GNU bug report logs - #64043
[PATCH] Export SHA-256 digest of a public key

Previous Next

Package: emacs;

Reported by: Łukasz Stelmach <stlman <at> poczta.fm>

Date: Tue, 13 Jun 2023 11:36:01 UTC

Severity: normal

Tags: patch

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Łukasz Stelmach <stlman <at> poczta.fm>
To: bug-gnu-emacs <at> gnu.org
Cc: Łukasz Stelmach <stlman <at> poczta.fm>
Subject: [PATCH] Export SHA-256 digest of a public key
Date: Tue, 13 Jun 2023 13:26:39 +0200

* lisp/net/nsm.el (nsm-format-certificate): Show public key
digest (SHA-256 if available). Displaying the digest enables users
to verify the certificate with other tools like gnutls-cli(1)
which present much more detailed information.

* src/gnutls (emacs_gnutls_certificate_details): Export SHA-256 public
key digest if supported by GnuTLS.
---
 lisp/net/nsm.el |  8 ++++++--
 src/gnutls.c    | 21 +++++++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index dc04bf50c24..7cbeb48f5be 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -1030,10 +1030,14 @@ nsm-format-certificate
 	 "  Hostname:"
 	 (nsm-certificate-part (plist-get cert :subject) "CN" t) "\n")
 	(when (and (plist-get cert :public-key-algorithm)
-		   (plist-get cert :signature-algorithm))
+		   (plist-get cert :signature-algorithm)
+		   (or (plist-get cert :public-key-id-sha256)
+		       (plist-get cert :public-key-id)))
 	  (insert
 	   "  Public key:" (plist-get cert :public-key-algorithm)
-	   ", signature: " (plist-get cert :signature-algorithm) "\n"))
+	   ", signature: " (plist-get cert :signature-algorithm) "\n"
+	   "  Public key ID:" (or (plist-get cert :public-key-id-sha256)
+				  (plist-get cert :public-key-id)) "\n"))
         (when (and (plist-get status :key-exchange)
 		   (plist-get status :cipher)
 		   (plist-get status :mac)
diff --git a/src/gnutls.c b/src/gnutls.c
index 8f0e2d01703..e3f1093d977 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -51,6 +51,10 @@
 #  define HAVE_GNUTLS_ETM_STATUS
 # endif
 
+# if GNUTLS_VERSION_NUMBER >= 0x030401
+#  define HAVE_GNUTLS_KEYID_USE_SHA256
+# endif
+
 # if GNUTLS_VERSION_NUMBER < 0x030600
 #  define HAVE_GNUTLS_COMPRESSION_GET
 # endif
@@ -1278,6 +1282,23 @@ emacs_gnutls_certificate_details (gnutls_x509_crt_t cert)
       xfree (buf);
     }
 
+#ifdef HAVE_GNUTLS_KEYID_USE_SHA256
+  /* Public key ID, SHA-256 version. */
+  buf_size = 0;
+  err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, NULL, &buf_size);
+  check_memory_full (err);
+  if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
+    {
+      void *buf = xmalloc (buf_size);
+      err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, buf, &buf_size);
+      check_memory_full (err);
+      if (err >= GNUTLS_E_SUCCESS)
+	res = nconc2 (res, list2 (intern (":public-key-id-sha256"),
+				  gnutls_hex_string (buf, buf_size, "sha256:")));
+      xfree (buf);
+    }
+#endif
+
   /* Certificate fingerprint. */
   buf_size = 0;
   err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
-- 
2.30.2
This bug report was last modified 2 years and 2 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.