Bug #110361 for Net-SSLeay: Please export X509_get_X509

Tue Dec 15 11:59:19 2015 guilhem [...] cpan.org - Ticket created

Subject:

Please export X509_get_X509_PUBKEY to return certificate SPKIs

Openssl X509_get_pubkey's is already available. But as Victor Duchovni puts it [0], "This is not the subjectPublicKeyInfo. It is just the key bits, sans algorithm and parameters. A common pitfall is to mistake this for the subjectPublicKeyInfo or to assume that X509_pubkey_digest() returns the digest of the subjectPublicKeyInfo." The full certificate digest (SPKI), including algorithm and parameters, is accessible by Openssl X509_get_X509_PUBKEY's instead, which is currently not available in Net::SSLeay. In another message to OpenSSL-users mailing list, Victor Duchovni wrote [1]: "The full certificate digest, with a suitably second-preimage resistant hash can be used a compact proxy for the full certificate, and some applications (e.g. RFC 6698 DANE TLSA) encourage or at least support the use of digests as secure replacements for the underlying certificate. The same can be said of the digest of the full public key (algorithm, parameters and key data), when one wants to trust the holder of the private key rather than any particular CA's name binding to that key. And indeed RFC 6698 also supports public-key fingerprint security bindings." This hopefully justifies the need of a function returning the Subject Public Key Info (SPKI) in Net::SSLeay. Here is some code to export X509_get_X509_PUBKEY. --8<----------------------------------------------------------------------8>-- void X509_get_X509_PUBKEY(x) const X509 *x PPCODE: X509_PUBKEY *pkey; STRLEN len; unsigned char *pc, *pi; if (!(pkey = X509_get_X509_PUBKEY(x))) croak("invalid certificate"); if (!(len = i2d_X509_PUBKEY(pkey, NULL))) croak("invalid certificate public key"); Newx(pc,len,unsigned char); if (!pc) croak("out of memory"); pi = pc; i2d_X509_PUBKEY(pkey, &pi); if (pi-pc != len) croak("invalid encoded length"); XPUSHs(sv_2mortal(newSVpv((char*)pc,len))); Safefree(pc); --8<----------------------------------------------------------------------8>-- [0] http://openssl.6102.n7.nabble.com/X509-and-Extract-Public-Key-td43623.html#a43626 [1] http://openssl.6102.n7.nabble.com/X509-digest-and-X509-pubkey-digest-tp43302.html

Tue Dec 15 16:24:43 2015 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #110361] Please export X509_get_X509_PUBKEY to return certificate SPKIs
Date:	Wed, 16 Dec 2015 07:24:28 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Hi, thanks for your note and careful explanation. Your patch and a test case are now in SVN 458 and will appear in the next release. Cheers. On Tuesday, December 15, 2015 11:59:20 AM Guilhem Moulin via RT wrote: Show quoted text

> Tue Dec 15 11:59:19 2015: Request 110361 was acted upon. > Transaction: Ticket created by GUILHEM > Queue: Net-SSLeay > Subject: Please export X509_get_X509_PUBKEY to return certificate SPKIs > Broken in: (no value) > Severity: (no value) > Owner: Nobody > Requestors: guilhem@cpan.org > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=110361 > > > > Openssl X509_get_pubkey's is already available. But as Victor Duchovni puts > it [0], > > "This is not the subjectPublicKeyInfo. It is just the key bits, sans > algorithm and parameters. A common pitfall is to mistake this for > the subjectPublicKeyInfo or to assume that X509_pubkey_digest() > returns the digest of the subjectPublicKeyInfo." > > The full certificate digest (SPKI), including algorithm and parameters, is > accessible by Openssl X509_get_X509_PUBKEY's instead, which is currently not > available in Net::SSLeay. In another message to OpenSSL-users mailing > list, Victor Duchovni wrote [1]: > > "The full certificate digest, with a suitably second-preimage > resistant hash can be used a compact proxy for the full certificate, > and some applications (e.g. RFC 6698 DANE TLSA) encourage or at least > support the use of digests as secure replacements for the underlying > certificate. > The same can be said of the digest of the full public key (algorithm, > parameters and key data), when one wants to trust the holder of > the private key rather than any particular CA's name binding to > that key. And indeed RFC 6698 also supports public-key fingerprint > security bindings." > > This hopefully justifies the need of a function returning the Subject Public > Key Info (SPKI) in Net::SSLeay. Here is some code to export > X509_get_X509_PUBKEY. > > --8<----------------------------------------------------------------------8> > -- void > X509_get_X509_PUBKEY(x) > const X509 *x > PPCODE: > X509_PUBKEY *pkey; > STRLEN len; > unsigned char *pc, *pi; > if (!(pkey = X509_get_X509_PUBKEY(x))) croak("invalid certificate"); > if (!(len = i2d_X509_PUBKEY(pkey, NULL))) croak("invalid certificate > public key"); Newx(pc,len,unsigned char); > if (!pc) croak("out of memory"); > pi = pc; > i2d_X509_PUBKEY(pkey, &pi); > if (pi-pc != len) croak("invalid encoded length"); > XPUSHs(sv_2mortal(newSVpv((char*)pc,len))); > Safefree(pc); > --8<----------------------------------------------------------------------8> > -- > > > [0] > http://openssl.6102.n7.nabble.com/X509-and-Extract-Public-Key-td43623.html# > a43626 [1] > http://openssl.6102.n7.nabble.com/X509-digest-and-X509-pubkey-digest-tp4330 > 2.html

