On Thu, Feb 16, 2023 at 08:18:46PM -0800, Ian Zimmerman via Exim-users wrote:
> An excellent suggestion, thanks. I think I got stuck in this unproductive
> (it seems) rut of authentication by verification because of two things:
>
> - not immediately obvious how to *compute* the checksum to match in
> the first place. I don't expect it's just the checksum over the pem
> file, is it?
No, PEM is not suitably canonical, for that you'd want the ASN.1 DER
form of the public key (or full certificate, whichever you prefer).
> - the documentation for the md5 (and sha1) expansion operators is cryptic:
>
> If the string is a single variable of type certificate, returns the
> MD5 hash fingerprint of the certificate.
MD5 is deprecated; ideally Exim also supports sha256 in the same role.
The hash should be computed over the DER form.
> what is a "variable of type certificate" in exim's proudly unityped
> macro language?
I am a Postfix maintainer, mostly lurking on this list, except when it
comes to TLS-related or especially DANE-related issues. So I can't answer
anything about Exim variables. On the command-line, to extract the public
key and/or certificate digests:
# key digest
$ openssl x509 -in cert.pem -pubkey -noout |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary |
    xxd -p -c32
# cert digest
$ openssl x509 -in cert.pem -outform DER |
    openssl dgst -sha256 -binary |
    xxd -p -c32
--
Viktor.