On Thu, Feb 16, 2023 at 08:18:46PM -0800, Ian Zimmerman via Exim-users wrote:
> An excellent suggestion, thanks. I think I got stuck in this unproductive
> (it seems) rut of authentication by verification because of two things:
>
> - not immediately obvious how to *compute* the checksum to match in
>   the first place. I don't expect it's just the checksum over the pem
>   file, is it?

No, PEM is not suitably canonical, for that you'd want the ASN.1 DER form
of the public key (or full certificate, whichever you prefer).

> - the documentation for the md5 (and sha1) expansion operators is cryptic:
>
>   If the string is a single variable of type certificate, returns the
>   MD5 hash fingerprint of the certificate.

MD5 is deprecated; ideally Exim also supports sha256 in the same role.
The hash should be computed over the DER form.

> what is a "variable of type certificate" in exim's proudly unityped
> macro language?

I am a Postfix maintainer, mostly lurking on this list, except when it
comes to TLS-related or especially DANE-related issues. So I can't answer
anything about Exim variables.

On the command-line, to extract the public key and/or certificate digests:

    # key digest
    $ openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | xxd -p -c32

    # cert digest
    $ openssl x509 -in cert.pem -outform DER | openssl dgst -sha256 -binary | xxd -p -c32

-- 
    Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
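As an added illustration of the point made in the reply above (not code from the thread, nor from Exim or Postfix), the Python below does in pure standard library what the two openssl pipelines do: it strips the PEM armour, walks the DER just far enough to pull out the SubjectPublicKeyInfo, and hashes the DER bytes, so that two differently wrapped PEM files of the same certificate give the same key and certificate digests. All function names are my own, and the certificate it hashes is a constructed, unsigned stand-in rather than a real one.

```python
import base64
import hashlib

def der_len(n):  # DER length octets: short form below 128, long form (0x8N + N bytes) above
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body):  # encode one DER tag-length-value
    return bytes([tag]) + der_len(len(body)) + body
def der_children(value):  # yield (tag, raw_tlv, inner_value) per element of a constructed value
    pos = 0
    while pos < len(value):
        tag, ln, start = value[pos], value[pos + 1], pos + 2
        if ln & 0x80:  # long-form length
            n = ln & 0x7F
            ln, start = int.from_bytes(value[start:start + n], "big"), start + n
        end = start + ln
        yield tag, value[pos:end], value[start:end]
        pos = end
def pem_to_der(pem):  # drop armour lines and whitespace, then base64-decode
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)
def pem_encode(der, width=64, eol="\n"):  # wrap width and EOL vary by tool: PEM is not canonical
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + eol
def spki_der(cert_der):  # DER SubjectPublicKeyInfo, i.e. what `openssl x509 -pubkey` emits
    _, _, cert = next(der_children(cert_der))  # Certificate SEQUENCE
    _, _, tbs = next(der_children(cert))       # tbsCertificate SEQUENCE
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]
sha256_hex = lambda data: hashlib.sha256(data).hexdigest()  # hex digest, as `xxd -p` prints it
def cert_sha256(pem):  # = openssl x509 -outform DER | openssl dgst -sha256
    return sha256_hex(pem_to_der(pem))
def key_sha256(pem):   # = openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256
    return sha256_hex(spki_der(pem_to_der(pem)))

# Constructed sample shaped like a minimal X.509 v3 certificate (P-256 SPKI, empty
# names/validity, dummy signature); it is not a real or signed certificate.
SPKI = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2A8648CE3D0201"))    # id-ecPublicKey
                     + tlv(0x06, bytes.fromhex("2A8648CE3D030107")))     # prime256v1
              + tlv(0x03, b"\x00\x04" + bytes(range(64))))              # uncompressed point
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")        # v3, serial 1
              + tlv(0x30, b"") * 4 + SPKI)                               # sigalg/issuer/validity/subject
CERT_DER = tlv(0x30, TBS + tlv(0x30, b"") + tlv(0x03, b"\x00" + b"\x55" * 8))
```

With a real certificate, `key_sha256(open("cert.pem").read())` matches the first openssl pipeline and `cert_sha256(...)` the second; hashing the PEM text itself would change with every re-wrap.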