Add a public API to calculate fingerprints of LeafCert instances

[webknjaz]

So I've been finally integrating trustme into aiohttp's test today. Turns out that certificate fingerprint calculation isn't well-documented on the Internet for Python stdlib's ssl module. All examples use pyOpenSSL instead. So after fighting it for a while, I've figured out that one should turn certificate into DER format as opposed to PEM (ssl.PEM_cert_to_DER_cert()), because it's what SSLSocket.getpeercert() returns and what client uses to calculate hash: https://github.com/aio-libs/aiohttp/commit/c180800a4c90dc123d05311edbec92a3a82d6317#diff-484462fced51d1a06b1d93b4a44dd535R69

Ref: https://github.com/aio-libs/aiohttp/blob/c9dabcb/aiohttp/client_reqrep.py#L105-L136

So I think it'd be nice to wrap it into a method bound to LeafCert (and maybe Blob?). The suggested API is:

# fingerprint calc function wrapped with `lru_cache`
LeafCert.make_fingerprint(hash_function='sha256')

# @properties:
LeafCert.sha256_fingerprint
LeafCert.sha1_fingerprint
LeafCert.md5_fingerprint

Maybe fingerprint would need to be represented by its own Fingerprint class, not just some bytes.

[njsmith]

Sounds good to me. Maybe just LeafCert.fingerprint("sha1")? make_ is usually redundant in function names, and then once the function name is shortened the properties don't add much.

[njsmith]

It'd probably make sense on CA too, since CA certificates also have fingerprints.

[webknjaz]

I'd want fingerprint to be a property. Use nouns for attributes and verbs for function calls. Otherwise, it's confusing to read in code.

OTOH using anything but sha256 seems to be deprecated.

[dlenski]

There are at least two types of TLS cert fingerprints.

1. Hash of the whole cert (older)
2. Hash of just the public key (used in the newer pin-sha256 standard)

We figured out how to implement the latter in Python scripts using asn1crypto for OpenConnect in https://gitlab.com/openconnect/openconnect/-/blob/master/trojans/tncc-emulate.py#L652