diff --git a/README.md b/README.md index 61d4e1b..2d7e158 100644 --- a/README.md +++ b/README.md @@ -144,6 +144,38 @@ existing downstream parsers. | ---------------- | ------ | ------- | -------------------------------------------- | | `probeTimeoutMs` | number | 10000 | Per-endpoint dial + handshake timeout in ms. | +## For embedders: certificate-fetch helpers + +The `checker` package also exports a small, stable surface for hosts that +want to reuse the dial/STARTTLS/handshake plumbing outside of a +`Collect` cycle — typically an HTTP handler that prefills a TLSA editor +from a live endpoint. + +```go +import tls "git.happydns.org/checker-tls/checker" + +starttls := req.STARTTLS +if starttls == "" { + starttls = tls.AutoSTARTTLS(req.Port) // well-known port → dialect +} + +certs, err := tls.FetchChain(ctx, host, req.Port, starttls, 10*time.Second) +if err != nil { + return err +} +chain := tls.BuildChain(certs) // []tls.CertInfo, leaf first +``` + +| Symbol | Role | +| ----------------- | ----------------------------------------------------------------------------------------------------- | +| `FetchChain` | Dials, runs the STARTTLS upgrade if requested, and returns the peer `*x509.Certificate` chain (leaf first). Uses `InsecureSkipVerify` so the chain is returned even when PKIX would reject it — callers do their own validation. | +| `BuildChain` | Projects an `[]*x509.Certificate` to `[]CertInfo`, with the four DANE/TLSA `(selector, matching_type)` hashes precomputed. Same projection `Collect` writes into observations. | +| `AutoSTARTTLS` | Maps a well-known port (25, 110, 143, 389, 587, 5222) to the STARTTLS dialect `FetchChain` should drive. Returns `""` when no mapping applies. | +| `CertInfo` | DANE-friendly per-certificate view: DN, expiry, DER, SPKI DER, and `(cert\|spki) × (sha256\|sha512)` hex digests. | + +These three helpers are part of the package's public contract: signatures +will not change without a bump of the importing module's `go.mod`. + ## Running ```bash