[gnutls-devel] How to generate sums for Public-Key-Pins HTTP header ?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Feb 20 20:43:01 CET 2017


On Mon 2017-02-20 06:47:05 -0500, Nikos Mavrogiannopoulos wrote:
> On Mon, Feb 20, 2017 at 11:05 AM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
>> Hi,
>>
>> is there a tool (certtool ?) or script to generate the base64 encoded sha256
>> sums of a cert's pubkey?
>
> I do not think there is a direct option to get it in base64, but you
> can get it in hex as:
> certtool --key-id --hash sha256 --infile cert.pem
> or (for older releases which didn't have --key-id)
> certtool --pubkey-info --outder --infile cert.pem|sha256sum|cut -d ' ' -f 1
>
> Then you can go to base64 as:
> certtool --pubkey-info --outder --infile cert.pem|sha256sum|cut -d ' '
> -f 1|xxd -r -p|base64

If you want it in C, please take a look at daemon/tls.c from
https://gitlab.labs.nic.cz/knot/resolver.git, which has a
get_oob_key_pin() function that uses gnutls primitives (except for the
b64 encoding).

It would be nice to see that particular digest calculation be included in
the output of certtool -i, fwiw.

    --dkg
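The pipeline Nikos describes above (SHA-256 over the DER SubjectPublicKeyInfo, then base64, which is what an HPKP pin is) carried out without an X.509 library, as an added example that is not code from the thread, from GnuTLS or from Knot Resolver; the certificate and key bytes it builds are constructed toy values, not a real key, and the DER walker only handles what a certificate needs to locate the SPKI.

```python
import base64
import hashlib

def _der_tlv(data, pos=0):
    """Return (tag, value, end_offset) of the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Split a constructed element's contents into its child TLVs (whole encodings)."""
    out, pos = [], 0
    while pos < len(value):
        _, _, end = _der_tlv(value, pos)
        out.append(value[pos:end])
        pos = end
    return out

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo of Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }.
    TBSCertificate: version [0] OPTIONAL, serial, signature, issuer, validity, subject, spki, ..."""
    _, cert, _ = _der_tlv(cert_der)
    _, tbs, _ = _der_tlv(_children(cert)[0])
    fields = _children(tbs)
    return fields[6] if fields[0][0] == 0xA0 else fields[5]  # v1 certs omit version
def pin_from_spki(spki_der):
    """HPKP pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo (RFC 7469)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()
def hpkp_pin(cert_der):
    return pin_from_spki(extract_spki(cert_der))
def hex_to_pin(hex_digest):
    """Same step as the mail's `xxd -r -p | base64` on certtool's hex key-id."""
    return base64.b64encode(bytes.fromhex(hex_digest)).decode()

# Constructed toy certificate (not a real key): short-form lengths only.
def _tlv(tag, value):
    assert len(value) < 128, "toy encoder: short-form lengths only"
    return bytes([tag, len(value)]) + value
SEQ, RSA_OID = 0x30, bytes.fromhex("2A864886F70D010101")  # rsaEncryption
_ALG = _tlv(SEQ, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
_KEY = _tlv(SEQ, _tlv(0x02, b"\x00\xc3") + _tlv(0x02, b"\x01\x00\x01"))  # toy n, e
SAMPLE_SPKI = _tlv(SEQ, _ALG + _tlv(0x03, b"\x00" + _KEY))
_REST = _tlv(0x02, b"\x01") + _ALG + _tlv(SEQ, b"") * 3  # serial, sigAlg, issuer, validity, subject
def _cert(tbs_value):
    return _tlv(SEQ, _tlv(SEQ, tbs_value) + _ALG + _tlv(0x03, b"\x00\x00"))
SAMPLE_CERT_V3 = _cert(_tlv(0xA0, _tlv(0x02, b"\x02")) + _REST + SAMPLE_SPKI)
SAMPLE_CERT_V1 = _cert(_REST + SAMPLE_SPKI)
```

On a real certificate, `hpkp_pin(open("cert.der", "rb").read())` should match the base64 output of Nikos's shell pipeline, since both hash the same SPKI bytes.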