[gnutls-devel] How to generate sums for Public-Key-Pins HTTP header ?

[gnutls-devel] How to generate sums for Public-Key-Pins HTTP header ?

Tim Ruehsen
Hi,

is there a tool (certtool?) or script to generate the base64-encoded SHA-256
sums of a cert's pubkey?

Primarily for usage in the Public-Key-Pins HTTP header.

Thanks, Tim

_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel

Re: [gnutls-devel] How to generate sums for Public-Key-Pins HTTP header ?

Nikos Mavrogiannopoulos
On Mon, Feb 20, 2017 at 11:05 AM, Tim Ruehsen <[hidden email]> wrote:
> Hi,
>
> is there a tool (certtool ?) or script to generate the base64 encoded sha256
> sums of a cert's pubkey?

I do not think there is a direct option to get it in base64, but you
can get it in hex as:
certtool --key-id --hash sha256 --infile cert.pem
or (for older releases which didn't have --key-id)
certtool --pubkey-info --outder --infile cert.pem|sha256sum|cut -d ' ' -f 1

Then you can go to base64 as:
certtool --pubkey-info --outder --infile cert.pem|sha256sum|cut -d ' ' -f 1|xxd -r -p|base64

regards,
Nikos

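The pipeline above does the whole job in the shell. As an added example (not code from this thread, from GnuTLS, or from any of the projects mentioned later in it), the Python below performs the same steps offline: decode the PEM certificate, walk the DER Certificate structure to the SubjectPublicKeyInfo (the bytes that `certtool --pubkey-info --outder` prints), hash it with SHA-256 and base64 the digest, as RFC 7469 specifies for `pin-sha256`. It also includes the hex-to-base64 conversion that `xxd -r -p | base64` performs on `--key-id` output, and a small renderer for the header value. The certificate it runs on by default is a constructed, minimal DER skeleton (empty names, dummy key bits, dummy signature), not a real certificate, and every function name is this example's own.

```python
import base64
import hashlib

SEQUENCE = 0x30
VERSION_TAG = 0xA0  # tbsCertificate.version is [0] EXPLICIT


def pin_from_spki(spki_der: bytes) -> str:
    """HPKP pin: base64(SHA-256(DER SubjectPublicKeyInfo)) per RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_from_hex_key_id(hex_digest: str) -> str:
    """Hex SHA-256 key id (as `certtool --key-id --hash sha256` prints it,
    with or without colons) -> base64 pin; the `xxd -r -p | base64` step."""
    raw = bytes.fromhex(hex_digest.strip().replace(":", ""))
    if len(raw) != 32:
        raise ValueError("a SHA-256 key id must be 32 bytes")
    return base64.b64encode(raw).decode("ascii")


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at buf[pos:] -> (tag, value_start, value_end).
    Only the single-byte-tag, definite-length forms X.509 uses are supported."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag number form is not used in X.509")
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, end


def _children(buf: bytes, start: int, end: int):
    """(tag, element_start, value_start, value_end) for each element in buf[start:end]."""
    out, pos = [], start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        out.append((tag, pos, vstart, vend))
        pos = vend
    return out


def spki_from_cert_der(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of a DER X.509 Certificate."""
    tag, vstart, vend = _read_tlv(cert_der, 0)
    if tag != SEQUENCE or vend != len(cert_der):
        raise ValueError("not a single DER SEQUENCE")
    top = _children(cert_der, vstart, vend)
    if len(top) != 3 or top[0][0] != SEQUENCE:
        raise ValueError("expected tbsCertificate, signatureAlgorithm, signatureValue")
    fields = _children(cert_der, top[0][2], top[0][3])
    if fields and fields[0][0] == VERSION_TAG:
        fields = fields[1:]  # optional explicit version
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != SEQUENCE:
        raise ValueError("tbsCertificate is missing subjectPublicKeyInfo")
    _, start, _, end = fields[5]
    return cert_der[start:end]


def der_from_pem(pem_text: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file."""
    body, inside = [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
        elif line == "-----END CERTIFICATE-----":
            break
        elif inside and line:
            body.append(line)
    if not inside:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body), validate=True)


def pin_from_cert_pem(pem_text: str) -> str:
    return pin_from_spki(spki_from_cert_der(der_from_pem(pem_text)))


def hpkp_header(pins, max_age=5184000, include_subdomains=False) -> str:
    """Public-Key-Pins header value (RFC 7469 expects at least two pins, one a backup)."""
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


# Constructed sample certificate: a DER skeleton with empty names, a dummy
# P-256 point and a dummy signature, NOT a real certificate (assumption of this example).
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

_OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
_OID_EC_PUBKEY = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1
_OID_P256 = bytes.fromhex("2a8648ce3d030107")          # 1.2.840.10045.3.1.7
_sig_alg = _der(SEQUENCE, _der(0x06, _OID_SHA256_RSA) + _der(0x05, b""))
SAMPLE_SPKI_DER = _der(SEQUENCE,
    _der(SEQUENCE, _der(0x06, _OID_EC_PUBKEY) + _der(0x06, _OID_P256))
    + _der(0x03, b"\x00\x04" + b"\x11" * 64))  # BIT STRING, dummy uncompressed point
_tbs = _der(SEQUENCE,
    _der(VERSION_TAG, _der(0x02, b"\x02"))     # version v3
    + _der(0x02, b"\x01")                      # serialNumber 1
    + _sig_alg
    + _der(SEQUENCE, b"")                      # issuer: empty Name
    + _der(SEQUENCE, _der(0x17, b"170220000000Z") + _der(0x17, b"180220000000Z"))
    + _der(SEQUENCE, b"")                      # subject: empty Name
    + SAMPLE_SPKI_DER)
SAMPLE_CERT_DER = _der(SEQUENCE, _tbs + _sig_alg + _der(0x03, b"\x00" * 5))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_CERT_DER).decode("ascii")
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERT_PEM
    pin = pin_from_cert_pem(pem)
    print(pin)
    print("Public-Key-Pins: " + hpkp_header([pin]))
```

Run it with a real PEM certificate as the first argument to get the same value the `certtool ... | xxd -r -p | base64` pipeline produces; without arguments it pins the constructed skeleton. The DER walker deliberately rejects anything that is not a plain three-element Certificate SEQUENCE rather than guessing, since pinning the wrong blob silently would be worse than an error.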
Re: [gnutls-devel] How to generate sums for Public-Key-Pins HTTP header ?

Tim Ruehsen
On Monday, February 20, 2017 12:47:05 PM CET Nikos Mavrogiannopoulos wrote:

> On Mon, Feb 20, 2017 at 11:05 AM, Tim Ruehsen <[hidden email]> wrote:
> > Hi,
> >
> > is there a tool (certtool ?) or script to generate the base64 encoded
> > sha256 sums of a cert's pubkey?
>
> I do not think there is a direct option to get it in base64, but you
> can get it in hex as:
> certtool --key-id --hash sha256 --infile cert.pem
> or (for older releases which didn't have --key-id)
> certtool --pubkey-info --outder --infile cert.pem|sha256sum|cut -d ' ' -f 1
>
> Then you can go to base64 as:
> certtool --pubkey-info --outder --infile cert.pem|sha256sum|cut -d ' '
> -f 1|xxd -r -p|base64
Great!
This last one is what I was looking for :-)

Many Thanks, Tim

Re: [gnutls-devel] How to generate sums for Public-Key-Pins HTTP header ?

Daniel Kahn Gillmor-7
On Mon 2017-02-20 06:47:05 -0500, Nikos Mavrogiannopoulos wrote:

> On Mon, Feb 20, 2017 at 11:05 AM, Tim Ruehsen <[hidden email]> wrote:
>> Hi,
>>
>> is there a tool (certtool ?) or script to generate the base64 encoded sha256
>> sums of a cert's pubkey?
>
> I do not think there is a direct option to get it in base64, but you
> can get it in hex as:
> certtool --key-id --hash sha256 --infile cert.pem
> or (for older releases which didn't have --key-id)
> certtool --pubkey-info --outder --infile cert.pem|sha256sum|cut -d ' ' -f 1
>
> Then you can go to base64 as:
> certtool --pubkey-info --outder --infile cert.pem|sha256sum|cut -d ' '
> -f 1|xxd -r -p|base64
If you want it in C, please take a look at daemon/tls.c from
https://gitlab.labs.nic.cz/knot/resolver.git, which has a
get_oob_key_pin() function that uses gnutls primitives (except for the
b64 encoding).

It would be nice to see that particular digest calculation included in
the output of certtool -i, fwiw.

    --dkg

Re: [gnutls-devel] How to generate sums for Public-Key-Pins HTTP header ?

Tim Ruehsen
On Monday, February 20, 2017 2:43:01 PM CET Daniel Kahn Gillmor wrote:

> On Mon 2017-02-20 06:47:05 -0500, Nikos Mavrogiannopoulos wrote:
> > On Mon, Feb 20, 2017 at 11:05 AM, Tim Ruehsen <[hidden email]> wrote:
> >> Hi,
> >>
> >> is there a tool (certtool ?) or script to generate the base64 encoded
> >> sha256 sums of a cert's pubkey?
> >
> > I do not think there is a direct option to get it in base64, but you
> > can get it in hex as:
> > certtool --key-id --hash sha256 --infile cert.pem
> > or (for older releases which didn't have --key-id)
> > certtool --pubkey-info --outder --infile cert.pem|sha256sum|cut -d ' ' -f
> > 1
> >
> > Then you can go to base64 as:
> > certtool --pubkey-info --outder --infile cert.pem|sha256sum|cut -d ' '
> > -f 1|xxd -r -p|base64
>
> If you want it in C, please take a look at daemon/tls.c from
> https://gitlab.labs.nic.cz/knot/resolver.git, which has a
> get_oob_key_pin() function that uses gnutls primitives (except for the
> b64 encoding).
>
> It would be nice to see that particular digest calculation included in
> the output of certtool -i, fwiw.
FYI, the C code is also in wget and now in wget2 (for HPKP).

And I agree with Daniel, having that in certtool makes it available to the
public quicker, since xxd, cut, base64 and sha256sum are not easily available
on any platform.

Regards, Tim

Re: [gnutls-devel] How to generate sums for Public-Key-Pins HTTP header ?

Nikos Mavrogiannopoulos
On Tue, Feb 21, 2017 at 9:18 AM, Tim Ruehsen <[hidden email]> wrote:

>> If you want it in C, please take a look at daemon/tls.c from
>> https://gitlab.labs.nic.cz/knot/resolver.git, which has a
>> get_oob_key_pin() function that uses gnutls primitives (except for the
>> b64 encoding).
>>
>> It would be nice to see that particular digest calculation included in
>> the output of certtool -i, fwiw.
>
> FYI, the C code is also in wget and now in wget2 (for HPKP).
>
> And I agree with Daniel, having that in certtool makes it available to the
> public quicker, since xxd, cut, base64 and sha256sum are not easily available
> on any platform.

Well, adding something is easy, but the output of certificate
information seems already quite bloated with Fingerprint
(sha1/sha256), Public Key ID (sha1/sha256) and random art. Any ideas
on what we could remove?

regards,
Nikos

Re: [gnutls-devel] How to generate sums for Public-Key-Pins HTTP header ?

Daniel Kahn Gillmor-7
On Wed 2017-02-22 04:54:14 -0500, Nikos Mavrogiannopoulos wrote:
> Well, adding something is easy, but the output of certificate
> information seems already quite bloated with Fingerprint
> (sha1/sha256), Public Key ID (sha1/sha256) and random art. Any ideas
> on what we could remove?

I've always been dubious about the utility of random art.  It seems
*more* difficult for humans to do an exact match on than fingerprints,
and it takes up a lot of space.  I'm not sure what its advantages are,
but if space is at a premium, it looks like the obvious choice to cut
to me.

    --dkg

Re: [gnutls-devel] How to generate sums for Public-Key-Pins HTTP header ?

Nikos Mavrogiannopoulos
On Wed, Feb 22, 2017 at 11:51 PM, Daniel Kahn Gillmor
<[hidden email]> wrote:

> On Wed 2017-02-22 04:54:14 -0500, Nikos Mavrogiannopoulos wrote:
>> Well, adding something is easy, but the output of certificate
>> information seems already quite bloated with Fingerprint
>> (sha1/sha256), Public Key ID (sha1/sha256) and random art. Any ideas
>> on what we could remove?
>
> I've always been dubious about the utility of random art.  It seems
> *more* difficult for humans to do an exact match on than fingerprints,
> and it takes up a lot of space.  I'm not sure what its advantages are,
> but if space is at a premium, it looks like the obvious choice to cut
> to me.

I kind of agree. Space is not really at a premium but I'm of the opinion
that very long output qualifies more as noise rather than something
useful. I've added the ability for certtool to print the key pins in
both 3.5.x and master, and I have removed the random art printing in
master only.

regards,
Nikos

Re: [gnutls-devel] How to generate sums for Public-Key-Pins HTTP header ?

Daniel Kahn Gillmor-7
On Thu 2017-02-23 07:21:06 -0500, Nikos Mavrogiannopoulos wrote:
> I kind of agree. Space is not really at a premium but I'm of the opinion
> that very long output qualifies more as noise rather than something
> useful. I've added the ability for certtool to print the key pins in
> both 3.5.x and master, and I have removed the random art printing in
> master only.

Thanks, Nikos!

        --dkg
