libsec: implement SPKI fingerprinting for okCertificate()

Instead of only using a hash over the whole certificate for white/black-listing, now we can also use a hash over the Subject Public Key Info (SPKI) field of the certificate which contians the public key algorithm and the public key itself. This allows certificates to be renewed independendtly of the public key. X509dump() now prints the public key thumbprint in addition to the certificate thumbprint. tlsclient will print the certificate when run with -D flag. okCertificate() will print the public key thumbprint in its error string when no match has been found.
author: cinap_lenrek <cinap_lenrek@felloff.net> 2017-12-30 03:07:47 +0100
committer: cinap_lenrek <cinap_lenrek@felloff.net> 2017-12-30 03:07:47 +0100
commit: 57f8b6ec7591007ff22627038b51c4f4aa2a9be8 (patch)
tree: 3d4cbe53bdb48b2c2b4145bafb5b4f2853f638fa /sys/src/cmd
parent: b42d441a230bad9fd1ae8e3543b1c0f28c7c62aa (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/src/cmd/tlsclient.c b/sys/src/cmd/tlsclient.c
index 1b79fb739..7be56c279 100644
--- a/sys/src/cmd/tlsclient.c
+++ b/sys/src/cmd/tlsclient.c
@@ -49,6 +49,8 @@ main(int argc, char **argv)
 	Thumbprint *thumb;
 	AuthInfo *ai = nil;
 
+	fmtinstall('B', mpfmt);
+	fmtinstall('[', encodefmt);
 	fmtinstall('H', encodefmt);
 
 	ARGBEGIN{
@@ -122,6 +124,9 @@ main(int argc, char **argv)
 	if(fd < 0)
 		sysfatal("tlsclient: %r");
 
+	if(debug)
+		X509dump(conn->cert, conn->certlen);
+
 	if(thumb){
 		if(!okCertificate(conn->cert, conn->certlen, thumb))
 			sysfatal("cert for %s not recognized: %r", servername ? servername : addr);
author	cinap_lenrek <cinap_lenrek@felloff.net>	2017-12-30 03:07:47 +0100
committer	cinap_lenrek <cinap_lenrek@felloff.net>	2017-12-30 03:07:47 +0100
commit	57f8b6ec7591007ff22627038b51c4f4aa2a9be8 (patch)
tree	3d4cbe53bdb48b2c2b4145bafb5b4f2853f638fa /sys/src/cmd
parent	b42d441a230bad9fd1ae8e3543b1c0f28c7c62aa (diff)