bug#64043: [PATCH] Export SHA-256 digest of a public key

bug-gnu-emacs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#64043: [PATCH] Export SHA-256 digest of a public key

From:	Łukasz Stelmach
Subject:	bug#64043: [PATCH] Export SHA-256 digest of a public key
Date:	Tue, 13 Jun 2023 13:26:39 +0200

* lisp/net/nsm.el (nsm-format-certificate): Show public key
digest (SHA-256 if available). Displaying the digest enables users
to verify the certificate with other tools like gnutls-cli(1)
which present much more detailed information.

* src/gnutls (emacs_gnutls_certificate_details): Export SHA-256 public
key digest if supported by GnuTLS.
---
 lisp/net/nsm.el |  8 ++++++--
 src/gnutls.c    | 21 +++++++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index dc04bf50c24..7cbeb48f5be 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -1030,10 +1030,14 @@ nsm-format-certificate
         "  Hostname:"
         (nsm-certificate-part (plist-get cert :subject) "CN" t) "\n")
        (when (and (plist-get cert :public-key-algorithm)
-                  (plist-get cert :signature-algorithm))
+                  (plist-get cert :signature-algorithm)
+                  (or (plist-get cert :public-key-id-sha256)
+                      (plist-get cert :public-key-id)))
          (insert
           "  Public key:" (plist-get cert :public-key-algorithm)
-          ", signature: " (plist-get cert :signature-algorithm) "\n"))
+          ", signature: " (plist-get cert :signature-algorithm) "\n"
+          "  Public key ID:" (or (plist-get cert :public-key-id-sha256)
+                                 (plist-get cert :public-key-id)) "\n"))
         (when (and (plist-get status :key-exchange)
                   (plist-get status :cipher)
                   (plist-get status :mac)
diff --git a/src/gnutls.c b/src/gnutls.c
index 8f0e2d01703..e3f1093d977 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -51,6 +51,10 @@
 #  define HAVE_GNUTLS_ETM_STATUS
 # endif
 
+# if GNUTLS_VERSION_NUMBER >= 0x030401
+#  define HAVE_GNUTLS_KEYID_USE_SHA256
+# endif
+
 # if GNUTLS_VERSION_NUMBER < 0x030600
 #  define HAVE_GNUTLS_COMPRESSION_GET
 # endif
@@ -1278,6 +1282,23 @@ emacs_gnutls_certificate_details (gnutls_x509_crt_t cert)
       xfree (buf);
     }
 
+#ifdef HAVE_GNUTLS_KEYID_USE_SHA256
+  /* Public key ID, SHA-256 version. */
+  buf_size = 0;
+  err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, NULL, 
&buf_size);
+  check_memory_full (err);
+  if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
+    {
+      void *buf = xmalloc (buf_size);
+      err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, buf, 
&buf_size);
+      check_memory_full (err);
+      if (err >= GNUTLS_E_SUCCESS)
+       res = nconc2 (res, list2 (intern (":public-key-id-sha256"),
+                                 gnutls_hex_string (buf, buf_size, 
"sha256:")));
+      xfree (buf);
+    }
+#endif
+
   /* Certificate fingerprint. */
   buf_size = 0;
   err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
-- 
2.30.2

[Prev in Thread]

Current Thread

[Next in Thread]

bug#64043: [PATCH] Export SHA-256 digest of a public key, Łukasz Stelmach <=

Prev by Date: bug#64023: 29.0.91; gnus-icalendar does not update timestamp when description is empty
Next by Date: bug#64018: 29.0.91; Improve tree-sitter docs
Previous by thread: bug#63569: 30.0.50; ERC 5.6: Add automatic nickname highlighting to ERC
Next by thread: bug#64045: [PATCH] Improve wording of the documentation about declare form
Index(es):
- Date
- Thread