Skip Menu |
 

This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 110361
Status: open
Priority: 0/
Queue: Net-SSLeay

People
Owner: Nobody in particular
Requestors: guilhem [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Please export X509_get_X509_PUBKEY to return certificate SPKIs
Download (untitled) / with headers
text/plain 2.1k
Openssl X509_get_pubkey's is already available. But as Victor Duchovni puts it [0], "This is not the subjectPublicKeyInfo. It is just the key bits, sans algorithm and parameters. A common pitfall is to mistake this for the subjectPublicKeyInfo or to assume that X509_pubkey_digest() returns the digest of the subjectPublicKeyInfo." The full certificate digest (SPKI), including algorithm and parameters, is accessible by Openssl X509_get_X509_PUBKEY's instead, which is currently not available in Net::SSLeay. In another message to OpenSSL-users mailing list, Victor Duchovni wrote [1]: "The full certificate digest, with a suitably second-preimage resistant hash can be used a compact proxy for the full certificate, and some applications (e.g. RFC 6698 DANE TLSA) encourage or at least support the use of digests as secure replacements for the underlying certificate. The same can be said of the digest of the full public key (algorithm, parameters and key data), when one wants to trust the holder of the private key rather than any particular CA's name binding to that key. And indeed RFC 6698 also supports public-key fingerprint security bindings." This hopefully justifies the need of a function returning the Subject Public Key Info (SPKI) in Net::SSLeay. Here is some code to export X509_get_X509_PUBKEY. --8<----------------------------------------------------------------------8>-- void X509_get_X509_PUBKEY(x) const X509 *x PPCODE: X509_PUBKEY *pkey; STRLEN len; unsigned char *pc, *pi; if (!(pkey = X509_get_X509_PUBKEY(x))) croak("invalid certificate"); if (!(len = i2d_X509_PUBKEY(pkey, NULL))) croak("invalid certificate public key"); Newx(pc,len,unsigned char); if (!pc) croak("out of memory"); pi = pc; i2d_X509_PUBKEY(pkey, &pi); if (pi-pc != len) croak("invalid encoded length"); XPUSHs(sv_2mortal(newSVpv((char*)pc,len))); Safefree(pc); --8<----------------------------------------------------------------------8>-- [0] http://openssl.6102.n7.nabble.com/X509-and-Extract-Public-Key-td43623.html#a43626 [1] http://openssl.6102.n7.nabble.com/X509-digest-and-X509-pubkey-digest-tp43302.html
Subject: Re: [rt.cpan.org #110361] Please export X509_get_X509_PUBKEY to return certificate SPKIs
Date: Wed, 16 Dec 2015 07:24:28 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Hi, thanks for your note and careful explanation. Your patch and a test case are now in SVN 458 and will appear in the next release. Cheers. On Tuesday, December 15, 2015 11:59:20 AM Guilhem Moulin via RT wrote: Show quoted text
> Tue Dec 15 11:59:19 2015: Request 110361 was acted upon. > Transaction: Ticket created by GUILHEM > Queue: Net-SSLeay > Subject: Please export X509_get_X509_PUBKEY to return certificate SPKIs > Broken in: (no value) > Severity: (no value) > Owner: Nobody > Requestors: guilhem@cpan.org > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=110361 > > > > Openssl X509_get_pubkey's is already available. But as Victor Duchovni puts > it [0], > > "This is not the subjectPublicKeyInfo. It is just the key bits, sans > algorithm and parameters. A common pitfall is to mistake this for > the subjectPublicKeyInfo or to assume that X509_pubkey_digest() > returns the digest of the subjectPublicKeyInfo." > > The full certificate digest (SPKI), including algorithm and parameters, is > accessible by Openssl X509_get_X509_PUBKEY's instead, which is currently not > available in Net::SSLeay. In another message to OpenSSL-users mailing > list, Victor Duchovni wrote [1]: > > "The full certificate digest, with a suitably second-preimage > resistant hash can be used a compact proxy for the full certificate, > and some applications (e.g. RFC 6698 DANE TLSA) encourage or at least > support the use of digests as secure replacements for the underlying > certificate. > The same can be said of the digest of the full public key (algorithm, > parameters and key data), when one wants to trust the holder of > the private key rather than any particular CA's name binding to > that key. And indeed RFC 6698 also supports public-key fingerprint > security bindings." > > This hopefully justifies the need of a function returning the Subject Public > Key Info (SPKI) in Net::SSLeay. Here is some code to export > X509_get_X509_PUBKEY. > > --8<----------------------------------------------------------------------8> > -- void > X509_get_X509_PUBKEY(x) > const X509 *x > PPCODE: > X509_PUBKEY *pkey; > STRLEN len; > unsigned char *pc, *pi; > if (!(pkey = X509_get_X509_PUBKEY(x))) croak("invalid certificate"); > if (!(len = i2d_X509_PUBKEY(pkey, NULL))) croak("invalid certificate > public key"); Newx(pc,len,unsigned char); > if (!pc) croak("out of memory"); > pi = pc; > i2d_X509_PUBKEY(pkey, &pi); > if (pi-pc != len) croak("invalid encoded length"); > XPUSHs(sv_2mortal(newSVpv((char*)pc,len))); > Safefree(pc); > --8<----------------------------------------------------------------------8> > -- > > > [0] > http://openssl.6102.n7.nabble.com/X509-and-Extract-Public-Key-td43623.html# > a43626 [1] > http://openssl.6102.n7.nabble.com/X509-digest-and-X509-pubkey-digest-tp4330 > 2.html
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474
Download (untitled) / with headers
text/plain 225b
On Tue Dec 15 16:24:43 2015, mikem@airspayce.com wrote: Show quoted text
> Your patch and a test case are now in SVN 458 and will appear in the next release.
Thanks for the prompt action! I also attached a patch to document the new method.
Subject: X509_get_X509_PUBKEY.patch
diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod index c403b14..c5609e6 100644 --- a/lib/Net/SSLeay.pod +++ b/lib/Net/SSLeay.pod @@ -5234,6 +5234,21 @@ Returns public key corresponding to given X509 object $x. # # returns: value corresponding to openssl's EVP_PKEY structure (0 on failure) +B<NOTE:> This method returns only the public key's key bits, without the +algorithm or parameters. Use C<X509_get_X509_PUBKEY()> to return the full +public key (SPKI) instead. + +=item * X509_get_X509_PUBKEY + +B<COMPATIBILITY:> not available in Net-SSLeay-1.72 and before + +Returns the full public key (SPKI) of given X509 certificate $x. + + Net::SSLeay::X509_get_X509_PUBKEY($x); + # $x - value corresponding to openssl's X509 structure + # + # returns: public key data in DER format (binary) + =item * X509_get_serialNumber B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before
Subject: Re: [rt.cpan.org #110361] Please export X509_get_X509_PUBKEY to return certificate SPKIs
Date: Tue, 22 Dec 2015 09:40:16 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Download (untitled) / with headers
text/plain 618b
Thanks. Patched in SVN 459 Cheers. On Monday, December 21, 2015 06:28:22 PM you wrote: Show quoted text
> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=110361 > > > On Tue Dec 15 16:24:43 2015, mikem@airspayce.com wrote:
> > Your patch and a test case are now in SVN 458 and will appear in the next > > release.
> Thanks for the prompt action! I also attached a patch to document the new > method.
-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.