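#! /usr/bin/perl
#
# Print a DANE TLSA resource record for the first certificate in a PEM file.
#
#   Usage: SCRIPT DNS-LABEL CERT-FILE
#
# The record always carries the parameters "1 0 1":
#   certificate usage 1 (PKIX-EE), selector 0 (full certificate),
#   matching type 1 (SHA-256).
#
# Operational notes:
#   * Selector 0 hashes the whole certificate, so the record must be
#     regenerated and republished every time the certificate is reissued,
#     even when the key pair stays the same.
#   * Usage 1 still requires the certificate to pass ordinary PKIX
#     validation. Confirm the consuming protocol accepts it; SMTP
#     (RFC 7672) expects usage 2 or 3 instead.
#   * Only the first CERTIFICATE block is read. In a chain file that must
#     be the end-entity certificate for a usage-1 record to be meaningful.
use strict;
use warnings;
use 5.010;
use autodie;

use Digest::SHA;
use MIME::Base64;

# States of the PEM scanner in gen_tlsa().
use constant WAIT_BEGIN => 1;    # BEGIN CERTIFICATE line not seen yet
use constant WAIT_END   => 2;    # collecting base64 until the END line
use constant DONE       => 3;    # one complete certificate block was read

# Print the expected command line to STDERR and exit with status 1.
sub usage {
    say STDERR "$0 DNS-LABEL CERT-FILE";
    exit(1);
}

usage() if (scalar(@ARGV) != 2);

gen_tlsa(@ARGV);

# gen_tlsa($label, $cert_file)
#
# Read the first PEM CERTIFICATE block from $cert_file, decode it to DER and
# print "$label IN TLSA 1 0 1 <sha256-hex>" on STDOUT.
#
# $label is printed verbatim and is not validated here; a TLSA owner name
# normally has the form _PORT._PROTO.HOST (for example _443._tcp.www).
#
# Dies (via autodie) when the file cannot be opened or closed, and dies with
# a message when no complete, well-formed certificate block is found. Without
# these checks a missing or truncated certificate would still yield a
# plausible-looking record (for an empty block, the SHA-256 of the empty
# string), and publishing such a record breaks DANE validation for the name.
sub gen_tlsa {
    my ($label, $cert_file) = @_;

    my $state = WAIT_BEGIN;
    my $pem   = '';

    open(my $fh, '<', $cert_file);
    LINE:
    while (my $line = <$fh>) {
        if ($state == WAIT_BEGIN) {
            $state = WAIT_END if $line =~ /^-----BEGIN CERTIFICATE-----/;
        }
        elsif ($line =~ /^-----END CERTIFICATE-----/) {
            $state = DONE;
            last LINE;
        }
        else {
            $pem .= $line;
        }
    }
    close($fh);

    die "$cert_file: no '-----BEGIN CERTIFICATE-----' line found\n"
        if $state == WAIT_BEGIN;
    die "$cert_file: certificate block has no '-----END CERTIFICATE-----' line\n"
        if $state == WAIT_END;

    # decode_base64() silently skips characters outside the base64 alphabet,
    # so reject a damaged block explicitly instead of hashing garbage.
    (my $b64 = $pem) =~ s/\s+//g;
    die "$cert_file: certificate block is empty or is not valid base64\n"
        if $b64 !~ m{\A[A-Za-z0-9+/]+={0,2}\z};

    my $der = decode_base64($b64);

    # An X.509 certificate is a DER SEQUENCE, so its first octet is 0x30.
    die "$cert_file: decoded data is not a DER-encoded certificate\n"
        if substr($der, 0, 1) ne "\x30";

    say($label, ' IN TLSA 1 0 1 ', Digest::SHA::sha256_hex($der));
    return;
}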