[!!IMPORTANT!!] Change calculation of SPKI hash value, so not compati…

…bility before.
nanorkyo · Nov 13, 2017 · 1c52e4a · 1c52e4a
1 parent 934dc55
commit 1c52e4a
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -140,6 +140,11 @@ certmgr は設定ファイルを必要とします。
 ## バージョン番号
 「0.YYYYMMDD」。将来内部フォーマットの仕様および更新ルールが確定したら、バージョン１に格上げする予定（いわゆる x.y フォーマット）。
 
+### 0.20171113
+証明書のユニーク性を確認するためのＳＰＫＩ（Subject Public Key Info）ハッシュ値取得方法をＨＰＫＰ仕様に改めました。
+この結果、既存の証明書情報の照合ができなくなっています。
+一旦すべての証明書を export して、新しい証明書リポジトリに import してください。
+
 ## 著者
 重村法克
 

diff --git a/certmgr.pl b/certmgr.pl
@@ -138,19 +138,21 @@ ($)
 sub openssl_req_pubkey($) {
  my $pem = shift;
  my $pubkey = filtcmd($pem, qw{openssl req -noout -pubkey});
- return sha256_base64($pubkey);
+ my $pubder = filtcmd($pubkey, qw{openssl pkey -pubin -outform der});
+ return sha256_base64($pubder);
 } # openssl_req_pubkey
 
 sub openssl_x509_pubkey($) {
  my $pem = shift;
  my $pubkey = filtcmd($pem, qw{openssl x509 -noout -pubkey});
- return sha256_base64($pubkey);
+ my $pubder = filtcmd($pubkey, qw{openssl pkey -pubin -outform der});
+ return sha256_base64($pubder);
 } # openssl_x509_pubkey
 
 sub openssl_pkey_pubkey($) {
  my $pem = shift;
- my $pubkey = filtcmd($pem, qw{openssl pkey -pubout});
- return sha256_base64($pubkey);
+ my $pubder = filtcmd($pem, qw{openssl pkey -pubout -outform der});
+ return sha256_base64($pubder);
 } # openssl_pkey_pubkey
 
 sub openssl_x509_date($) {
@@ -794,6 +796,7 @@ ($$$)
  printf "Subject: %s\n", ($subject ne "" ? $subject : "N/A");
  printf "Issuer: %s\n", ($issuer ne "" ? $issuer : "N/A");
  printf "Expiration Date: %s\n", (defined $startdate && defined $enddate ? "${startdate}Z - ${enddate}Z" : "N/A");
+ printf "HPKP type Hash Value: %s\n", $hash;
  printf "\n";
 } # info_file
 
@@ -802,8 +805,8 @@ ($$$)
 
  my $where = ($argv =~ /^\d+$/) ? "certid" : "commonname";
 
- my($certid, $cn, $active, $marked, $subject, $issuer, $startdate, $enddate, $incrt , $incsr, $inkey) = $dbh->selectrow_array(sprintf(q{
- SELECT certid, commonname, is_active, is_marked, sslcrt.subject, issuer, startdate, enddate, crttext IS NOT NULL, csrtext IS NOT NULL, keytext IS NOT NULL
+ my($certid, $cn, $active, $marked, $subject, $issuer, $startdate, $enddate, $incrt , $incsr, $inkey, $hash) = $dbh->selectrow_array(sprintf(q{
+ SELECT certid, commonname, is_active, is_marked, sslcrt.subject, issuer, startdate, enddate, crttext IS NOT NULL, csrtext IS NOT NULL, keytext IS NOT NULL, COALESCE(sslcrt.hashkey, sslcsr.hashkey, sslkey.hashkey)
  FROM certificate
  LEFT JOIN sslcrt USING(certid)
  LEFT JOIN sslcsr USING(certid)
@@ -828,6 +831,7 @@ ($$$)
  printf "Subject: %s\n", ($subject ne "" ? $subject : "N/A");
  printf "Issuer: %s\n", ($issuer ne "" ? $issuer : "N/A");
  printf "Expiration Date: %s\n", (defined $startdate && defined $enddate ? "$startdate - $enddate" : "N/A");
+ printf "HPKP type Hash Value: %s\n", $hash;
  printf "\n";
 } # info_repo