On Mon, Jul 8, 2019 at 8:43 PM Lars Ingebrigtsen <address@hidden> wrote:
> Julian Scheid <address@hidden> writes:
> > Currently, `gnutls-peer-status' only allows accessing high-level
> > information extracted from the certificate, such as the issuer, but not
> > the certificate data itself.
> Other details are returned in the process object, like
> gnutls_x509_crt_get_fingerprint of the certificate.
Thanks for pointing this out, but it appears to be hardwired to use
SHA-1 when RFC 5929 requires the hash to use signatureAlgorithm,
or SHA-256 when signatureAlgorithm is MD5 or SHA-1.
> Does this hash relate in any way to gnutls_x509_crt_get_fingerprint?
I _think_ gnutls_x509_crt_get_fingerprint could be used here, although
I haven't verified yet that it satisfies the following requirement
from RFC 5929:
> The hash of the TLS server's certificate [RFC5280] as it appears,
> octet for octet, in the server's Certificate message.
I would assume that it does, though.
So, to make this work it looks like I'd need either
1) the fingerprint, but using the hash function as required by the RFC, or
2) the certificate as a binary blob.
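
An added illustration of the RFC 5929 hash selection discussed above, not part of the original message and not Emacs or GnuTLS code: given the certificate as a binary blob, it reads signatureAlgorithm from the DER and hashes the blob octet for octet. The function names, the small OID table and the constructed stand-in certificates are assumptions made for this example.

```python
import hashlib

# Hash implied by each signatureAlgorithm OID (small subset chosen for this example).
SIG_HASH = {
    "1.2.840.113549.1.1.4": "md5",       # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",      # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",   # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",   # sha384WithRSAEncryption
}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signature_algorithm_oid(cert):  # dotted OID of Certificate.signatureAlgorithm
    _, start, _ = read_tlv(cert, 0)              # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)        # step over tbsCertificate
    _, alg_start, _ = read_tlv(cert, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, lo, hi = read_tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    arcs, val = [cert[lo] // 40, cert[lo] % 40], 0   # first byte packs two arcs
    for b in cert[lo + 1:hi]:
        val = (val << 7) | (b & 0x7F)            # base-128, high bit = "more follows"
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def tls_server_end_point(cert):  # hash the DER bytes exactly as received
    name = SIG_HASH.get(signature_algorithm_oid(cert))
    if name is None:
        raise ValueError("binding undefined for this signatureAlgorithm")
    if name in ("md5", "sha1"):                  # RFC 5929: use SHA-256 instead
        name = "sha256"
    return hashlib.new(name, cert).digest()

def fake_cert(alg_byte):  # constructed stand-in; OID 1.2.840.113549.1.1.<alg_byte>
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    oid = bytes.fromhex("2a864886f70d0101") + bytes([alg_byte])
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"constructed-tbs") + alg + tlv(0x03, b"\x00sig"))

SHA1_CERT, SHA384_CERT = fake_cert(5), fake_cert(12)
```

For the SHA-1-signed sample the result differs from a SHA-1 fingerprint of the same bytes, which is the mismatch with a hardwired SHA-1 fingerprint noted above.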