OpenLEADR / openleadr-python

Python library for OpenADR
https://openleadr.org/docs
Apache License 2.0

Incorrect PEM to Fingerprint #55

Closed muhammadvellani closed 3 years ago

muhammadvellani commented 3 years ago

After generating the certificate and public key by the method mentioned in the docs

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

I experienced some issues with the fingerprints when the PEM files were fed to the client and server example code. The fingerprints printed on the Python console were shorter than SHA1 or SHA256, and I saw that the certificate_fingerprint_from_der function in utils.py was exporting incorrect fingerprints:

```python
import hashlib

def certificate_fingerprint_from_der(der_bytes):
    hash = hashlib.sha256(der_bytes).digest().hex()
    return ":".join([hash[i-2:i].upper() for i in range(-20, 0, 2)])
```

When I exported the PEM to a fingerprint using the openssl command on Linux (openssl x509 -in cert_s.pem -fingerprint -sha256 -noout), the fingerprint was the same as "hash" but without the ":" and upper case.

Changing the function to ":".join([hash[i:i+2].upper() for i in range(0, len(hash), 2)]) gave me the same fingerprint as the openssl sha256 fingerprint export function.

stan-janssen commented 3 years ago

Thanks for the report.

There are two things. First, the hash function was indeed incorrect, and it was fixed in https://github.com/OpenLEADR/openleadr-python/commit/1d9f0e70cf760b2e6c305169d24ba2f827c5f2b9, but I had not released it as a new version yet.

Second, the fingerprint that OpenADR defines is not the same as the OpenSSL fingerprint; the explicit fingerprint format of OpenADR is defined in the spec on page 62, which states that the fingerprint used in OpenADR is the last 29 characters of the fingerprint that OpenSSL generates.

I will release a new version that contains the earlier fix.

muhammadvellani commented 3 years ago

Thanks for the reply. You are correct. I received the new update and it is printing according to the OpenADR spec sheet (last 29 chars). Closing this one right now. Appreciate your quick response.