happyDomain/checker-tls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
checker-tls/checker/types.go
Pierre-Olivier Mercier 17ecf3beb5 Publish certificate chain data for DANE consumers 
Add Chain []CertInfo to TLSProbe, carrying per-cert DER and precomputed
TLSA hashes (Cert/SPKI, SHA-256/SHA-512) plus the raw SPKI DER. This
lets downstream checkers (checker-dane) perform TLSA matching against
the observed chain without re-running a TLS handshake.
2026-04-24 12:14:58 +07:00

110 lines
4.3 KiB
Go
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

// Package checker implements a TLS checker for happyDomain. See README for
// the payload shape and consumer contract.
package checker
import "time"
// ObservationKeyTLSProbes is the observation key this checker writes.
const ObservationKeyTLSProbes = "tls_probes"
// Option ids on CheckerOptions.
const (
OptionEndpoints = "endpoints"
OptionProbeTimeoutMs = "probeTimeoutMs"
)
// Defaults shared between the definition's Default field and the runtime
// fallback when probeTimeoutMs is unset or invalid.
const (
DefaultProbeTimeoutMs = 10000
// MaxConcurrentProbes caps parallel probes per collect run to avoid
// exhausting file descriptors on domains with many endpoints.
MaxConcurrentProbes = 32
)
// Severity values used in Issue.Severity (lowercase, ascii).
const (
SeverityCrit = "crit"
SeverityWarn = "warn"
SeverityInfo = "info"
)
// TLSData is the full collected payload written under ObservationKeyTLSProbes.
type TLSData struct {
Probes map[string]TLSProbe `json:"probes"`
CollectedAt time.Time `json:"collected_at"`
}
// TLSProbe captures the outcome of probing a single endpoint. Field names
// mirror what consumers already parse (checker-xmpp's tlsProbeView).
type TLSProbe struct {
Host string `json:"host"`
Port uint16 `json:"port"`
Endpoint string `json:"endpoint"`
Type string `json:"type"`
SNI string `json:"sni,omitempty"`
TLSVersion string `json:"tls_version,omitempty"`
CipherSuite string `json:"cipher_suite,omitempty"`
HostnameMatch *bool `json:"hostname_match,omitempty"`
ChainValid *bool `json:"chain_valid,omitempty"`
NotAfter time.Time `json:"not_after,omitempty"`
Issuer string `json:"issuer,omitempty"`
// IssuerDN is the leaf's issuer as an RFC 2253 DN string, suitable for
// matching the CCADB CAA Identifiers CSV "Subject" column when the AKI
// lookup misses.
IssuerDN string `json:"issuer_dn,omitempty"`
// IssuerAKI is the uppercase hex of the leaf's Authority Key Identifier
// extension (i.e. the issuer cert's SKI). This is the primary lookup key
// into the CCADB CAA Identifiers CSV ("Subject Key Identifier (Hex)").
IssuerAKI string `json:"issuer_aki,omitempty"`
Subject string `json:"subject,omitempty"`
DNSNames []string `json:"dns_names,omitempty"`
// Chain carries one entry per certificate presented by the server
// (leaf first, then intermediates in order). Each entry precomputes
// the four TLSA selector×matching_type hashes plus the raw DER so
// DANE consumers can match without re-handshaking or re-parsing.
Chain []CertInfo `json:"chain,omitempty"`
ElapsedMS int64 `json:"elapsed_ms,omitempty"`
Error string `json:"error,omitempty"`
Issues []Issue `json:"issues,omitempty"`
}
// CertInfo describes one certificate in the presented chain together with
// pre-hashed forms suitable for DANE/TLSA matching (RFC 6698 §2.1).
//
// Hex fields are lowercase, matching the representation emitted by
// miekg/dns for TLSA RR Certificate fields.
type CertInfo struct {
// DERBase64 is the standard base64 encoding of the certificate's DER
// form. Carried so consumers can do matching-type 0 (Full) without
// requiring a precomputed "full" hash and for fallback inspection.
DERBase64 string `json:"der_base64,omitempty"`
// Subject / Issuer are short human-readable DNs for the HTML report.
Subject string `json:"subject,omitempty"`
Issuer string `json:"issuer,omitempty"`
// NotAfter is the certificate's expiry. Carried so editors can show
// "expires on …" without re-parsing the DER.
NotAfter time.Time `json:"not_after,omitempty"`
// Selector 0 = full certificate.
CertSHA256 string `json:"cert_sha256,omitempty"`
CertSHA512 string `json:"cert_sha512,omitempty"`
// Selector 1 = SubjectPublicKeyInfo.
SPKISHA256 string `json:"spki_sha256,omitempty"`
SPKISHA512 string `json:"spki_sha512,omitempty"`
// SPKIDERBase64 lets consumers handle (selector=1, matching=0) without
// re-parsing the certificate.
SPKIDERBase64 string `json:"spki_der_base64,omitempty"`
}
// Issue is a single TLS finding surfaced to the consumer.
type Issue struct {
Code string `json:"code"`
Severity string `json:"severity"`
Message string `json:"message,omitempty"`
Fix string `json:"fix,omitempty"`
}
Reference in a new issue View git blame Copy permalink