From unknown Sat Aug 16 20:02:36 2025 X-Loop: help-debbugs@gnu.org Subject: bug#64043: [PATCH] Export SHA-256 digest of a public key Resent-From: =?UTF-8?Q?=C5=81ukasz?= Stelmach Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Tue, 13 Jun 2023 11:36:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 64043 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: patch To: 64043@debbugs.gnu.org Cc: =?UTF-8?Q?=C5=81ukasz?= Stelmach X-Debbugs-Original-To: bug-gnu-emacs@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.16866561077304 (code B ref -1); Tue, 13 Jun 2023 11:36:01 +0000 Received: (at submit) by debbugs.gnu.org; 13 Jun 2023 11:35:07 +0000 Received: from localhost ([127.0.0.1]:41486 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1q92Ik-0001ti-RM for submit@debbugs.gnu.org; Tue, 13 Jun 2023 07:35:07 -0400 Received: from lists.gnu.org ([209.51.188.17]:36160) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1q92Ii-0001tY-9X for submit@debbugs.gnu.org; Tue, 13 Jun 2023 07:35:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1q92Ii-0002uq-3a for bug-gnu-emacs@gnu.org; Tue, 13 Jun 2023 07:35:04 -0400 Received: from smtpo71.interia.pl ([217.74.67.71]) by eggs.gnu.org with esmtps (TLS1.2:RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1q92If-0000o3-Dg for bug-gnu-emacs@gnu.org; Tue, 13 Jun 2023 07:35:03 -0400 Received: from localhost (unknown [213.134.173.245]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by www.poczta.fm (INTERIA.PL) with ESMTPSA; Tue, 13 Jun 2023 13:27:10 +0200 (CEST) From: =?UTF-8?Q?=C5=81ukasz?= Stelmach Date: Tue, 13 Jun 2023 13:26:39 +0200 Message-Id: <20230613112639.2550160-1-stlman@poczta.fm> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Organization: Samsung R&D Institute Poland Content-Transfer-Encoding: 8bit X-IPL-Priority-Group: 0-0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=interia.pl; s=biztos; t=1686655631; bh=pONKQ2NIuuqtoJrX4CTmM6Fz+eVcmSucagjwHH5gHh8=; h=From:To:Subject:Date:Message-Id:MIME-Version; b=F0zX5eNeUox6y/aQyfHEwCtjANzvL2GI7fEsG+bPw1pjzuyEo+AZCm2lAvq1syMX0 /YujQ7OL1Ci9MLoEDehf++pio1rh8rc4/s6Xd7BGsti5pvHSTxFOZGAE4s4nFQShDa p4+uzOitYqZOcI1YdJf0NGcYKcRS7nWeANEotxA0= Received-SPF: pass client-ip=217.74.67.71; envelope-from=stlman@poczta.fm; helo=smtpo71.interia.pl X-Spam_score_int: -25 X-Spam_score: -2.6 X-Spam_bar: -- X-Spam_report: (-2.6 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.4 (-) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.4 (--) * lisp/net/nsm.el (nsm-format-certificate): Show public key digest (SHA-256 if available). Displaying the digest enables users to verify the certificate with other tools like gnutls-cli(1) which present much more detailed information. * src/gnutls (emacs_gnutls_certificate_details): Export SHA-256 public key digest if supported by GnuTLS. --- lisp/net/nsm.el | 8 ++++++-- src/gnutls.c | 21 +++++++++++++++++++++ 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el index dc04bf50c24..7cbeb48f5be 100644 --- a/lisp/net/nsm.el +++ b/lisp/net/nsm.el @@ -1030,10 +1030,14 @@ nsm-format-certificate " Hostname:" (nsm-certificate-part (plist-get cert :subject) "CN" t) "\n") (when (and (plist-get cert :public-key-algorithm) - (plist-get cert :signature-algorithm)) + (plist-get cert :signature-algorithm) + (or (plist-get cert :public-key-id-sha256) + (plist-get cert :public-key-id))) (insert " Public key:" (plist-get cert :public-key-algorithm) - ", signature: " (plist-get cert :signature-algorithm) "\n")) + ", signature: " (plist-get cert :signature-algorithm) "\n" + " Public key ID:" (or (plist-get cert :public-key-id-sha256) + (plist-get cert :public-key-id)) "\n")) (when (and (plist-get status :key-exchange) (plist-get status :cipher) (plist-get status :mac) diff --git a/src/gnutls.c b/src/gnutls.c index 8f0e2d01703..e3f1093d977 100644 --- a/src/gnutls.c +++ b/src/gnutls.c @@ -51,6 +51,10 @@ # define HAVE_GNUTLS_ETM_STATUS # endif +# if GNUTLS_VERSION_NUMBER >= 0x030401 +# define HAVE_GNUTLS_KEYID_USE_SHA256 +# endif + # if GNUTLS_VERSION_NUMBER < 0x030600 # define HAVE_GNUTLS_COMPRESSION_GET # endif @@ -1278,6 +1282,23 @@ emacs_gnutls_certificate_details (gnutls_x509_crt_t cert) xfree (buf); } +#ifdef HAVE_GNUTLS_KEYID_USE_SHA256 + /* Public key ID, SHA-256 version. */ + buf_size = 0; + err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, NULL, &buf_size); + check_memory_full (err); + if (err == GNUTLS_E_SHORT_MEMORY_BUFFER) + { + void *buf = xmalloc (buf_size); + err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, buf, &buf_size); + check_memory_full (err); + if (err >= GNUTLS_E_SUCCESS) + res = nconc2 (res, list2 (intern (":public-key-id-sha256"), + gnutls_hex_string (buf, buf_size, "sha256:"))); + xfree (buf); + } +#endif + /* Certificate fingerprint. */ buf_size = 0; err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1, -- 2.30.2 From unknown Sat Aug 16 20:02:36 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org From: help-debbugs@gnu.org (GNU bug Tracking System) To: =?UTF-8?Q?=C5=81ukasz?= Stelmach Subject: bug#64043: closed (Re: bug#64043: [PATCH] Export SHA-256 digest of a public key) Message-ID: References: <834jm5ehzq.fsf@gnu.org> <20230613112639.2550160-1-stlman@poczta.fm> X-Gnu-PR-Message: they-closed 64043 X-Gnu-PR-Package: emacs X-Gnu-PR-Keywords: patch Reply-To: 64043@debbugs.gnu.org Date: Sat, 15 Jul 2023 07:45:02 +0000 Content-Type: multipart/mixed; boundary="----------=_1689407102-5192-1" This is a multi-part message in MIME format... ------------=_1689407102-5192-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #64043: [PATCH] Export SHA-256 digest of a public key which was filed against the emacs package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 64043@debbugs.gnu.org. --=20 64043: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D64043 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1689407102-5192-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 64043-done) by debbugs.gnu.org; 15 Jul 2023 07:44:29 +0000 Received: from localhost ([127.0.0.1]:43974 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qKZx7-0001Km-8x for submit@debbugs.gnu.org; Sat, 15 Jul 2023 03:44:29 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:36628) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1qKZx5-0001KZ-4E for 64043-done@debbugs.gnu.org; Sat, 15 Jul 2023 03:44:28 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qKZwz-0005jJ-3p; Sat, 15 Jul 2023 03:44:21 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-version:References:Subject:In-Reply-To:To:From: Date; bh=Us5+Vg6HTVRqjI1XaD75q+6Y9D7lvVtaRUPGCX53RQ0=; b=WneSRnGugKtP+d2Z+Zo8 R9L9WOH36aGeA5KsbJGpizOMAIJTi0D+hwXrivnR3RKaGbjoRjnnEnaRTj/3CJLH713N5GySg6cFI Nc4xg9o0O6cRM2aimUvoX+eqHh+xBbozThK3uwqr4ff/pYCtIrKVs81+y5ajpcFocHuRgNLHBNN2R KL5z2Zny+dk8DErBSdO3iTqM7vaSL6mOQtp0O0nfWzbEh+cT0CPbhAIgd2JHv7jD1W65E6pFwqaD0 ZRG30SyKRVsONdOyT2juECkCvw/yoGpao6rEUcygjunCsOd8d1DPljm9zyis4jrD5DF2JdFNt8qmg 1dKXLVtRZtf61Q==; Received: from [87.69.77.57] (helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1qKZwy-0001sd-KU; Sat, 15 Jul 2023 03:44:20 -0400 Date: Sat, 15 Jul 2023 10:44:41 +0300 Message-Id: <834jm5ehzq.fsf@gnu.org> From: Eli Zaretskii To: =?utf-8?Q?=C5=81ukasz?= Stelmach In-Reply-To: <20230613112639.2550160-1-stlman@poczta.fm> (message from =?utf-8?Q?=C5=81ukasz?= Stelmach on Tue, 13 Jun 2023 13:26:39 +0200) Subject: Re: bug#64043: [PATCH] Export SHA-256 digest of a public key References: <20230613112639.2550160-1-stlman@poczta.fm> MIME-version: 1.0 Content-type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 64043-done Cc: 64043-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) > Cc: Łukasz Stelmach > From: Łukasz Stelmach > Date: Tue, 13 Jun 2023 13:26:39 +0200 > > * lisp/net/nsm.el (nsm-format-certificate): Show public key > digest (SHA-256 if available). Displaying the digest enables users > to verify the certificate with other tools like gnutls-cli(1) > which present much more detailed information. > > * src/gnutls (emacs_gnutls_certificate_details): Export SHA-256 public > key digest if supported by GnuTLS. Thanks, installed on the master branch, and closing the bug. ------------=_1689407102-5192-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 13 Jun 2023 11:35:07 +0000 Received: from localhost ([127.0.0.1]:41486 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1q92Ik-0001ti-RM for submit@debbugs.gnu.org; Tue, 13 Jun 2023 07:35:07 -0400 Received: from lists.gnu.org ([209.51.188.17]:36160) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1q92Ii-0001tY-9X for submit@debbugs.gnu.org; Tue, 13 Jun 2023 07:35:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1q92Ii-0002uq-3a for bug-gnu-emacs@gnu.org; Tue, 13 Jun 2023 07:35:04 -0400 Received: from smtpo71.interia.pl ([217.74.67.71]) by eggs.gnu.org with esmtps (TLS1.2:RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1q92If-0000o3-Dg for bug-gnu-emacs@gnu.org; Tue, 13 Jun 2023 07:35:03 -0400 Received: from localhost (unknown [213.134.173.245]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by www.poczta.fm (INTERIA.PL) with ESMTPSA; Tue, 13 Jun 2023 13:27:10 +0200 (CEST) From: =?UTF-8?q?=C5=81ukasz=20Stelmach?= To: bug-gnu-emacs@gnu.org Subject: [PATCH] Export SHA-256 digest of a public key Date: Tue, 13 Jun 2023 13:26:39 +0200 Message-Id: <20230613112639.2550160-1-stlman@poczta.fm> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 Organization: Samsung R&D Institute Poland Content-Transfer-Encoding: 8bit X-IPL-Priority-Group: 0-0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=interia.pl; s=biztos; t=1686655631; bh=pONKQ2NIuuqtoJrX4CTmM6Fz+eVcmSucagjwHH5gHh8=; h=From:To:Subject:Date:Message-Id:MIME-Version; b=F0zX5eNeUox6y/aQyfHEwCtjANzvL2GI7fEsG+bPw1pjzuyEo+AZCm2lAvq1syMX0 /YujQ7OL1Ci9MLoEDehf++pio1rh8rc4/s6Xd7BGsti5pvHSTxFOZGAE4s4nFQShDa p4+uzOitYqZOcI1YdJf0NGcYKcRS7nWeANEotxA0= Received-SPF: pass client-ip=217.74.67.71; envelope-from=stlman@poczta.fm; helo=smtpo71.interia.pl X-Spam_score_int: -25 X-Spam_score: -2.6 X-Spam_bar: -- X-Spam_report: (-2.6 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.4 (-) X-Debbugs-Envelope-To: submit Cc: =?UTF-8?q?=C5=81ukasz=20Stelmach?= X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.4 (--) * lisp/net/nsm.el (nsm-format-certificate): Show public key digest (SHA-256 if available). Displaying the digest enables users to verify the certificate with other tools like gnutls-cli(1) which present much more detailed information. * src/gnutls (emacs_gnutls_certificate_details): Export SHA-256 public key digest if supported by GnuTLS. --- lisp/net/nsm.el | 8 ++++++-- src/gnutls.c | 21 +++++++++++++++++++++ 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el index dc04bf50c24..7cbeb48f5be 100644 --- a/lisp/net/nsm.el +++ b/lisp/net/nsm.el @@ -1030,10 +1030,14 @@ nsm-format-certificate " Hostname:" (nsm-certificate-part (plist-get cert :subject) "CN" t) "\n") (when (and (plist-get cert :public-key-algorithm) - (plist-get cert :signature-algorithm)) + (plist-get cert :signature-algorithm) + (or (plist-get cert :public-key-id-sha256) + (plist-get cert :public-key-id))) (insert " Public key:" (plist-get cert :public-key-algorithm) - ", signature: " (plist-get cert :signature-algorithm) "\n")) + ", signature: " (plist-get cert :signature-algorithm) "\n" + " Public key ID:" (or (plist-get cert :public-key-id-sha256) + (plist-get cert :public-key-id)) "\n")) (when (and (plist-get status :key-exchange) (plist-get status :cipher) (plist-get status :mac) diff --git a/src/gnutls.c b/src/gnutls.c index 8f0e2d01703..e3f1093d977 100644 --- a/src/gnutls.c +++ b/src/gnutls.c @@ -51,6 +51,10 @@ # define HAVE_GNUTLS_ETM_STATUS # endif +# if GNUTLS_VERSION_NUMBER >= 0x030401 +# define HAVE_GNUTLS_KEYID_USE_SHA256 +# endif + # if GNUTLS_VERSION_NUMBER < 0x030600 # define HAVE_GNUTLS_COMPRESSION_GET # endif @@ -1278,6 +1282,23 @@ emacs_gnutls_certificate_details (gnutls_x509_crt_t cert) xfree (buf); } +#ifdef HAVE_GNUTLS_KEYID_USE_SHA256 + /* Public key ID, SHA-256 version. */ + buf_size = 0; + err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, NULL, &buf_size); + check_memory_full (err); + if (err == GNUTLS_E_SHORT_MEMORY_BUFFER) + { + void *buf = xmalloc (buf_size); + err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, buf, &buf_size); + check_memory_full (err); + if (err >= GNUTLS_E_SUCCESS) + res = nconc2 (res, list2 (intern (":public-key-id-sha256"), + gnutls_hex_string (buf, buf_size, "sha256:"))); + xfree (buf); + } +#endif + /* Certificate fingerprint. */ buf_size = 0; err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1, -- 2.30.2 ------------=_1689407102-5192-1--