From: Julian Scheid <julians37@gmail.com>
To: Lars Ingebrigtsen <larsi@gnus.org>
Cc: 35787@debbugs.gnu.org
Subject: bug#35787: 26.2; gnutls: accessing raw server certificate data
Date: Mon, 8 Jul 2019 22:20:46 -0600
Message-ID: <CAD1CDTUFXkhuGyiJcsR5QiRyyZ9gDp+V6N=-ip85_M4p4crp5A@mail.gmail.com>
In-Reply-To: <87r270dj2l.fsf@mouse.gnus.org>

On Mon, Jul 8, 2019 at 8:43 PM Lars Ingebrigtsen <larsi@gnus.org> wrote:
>
> Julian Scheid <julians37@gmail.com> writes:
> > Currently, `gnutls-peer-status' only allows accessing high-level
> > information extracted from the certificate, such as the issuer, but not
> > the certificate data itself.
>
> Other details are returned in the process object, like
> gnutls_x509_crt_get_fingerprint of the certificate.

Thanks for pointing this out, but it appears to be hardwired to use
SHA-1 when RFC 5929 requires the hash to use signatureAlgorithm,
or SHA-256 when signatureAlgorithm is MD5 or SHA-1.

> Does this hash relate in any way to gnutls_x509_crt_get_fingerprint?

I _think_ gnutls_x509_crt_get_fingerprint could be used here, although
I haven't verified yet that it satisfies the following requirement
from RFC 5929:

> The hash of the TLS server's certificate [RFC5280] as it appears,
> octet for octet, in the server's Certificate message.

I would assume that it does, though.

So, to make this work it looks like I'd need either

1) the fingerprint, but using the hash function as required by the RFC, or
2) the certificate as a binary blob.

Thanks again,
Julian

On Mon, Jul 8, 2019 at 8:43 PM Lars Ingebrigtsen <larsi@gnus.org> wrote:
> Julian Scheid <julians37@gmail.com> writes:
>
> > Hello, I would like to request a feature: accessing the raw certificate
> > of a server connected to via `gnutls-negotiate' (or such).
> >
> > Currently, `gnutls-peer-status' only allows accessing high-level
> > information extracted from the certificate, such as the issuer, but not
> > the certificate data itself.
>
> Other details are returned in the process object, like
> gnutls_x509_crt_get_fingerprint of the certificate.
>
> > Access to the raw certificate data would allow implementing the
> > `tls-server-endpoint' channel binding type as per
> > https://tools.ietf.org/html/rfc5929#section-4.1 , which requires
> >> [t]he hash of the TLS server's certificate [RFC5280] as it
> >> appears, octet for octet, in the server's Certificate message. Note
> >> that the Certificate message contains a certificate_list, in which
> >> the first element is the server's certificate.
>
> Does this hash relate in any way to gnutls_x509_crt_get_fingerprint?
>
> --
> (domestic pets only, the antidote for overdose, milk.)
> bloggy blog: http://lars.ingebrigtsen.no
>
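
The hash selection discussed in this message, as an added example that is not code from Emacs, GnuTLS or either poster: it reads signatureAlgorithm from the DER certificate with a minimal parser, applies the RFC 5929 section 4.1 rule (SHA-256 in place of MD5 or SHA-1, otherwise the algorithm's own hash, undefined when there is no single hash), and hashes the octets as received. The function names, the OID table (a subset) and the `sample_certificate` skeleton are assumptions constructed for illustration.

```python
import hashlib

# signatureAlgorithm OID (hex of DER content octets) -> hash to use.
# MD5- and SHA-1-based algorithms map to SHA-256 (RFC 5929, section 4.1).
SIG_OID_TO_HASH = {
    "2a864886f70d010104": "sha256",  # md5WithRSAEncryption (upgraded)
    "2a864886f70d010105": "sha256",  # sha1WithRSAEncryption (upgraded)
    "2a8648ce3d0401": "sha256",      # ecdsa-with-SHA1 (upgraded)
    "2a864886f70d01010b": "sha256",  # sha256WithRSAEncryption
    "2a864886f70d01010c": "sha384",  # sha384WithRSAEncryption
    "2a864886f70d01010d": "sha512",  # sha512WithRSAEncryption
    "2a8648ce3d040302": "sha256",    # ecdsa-with-SHA256
    "2a8648ce3d040303": "sha384",    # ecdsa-with-SHA384
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_algorithm_oid(cert_der):
    """Hex OID of Certificate.signatureAlgorithm (second field of the outer SEQUENCE)."""
    outer_tag, start, _ = read_tlv(cert_der, 0)
    _, _, tbs_end = read_tlv(cert_der, start)             # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(cert_der, tbs_end)   # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if (outer_tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 Certificate structure")
    return cert_der[oid_start:oid_end].hex()

def tls_server_endpoint(cert_der):
    """Return (hash_name, digest) over the certificate octets exactly as received."""
    oid = signature_algorithm_oid(cert_der)
    if oid not in SIG_OID_TO_HASH:  # e.g. Ed25519: no single hash is defined
        raise ValueError("no hash defined for signatureAlgorithm OID " + oid)
    name = SIG_OID_TO_HASH[oid]
    return name, hashlib.new(name, cert_der).digest()

def sample_certificate(oid_hex):
    """Constructed sample: Certificate-shaped DER with dummy fields, not a real certificate."""
    oid = bytes.fromhex(oid_hex)
    alg_body = bytes([0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x02" + bytes([0x30, len(alg_body)]) + alg_body + b"\x03\x02\x00\xaa"
    return bytes([0x30, len(body)]) + body
```

A fixed SHA-1 fingerprint of a sha1WithRSAEncryption certificate is 20 bytes, while the binding computed here for the same certificate is the 32-byte SHA-256 digest, so the two cannot be substituted for each other.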
Thread overview: 6+ messages
2019-05-18 1:48 bug#35787: 26.2; gnutls: accessing raw server certificate data Julian Scheid
2019-07-09 2:42 ` Lars Ingebrigtsen
2019-07-09 4:20 ` Julian Scheid [this message]
2019-07-09 13:44 ` Lars Ingebrigtsen
2019-09-24 5:44 ` Lars Ingebrigtsen
2019-09-24 7:36 ` Julian Scheid