View Ticket
2024-06-28
22:44 Closed ticket [c2f2f1be54]: Expose SHA-256 fingerprint of certificate plus 5 other changes artifact: 14aa05b28d user: bohagan
2020-02-12
13:30 New ticket [c2f2f1be54]. artifact: 0edacaae40 user: anonymous

Ticket Hash: c2f2f1be542937dcfe9ba89c7f12190e5fed9f70
Title: Expose SHA-256 fingerprint of certificate
Status: Closed Type: Feature Request
Severity: Important Priority: Immediate
Subsystem: Resolution: Fixed
Last Modified: 2024-06-28 22:44:54
Version Found In:
User Comments:
anonymous added on 2020-02-12 13:30:14:

TclTLS already provides a way to access a certificate's SHA-1 fingerprint. It would be helpful if the same could be done for SHA-256, for example like this:

Index: tlsX509.c
==================================================================
--- tlsX509.c
+++ tlsX509.c
@@ -103,14 +103,17 @@
     char certStr[CERT_STR_SIZE], *certStr_p;
     int certStr_len, toRead;
 #ifndef NO_SSL_SHA
     int shai;
     char sha_hash_ascii[SHA_DIGEST_LENGTH * 2 + 1];
+    char sha256_hash_ascii[SHA256_DIGEST_LENGTH * 2 + 1];
     unsigned char sha_hash_binary[SHA_DIGEST_LENGTH];
+    unsigned char sha256_hash_binary[SHA256_DIGEST_LENGTH];
     const char *shachars="0123456789ABCDEF";
 
     sha_hash_ascii[SHA_DIGEST_LENGTH * 2] = '\0';
+    sha256_hash_ascii[SHA256_DIGEST_LENGTH * 2] = '\0';
 #endif
 
     certStr[0] = 0;
     if ((bio = BIO_new(BIO_s_mem())) == NULL) {
        subject[0] = 0;
@@ -172,10 +175,18 @@
         sha_hash_ascii[shai * 2 + 1] = shachars[(sha_hash_binary[shai] & 0x0F)];
     }
     Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj("sha1_hash", -1) );
     Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj(sha_hash_ascii, SHA_DIGEST_LENGTH * 2) );
 
+    X509_digest(cert, EVP_sha256(), sha256_hash_binary, NULL);
+    for (shai = 0; shai < SHA256_DIGEST_LENGTH; shai++) {
+        sha256_hash_ascii[shai * 2]     = shachars[(sha256_hash_binary[shai] & 0xF0) >> 4];
+        sha256_hash_ascii[shai * 2 + 1] = shachars[(sha256_hash_binary[shai] & 0x0F)];
+    }
+    Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj("sha256_hash", -1) );
+    Tcl_ListObjAppendElement( interp, certPtr, Tcl_NewStringObj(sha256_hash_ascii, SHA256_DIGEST_LENGTH * 2) );
+
 #endif
     Tcl_ListObjAppendElement( interp, certPtr,
            Tcl_NewStringObj( "subject", -1) );
     Tcl_ListObjAppendElement( interp, certPtr,
            Tcl_NewStringObj( subject, -1) );


bohagan added on 2024-06-28 22:44:54:
This has been implemented in commit [3f9e284b4e924730].