voltone / x509

Elixir package for working with X.509 certificates, Certificate Signing Requests (CSRs), Certificate Revocation Lists (CRLs) and RSA/ECC key pairs
BSD 3-Clause "New" or "Revised" License

Include thumbprint functions #40

Open victorolinasc opened 3 years ago

victorolinasc commented 3 years ago

I think it is quite common to work with thumbprints when handling x509. For example, JWKS has the following standard claims among others:

We can, currently, generate a thumbprint by doing something like:

:crypto.hash(:sha, X509.Certificate.to_der(cert)) |> Base.url_encode64(padding: false)

I've spent a while trying to find how openssl generates the thumbprint with some confusing answers. It would be great if this was built-in to avoid confusing implementations.

Thanks for your wonderful work!

voltone commented 3 years ago

Essentially these fingerprints are always some hash over the DER encoded certificate. The question is which hash, and how to represent it: hex (lowercase or uppercase?), base64 (regular or url-safe? with or without padding)?

To be honest I'm not sure if adding a handful of variants would help, or would just cause more confusion when people are trying to match them with yet another variant that their browser or CLI tool displays...
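The encoding variants listed above, side by side, as an added example (not part of this issue or of the x509 package): an Elixir module that derives the RFC 7515 `x5t` / `x5t#S256` values and the `openssl x509 -fingerprint` style hex form from the same DER bytes, and normalizes any of those encodings before comparing two fingerprints. The bytes in `@sample_der` are a constructed placeholder, not a real certificate; with the package, the DER input would be `X509.Certificate.to_der(cert)`.

```elixir
defmodule Thumbprint do
  # Every thumbprint is a hash over the DER-encoded certificate (the binary
  # X509.Certificate.to_der/1 returns); only the digest and the text encoding
  # differ between tools.

  # RFC 7515 sections 4.1.7 and 4.1.8: "x5t" is the base64url-encoded SHA-1
  # digest of the DER certificate, "x5t#S256" the SHA-256 digest, no padding.
  def x5t(der), do: der |> digest(:sha) |> Base.url_encode64(padding: false)
  def x5t_s256(der), do: der |> digest(:sha256) |> Base.url_encode64(padding: false)

  # The form printed by `openssl x509 -fingerprint -sha256` and by most
  # browser certificate viewers: uppercase hex bytes separated by colons.
  def openssl_fingerprint(der, algo \\ :sha256) do
    der
    |> digest(algo)
    |> :binary.bin_to_list()
    |> Enum.map_join(":", fn b -> b |> Integer.to_string(16) |> String.pad_leading(2, "0") end)
  end

  # Reduce any of the encodings above (hex with or without colons, either case;
  # base64 or base64url, padded or not) to lowercase hex, so fingerprints
  # copied from different tools can be compared without guessing the encoding.
  def normalize(text) do
    cleaned = text |> String.replace(~r/[:\s]/, "") |> String.trim_trailing("=")

    if Regex.match?(~r/\A([0-9a-fA-F]{2})+\z/, cleaned) and
         byte_size(cleaned) in [32, 40, 64, 96, 128] do
      String.downcase(cleaned)
    else
      # Map the standard base64 alphabet onto the URL-safe one, then decode.
      url_safe = cleaned |> String.replace("+", "-") |> String.replace("/", "_")

      case Base.url_decode64(url_safe, padding: false) do
        {:ok, raw} -> Base.encode16(raw, case: :lower)
        :error -> raise ArgumentError, "unrecognised thumbprint encoding: #{inspect(text)}"
      end
    end
  end

  def same?(a, b), do: normalize(a) == normalize(b)

  defp digest(der, algo), do: :crypto.hash(algo, der)

  # Constructed placeholder bytes standing in for a DER certificate (not a real
  # certificate); with the x509 package pass X509.Certificate.to_der(cert).
  @sample_der <<0x30, 0x82, 0x02, 0x5E, 0x30, 0x82, 0x01, 0x46, 0xA0, 0x03, 0x02, 0x01, 0x02>>

  def demo do
    jwk_value = x5t_s256(@sample_der)
    cli_value = openssl_fingerprint(@sample_der, :sha256)
    IO.puts("x5t#S256 (JWK):       #{jwk_value}")
    IO.puts("openssl -fingerprint: #{cli_value}")
    same?(jwk_value, cli_value)
  end
end
```

`Thumbprint.demo()` returns `true`, since both strings encode the same SHA-256 digest; `same?/2` is the check to run before trusting a fingerprint pasted from a browser or CLI against one computed in code.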

victorolinasc commented 3 years ago

You are totally right! Forgot about the mess in browsers about this concept. The differences do indeed exist.

I came here from the JWKS specification which specifies the encoding to be base64_url https://tools.ietf.org/html/rfc7515#page-12 so, at least in some places, the encoding is standardized.

Please, feel free to close this if you think it is not needed/wanted. Thanks again for your attention :)