []tls.CertInfo, leaf first
+```
+
+| Symbol            | Role                                                                                                  |
+| ----------------- | ----------------------------------------------------------------------------------------------------- |
+| `FetchChain`      | Dials, runs the STARTTLS upgrade if requested, and returns the peer `*x509.Certificate` chain (leaf first). Uses `InsecureSkipVerify` so the chain is returned even when PKIX would reject it — callers do their own validation. |
+| `BuildChain`      | Projects an `[]*x509.Certificate` to `[]CertInfo`, with the four DANE/TLSA `(selector, matching_type)` hashes precomputed. Same projection `Collect` writes into observations. |
+| `AutoSTARTTLS`    | Maps a well-known port (25, 110, 143, 389, 587, 5222) to the STARTTLS dialect `FetchChain` should drive. Returns `""` when no mapping applies. |
+| `CertInfo`        | DANE-friendly per-certificate view: DN, expiry, DER, SPKI DER, and `(cert\|spki) × (sha256\|sha512)` hex digests. |
+
+These three helpers are part of the package's public contract: signatures
+will not change without a bump of the importing module's `go.mod`.
+
 ## Running

 ```bash