#3307: Poco::Crypto::X509Certificate: obtain certificate fingerprint

Crypto/include/Poco/Crypto/X509Certificate.h

@@ -20,6 +20,7 @@
 
 #include "Poco/Crypto/Crypto.h"
 #include "Poco/Crypto/OpenSSLInitializer.h"
+#include "Poco/DigestEngine.h"
 #include "Poco/DateTime.h"
 #include "Poco/SharedPtr.h"
 #include <vector>
@@ -126,6 +127,11 @@ public:
 	Poco::DateTime expiresOn() const;
 		/// Returns the date and time the certificate expires.
 
+	Poco::DigestEngine::Digest fingerprint(const std::string& algorithm = "SHA1") const;
+		/// Computes and returns the fingerprint of the certificate,
+		/// using the given algorithm. The algorithm must be supported
+		/// by OpenSSL, e.g., "SHA1" or "SHA256".
+
 	void save(std::ostream& stream) const;
 		/// Writes the certificate to the given stream.
 		/// The certificate is written in PEM format.

Crypto/src/X509Certificate.cpp

@@ -349,6 +349,24 @@ Poco::DateTime X509Certificate::expiresOn() const
 }
 
 
+Poco::DigestEngine::Digest X509Certificate::fingerprint(const std::string& algorithm) const
+{
+	unsigned char buffer[EVP_MAX_MD_SIZE];
+	unsigned int length;
+	const EVP_MD* md = EVP_get_digestbyname(algorithm.c_str());
+	if (!md) throw Poco::InvalidArgumentException(algorithm);
+
+	if (X509_digest(_pCert, md, buffer, &length))
+	{
+		return Poco::DigestEngine::Digest(buffer, buffer + length);
+	}
+	else
+	{
+		throw OpenSSLException("failed to compute fingerprint");
+	}
+}
+
+
 bool X509Certificate::issuedBy(const X509Certificate& issuerCertificate) const
 {
 	X509* pCert = const_cast<X509*>(_pCert);

Crypto/testsuite/src/CryptoTest.cpp

@@ -357,6 +357,9 @@ void CryptoTest::testCertificate()
 	assertTrue (organizationName == "Applied Informatics Software Engineering GmbH");
 	assertTrue (organizationUnitName == "Development");
 
+	const auto fingerprint = cert.fingerprint();
+	assertTrue (Poco::DigestEngine::digestToHex(fingerprint) == "ac84e4eb72c861ccb20f2900f3f17a9ac11f6579");
+
 	// fails with recent OpenSSL versions:
 	// assert (cert.issuedBy(cert));