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474

Tue Dec 15 16:24:44 2015 The RT System itself - Status changed from 'new' to 'open'

Mon Dec 21 18:28:21 2015 guilhem [...] cpan.org - Correspondence added

On Tue Dec 15 16:24:43 2015, mikem@airspayce.com wrote: Show quoted text

> Your patch and a test case are now in SVN 458 and will appear in the next release.

Thanks for the prompt action! I also attached a patch to document the new method.

Subject:

X509_get_X509_PUBKEY.patch

diff --git a/lib/Net/SSLeay.pod b/lib/Net/SSLeay.pod index c403b14..c5609e6 100644 --- a/lib/Net/SSLeay.pod +++ b/lib/Net/SSLeay.pod @@ -5234,6 +5234,21 @@ Returns public key corresponding to given X509 object $x. # # returns: value corresponding to openssl's EVP_PKEY structure (0 on failure) +B<NOTE:> This method returns only the public key's key bits, without the +algorithm or parameters. Use C<X509_get_X509_PUBKEY()> to return the full +public key (SPKI) instead. + +=item * X509_get_X509_PUBKEY + +B<COMPATIBILITY:> not available in Net-SSLeay-1.72 and before + +Returns the full public key (SPKI) of given X509 certificate $x. + + Net::SSLeay::X509_get_X509_PUBKEY($x); + # $x - value corresponding to openssl's X509 structure + # + # returns: public key data in DER format (binary) + =item * X509_get_serialNumber B<COMPATIBILITY:> not available in Net-SSLeay-1.45 and before

Mon Dec 21 18:40:36 2015 mikem [...] airspayce.com - Correspondence added

Subject:	Re: [rt.cpan.org #110361] Please export X509_get_X509_PUBKEY to return certificate SPKIs
Date:	Tue, 22 Dec 2015 09:40:16 +1000
To:	bug-Net-SSLeay [...] rt.cpan.org
From:	Mike McCauley <mikem [...] airspayce.com>

Thanks. Patched in SVN 459 Cheers. On Monday, December 21, 2015 06:28:22 PM you wrote: Show quoted text

> Queue: Net-SSLeay > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=110361 > > > On Tue Dec 15 16:24:43 2015, mikem@airspayce.com wrote:

> > Your patch and a test case are now in SVN 458 and will appear in the next > > release.

> Thanks for the prompt action! I also attached a patch to document the new > method.

-- Mike McCauley VK4AMM mikem@airspayce.com Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.airspayce.com Phone +61 7 5598-7474

Sun Jul 08 10:08:30 2018 chrisn [...] cpan.org - Status changed from 'open' to 'resolved'

Sun Jul 08 10:08:30 2018 chrisn [...] cpan.org - Given to MIKEM

Sun Jul 08 10:08:31 2018 chrisn [...] cpan.org - Fixed in 1.73 added

Bug #110361 for Net-SSLeay: Please export X509_get_X509_PUBKEY to return certificate SPKIs