int asn1encodeRSApub(RSApub *pk, uchar *buf, int len);
int asn1encodedigest(DigestState* (*fun)(uchar*, ulong, uchar*, DigestState*),
uchar *digest, uchar *buf, int len);
-
+
+int X509digestSPKI(uchar *, int, DigestState* (*)(uchar*, ulong, uchar*, DigestState*), uchar *);
+
/*
* elgamal
*/
int asn1encodedigest(DigestState* (*fun)(uchar*, ulong, uchar*, DigestState*),
uchar *digest, uchar *buf, int len);
+int X509digestSPKI(uchar *, int, DigestState* (*)(uchar*, ulong, uchar*, DigestState*), uchar *);
/*
* elgamal
(and, optionally, the
.B -x
flag)
-is given, the remote server must present a key
-whose SHA1 hash is listed in
-the file
+is given, the remote server must present a public key
+whose SHA1 or SHA256 hash is listed in the file
.I trustedkeys
but not in the file
.IR excludedkeys .
Thumbprint *thumb;
AuthInfo *ai = nil;
+ fmtinstall('B', mpfmt);
+ fmtinstall('[', encodefmt);
fmtinstall('H', encodefmt);
ARGBEGIN{
if(fd < 0)
sysfatal("tlsclient: %r");
+ if(debug)
+ X509dump(conn->cert, conn->certlen);
+
if(thumb){
if(!okCertificate(conn->cert, conn->certlen, thumb))
sysfatal("cert for %s not recognized: %r", servername ? servername : addr);
if(okThumbprint(hash, SHA2_256dlen, table))
return 1;
+ if(X509digestSPKI(cert, len, sha2_256, hash) < 0)
+ return 0;
+ if(okThumbprint(hash, SHA2_256dlen, table))
+ return 1;
+
len = enc64(thumb, sizeof(thumb), hash, SHA2_256dlen);
while(len > 0 && thumb[len-1] == '=')
len--;
return cert;
}
+static void
+digestSPKI(int alg, uchar *pubkey, int npubkey, DigestState* (*fun)(uchar*, ulong, uchar*, DigestState*), uchar *digest)
+{
+ Bytes *b = nil;
+ Elem e = mkseq(mkel(mkalg(alg), mkel(mkbits(pubkey, npubkey), nil)));
+ encode(e, &b);
+ freevalfields(&e.val);
+ (*fun)(b->data, b->len, digest, nil);
+ freebytes(b);
+}
+
+int
+X509digestSPKI(uchar *cert, int ncert, DigestState* (*fun)(uchar*, ulong, uchar*, DigestState*), uchar *digest)
+{
+ CertX509 *c;
+
+ c = decode_cert(cert, ncert);
+ if(c == nil){
+ werrstr("cannot decode cert");
+ return -1;
+ }
+ digestSPKI(c->publickey_alg, c->publickey->data, c->publickey->len, fun, digest);
+ freecert(c);
+ return 0;
+}
+
static char*
tagdump(Tag tag)
{
ecdomfree(&ecdom);
break;
}
+
+ digestSPKI(c->publickey_alg, c->publickey->data, c->publickey->len, sha2_256, digest);
+ print("publickey_thumbprint sha256=%.*[\n", SHA2_256dlen, digest);
+
+ sha2_256(cert, ncert, digest, nil);
+ print("cert_thumbprint sha256=%.*[\n", SHA2_256dlen, digest);
+
+ sha1(cert, ncert, digest, nil);
+ print("cert_thumbprint sha1=%.*H\n", SHA1dlen, digest);
+
freecert(c);
print("end X509dump\n");
}