From d172f15cebb7fad9d5f93305d16ca8dde2cb07b3 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Wed, 9 Oct 2024 13:40:43 +0200
Subject: [PATCH] System/Trust - minor compat fix in certctl.py
---
 src/opnsense/scripts/system/certctl.py | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/opnsense/scripts/system/certctl.py b/src/opnsense/scripts/system/certctl.py
index b326964b06e..bc7d00b843c 100755
--- a/src/opnsense/scripts/system/certctl.py
+++ b/src/opnsense/scripts/system/certctl.py
@@ -57,10 +57,18 @@ def certificate_iterator(filename):
 needs_copy = len(x509_items) > 1
 for x509_item in x509_items:
 data = x509_item.public_bytes(serialization.Encoding.PEM) if needs_copy else filename
- tmp = OpenSSL.crypto.X509().get_issuer()
- for item in x509_item.issuer:
- setattr(tmp, item.rfc4514_attribute_name, item.value)
- hashval = hex(tmp.hash()).lstrip('0x').zfill(8)
+ # XXX: need to check subject_name_hash as below for crl does not offer the same results in all cases
+ if fext == 'crl':
+ tmp = OpenSSL.crypto.X509().get_issuer()
+ for item in x509_item.issuer:
+ setattr(tmp, item.rfc4514_attribute_name, item.value)
+ hashval = hex(tmp.hash()).lstrip('0x').zfill(8)
+ else:
+ cert = OpenSSL.crypto.load_certificate(
+ OpenSSL.crypto.FILETYPE_PEM,
+ x509_item.public_bytes(serialization.Encoding.PEM)
+ )
+ hashval = hex(cert.subject_name_hash()).lstrip('0x').zfill(8)
 yield {
 'hash': hashval,
 'target_pattern': '%s.%s%%d' % (hashval, 'r' if fext == 'crl' else ''),
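Review bot: The `fext == 'crl'` branch still rebuilds the issuer name with `setattr(tmp, item.rfc4514_attribute_name, item.value)`, which is the path the new XXX comment itself says does not always match the hash OpenSSL computes. As far as I know pyOpenSSL's `X509Name.__setattr__` replaces an existing entry of the same attribute type and raises `AttributeError` for types it has no short name for, so an issuer with repeated `OU`/`DC` components or a custom OID would presumably be affected. A CRL stored under the wrong hash name is not found by a hashed-directory lookup, so revocation data for that issuer could go unused without any error being reported. Until the CRL path has a native issuer hash, I would make the comment name the failure condition, e.g. `# XXX: CRL issuer hash is rebuilt attribute by attribute; repeated or unknown attribute types can yield a hash OpenSSL will not look up`. The body of `certificate_iterator` starts above this hunk and the `yield` dict continues below it.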