Show SHA-256 digest of a public key in 'nsm-format-certificate'

* lisp/net/nsm.el (nsm-format-certificate): Show public key
digest (SHA-256 if available).  Displaying the digest enables
users to verify the certificate with other tools like 'gnutls-cli'
which present much more detailed information.

* src/gnutls (emacs_gnutls_certificate_details): Export SHA-256
public key digest if supported by GnuTLS.  (Bug#64043)

diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index dc04bf50c24582712d4214390a8aacb6fe36a297..7cbeb48f5be4a2b7bac2aa9f006e8c9fafbcbf5e 100644 (file)
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -1030,10 +1030,14 @@ protocol."
         "  Hostname:"
         (nsm-certificate-part (plist-get cert :subject) "CN" t) "\n")
        (when (and (plist-get cert :public-key-algorithm)
-                  (plist-get cert :signature-algorithm))
+                  (plist-get cert :signature-algorithm)
+                  (or (plist-get cert :public-key-id-sha256)
+                      (plist-get cert :public-key-id)))
          (insert
           "  Public key:" (plist-get cert :public-key-algorithm)
-          ", signature: " (plist-get cert :signature-algorithm) "\n"))
+          ", signature: " (plist-get cert :signature-algorithm) "\n"
+          "  Public key ID:" (or (plist-get cert :public-key-id-sha256)
+                                 (plist-get cert :public-key-id)) "\n"))
         (when (and (plist-get status :key-exchange)
                   (plist-get status :cipher)
                   (plist-get status :mac)

diff --git a/src/gnutls.c b/src/gnutls.c
index 8f0e2d0170398165fa253a91870552fe40e7e392..e3f1093d97768bed14623a928f2253fe8bcd89be 100644 (file)
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -51,6 +51,10 @@ along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.  */
 #  define HAVE_GNUTLS_ETM_STATUS
 # endif
 
+# if GNUTLS_VERSION_NUMBER >= 0x030401
+#  define HAVE_GNUTLS_KEYID_USE_SHA256
+# endif
+
 # if GNUTLS_VERSION_NUMBER < 0x030600
 #  define HAVE_GNUTLS_COMPRESSION_GET
 # endif
@@ -1278,6 +1282,23 @@ emacs_gnutls_certificate_details (gnutls_x509_crt_t cert)
       xfree (buf);
     }
 
+#ifdef HAVE_GNUTLS_KEYID_USE_SHA256
+  /* Public key ID, SHA-256 version. */
+  buf_size = 0;
+  err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, NULL, &buf_size);
+  check_memory_full (err);
+  if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
+    {
+      void *buf = xmalloc (buf_size);
+      err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, buf, &buf_size);
+      check_memory_full (err);
+      if (err >= GNUTLS_E_SUCCESS)
+       res = nconc2 (res, list2 (intern (":public-key-id-sha256"),
+                                 gnutls_hex_string (buf, buf_size, "sha256:")));
+      xfree (buf);
+    }
+#endif
+
   /* Certificate fingerprint. */
   buf_size = 0;
   err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,