authorhiro <hiro@ee746299-78ed-0310-b773-934348b2243d>2009-11-19 08:42:35 +0000
committerhiro <hiro@ee746299-78ed-0310-b773-934348b2243d>2009-11-19 08:42:35 +0000
commit86051e4d314d3aa4689feefd8314ced7aeea6444 (patch)
tree23b3f6c7146b143da874980a302be9721c4c1d42
parentd216d4d51ce9e34129d4c6fbf5c9ff91ea6cf75e (diff)
calculate and display SHA1/MD5 fingerprint if verification of SSL certificate failed.
git-svn-id: svn://sylpheed.sraoss.jp/sylpheed/trunk@2350 ee746299-78ed-0310-b773-934348b2243d
-rw-r--r--ChangeLog6
-rw-r--r--libsylph/ssl.c16
-rw-r--r--src/sslmanager.c26
3 files changed, 47 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 3acfb630..b63c29ad 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2009-11-19
+
+ * libsylph/ssl.c
+ src/sslmanager.c: calculate and display SHA1/MD5 fingerprint
+ if verification of SSL certificate failed.
+
2009-11-16
* version 3.0.0beta2
diff --git a/libsylph/ssl.c b/libsylph/ssl.c
index e9ac2f24..a22998ab 100644
--- a/libsylph/ssl.c
+++ b/libsylph/ssl.c
@@ -274,6 +274,10 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
if ((server_cert = SSL_get_peer_certificate(sockinfo->ssl)) != NULL) {
gchar *str;
glong verify_result;
+ guchar keyid[EVP_MAX_MD_SIZE];
+ gchar keyidstr[EVP_MAX_MD_SIZE * 3 + 1] = "";
+ guint keyidlen = 0;
+ gint i;
debug_print(_("Server certificate:\n"));
@@ -286,6 +290,18 @@ gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
debug_print(_(" Issuer: %s\n"), str);
OPENSSL_free(str);
}
+ if (X509_digest(server_cert, EVP_sha1(), keyid, &keyidlen)) {
+ for (i = 0; i < keyidlen; i++)
+ g_snprintf(keyidstr + i * 3, 4, "%02x:", keyid[i]);
+ keyidstr[keyidlen * 3 - 1] = '\0';
+ debug_print(" SHA1 fingerprint: %s\n", keyidstr);
+ }
+ if (X509_digest(server_cert, EVP_md5(), keyid, &keyidlen)) {
+ for (i = 0; i < keyidlen; i++)
+ g_snprintf(keyidstr + i * 3, 4, "%02x:", keyid[i]);
+ keyidstr[keyidlen * 3 - 1] = '\0';
+ debug_print(" MD5 fingerprint: %s\n", keyidstr);
+ }
verify_result = SSL_get_verify_result(sockinfo->ssl);
if (verify_result == X509_V_OK) {
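Review bot: `keyidstr[keyidlen * 3 - 1] = '\0';` after each X509_digest() call indexes the buffer at -1 (the subtraction is done in unsigned arithmetic and wraps) if the reported length is ever 0, so the trailing-colon trim should be guarded: `if (keyidlen > 0) keyidstr[keyidlen * 3 - 1] = '\0';`. The loop condition `i < keyidlen` also compares the signed `i` against the unsigned `keyidlen`, which -Wsign-compare flags; declaring `i` as `guint` in the first hunk avoids it. Both points apply equally to the two digest blocks in the src/sslmanager.c hunk. The two new debug_print() calls are the only ones in this block whose format string is not wrapped in `_()`, which is inconsistent with the surrounding lines. ssl_init_socket_with_method continues outside the hunk.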
diff --git a/src/sslmanager.c b/src/sslmanager.c
index eaed7786..8459cdf3 100644
--- a/src/sslmanager.c
+++ b/src/sslmanager.c
@@ -51,6 +51,11 @@ gint ssl_manager_verify_cert(SockInfo *sockinfo, const gchar *hostname,
const gchar *title;
gchar *message;
gchar *subject, *issuer;
+ guchar keyid[EVP_MAX_MD_SIZE];
+ gchar sha1_keyidstr[EVP_MAX_MD_SIZE * 3 + 1] = "";
+ gchar md5_keyidstr[EVP_MAX_MD_SIZE * 3 + 1] = "";
+ guint keyidlen = 0;
+ gint i;
gint result;
if (verify_result == X509_V_OK)
@@ -61,16 +66,35 @@ gint ssl_manager_verify_cert(SockInfo *sockinfo, const gchar *hostname,
subject = X509_NAME_oneline(X509_get_subject_name(server_cert),
NULL, 0);
issuer = X509_NAME_oneline(X509_get_issuer_name(server_cert), NULL, 0);
+ if (X509_digest(server_cert, EVP_sha1(), keyid, &keyidlen)) {
+ for (i = 0; i < keyidlen; i++)
+ g_snprintf(sha1_keyidstr + i * 3, 4, "%02x:", keyid[i]);
+ sha1_keyidstr[keyidlen * 3 - 1] = '\0';
+ } else {
+ g_snprintf(sha1_keyidstr, sizeof(sha1_keyidstr),
+ "(cannot calculate digest)");
+ }
+ if (X509_digest(server_cert, EVP_md5(), keyid, &keyidlen)) {
+ for (i = 0; i < keyidlen; i++)
+ g_snprintf(md5_keyidstr + i * 3, 4, "%02x:", keyid[i]);
+ md5_keyidstr[keyidlen * 3 - 1] = '\0';
+ } else {
+ g_snprintf(md5_keyidstr, sizeof(md5_keyidstr),
+ "(cannot calculate digest)");
+ }
message = g_strdup_printf
(_("The SSL certificate of %s cannot be verified by the following reason:\n"
" %s\n\n"
"Server certificate:\n"
" Subject: %s\n"
" Issuer: %s\n\n"
+ " SHA1 fingerprint: %s\n"
+ " MD5 fingerprint: %s\n\n"
"Do you accept this certificate?"),
hostname, X509_verify_cert_error_string(verify_result),
subject ? subject : "(unknown)",
- issuer ? issuer : "(unknown)");
+ issuer ? issuer : "(unknown)",
+ sha1_keyidstr, md5_keyidstr);
if (issuer)
OPENSSL_free(issuer);
if (subject)
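Review bot: The digest-to-hex block is written out twice here and twice more in libsylph/ssl.c, each copy carrying the same unguarded `keyidlen * 3 - 1` index, so a single static helper taking the EVP_MD and the output buffer would keep the copies in step and put the zero-length guard and the "(cannot calculate digest)" fallback in one place. Since this dialog asks the user to accept an unverifiable certificate, a comment on the message construction noting that the SHA1 line is the value to compare against an out-of-band reference would help, as MD5 is collision-prone and is presumably only shown for comparison with older tools. ssl_manager_verify_cert continues outside the hunk.
```c
/* Format cert's digest under md as "aa:bb:..." into buf; on any failure
 * buf holds a placeholder so the dialog never shows an empty line. */
static void format_cert_fingerprint(X509 *cert, const EVP_MD *md,
				    gchar *buf, gsize buflen)
{
	guchar keyid[EVP_MAX_MD_SIZE];
	guint keyidlen = 0;
	guint i;

	if (!X509_digest(cert, md, keyid, &keyidlen) || keyidlen == 0 ||
	    (gsize)keyidlen * 3 + 1 > buflen) {
		g_snprintf(buf, buflen, "(cannot calculate digest)");
		return;
	}
	for (i = 0; i < keyidlen; i++)
		g_snprintf(buf + i * 3, 4, "%02x:", keyid[i]);
	buf[keyidlen * 3 - 1] = '\0';	/* drop the trailing ':' */
}

/* … unchanged: subject/issuer extraction … */
	format_cert_fingerprint(server_cert, EVP_sha1(),
				sha1_keyidstr, sizeof(sha1_keyidstr));
	format_cert_fingerprint(server_cert, EVP_md5(),
				md5_keyidstr, sizeof(md5_keyidstr));
/* … unchanged: message construction and cleanup … */
```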