[gnutls-devel] How to generate sums for Public-Key-Pins HTTP header ?

Tim Ruehsen tim.ruehsen at gmx.de
Tue Feb 21 09:18:47 CET 2017


On Monday, February 20, 2017 2:43:01 PM CET Daniel Kahn Gillmor wrote:
> On Mon 2017-02-20 06:47:05 -0500, Nikos Mavrogiannopoulos wrote:
> > On Mon, Feb 20, 2017 at 11:05 AM, Tim Ruehsen <tim.ruehsen at gmx.de> wrote:
> >> Hi,
> >> 
> >> is there a tool (certtool ?) or script to generate the base64 encoded
> >> sha256 sums of a cert's pubkey?
> > 
> > I do not think there is a direct option to get it in base64, but you
> > can get it in hex as:
> > certtool --key-id --hash sha256 --infile cert.pem
> > or (for older releases which didn't have --key-id)
> > certtool --pubkey-info --outder --infile cert.pem|sha256sum|cut -d ' ' -f 1
> > 
> > Then you can go to base64 as:
> > certtool --pubkey-info --outder --infile cert.pem|sha256sum|cut -d ' ' -f 1|xxd -r -p|base64
> 
> If you want it in C, please take a look at daemon/tls.c from
> https://gitlab.labs.nic.cz/knot/resolver.git, which has a
> get_oob_key_pin() function that uses gnutls primitives (except for the
> b64 encoding).
> 
> It would be nice to see that particular digest calculation be included in
> the output of certtool -i, fwiw.

FYI, the C code is also in wget and now in wget2 (for HPKP).

And I agree with Daniel, having that in certtool makes it available to the 
public quicker, since xxd, cut, base64 and sha256sum are not easily available 
on any platform.

Regards, Tim
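The pipeline quoted above hashes the DER-encoded SubjectPublicKeyInfo (SPKI), not the whole certificate, and base64-encodes the SHA-256 digest; that is exactly what an HPKP `pin-sha256` value is. The following is an added, self-contained Go example (not code from this thread, nor from wget, wget2 or knot resolver) that does the same thing with the standard library: it generates a throwaway self-signed certificate as constructed input, extracts the raw SPKI from the parsed certificate, and produces the pin. The names `PinSHA256`, `PinFromCertDER`, `PinFromPEM` and `SelfSignedCert` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PinSHA256 returns the HPKP "pin-sha256" value for a DER-encoded
// SubjectPublicKeyInfo: base64(SHA-256(SPKI)), as RFC 7469 specifies.
func PinSHA256(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinFromCertDER parses a DER certificate and pins its SPKI. Pinning the
// key rather than the certificate survives re-issuance with the same key.
func PinFromCertDER(certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	return PinSHA256(cert.RawSubjectPublicKeyInfo), nil
}

// PinFromPEM accepts the PEM form that certtool and openssl emit.
func PinFromPEM(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE block found in PEM input")
	}
	return PinFromCertDER(block.Bytes)
}

// SelfSignedCert builds a throwaway self-signed certificate (constructed
// test input, not a real site certificate) and returns its DER bytes
// together with the public key it carries.
func SelfSignedCert() ([]byte, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "pin-example.invalid"}, // placeholder name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return der, &priv.PublicKey, nil
}

func main() {
	der, pub, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	pin, err := PinFromPEM(pemBytes)
	if err != nil {
		panic(err)
	}
	// Cross-check: the PKIX encoding of the bare public key is the same
	// SubjectPublicKeyInfo structure, so hashing it must yield the same pin.
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	fmt.Println("pin-sha256:", pin, "consistent:", pin == PinSHA256(spki))
}
```

The cross-check in `main` is the point worth keeping in mind when comparing tools: `certtool --key-id --hash sha256` and the `--pubkey-info --outder | sha256sum` pipeline agree only because both hash the SPKI structure itself; hashing the whole certificate, or the bare key bits without the algorithm identifier, gives a value that browsers will not match.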