Add -printhash option to certspotter-authorize

cmd/certspotter-authorize/main.go

@@ -131,13 +131,15 @@ func main() {
 	version, source := certspotterVersion()
 
 	var flags struct {
-		cert     string
-		stateDir string
-		version  bool
+		cert      string
+		stateDir  string
+		printhash bool
+		version   bool
 	}
 
 	flag.StringVar(&flags.cert, "cert", "", "Path to a PEM-encoded certificate (- to read from stdin)")
 	flag.StringVar(&flags.stateDir, "state_dir", defaultStateDir(), "State directory used by certspotter")
+	flag.BoolVar(&flags.printhash, "printhash", false, "Instead of authorizing certificate, print its TBS hash and exit")
 	flag.BoolVar(&flags.version, "version", false, "Print version and exit")
 	flag.Parse()
 
@@ -172,6 +174,11 @@ func main() {
 		os.Exit(1)
 	}
 
+	if flags.printhash {
+		fmt.Println(hex.EncodeToString(tbsHash[:]))
+		os.Exit(0)
+	}
+
 	_, err = createNotifiedMarker(flags.stateDir, tbsHash)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "%s: %s\n", programName, err)

man/certspotter-authorize.md

@@ -38,6 +38,10 @@ and will trigger notifications.
     `$CERTSPOTTER_STATE_DIR` if set, or `~/.certspotter` otherwise.
     This should be the same directory used by **certspotter(8)**.
 
+-printhash
+
+:   Instead of authorizing the certificate, print its TBS hash (a hex-encoded SHA-256 digest) to stdout and exit.
+
 -version
 
 :   Print version information and exit.