GNU bug report logs - #64043: [PATCH] Export SHA-256 digest of a public key
Reported by: Łukasz Stelmach <stlman <at> poczta.fm>
Date: Tue, 13 Jun 2023 11:36:01 UTC
Severity: normal
Tags: patch
Done: Eli Zaretskii <eliz <at> gnu.org>
Report forwarded to bug-gnu-emacs <at> gnu.org: bug#64043; Package emacs. (Tue, 13 Jun 2023 11:36:01 GMT)
Acknowledgement sent to Łukasz Stelmach <stlman <at> poczta.fm>: New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Tue, 13 Jun 2023 11:36:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* lisp/net/nsm.el (nsm-format-certificate): Show public key
digest (SHA-256 if available). Displaying the digest enables users
to verify the certificate with other tools like gnutls-cli(1)
which present much more detailed information.
* src/gnutls (emacs_gnutls_certificate_details): Export SHA-256 public
key digest if supported by GnuTLS.
---
lisp/net/nsm.el | 8 ++++++--
src/gnutls.c | 21 +++++++++++++++++++++
2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index dc04bf50c24..7cbeb48f5be 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -1030,10 +1030,14 @@ nsm-format-certificate
" Hostname:"
(nsm-certificate-part (plist-get cert :subject) "CN" t) "\n")
(when (and (plist-get cert :public-key-algorithm)
- (plist-get cert :signature-algorithm))
+ (plist-get cert :signature-algorithm)
+ (or (plist-get cert :public-key-id-sha256)
+ (plist-get cert :public-key-id)))
(insert
" Public key:" (plist-get cert :public-key-algorithm)
- ", signature: " (plist-get cert :signature-algorithm) "\n"))
+ ", signature: " (plist-get cert :signature-algorithm) "\n"
+ " Public key ID:" (or (plist-get cert :public-key-id-sha256)
+ (plist-get cert :public-key-id)) "\n"))
(when (and (plist-get status :key-exchange)
(plist-get status :cipher)
(plist-get status :mac)
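Review bot: the widened `when` condition at the top of this hunk makes a key ID a precondition for the whole block, so a certificate plist that has `:public-key-algorithm` and `:signature-algorithm` but neither `:public-key-id-sha256` nor `:public-key-id` now loses the `Public key:` / `signature:` line that was displayed before the change. Keep the original two-term condition on the outer `when` and guard only the new line, binding the digest once so the `or` is not evaluated twice, e.g. `(let ((id (or (plist-get cert :public-key-id-sha256) (plist-get cert :public-key-id))))` / `(when id (insert " Public key ID:" id "\n")))`.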
diff --git a/src/gnutls.c b/src/gnutls.c
index 8f0e2d01703..e3f1093d977 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -51,6 +51,10 @@
# define HAVE_GNUTLS_ETM_STATUS
# endif
+# if GNUTLS_VERSION_NUMBER >= 0x030401
+# define HAVE_GNUTLS_KEYID_USE_SHA256
+# endif
+
# if GNUTLS_VERSION_NUMBER < 0x030600
# define HAVE_GNUTLS_COMPRESSION_GET
# endif
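Review bot: the `0x030401` cutoff in the new `HAVE_GNUTLS_KEYID_USE_SHA256` block is undocumented: nothing in the hunk says which GnuTLS release introduced `GNUTLS_KEYID_USE_SHA256`, so a later reader cannot tell whether the guard is still needed once the minimum supported GnuTLS is raised. Add a short comment above the `# if` naming the release the number corresponds to, and check whether Emacs's minimum GnuTLS already satisfies it, in which case this guard and the matching `#ifdef HAVE_GNUTLS_KEYID_USE_SHA256` in `emacs_gnutls_certificate_details` could be dropped.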
@@ -1278,6 +1282,23 @@ emacs_gnutls_certificate_details (gnutls_x509_crt_t cert)
xfree (buf);
}
+#ifdef HAVE_GNUTLS_KEYID_USE_SHA256
+ /* Public key ID, SHA-256 version. */
+ buf_size = 0;
+ err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, NULL, &buf_size);
+ check_memory_full (err);
+ if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
+ {
+ void *buf = xmalloc (buf_size);
+ err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, buf, &buf_size);
+ check_memory_full (err);
+ if (err >= GNUTLS_E_SUCCESS)
+ res = nconc2 (res, list2 (intern (":public-key-id-sha256"),
+ gnutls_hex_string (buf, buf_size, "sha256:")));
+ xfree (buf);
+ }
+#endif
+
/* Certificate fingerprint. */
buf_size = 0;
err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
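Review bot: the two `gnutls_x509_crt_get_key_id` calls in this hunk run past the 79-column limit used elsewhere in the file; wrap the argument list the way the `gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,` call just below does, e.g. `err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256,` / `NULL, &buf_size);`. Also, when the second call returns an error other than an allocation failure, the block frees `buf` and silently omits `:public-key-id-sha256`; that is acceptable because `nsm-format-certificate` falls back to `:public-key-id`, but a one-line comment saying the field is intentionally optional would stop the next reader from treating the missing error path as a bug.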
--
2.30.2
Reply sent to Eli Zaretskii <eliz <at> gnu.org>: You have taken responsibility. (Sat, 15 Jul 2023 07:45:02 GMT)
Notification sent to Łukasz Stelmach <stlman <at> poczta.fm>: bug acknowledged by developer. (Sat, 15 Jul 2023 07:45:02 GMT)
Message #10 received at 64043-done <at> debbugs.gnu.org (full text, mbox):
> Cc: Łukasz Stelmach <stlman <at> poczta.fm>
> From: Łukasz Stelmach <stlman <at> poczta.fm>
> Date: Tue, 13 Jun 2023 13:26:39 +0200
>
> * lisp/net/nsm.el (nsm-format-certificate): Show public key
> digest (SHA-256 if available). Displaying the digest enables users
> to verify the certificate with other tools like gnutls-cli(1)
> which present much more detailed information.
>
> * src/gnutls (emacs_gnutls_certificate_details): Export SHA-256 public
> key digest if supported by GnuTLS.
Thanks, installed on the master branch, and closing the bug.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 12 Aug 2023 11:24:09 GMT)