Package: libnet-ssleay-perl
Version: 1.30-1
Severity: wishlist
Tags: patch

Hello,

(Patch submitted on behalf of Thierry Walrant)

Here is a small patch to add the possibility for a Perl script to
check the peer certificate fingerprints, e.g. in a similar way to what
fetchmail does.
This adds the capability to strongly authenticate the peer when
using Net::SSLeay.

Phil.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages libnet-ssleay-perl depends on:
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libssl0.9.8                 0.9.8c-4     SSL shared libraries
ii  perl                        5.8.8-7      Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.8.7]   5.8.8-7      The Pathologically Eclectic Rubbis

libnet-ssleay-perl recommends no packages.

-- no debconf information
--- libnet-ssleay-perl-1.30/SSLeay.xs	2005-12-15 18:06:54.000000000 +0100
+++ libnet-ssleay-perl-1.30/SSLeay.xs	2007-03-14 14:46:03.000000000 +0100
@@ -2506,6 +2506,46 @@
      int idx
 
 void
+X509_get_fingerprint(cert,type)
+		X509 * 	cert
+		char *	type
+	PREINIT:
+		const EVP_MD *digest_tp = NULL;
+		unsigned char digest[EVP_MAX_MD_SIZE];
+		unsigned int dsz, k = 0;
+		char text[EVP_MAX_MD_SIZE * 3 + 1];
+	CODE:
+		if (!k && !stricmp(type,"md5")) {
+		 	k = 1; digest_tp = EVP_md5();
+		}
+		if (!k && !stricmp(type,"sha1")) {
+			k = 1; digest_tp = EVP_sha1();
+		}
+		if (!k && !stricmp(type,"sha256")) {
+			k = 1; digest_tp = EVP_sha256();
+		}
+		if (!k && !stricmp(type,"ripemd160")) {
+			k = 1; digest_tp = EVP_ripemd160();
+		}
+		if (!k)	/* Default digest */
+			digest_tp = EVP_sha1();
+		if ( digest_tp == NULL ) {
+			/* Out of memory */
+			XSRETURN_UNDEF;
+		}
+		if (!X509_digest(cert, digest_tp, digest, &dsz)) {
+			/* Out of memory */
+			XSRETURN_UNDEF;
+		}
+		text[0] = '\0';
+		for(k=0; k<dsz; k++) {
+			sprintf(&text[strlen(text)], "%02X:", digest[k]);
+		}
+		text[strlen(text)-1] = '\0';
+		ST(0) = sv_newmortal();   /* Undefined to start with */
+		sv_setpvn( ST(0), text, strlen(text));
+
+void
 X509_get_subjectAltNames(cert)
      X509 *      cert
      PPCODE:
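
Review bot: An unrecognised `type` silently falls through to `if (!k) digest_tp = EVP_sha1();`, so a caller who misspells the digest name gets a SHA-1 fingerprint back with no sign that the request was not honoured. Because the result is meant for authenticating the peer, return undef (`XSRETURN_UNDEF`) for an unknown name, and keep SHA-1 as the default only for a missing or empty argument, if a default is wanted at all. The same four comparisons use `stricmp`, which is not a standard C or POSIX function; unless it is defined elsewhere in SSLeay.xs the build will fail against glibc, and `strcasecmp` is the portable choice here. Smaller points: both `/* Out of memory */` comments are misleading, since a NULL `digest_tp` or a failed `X509_digest` need not be an allocation failure; `k` serves as both match flag and loop index, which makes the dispatch harder to read; `text[strlen(text)-1] = '\0'` would write before the buffer if `dsz` were ever 0, so a `dsz > 0` guard is cheap insurance; and the visible diff touches only SSLeay.xs, so the new function arrives without documentation or a test.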
