--- Begin Message ---
|
Subject: |
[PATCH] Export SHA-256 digest of a public key |
|
Date: |
Tue, 13 Jun 2023 13:26:39 +0200 |
* lisp/net/nsm.el (nsm-format-certificate): Show public key
digest (SHA-256 if available). Displaying the digest enables users
to verify the certificate with other tools like gnutls-cli(1)
which present much more detailed information.
* src/gnutls (emacs_gnutls_certificate_details): Export SHA-256 public
key digest if supported by GnuTLS.
---
lisp/net/nsm.el | 8 ++++++--
src/gnutls.c | 21 +++++++++++++++++++++
2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index dc04bf50c24..7cbeb48f5be 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -1030,10 +1030,14 @@ nsm-format-certificate
" Hostname:"
(nsm-certificate-part (plist-get cert :subject) "CN" t) "\n")
(when (and (plist-get cert :public-key-algorithm)
- (plist-get cert :signature-algorithm))
+ (plist-get cert :signature-algorithm)
+ (or (plist-get cert :public-key-id-sha256)
+ (plist-get cert :public-key-id)))
(insert
" Public key:" (plist-get cert :public-key-algorithm)
- ", signature: " (plist-get cert :signature-algorithm) "\n"))
+ ", signature: " (plist-get cert :signature-algorithm) "\n"
+ " Public key ID:" (or (plist-get cert :public-key-id-sha256)
+ (plist-get cert :public-key-id)) "\n"))
(when (and (plist-get status :key-exchange)
(plist-get status :cipher)
(plist-get status :mac)
diff --git a/src/gnutls.c b/src/gnutls.c
index 8f0e2d01703..e3f1093d977 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -51,6 +51,10 @@
# define HAVE_GNUTLS_ETM_STATUS
# endif
+# if GNUTLS_VERSION_NUMBER >= 0x030401
+# define HAVE_GNUTLS_KEYID_USE_SHA256
+# endif
+
# if GNUTLS_VERSION_NUMBER < 0x030600
# define HAVE_GNUTLS_COMPRESSION_GET
# endif
@@ -1278,6 +1282,23 @@ emacs_gnutls_certificate_details (gnutls_x509_crt_t cert)
xfree (buf);
}
+#ifdef HAVE_GNUTLS_KEYID_USE_SHA256
+ /* Public key ID, SHA-256 version. */
+ buf_size = 0;
+ err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, NULL,
&buf_size);
+ check_memory_full (err);
+ if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
+ {
+ void *buf = xmalloc (buf_size);
+ err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, buf,
&buf_size);
+ check_memory_full (err);
+ if (err >= GNUTLS_E_SUCCESS)
+ res = nconc2 (res, list2 (intern (":public-key-id-sha256"),
+ gnutls_hex_string (buf, buf_size,
"sha256:")));
+ xfree (buf);
+ }
+#endif
+
/* Certificate fingerprint. */
buf_size = 0;
err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
--
2.30.2
--- End Message ---
--- Begin Message ---
|
Subject: |
Re: bug#64043: [PATCH] Export SHA-256 digest of a public key |
|
Date: |
Sat, 15 Jul 2023 10:44:41 +0300 |
> Cc: Łukasz Stelmach <stlman@poczta.fm>
> From: Łukasz Stelmach <stlman@poczta.fm>
> Date: Tue, 13 Jun 2023 13:26:39 +0200
>
> * lisp/net/nsm.el (nsm-format-certificate): Show public key
> digest (SHA-256 if available). Displaying the digest enables users
> to verify the certificate with other tools like gnutls-cli(1)
> which present much more detailed information.
>
> * src/gnutls (emacs_gnutls_certificate_details): Export SHA-256 public
> key digest if supported by GnuTLS.
Thanks, installed on the master branch, and closing the bug.
--- End Message ---