libsec: implement SPKI fingerprinting for okCertificate()
Instead of only using a hash over the whole certificate for white/black-listing, now we can also use a hash over the Subject Public Key Info (SPKI) field of the certificate which contians the public key algorithm and the public key itself. This allows certificates to be renewed independendtly of the public key. X509dump() now prints the public key thumbprint in addition to the certificate thumbprint. tlsclient will print the certificate when run with -D flag. okCertificate() will print the public key thumbprint in its error string when no match has been found.
This commit is contained in:
cinap_lenrek
parent
b42d441a23
commit
57f8b6ec75
6 changed files with 52 additions and 4 deletions
|
|
@ -134,9 +134,8 @@ flag
|
|||
(and, optionally, the
|
||||
.B -x
|
||||
flag)
|
||||
is given, the remote server must present a key
|
||||
whose SHA1 hash is listed in
|
||||
the file
|
||||
is given, the remote server must present a public key
|
||||
whose SHA1 or SHA256 hash is listed in the file
|
||||
.I trustedkeys
|
||||
but not in the file
|
||||
.IR excludedkeys .
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue