tlsa/gen_tlsa.pl

#! /usr/bin/perl
# Copyright (c) 2017 Florian Obser <florian@narrans.de>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

use strict;
use warnings;
use 5.010;
use autodie;

use Digest::SHA;
use MIME::Base64;
use Net::DNS;

use constant WAIT_BEGIN => 1;
use constant WAIT_END =>2;

sub usage {
    say STDERR "$0 DNS-LABEL CERT-FILE";
    exit(1);
}

usage() if (scalar(@ARGV) != 2);

my $tlsa = gen_tlsa(@ARGV);

say $tlsa->string();

sub gen_tlsa {
    my ($label, $cert_file) = @_;
    my $state = WAIT_BEGIN;
    my $pem = '';
    my ($fh, $line, $rr);
    
    open($fh, '<', $cert_file);
    while($line = <$fh>) {
	if ($state == WAIT_BEGIN) {
	    if ($line=~/^-----BEGIN CERTIFICATE-----/) {
		$state = WAIT_END;
	    }
	} elsif ($state == WAIT_END) {
	    if ($line=~/^-----END CERTIFICATE-----/) {
		last;
	    } else {
		$pem.=$line;
	    }
	}
    }
    close($fh);
    $rr = new Net::DNS::RR($label.' IN TLSA 1 0 1 '.
			   Digest::SHA::sha256_hex(decode_base64($pem)));
    return $rr;
}