From: Ɓukasz Stelmach
Date: Tue, 13 Jun 2023 11:26:39 +0000 (+0200)
Subject: Show SHA-256 digest of a public key in 'nsm-format-certificate'
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=3021a0656f31c03ebfcaf535e54605c76acf23b6;p=emacs.git

Show SHA-256 digest of a public key in 'nsm-format-certificate'

* lisp/net/nsm.el (nsm-format-certificate): Show public key digest (SHA-256 if available). Displaying the digest enables users to verify the certificate with other tools like 'gnutls-cli' which present much more detailed information.
* src/gnutls (emacs_gnutls_certificate_details): Export SHA-256 public key digest if supported by GnuTLS. (Bug#64043)
---
diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index dc04bf50c24..7cbeb48f5be 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -1030,10 +1030,14 @@ protocol."
 " Hostname:" (nsm-certificate-part (plist-get cert :subject) "CN" t) "\n")
 (when (and (plist-get cert :public-key-algorithm)
- (plist-get cert :signature-algorithm))
+ (plist-get cert :signature-algorithm)
+ (or (plist-get cert :public-key-id-sha256)
+ (plist-get cert :public-key-id)))
 (insert " Public key:" (plist-get cert :public-key-algorithm)
- ", signature: " (plist-get cert :signature-algorithm) "\n"))
+ ", signature: " (plist-get cert :signature-algorithm) "\n"
+ " Public key ID:" (or (plist-get cert :public-key-id-sha256)
+ (plist-get cert :public-key-id)) "\n"))
 (when (and (plist-get status :key-exchange)
 (plist-get status :cipher)
 (plist-get status :mac)
diff --git a/src/gnutls.c b/src/gnutls.c
index 8f0e2d01703..e3f1093d977 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -51,6 +51,10 @@ along with GNU Emacs. If not, see . */
 # define HAVE_GNUTLS_ETM_STATUS
 # endif
 
+# if GNUTLS_VERSION_NUMBER >= 0x030401
+# define HAVE_GNUTLS_KEYID_USE_SHA256
+# endif
+
 # if GNUTLS_VERSION_NUMBER < 0x030600
 # define HAVE_GNUTLS_COMPRESSION_GET
 # endif
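Review bot: The `(or (plist-get cert :public-key-id-sha256) (plist-get cert :public-key-id))` clause added to the `and` guard makes the whole "Public key:"/"signature:" line disappear when neither key ID is present in the plist, whereas before the change that line only required the two algorithm fields. Giving the ID its own guard keeps the old output intact and evaluates the `or` once: after the existing `insert`, add `(let ((id (or (plist-get cert :public-key-id-sha256) (plist-get cert :public-key-id))))` / `(when id (insert " Public key ID:" id "\n")))`. The fallback :public-key-id is presumably the older SHA-1 key identifier, so the label "Public key ID:" alone does not tell the reader which digest is shown; the prefix on the hex string is the only cue, and a short comment such as `;; Prefer the SHA-256 key ID; :public-key-id is the legacy digest.` would make that explicit. `nsm-format-certificate` starts and ends outside the hunk.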
@@ -1278,6 +1282,23 @@ emacs_gnutls_certificate_details (gnutls_x509_crt_t cert)
 xfree (buf);
 }
 
+#ifdef HAVE_GNUTLS_KEYID_USE_SHA256
+ /* Public key ID, SHA-256 version. */
+ buf_size = 0;
+ err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, NULL, &buf_size);
+ check_memory_full (err);
+ if (err == GNUTLS_E_SHORT_MEMORY_BUFFER)
+ {
+ void *buf = xmalloc (buf_size);
+ err = gnutls_x509_crt_get_key_id (cert, GNUTLS_KEYID_USE_SHA256, buf, &buf_size);
+ check_memory_full (err);
+ if (err >= GNUTLS_E_SUCCESS)
+ res = nconc2 (res, list2 (intern (":public-key-id-sha256"),
+ gnutls_hex_string (buf, buf_size, "sha256:")));
+ xfree (buf);
+ }
+#endif
+
 /* Certificate fingerprint. */
 buf_size = 0;
 err = gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1,
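Review bot: The SHA-256 block repeats the SHA-1 key-ID block whose tail (`xfree (buf); }`) is the hunk's leading context, line for line except for the flag, the property name and the hex prefix, so a static helper taking those three as parameters would leave a single copy of the probe-size/allocate/retry sequence to maintain. Inside the block, `xfree (buf)` only runs on normal completion: if `gnutls_hex_string` or `nconc2` signals (building the Lisp string can presumably hit memory_full), the xmalloc'd buffer leaks, which `record_unwind_protect_ptr (xfree, buf)` plus `unbind_to` avoids, and the same applies to the pre-existing SHA-1 block. The helper below folds both points together; `emacs_gnutls_certificate_details` starts and ends outside the hunk.
```c
/* Append to RES the key ID of CERT computed with FLAGS, as property SYM
   holding a hex string prefixed by PREFIX.  RES is returned unchanged
   when GnuTLS cannot supply the ID.  */
static Lisp_Object
gnutls_key_id_property (Lisp_Object res, gnutls_x509_crt_t cert,
                        unsigned flags, const char *sym, const char *prefix)
{
  size_t buf_size = 0;
  int err = gnutls_x509_crt_get_key_id (cert, flags, NULL, &buf_size);
  check_memory_full (err);
  if (err != GNUTLS_E_SHORT_MEMORY_BUFFER)
    return res;

  specpdl_ref count = SPECPDL_INDEX ();
  void *buf = xmalloc (buf_size);
  /* Release BUF even if building the Lisp string signals.  */
  record_unwind_protect_ptr (xfree, buf);
  err = gnutls_x509_crt_get_key_id (cert, flags, buf, &buf_size);
  check_memory_full (err);
  if (err >= GNUTLS_E_SUCCESS)
    res = nconc2 (res, list2 (intern (sym),
                              gnutls_hex_string (buf, buf_size, prefix)));
  return unbind_to (count, res);
}

/* … unchanged: emacs_gnutls_certificate_details up to the SHA-1 key ID … */
#ifdef HAVE_GNUTLS_KEYID_USE_SHA256
  /* Public key ID, SHA-256 version.  */
  res = gnutls_key_id_property (res, cert, GNUTLS_KEYID_USE_SHA256,
                                ":public-key-id-sha256", "sha256:");
#endif
```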