authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-11-22 16:35:58 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-11-22 16:46:56 +0100
commit482545959002b56eb4f4d9915b58bd2e00e96dd0 (patch)
tree71799a255be66c19bade5bc090fa1d68862bb98a
parent8c4a4a74c84f937c6eaf0a8aab27f7417487a6f0 (diff)
Print a key's or certificate's key ID with SHA256 in addition to SHA1
-rw-r--r--lib/x509/output.c99
-rw-r--r--src/certtool-common.c18
2 files changed, 60 insertions, 57 deletions
diff --git a/lib/x509/output.c b/lib/x509/output.c
index 36b1f36a00..6a43a5b387 100644
--- a/lib/x509/output.c
+++ b/lib/x509/output.c
@@ -1576,28 +1576,55 @@ print_fingerprint(gnutls_buffer_st * str, gnutls_x509_crt_t cert,
adds(str, "\n");
}
-static void print_keyid(gnutls_buffer_st * str, gnutls_x509_crt_t cert)
+typedef int get_id_func(void *obj, unsigned, unsigned char*, size_t*);
+
+static void print_obj_id(gnutls_buffer_st *str, const char *prefix, void *obj, get_id_func *get_id)
{
+ unsigned char sha1_buffer[MAX_HASH_SIZE];
+ unsigned char sha2_buffer[MAX_HASH_SIZE];
int err;
- unsigned char buffer[32];
- size_t size = sizeof(buffer);
- const char *name;
- char *p;
- unsigned int bits;
+ size_t sha1_size, sha2_size;
- err = gnutls_x509_crt_get_key_id(cert, 0, buffer, &size);
+ sha1_size = sizeof(sha1_buffer);
+ err = get_id(obj, GNUTLS_KEYID_USE_SHA1, sha1_buffer, &sha1_size);
if (err == GNUTLS_E_UNIMPLEMENTED_FEATURE) /* unsupported algo */
return;
if (err < 0) {
- addf(str, "error: get_key_id: %s\n", gnutls_strerror(err));
+ addf(str, "error: get_key_id(sha1): %s\n", gnutls_strerror(err));
return;
}
- adds(str, _("\tPublic Key ID:\n\t\t"));
- _gnutls_buffer_hexprint(str, buffer, size);
+ sha2_size = sizeof(sha2_buffer);
+ err = get_id(obj, GNUTLS_KEYID_USE_SHA256, sha2_buffer, &sha2_size);
+ if (err == GNUTLS_E_UNIMPLEMENTED_FEATURE) /* unsupported algo */
+ return;
+
+ if (err < 0) {
+ addf(str, "error: get_key_id(sha256): %s\n", gnutls_strerror(err));
+ return;
+ }
+
+ addf(str, _("%sPublic Key ID:\n\t\tsha1:"), prefix);
+ _gnutls_buffer_hexprint(str, sha1_buffer, sha1_size);
+ addf(str, "\n%s\tsha256:", prefix);
+ _gnutls_buffer_hexprint(str, sha2_buffer, sha2_size);
adds(str, "\n");
+ return;
+}
+
+static void print_keyid(gnutls_buffer_st * str, gnutls_x509_crt_t cert)
+{
+ int err;
+ const char *name;
+ char *p;
+ unsigned int bits;
+ unsigned char sha1_buffer[MAX_HASH_SIZE];
+ size_t sha1_size;
+
+ print_obj_id(str, "\t", cert, (get_id_func*)gnutls_x509_crt_get_key_id);
+
err = gnutls_x509_crt_get_pk_algorithm(cert, &bits);
if (err < 0)
return;
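Review bot: The two id lines print_obj_id emits are indented inconsistently when prefix is empty: the sha1 line hard-codes `\t\t` while the sha256 line uses `%s\t`, so the pubkey caller (prefix "") prints sha1 under two tabs and sha256 under one; making the first line `addf(str, _("%sPublic Key ID:\n%s\tsha1:"), prefix, prefix);` keeps both lines aligned for every prefix. The `return;` directly before the closing brace is redundant. Separately, calling gnutls_x509_crt_get_key_id (and the crq/pubkey variants in the later hunks) through the `(get_id_func*)` cast invokes a function through an incompatible function-pointer type, which is undefined behaviour in C even though the handle types happen to be pointers. A one-line static adapter per handle type, as sketched below, keeps each call well-defined and drops the casts at all three call sites. print_keyid's body continues in the next hunk.
```c
	/* … unchanged: sha1/sha256 retrieval and error handling … */
	addf(str, _("%sPublic Key ID:\n%s\tsha1:"), prefix, prefix);
	_gnutls_buffer_hexprint(str, sha1_buffer, sha1_size);
	addf(str, "\n%s\tsha256:", prefix);
	_gnutls_buffer_hexprint(str, sha2_buffer, sha2_size);
	adds(str, "\n");
}

/* Adapter so print_obj_id calls the getter through a matching function type
 * (the crq and pubkey getters get the same one-line wrapper). */
static int crt_get_key_id(void *obj, unsigned flags, unsigned char *out, size_t *size)
{
	return gnutls_x509_crt_get_key_id(obj, flags, out, size);
}

static void print_keyid(gnutls_buffer_st * str, gnutls_x509_crt_t cert)
{
	/* … unchanged: declarations … */
	print_obj_id(str, "\t", cert, crt_get_key_id);
	/* … unchanged: pk algorithm lookup … */
```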
@@ -1614,10 +1641,16 @@ static void print_keyid(gnutls_buffer_st * str, gnutls_x509_crt_t cert)
} else {
name = gnutls_pk_get_name(err);
}
+
if (name == NULL)
return;
- p = _gnutls_key_fingerprint_randomart(buffer, size, name, bits,
+ sha1_size = sizeof(sha1_buffer);
+ err = gnutls_x509_crt_get_key_id(cert, GNUTLS_KEYID_USE_SHA1, sha1_buffer, &sha1_size);
+ if (err == GNUTLS_E_UNIMPLEMENTED_FEATURE) /* unsupported algo */
+ return;
+
+ p = _gnutls_key_fingerprint_randomart(sha1_buffer, sha1_size, name, bits,
"\t\t");
if (p == NULL)
return;
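Review bot: The second gnutls_x509_crt_get_key_id call only bails out on GNUTLS_E_UNIMPLEMENTED_FEATURE; any other negative return falls through to `_gnutls_key_fingerprint_randomart(sha1_buffer, sha1_size, ...)` with sha1_buffer never written and sha1_size holding whatever the failed call left in it. Since GnuTLS error codes are negative, the guard `if (err < 0) return;` covers the unimplemented case as well and closes that path. This call also recomputes the SHA-1 id that print_obj_id already obtained a few lines earlier; letting print_obj_id hand the SHA-1 digest back through an optional output buffer would avoid the duplicate work, though that is a nicety rather than a defect. print_keyid's body ends outside the hunk.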
@@ -2427,36 +2460,7 @@ print_crq(gnutls_buffer_st * str, gnutls_x509_crq_t cert,
static void print_crq_other(gnutls_buffer_st * str, gnutls_x509_crq_t crq)
{
- int err;
- size_t size = 0;
- unsigned char *buffer = NULL;
-
- err = gnutls_x509_crq_get_key_id(crq, 0, buffer, &size);
- if (err != GNUTLS_E_SHORT_MEMORY_BUFFER) {
- addf(str, "error: get_key_id: %s\n", gnutls_strerror(err));
- return;
- }
-
- buffer = gnutls_malloc(size);
- if (!buffer) {
- addf(str, "error: malloc: %s\n",
- gnutls_strerror(GNUTLS_E_MEMORY_ERROR));
- return;
- }
-
- err = gnutls_x509_crq_get_key_id(crq, 0, buffer, &size);
- if (err < 0) {
- gnutls_free(buffer);
- addf(str, "error: get_key_id2: %s\n",
- gnutls_strerror(err));
- return;
- }
-
- adds(str, _("\tPublic Key ID:\n\t\t"));
- _gnutls_buffer_hexprint(str, buffer, size);
- adds(str, "\n");
-
- gnutls_free(buffer);
+ print_obj_id(str, "\t", crq, (get_id_func*)gnutls_x509_crq_get_key_id);
}
/**
@@ -2500,8 +2504,6 @@ static void
print_pubkey_other(gnutls_buffer_st * str, gnutls_pubkey_t pubkey,
gnutls_certificate_print_formats_t format)
{
- uint8_t buffer[MAX_HASH_SIZE];
- size_t size = sizeof(buffer);
int ret;
unsigned int usage;
@@ -2516,16 +2518,7 @@ print_pubkey_other(gnutls_buffer_st * str, gnutls_pubkey_t pubkey,
adds(str, _("Public Key Usage:\n"));
print_key_usage2(str, "\t", pubkey->key_usage);
- ret = gnutls_pubkey_get_key_id(pubkey, 0, buffer, &size);
- if (ret < 0) {
- addf(str, "error: get_key_id: %s\n", gnutls_strerror(ret));
- return;
- }
-
- adds(str, "\n");
- adds(str, _("Public Key ID: "));
- _gnutls_buffer_hexprint(str, buffer, size);
- adds(str, "\n");
+ print_obj_id(str, "", pubkey, (get_id_func*)gnutls_pubkey_get_key_id);
}
/**
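Review bot: The `adds(str, "\n");` that the removed code emitted before the key id is gone, so in the pubkey output the "Public Key ID:" block now follows the key-usage lines directly; if that blank separator line was intended, keep `adds(str, "\n");` before the print_obj_id call. The indentation of the two id lines under an empty prefix is a print_obj_id matter and is raised on the first hunk. print_pubkey_other's body starts outside the hunk.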
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 3c02c05a0e..04af0e9429 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -1,5 +1,6 @@
/*
- * Copyright (C) 2003-2012 Free Software Foundation, Inc.
+ * Copyright (C) 2003-2016 Free Software Foundation, Inc.
+ * Copyright (C) 2015-2016 Red Hat, Inc.
*
* This file is part of GnuTLS.
*
@@ -1183,16 +1184,25 @@ static void privkey_info_int(FILE *outfile, common_info_st * cinfo,
}
size = lbuffer_size;
- if ((ret =
- gnutls_x509_privkey_get_key_id(key, GNUTLS_KEYID_USE_SHA1, lbuffer, &size)) < 0) {
+ ret =
+ gnutls_x509_privkey_get_key_id(key, GNUTLS_KEYID_USE_SHA256, lbuffer, &size);
+ if (ret < 0) {
fprintf(stderr, "Error in key id calculation: %s\n",
gnutls_strerror(ret));
} else {
gnutls_datum_t art;
- fprintf(outfile, "Public Key ID: %s\n",
+ fprintf(outfile, "Public Key ID:\n\tsha256:%s\n",
raw_to_string(lbuffer, size));
+ size = lbuffer_size;
+ ret =
+ gnutls_x509_privkey_get_key_id(key, GNUTLS_KEYID_USE_SHA1, lbuffer, &size);
+ if (ret >= 0) {
+ fprintf(outfile, "\tsha1:%s\n",
+ raw_to_string(lbuffer, size));
+ }
+
ret =
gnutls_random_art(GNUTLS_RANDOM_ART_OPENSSH, cprint,
bits, lbuffer, size, &art);